1. APC即异步过程调用(Asynchronous Procedure Call), 分为内核级和用户级, 在ring3层中, 使用用户级的APC即可进行dll注入

但是不能针对已有进程

2. 

// APC injection. Requires a freshly created target process; cannot be used
// against an already running process (author's stated constraint).
//
// What this function observably does, in order:
//   1. CreateProcessW(exepath) with CREATE_SUSPENDED
//   2. VirtualAllocEx of one 0x1000-byte PAGE_EXECUTE_READWRITE region in it
//   3. WriteProcessMemory of the wide DLL path (including NUL) into that region
//   4. QueueUserAPC(LoadLibraryW, primary thread, region address)
// That exact API sequence (suspended create -> remote RWX alloc -> remote
// write -> remote APC queue) is what process-injection detection logic
// and ETW/EDR telemetry key on, which is the point of reading it as a defender.
//
// Params:  dllpath - NUL-terminated wide path of the DLL (passed as the
//                    LoadLibraryW argument); exepath - wide path of the
//                    executable to start.
// Returns: 1 if the APC was queued, 0 on any API failure.  A return of 1 only
//          means "queued"; nothing here observes whether the load happened.
DWORD apcInject(WCHAR* dllpath,WCHAR* exepath)
{
    STARTUPINFOW sp = { 0 };
    sp.cb = sizeof(STARTUPINFOW);
    sp.dwFlags = STARTF_USESHOWWINDOW;
    sp.wShowWindow = SW_MINIMIZE;
    PROCESS_INFORMATION pi = { 0 };
    // Start the process suspended so its primary thread exists but has not
    // begun executing user code.
    if (!CreateProcessW(exepath, NULL, 0, 0, 0, CREATE_SUSPENDED, 0, 0, &sp, &pi))
    {
        return 0;
    }
    // Allocate memory for the argument.  Only a string is stored here, yet the
    // page is requested PAGE_EXECUTE_READWRITE; a remote RWX allocation is one
    // of the prominent observable artifacts of this sequence.
    LPVOID p = VirtualAllocEx(pi.hProcess, 0, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (!p)
    {
        // NOTE(review): on every failure path below, the suspended process is
        // never terminated or resumed; its handles are closed and it is left
        // suspended.
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
        return 0;
    }
    // Write the argument: lstrlenW*2 bytes of UTF-16 plus the 2-byte NUL.
    // NOTE(review): that size is not checked against the 0x1000-byte region,
    // so a path longer than ~2047 characters writes past the allocation.
    if (!WriteProcessMemory(pi.hProcess, p, (LPVOID)(dllpath), lstrlenW(dllpath)*2+2, NULL))
    {
        // NOTE(review): MEM_FREE is not a valid dwFreeType for VirtualFreeEx
        // (MEM_DECOMMIT or MEM_RELEASE, the latter with dwSize 0), and the
        // return value is not checked, so this cleanup silently does nothing.
        // Same on the QueueUserAPC failure path below.
        VirtualFreeEx(pi.hProcess, p, 0x1000, MEM_FREE);
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
        return 0;
    }
    // Resolve LoadLibraryW in this process; kernel32 is mapped at the same
    // base in the target, which is why the local address is reused remotely.
    // NOTE(review): the GetProcAddress result is not NULL-checked before use.
    LPVOID ll = (LPVOID)GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "LoadLibraryW");
    // Queue the user-mode APC on the target's primary thread with the remote
    // buffer address as its single ULONG_PTR argument.
    if (!QueueUserAPC((PAPCFUNC)ll, pi.hThread, (ULONG_PTR)p))
    {
        VirtualFreeEx(pi.hProcess, p, 0x1000, MEM_FREE);
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
        return 0;
    }
    // Handles are released; the remote allocation is intentionally left in
    // place because the APC argument points into it.
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    return 1;
}

 

未完待续...