C++封装远程注入类CreateRemoteThreadEx实例
本文实例讲述了C++封装远程注入类CreateRemoteThreadEx的方法,分享给大家供大家参考。具体方法如下:
首先,类初始化时传入要注入的DLL文件名
只使用两个函数
// Load the DLL (named at construction time) into the address space of dwProcessId.
BOOL InjectModuleInto(DWORD dwProcessId);
// Unload that DLL from the address space of dwProcessId.
BOOL EjectModuleFrom(DWORD dwProcessId);
.h头文件如下:
#pragma once
#include <windows.h>  // included from the header so users of the class get the Win32 types

/// Holds one DLL file name and loads/unloads it in another process via a
/// remote thread (the .cpp uses CreateToolhelp32Snapshot, OpenProcess,
/// VirtualAllocEx, WriteProcessMemory and CreateRemoteThreadEx).
///
/// Lifetime side effect: the constructor enables SeDebugPrivilege on the
/// *current process token* and the destructor disables it again. That state is
/// process-wide, not per object, so a second instance's destructor removes the
/// privilege from the first instance as well. The constructor ignores the
/// return value of EnableDebugPrivilege, so a failed enable is not reported.
class CRemThreadInject
{
public:
    // lpDllName: copied into m_szDllName with memcpy(MAX_PATH) - see the
    // constructor notes in the .cpp about source length and NUL termination.
    CRemThreadInject(LPSTR lpDllName);
    ~CRemThreadInject(void);

protected:
    // DLL name that is (a) compared case-insensitively against szModule of each
    // entry in the target's module snapshot and (b) written into the target as
    // the argument of the remote thread.
    char m_szDllName[MAX_PATH];
    // Sets or clears SE_DEBUG_NAME on the current process token.
    // Returns FALSE when the token cannot be opened, AdjustTokenPrivileges
    // fails, or the privilege is not held (ERROR_NOT_ALL_ASSIGNED).
    static BOOL EnableDebugPrivilege(BOOL bEnable);

public:
    // Load the DLL into the address space of dwProcessId.
    // Returns FALSE when dwProcessId is the current process, when the module is
    // already present in the target's snapshot, or when opening the process or
    // creating the remote thread fails. The remote thread's exit code is not
    // inspected, so TRUE does not mean LoadLibraryA succeeded in the target.
    BOOL InjectModuleInto(DWORD dwProcessId);
    // Unload the DLL from the address space of dwProcessId.
    // Returns FALSE when dwProcessId is the current process or when the module
    // is not present in the target's snapshot. NOTE(review): as written the
    // remote FreeLibrary call receives the address of the DLL-name string
    // rather than an HMODULE; see the .cpp.
    BOOL EjectModuleFrom(DWORD dwProcessId);
};
.cpp源文件如下:
#include "RemThreadInject.h"
#include <tlhelp32.h>

// NOTE(review): this file uses narrow-character APIs and literals throughout
// (GetModuleHandle("kernel32.dll"), stricmp against me32.szModule, which is
// TCHAR). It therefore presumably only compiles in a non-UNICODE build; the
// explicit ...A variants would make that independent of the build setting.

// Copy the DLL name and enable SeDebugPrivilege on the current process token.
//
// NOTE(review): memcpy copies exactly MAX_PATH bytes from lpDllName regardless
// of the string's length, so a caller that passes a shorter buffer causes an
// out-of-bounds read, and m_szDllName is only NUL-terminated if the source was
// terminated within MAX_PATH bytes (strlen is later applied to it).
// The return value of EnableDebugPrivilege is discarded.
CRemThreadInject::CRemThreadInject(LPSTR lpDllName)
{
    memcpy(m_szDllName, lpDllName, MAX_PATH);
    EnableDebugPrivilege(TRUE);
}

// Disable SeDebugPrivilege again. This acts on the process-wide token, so it
// also affects any other live instance of this class.
CRemThreadInject::~CRemThreadInject(void)
{
    EnableDebugPrivilege(FALSE);
}

