远程线程注入(一)
需要注意的一点是:取函数地址时不要使用宏名,而要使用实际导出的函数名称
话不多说,插入自己的代码
/*
 * Injection — classic remote-thread DLL injection primitive.
 *
 * Writes the ANSI path DllPath into the address space of process Pid and
 * starts a thread there whose entry point is LoadLibraryA, so the target
 * loads the DLL itself.  No value is returned; each failure is reported
 * with a MessageBox and the function returns early.
 *
 * Pid     — id of the target process (opened with PROCESS_ALL_ACCESS).
 * DllPath — NUL-terminated ANSI path (strlen is used, so no wide strings).
 *
 * Defender's note: the cross-process VirtualAllocEx -> WriteProcessMemory ->
 * CreateRemoteThread sequence below is the well-known signature this
 * technique leaves, and it is what endpoint telemetry typically keys on.
 *
 * NOTE(review) — defects observed, code left as-is:
 *  - Every early return after OpenProcess succeeds leaks `pro`; the ones
 *    after VirtualAllocEx succeeds also leave the remote buffer allocated.
 *  - `(DWORD)GetProcAddress(...)` truncates a pointer on 64-bit builds.
 *  - `hThread` is not checked for NULL before WaitForSingleObject.
 *  - `acc = GetLastError()` overwrites the exit code just read by
 *    GetExitCodeThread, so the thread's result is never used.
 *  - `VirtualFree(pro, ...)` passes a process handle where a base address is
 *    expected, and MEM_COMMIT is not a free type; it does not release lpStr
 *    in the target process.
 *  - DllPath is not validated; strlen(NULL) is undefined behaviour.
 */
VOID Injection(DWORD Pid, LPSTR DllPath) {
    /* Full-access handle to the target; needed by every cross-process call below. */
    HANDLE pro=OpenProcess(PROCESS_ALL_ACCESS, FALSE, Pid);
    if (!pro) {
        MessageBox(0, 0, L"进程句柄获取失败", 0);
        return;
    }
    /* kernel32 is resolved in *this* process; the author assumes the same
     * base address in the target.  NOTE(review): only holds when both
     * processes share the same kernel32 image and bitness — confirm. */
    HMODULE hModule=LoadLibrary(L"kernel32.dll");
    if (!hModule) {
        MessageBox(0, 0, L"导入模块失败", 0);
        return;
    }
    /* "LoadLibraryA" is the exported name; LoadLibrary itself is only a macro. */
    DWORD load_addr=(DWORD)GetProcAddress(hModule, "LoadLibraryA");
    if (!load_addr) {
        MessageBox(0, 0, L"函数地址获取失败", 0);
        return;
    }
    /* +1 for the terminating NUL. */
    DWORD hLength=strlen(DllPath)+1;
    /* Remote buffer that will hold the path string. */
    LPVOID lpStr=VirtualAllocEx(pro, NULL, hLength,MEM_COMMIT , PAGE_READWRITE);
    if (!lpStr) {
        MessageBox(0, 0, L"远程内存分配失败",0);
        return;
    }
    /* Copy the path into the target; the bytes-written count is not requested. */
    BOOL success=WriteProcessMemory(pro, lpStr, DllPath, hLength , NULL);
    if (!success) {
        MessageBox(0, 0, L"字符串注入失败", 0);
        return;
    }
    /* Thread entry = LoadLibraryA, thread argument = remote path string. */
    HANDLE hThread=CreateRemoteThread(pro, NULL, 0, (LPTHREAD_START_ROUTINE)load_addr, lpStr, NULL, NULL);
    WaitForSingleObject(hThread,INFINITE);
    DWORD acc;
    GetExitCodeThread(hThread, &acc);
    /* Clobbers the exit code read on the previous line (see review note above). */
    acc = GetLastError();
    /* Does not act on the target process (see review note above). */
    VirtualFree(pro, hLength + 1, MEM_COMMIT);
    CloseHandle(hThread);
    CloseHandle(pro);
}
记录一下思路:
1.首先获取进程pid,打开进程,获取进程句柄
2.调用VirtualAllocEx函数在目标进程中申请内存空间
3.用WriteProcessMemory写入字符串
4.由于LoadLibrary函数和线程函数的参数都只有一个,所以可以把它的地址当作线程函数传进去;又因为每个进程都会加载kernel32.dll模块,所以该函数的地址是不变的(前提是两个进程的位数相同),直接使用本进程中取得的函数地址即可
5.调用CreateRemoteThread创建远程线程即可
