CreateRemoteThread即在当前已有进程中创建新的线程。
从32位进程注入dll到32位进程的步骤如下:
1.OpenProcess 打开已有进程
2.VirtualAllocEx分配空间给它
3.获取LoadLibraryW的地址
4.WriteProcessMemory 写进内存空间
5.CreateRemoteThread实现注入
代码如下:
//32位程序注入到32位程序
//@param:dwPid:需要注入程序的进程pid
//@param:dllpath:注入的dll的路径
//return:True:注入成功,False:注入失败
bool injectDll32To32(DWORD dwPid,LPCTSTR dllpath)
{
//Step 1: oepn destination process
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,false,dwPid);
//get dllpath length
DWORD dwBufSize = (DWORD)(_tcslen(dllpath)+1)*sizeof(TCHAR);
//Step2:VirtualAlloc space for the process
LPVOID targetAddress = VirtualAllocEx(hProcess,0,dwBufSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
//Step3:Get LoadLibraryW Address
LPTHREAD_START_ROUTINE pfnThreadRtn = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
//Step4:ChangePageProtection
DWORD oldProtect = 0;
VirtualProtectEx(hProcess,targetAddress,dwBufSize,PAGE_EXECUTE_READWRITE,&oldProtect);
//Step5:WriteProcessMemory
DWORD bytesRet= 0;
if (!WriteProcessMemory(hProcess,targetAddress,(LPVOID)dllpath,dwBufSize,&bytesRet))
{
return false;
}
//Restore Oral
VirtualProtectEx(hProcess,targetAddress,dwBufSize,oldProtect,&oldProtect);
//Step6:CreateRemoteThread
HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,pfnThreadRtn,targetAddress,0,NULL );
if (!hThread)
{
return false;
}
WaitForSingleObject(hThread,INFINITE);
return true;
}
64位注入32位 32注入64位 64注入64 等后面有时间再写