// Enable (bEnable != 0) or clear SE_DEBUG_NAME on the current process token.
// Returns FALSE if the token cannot be opened, AdjustTokenPrivileges fails, or
// the call "succeeds" with ERROR_NOT_ALL_ASSIGNED, i.e. the token does not
// actually hold the privilege (it can only be enabled when already granted to
// the token, which is normally an elevated administrator - TODO confirm for the
// deployment in question).
//
// NOTE(review): hToken is leaked on all three early-return paths; only the
// success path reaches CloseHandle. LookupPrivilegeValue's return value is not
// checked, so on failure luid is used uninitialized.
BOOL CRemThreadInject::EnableDebugPrivilege(BOOL bEnable)
{
    HANDLE hToken = INVALID_HANDLE_VALUE;
    // Open our own token with only the right needed to adjust privileges.
    if (0 == ::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        return FALSE;
    }
    LUID luid;
    // Resolve the LUID for SeDebugPrivilege (return value unchecked).
    ::LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    if (bEnable)
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    else
        tp.Privileges[0].Attributes = 0;
    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
    {
        return FALSE;
    }
    // AdjustTokenPrivileges returns success even when the privilege was not
    // assigned; GetLastError distinguishes that case.
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        return FALSE;
    }
    ::CloseHandle(hToken);
    return TRUE;
}

// Load the DLL into the address space of the given process.
//
// Steps, as visible below: refuse the current process; snapshot the target's
// modules and bail out if the DLL is already there; open the target with
// create-thread and VM write rights; allocate a buffer in the target, write the
// DLL name into it, and start a remote thread at kernel32!LoadLibraryA with the
// buffer address as its argument; wait for that thread to finish.
//
// NOTE(review): from a defender's point of view, the cross-process memory
// write and the cross-process thread creation are the observable events of
// this routine; this is the textbook remote-thread load pattern that endpoint
// telemetry is generally built to record.
//
// NOTE(review), correctness:
//  - bFound is never initialized. When Module32Next exhausts the list without
//    a match, the `if (bFound)` below reads an indeterminate value.
//  - me32.szModule presumably holds the module's base file name, so a
//    m_szDllName that contains a directory prefix never matches - verify.
//  - GetProcAddress, VirtualAllocEx and WriteProcessMemory results are not
//    checked; a NULL from any of them still reaches CreateRemoteThreadEx.
//  - The buffer allocated with VirtualAllocEx is never released with
//    VirtualFreeEx, so every call leaks cbSize bytes in the target.
//  - WaitForSingleObject uses INFINITE; if the remote thread never returns
//    the caller blocks forever.
//  - The thread's exit code (LoadLibraryA's return value) is not read, so a
//    failed load in the target is still reported as TRUE.
//  - stricmp is the non-standard spelling; MSVC's supported name is _stricmp.
BOOL CRemThreadInject::InjectModuleInto(DWORD dwProcessId)
{
    // Never target ourselves.
    if (::GetCurrentProcessId() == dwProcessId)
    {
        return FALSE;
    }
    BOOL bFound;  // NOTE(review): uninitialized - see function comment.
    /************************************************************************/
    /* Enumerate the target's modules                                       */
    /************************************************************************/
    HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
    MODULEENTRY32 me32;
    // Take a snapshot of all modules in the specified process.
    hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
    if (hModuleSnap == INVALID_HANDLE_VALUE)
    {
        return (FALSE);
    }
    me32.dwSize = sizeof(MODULEENTRY32);
    if (!Module32First(hModuleSnap, &me32))
    {
        CloseHandle(hModuleSnap);  // Must clean up the snapshot object!
        return (FALSE);
    }
    do
    {
        // Case-insensitive compare of the snapshot entry's module name.
        if (stricmp(me32.szModule, m_szDllName) == 0)
        {
            bFound = TRUE;
            break;
        }
    } while (Module32Next(hModuleSnap, &me32));
    // Do not forget to clean up the snapshot object.
    CloseHandle(hModuleSnap);
    if (bFound)  // Module already loaded: do not load it again.
    {
        return FALSE;
    }
    // Not loaded: open the process for the remote-thread load.
    HANDLE hProcess = ::OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwProcessId);
    if (hProcess == NULL)
    {
        return FALSE;
    }
    // kernel32 is assumed to be mapped at the same address in the target, which
    // is why the local LoadLibraryA address is used as the remote start routine.
    HMODULE hKernerl32 = GetModuleHandle("kernel32.dll");
    LPTHREAD_START_ROUTINE pfnLoadLibraryA = (LPTHREAD_START_ROUTINE)::GetProcAddress(hKernerl32, "LoadLibraryA");
    int cbSize = strlen(m_szDllName) + 1;  // include the terminating NUL
    // Remote buffer for the DLL name (never freed - see function comment).
    LPVOID lpRemoteDllName = ::VirtualAllocEx(hProcess, 0, cbSize, MEM_COMMIT, PAGE_READWRITE);
    ::WriteProcessMemory(hProcess, lpRemoteDllName, m_szDllName, cbSize, NULL);
    HANDLE hRemoteThread = ::CreateRemoteThreadEx(hProcess, NULL, 0, pfnLoadLibraryA, lpRemoteDllName, 0, NULL, NULL);
    if (NULL == hRemoteThread)
    {
        ::CloseHandle(hProcess);
        return FALSE;
    }
    // Wait for the remote thread to finish, i.e. for LoadLibraryA to return.
    ::WaitForSingleObject(hRemoteThread, INFINITE);
    ::CloseHandle(hRemoteThread);
    ::CloseHandle(hProcess);
    return TRUE;
}

