#include <Windows.h>
#include <TlHelp32.h>

/*
 * InjectDllWithApc - load a DLL into another process by queuing a user-mode
 * APC that calls LoadLibraryA on each of that process's threads.
 *
 * Sequence as written: OpenProcess(VM_OPERATION|VM_WRITE) -> VirtualAllocEx
 * (RW) -> WriteProcessMemory(DLL path) -> CreateToolhelp32Snapshot(threads)
 * -> OpenThread(THREAD_SET_CONTEXT) -> QueueUserAPC(LoadLibraryA, <remote path>).
 * From a defender's point of view this exact API chain, issued by one
 * process against another process's handle, is the classic APC-injection
 * signature that EDR/ETW-based detections key on; the remote allocation
 * holds only the path string, the code that runs is the target's own
 * LoadLibraryA.
 *
 * DllFullPath: NUL-terminated path of the DLL to load in the target
 *              (copied verbatim, including its terminator, into the target).
 * pid:         process id of the target.
 *
 * Returns 0 when the process could not be opened or when the thread walk
 * completed, 1 on any failure after the path was written. A 0 return does
 * not mean the DLL is loaded: a user-mode APC runs only when its thread
 * next enters an alertable wait, so the load is deferred and may never
 * happen for threads that never become alertable.
 *
 * NOTE(review): hDll and len below are computed but never used; the inner
 * hThreadSnap/te32 declarations shadow the outer ones of the same name.
 */
int InjectDllWithApc(char DllFullPath[MAX_PATH], ULONG pid )
{
    HANDLE hProcess,hThread,hThreadSnap = INVALID_HANDLE_VALUE;
    THREADENTRY32 te32 = {0} ;
    HMODULE hDll = GetModuleHandle("Kernel32.dll");   /* unused */
    int len = strlen(DllFullPath) + 1;                /* unused */
    /* Open the target with just the rights needed to allocate and write
     * (no PROCESS_QUERY_INFORMATION / VM_READ); bInheritHandle is TRUE. */
    hProcess = OpenProcess(PROCESS_VM_OPERATION|PROCESS_VM_WRITE,TRUE,pid);
    if(hProcess==NULL)
    {
        printf("failed to open process!!\n");
        return 0;
    }
    /* Reserve+commit a read/write page in the target sized for the path
     * string plus its terminator. */
    PVOID pszLibFileRemote = (char *)VirtualAllocEx(hProcess, NULL, lstrlen(DllFullPath)+1, MEM_COMMIT, PAGE_READWRITE);
    if (pszLibFileRemote != NULL)
    {
        /* Copy the DLL path into the remote buffer; bytes-written count is
         * not requested (NULL), so a partial write is indistinguishable
         * from a full one here. */
        if(WriteProcessMemory(hProcess,pszLibFileRemote,(void *)DllFullPath, lstrlen(DllFullPath)+1, NULL))
        {
            HANDLE hThreadSnap = INVALID_HANDLE_VALUE;   /* shadows outer hThreadSnap */
            THREADENTRY32 te32;                          /* shadows outer te32 */
            /* System-wide thread snapshot; threads of other processes are
             * filtered out by th32OwnerProcessID in the loop below. */
            hThreadSnap = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 );
            if( hThreadSnap == INVALID_HANDLE_VALUE )
                return 1;   /* hProcess is not closed on this path */
            te32.dwSize = sizeof(THREADENTRY32 );
            if( !Thread32First( hThreadSnap, &te32 ) )
            {
                CloseHandle( hThreadSnap );
                return 1;   /* hProcess is not closed on this path */
            }
            do
            {
                /* Walk every thread in the snapshot; act only on those
                 * owned by the target pid. */
                if( te32.th32OwnerProcessID == pid )
                {
                    printf("TID:%d\n", te32.th32ThreadID) ;
                    /* THREAD_SET_CONTEXT is the access right QueueUserAPC
                     * requires on the thread handle. */
                    hThread = OpenThread(THREAD_SET_CONTEXT ,FALSE,te32.th32ThreadID);
                    if (hThread != 0)
                    {
                        /* Queue LoadLibraryA(pszLibFileRemote) as a user-mode
                         * APC on this thread. The same APC is queued on every
                         * thread of the target, so the DLL may be loaded (or
                         * have its refcount bumped) once per alertable thread. */
                        if(QueueUserAPC((PAPCFUNC)LoadLibraryA, hThread, (DWORD)pszLibFileRemote))
                        {
                            printf("插入APC成功\n") ;
                        }
                        else
                        {
                            printf("插入APC失败\n");
                            return 1;   /* hThread, hThreadSnap, hProcess are not closed on this path */
                        }
                        CloseHandle(hThread);
                    }
                }
            }while( Thread32Next(hThreadSnap, &te32 ) );
            CloseHandle( hThreadSnap );
        }
    }
    /* Note: the remote buffer is never freed; the path string stays
     * resident in the target, which is itself an artifact a memory scan
     * can find. */
    CloseHandle(hProcess);
    return 0;
}

/*
 * Entry point: injects a hard-coded DLL path into a hard-coded pid
 * (sample values from the original listing; argc/argv are ignored).
 */
int _tmain(int argc, _TCHAR* argv[])
{
    InjectDllWithApc("C:\\DllTest.dll",1496);
    return 0;
}