CreateRemoteThread即在当前已有进程中创建新的线程。
从32位进程注入dll到32位进程的步骤如下:
1.OpenProcess 打开已有进程
2.VirtualAllocEx分配空间给它
3.获取LoadLibraryW的地址
4.WriteProcessMemory 写进内存空间
5.CreateRemoteThread实现注入
代码如下:
// Inject a DLL from a 32-bit process into a 32-bit process by creating a
// remote thread whose start routine is LoadLibraryW and whose argument is
// the DLL path copied into the target's address space.
// @param dwPid   pid of the process to inject into
// @param dllpath path of the DLL to inject (TCHAR string)
// @return true when the remote thread was created and has finished;
//         false when WriteProcessMemory or CreateRemoteThread fails.
//         NOTE(review): the thread's exit code (LoadLibraryW's result) is
//         never read, so "true" does not confirm that the DLL actually loaded.
// Review notes on the code as written:
//  - hProcess and hThread are never closed, and the remote buffer from
//    VirtualAllocEx is never released: every call leaks them.
//  - OpenProcess, VirtualAllocEx, GetProcAddress and WaitForSingleObject
//    return values are not checked; a NULL handle/address flows straight
//    into the next call.
//  - The buffer is sized and filled as TCHAR but the start routine is the
//    wide-character LoadLibraryW, so the two agree only in a UNICODE build.
bool injectDll32To32(DWORD dwPid,LPCTSTR dllpath)
{
    // Step 1: open the destination process (handle is never closed).
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,false,dwPid);

    // Byte length of the path including its terminator. The cast applies to
    // (_tcslen+1) only; the multiplication yields size_t and is narrowed to
    // DWORD on assignment.
    DWORD dwBufSize = (DWORD)(_tcslen(dllpath)+1)*sizeof(TCHAR);

    // Step 2: reserve+commit a buffer for the path inside the target process
    // (result not checked; never freed).
    LPVOID targetAddress = VirtualAllocEx(hProcess,0,dwBufSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);

    // Step 3: resolve LoadLibraryW in this process's own kernel32 and reuse the
    // address in the target; presumably valid here because both processes are
    // 32-bit (the scope this routine is documented for) — result not checked.
    LPTHREAD_START_ROUTINE pfnThreadRtn = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryW");

    // Step 4: change the page protection of the remote buffer. The buffer was
    // already allocated with this protection, so this is effectively a no-op.
    DWORD oldProtect = 0;
    VirtualProtectEx(hProcess,targetAddress,dwBufSize,PAGE_EXECUTE_READWRITE,&oldProtect);

    // Step 5: copy the DLL path into the target. bytesRet is collected but
    // never compared against dwBufSize (a short write is not detected).
    DWORD bytesRet= 0;
    if (!WriteProcessMemory(hProcess,targetAddress,(LPVOID)dllpath,dwBufSize,&bytesRet))
    {
        return false;
    }

    // Restore the original protection recorded in step 4.
    VirtualProtectEx(hProcess,targetAddress,dwBufSize,oldProtect,&oldProtect);

    // Step 6: run LoadLibraryW(targetAddress) on a new thread in the target.
    HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,pfnThreadRtn,targetAddress,0,NULL );
    if (!hThread)
    {
        return false;
    }

    // Block until the remote thread ends; its exit code is not inspected and
    // hThread is not closed.
    WaitForSingleObject(hThread,INFINITE);
    return true;
}
64位注入32位、32位注入64位、64位注入64位等，等后面有时间再写。