// Unload the DLL from the address space of the given process.
//
// Mirrors InjectModuleInto: same self-check, same snapshot walk (here the
// module must be present), same OpenProcess rights, but the remote thread is
// started at kernel32!FreeLibrary.
//
// NOTE(review): FreeLibrary takes an HMODULE, yet the argument handed to the
// remote thread is lpRemoteDllName - the address of the DLL-name string
// written into the target. As written, the routine therefore cannot unload the
// module it just found; the return value is still TRUE once the thread exits.
// All the InjectModuleInto notes (uninitialized bFound, unchecked
// GetProcAddress/VirtualAllocEx/WriteProcessMemory, leaked remote buffer,
// INFINITE wait, unread exit code) apply here as well.
BOOL CRemThreadInject::EjectModuleFrom(DWORD dwProcessId)
{
    // Never target ourselves.
    if (::GetCurrentProcessId() == dwProcessId)
    {
        return FALSE;
    }
    BOOL bFound;  // NOTE(review): uninitialized - see function comment.
    /************************************************************************/
    /* Enumerate the target's modules                                       */
    /************************************************************************/
    HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
    MODULEENTRY32 me32;
    // Take a snapshot of all modules in the specified process.
    hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
    if (hModuleSnap == INVALID_HANDLE_VALUE)
    {
        return (FALSE);
    }
    me32.dwSize = sizeof(MODULEENTRY32);
    if (!Module32First(hModuleSnap, &me32))
    {
        CloseHandle(hModuleSnap);  // Must clean up the snapshot object!
        return (FALSE);
    }
    do
    {
        // Case-insensitive compare of the snapshot entry's module name.
        if (stricmp(me32.szModule, m_szDllName) == 0)
        {
            bFound = TRUE;
            break;
        }
    } while (Module32Next(hModuleSnap, &me32));
    // Do not forget to clean up the snapshot object.
    CloseHandle(hModuleSnap);
    if (!bFound)  // Module not loaded: nothing to unload.
    {
        return FALSE;
    }
    // Loaded: open the process for the remote-thread unload.
    HANDLE hProcess = ::OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwProcessId);
    if (hProcess == NULL)
    {
        return FALSE;
    }
    HMODULE hKernerl32 = GetModuleHandle("kernel32.dll");
    LPTHREAD_START_ROUTINE pfnFreeLibrary = (LPTHREAD_START_ROUTINE)::GetProcAddress(hKernerl32, "FreeLibrary");
    int cbSize = strlen(m_szDllName) + 1;  // include the terminating NUL
    // Remote buffer for the DLL name (never freed - see function comment).
    LPVOID lpRemoteDllName = ::VirtualAllocEx(hProcess, 0, cbSize, MEM_COMMIT, PAGE_READWRITE);
    ::WriteProcessMemory(hProcess, lpRemoteDllName, m_szDllName, cbSize, NULL);
    // NOTE(review): the thread parameter is the string buffer, not an HMODULE.
    HANDLE hRemoteThread = ::CreateRemoteThreadEx(hProcess, NULL, 0, pfnFreeLibrary, lpRemoteDllName, 0, NULL, NULL);
    if (NULL == hRemoteThread)
    {
        ::CloseHandle(hProcess);
        return FALSE;
    }
    // Wait for the remote thread to finish (the original comment said
    // "LoadLibraryA returns"; here the routine is FreeLibrary).
    ::WaitForSingleObject(hRemoteThread, INFINITE);
    ::CloseHandle(hRemoteThread);
    ::CloseHandle(hProcess);
    return TRUE;
}
希望本文所述对大家的C++程序设计有所帮助。