C中的Windows DLL注入器未注入DLL


我正在尝试编写一个DLL注入器,以便在计算器进程上执行DLL注入。

我用C编写了DLL注入程序,并准备了一个要注入的DLL,但是注入器没有注入该DLL,也没有注入任何其他DLL(我尝试过一些计算器不使用的随机Windows DLL)。

#include <stdio.h>
#include <Windows.h>

int main() {
    /* Minimal remote-thread DLL loader as posted by the asker. Every Win32
     * call below operates on a foreign process; the fixed sequence
     * OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
     * is the textbook pattern that endpoint monitoring alerts on. */
    LPCSTR dllpath = "C:\\Users\\......\\Dll1.dll";  /* placeholder path as posted */
    printf("#### Starting ####\n");

    printf("step 1: attaching the target process memory\n");
    /* The target PID is hard-coded; a stale or wrong PID silently yields NULL
     * and the program falls through to the return with no error message. */
    HANDLE hProcess = OpenProcess( 
        PROCESS_ALL_ACCESS, 
        FALSE, 
        6456 // target process id
    );
    if (hProcess != NULL) {
        printf("step 2: allocate the target memory process\n");
        /* strlen() is used without <string.h>; it compiles only if Windows.h
         * pulls it in transitively (TODO confirm). strlen(dllpath) omits the
         * NUL terminator, so the remote buffer is a valid C string only if the
         * freshly committed page happens to be zero-filled (TODO confirm).
         * PAGE_EXECUTE_READWRITE is unnecessary for a buffer that only holds
         * a path string. */
        LPVOID dllPathMemoryAddr = VirtualAllocEx(
            hProcess, 
            NULL, 
            strlen(dllpath), 
            MEM_RESERVE | MEM_COMMIT, 
            PAGE_EXECUTE_READWRITE 
        );
        if (dllPathMemoryAddr != NULL) {
            printf("step 3: write to the process memory\n");
            /* Same length as the allocation: the terminator is not copied. */
            BOOL succeededWriting = WriteProcessMemory(
                hProcess, 
                dllPathMemoryAddr,  
                dllpath, 
                strlen(dllpath), 
                NULL 
            );

            if (succeededWriting) {
                printf("step 4: execute.\n");
                /* Resolves LoadLibraryA in *this* process and reuses the address
                 * remotely. NOTE(review): whether this lookup is the actual cause
                 * of the failure cannot be determined from this listing alone. */
                FARPROC loadLibAddr = GetProcAddress(
                    GetModuleHandle(TEXT("kernel32.dll")),
                    "LoadLibraryA" 
                );
                /* rThread is never checked, waited on or closed: a failed
                 * CreateRemoteThread (or a remote LoadLibraryA that returns
                 * NULL) goes unnoticed, and a successful call leaks the
                 * thread handle. The "step 4" message therefore proves nothing
                 * about whether the DLL was loaded. */
                HANDLE rThread = CreateRemoteThread( 
                    hProcess, 
                    NULL, 
                    0, 
                     (LPTHREAD_START_ROUTINE)loadLibAddr,
                    dllPathMemoryAddr,
                    0,
                    NULL
                );
            }
        }
        /* The remote allocation is intentionally not freed: the target needs
         * the path until its LoadLibraryA call has read it. */
        CloseHandle(hProcess);
    }
    /* TRUE is 1, which by convention is a failure exit status; every path
     * (including the silent failures above) reports the same value. */
    return TRUE;
}

运行注入器后,我得到以下输出:

#### Starting ####
step 1: attaching the target process memory
step 2: allocate the target memory process
step 3: write to the process memory
step 4: execute.

此后,我仍然无法在进程浏览器(Process Explorer)中看到新的DLL。


您正在调用GetProcAddress()来获取LoadLibraryA()的地址,但它返回的是本地进程中LoadLibraryA的地址,而不是被注入进程中的地址。这不能保证在外部进程中是正确的。您不需要手动获取地址,CreateRemoteThread会为您解析地址。

这是一个非常简单的注入器示例,说明了如何执行此操作:

#include <iostream>
#include <Windows.h>
#include <TlHelp32.h>

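/**
 * Look up the process id of the first process in a Toolhelp snapshot whose
 * image file name (szExeFile) equals targetProcess, compared case-insensitively
 * with _stricmp.
 *
 * @param targetProcess  image file name to match
 * @return the matching PID, or 0 when no process matches or the snapshot
 *         could not be created or iterated.
 *
 * The original leaked the snapshot handle whenever Process32First failed or
 * the loop ended without a match; the handle is now closed on every path.
 */
DWORD GetPid(char * targetProcess)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (!snap || snap == INVALID_HANDLE_VALUE)
    {
        return 0;
    }

    DWORD pid = 0;
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(pe);   // Process32First rejects an entry with a wrong dwSize
    if (Process32First(snap, &pe))
    {
        do
        {
            if (!_stricmp(pe.szExeFile, targetProcess))
            {
                pid = pe.th32ProcessID;
                break;
            }
        } while (Process32Next(snap, &pe));
    }

    CloseHandle(snap);   // single exit point: the snapshot is released on every path
    return pid;
}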

int main()
{
    // Binding a string literal to a non-const char * is deprecated in C++ and
    // ill-formed since C++11; const char * is the correct type for both.
    char * dllpath = "C:\\Users\\me\\Desktop\\dll.dll";
    char * processToInject = "csgo.exe";
    long pid = 0;   // GetPid returns DWORD; the types are mixed but the value fits
    // Busy-polls until a matching process exists. There is no timeout, so the
    // program spins forever if the target is never started.
    while (!pid)
    {
        pid = GetPid(processToInject);
        Sleep(10);
    }

    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
    if (hProc && hProc != INVALID_HANDLE_VALUE)
    {
            // Neither VirtualAllocEx nor WriteProcessMemory is checked: a NULL
            // loc would be handed straight to the remote thread. MAX_PATH is
            // larger than needed; strlen(dllpath) + 1 copies the terminator.
            void * loc = VirtualAllocEx(hProc, 0, MAX_PATH, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
            WriteProcessMemory(hProc, loc, dllpath, strlen(dllpath) + 1, 0);       
            // LoadLibraryA is passed directly instead of via GetProcAddress.
            // The thread handle is closed without checking it or waiting on the
            // thread, so a failed load is never observed by this program.
            HANDLE hThread = CreateRemoteThread(hProc, 0, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, loc, 0, 0);
            CloseHandle(hThread);
    }

    // Executed even when OpenProcess failed (hProc NULL or INVALID_HANDLE_VALUE);
    // the return value of CloseHandle is ignored.
    CloseHandle(hProc);
    return 0;
}