码迷,mamicode.com
首页 > 其他好文 > 详细

创建进程时注入DLL

时间:2014-05-01 20:05:48      阅读:400      评论:0      收藏:0      [点我收藏+]

标签:des   style   blog   class   code   java   tar   ext   javascript   color   get   

mamicode.com,码迷
#include "stdafx.h"
#include <Windows.h>

// 函数声明
typedef BOOL (WINAPI* Proc_CreateProcessW)(LPCWSTR lpApplicationName,
                       LPWSTR lpCommandLine,
                       LPSECURITY_ATTRIBUTES lpProcessAttributes,
                       LPSECURITY_ATTRIBUTES lpThreadAttributes,
                       BOOL bInheritHandles,
                       DWORD dwCreationFlags,
                       LPVOID lpEnvironment,
                       LPCWSTR lpCurrentDirectory,
                       LPSTARTUPINFOW lpStartupInfo,
                       LPPROCESS_INFORMATION lpProcessInformation);

typedef HMODULE (WINAPI* Func_LoadLibraryW)(LPCWSTR lpLibFileName);


BYTE* mov_eax_xx(BYTE* lpCurAddres, DWORD eax)
{
  *lpCurAddres = 0xB8;
  *(DWORD*)(lpCurAddres + 1) = eax;
  return lpCurAddres + 5;
}

BYTE* mov_ebx_xx(BYTE* lpCurAddres, DWORD ebx)
{
  *lpCurAddres = 0xBB;
  *(DWORD*)(lpCurAddres + 1) = ebx;
  return lpCurAddres + 5;
}

BYTE* mov_ecx_xx(BYTE* lpCurAddres, DWORD ecx)
{
  *lpCurAddres = 0xB9;
  *(DWORD*)(lpCurAddres + 1) = ecx;
  return lpCurAddres + 5;
}

BYTE* mov_edx_xx(BYTE* lpCurAddres, DWORD edx)
{
  *lpCurAddres = 0xBA;
  *(DWORD*)(lpCurAddres + 1) = edx;
  return lpCurAddres + 5;
}

BYTE* mov_esi_xx(BYTE* lpCurAddres, DWORD esi)
{
  *lpCurAddres = 0xBE;
  *(DWORD*)(lpCurAddres + 1) = esi;
  return lpCurAddres + 5;
}

BYTE* mov_edi_xx(BYTE* lpCurAddres, DWORD edi)
{
  *lpCurAddres = 0xBF;
  *(DWORD*)(lpCurAddres + 1) = edi;
  return lpCurAddres + 5;
}

BYTE* mov_ebp_xx(BYTE* lpCurAddres, DWORD ebp)
{
  *lpCurAddres = 0xBD;
  *(DWORD*)(lpCurAddres + 1) = ebp;
  return lpCurAddres + 5;
}

BYTE* mov_esp_xx(BYTE* lpCurAddres, DWORD esp)
{
  *lpCurAddres = 0xBC;
  *(DWORD*)(lpCurAddres + 1) = esp;
  return lpCurAddres + 5;
}

BYTE* mov_eip_xx(BYTE* lpCurAddres, DWORD eip, DWORD newEip)
{
  if ( !newEip )
  {
    newEip = (DWORD)lpCurAddres;
  }

  *lpCurAddres = 0xE9;
  *(DWORD*)(lpCurAddres + 1) = eip - (newEip + 5);
  return lpCurAddres + 5;
}

BYTE* push_xx(BYTE* lpCurAddres, DWORD dwAdress)
{

  *lpCurAddres = 0x68;
  *(DWORD*)(lpCurAddres + 1) = dwAdress;

  return lpCurAddres + 5;
}

BYTE* Call_xx(BYTE* lpCurAddres, DWORD eip, DWORD newEip)
{
  if ( !newEip )
  {
    newEip = (DWORD)lpCurAddres;
  }

  *lpCurAddres = 0xE8;
  *(DWORD*)(lpCurAddres + 1) = eip - (newEip + 5);
  return lpCurAddres + 5;
}

BOOL SuspendTidAndInjectCode(HANDLE hProcess, HANDLE hThread, DWORD dwFuncAdress, const BYTE * lpShellCode, size_t uCodeSize)
{
  SIZE_T NumberOfBytesWritten = 0;
  BYTE ShellCodeBuf[0x480];
  CONTEXT Context;
  DWORD flOldProtect = 0;
  LPBYTE lpCurESPAddress = NULL;
  LPBYTE lpCurBufAdress = NULL;
  BOOL bResult = FALSE;
  

  // 挂载起线程
  SuspendThread(hThread);

  memset(&Context,0,sizeof(Context));
  Context.ContextFlags = CONTEXT_FULL;

  if ( GetThreadContext(hThread, &Context))
  {
    // 在对方线程中开辟一个 0x480 大小的局部空
    lpCurESPAddress = (LPBYTE)((Context.Esp - 0x480) & 0xFFFFFFE0);
    
    // 获取指针 用指针来操作
    lpCurBufAdress = &ShellCodeBuf[0];

    if (lpShellCode)
    {
      memcpy(ShellCodeBuf + 128, lpShellCode, uCodeSize);
      lpCurBufAdress = push_xx(lpCurBufAdress, (DWORD)lpCurESPAddress + 128); // push
      lpCurBufAdress = Call_xx(lpCurBufAdress, dwFuncAdress, (DWORD)lpCurESPAddress + (DWORD)lpCurBufAdress - (DWORD)&ShellCodeBuf); //Call
    }

    lpCurBufAdress = mov_eax_xx(lpCurBufAdress, Context.Eax);
    lpCurBufAdress = mov_ebx_xx(lpCurBufAdress, Context.Ebx);
    lpCurBufAdress = mov_ecx_xx(lpCurBufAdress, Context.Ecx);
    lpCurBufAdress = mov_edx_xx(lpCurBufAdress, Context.Edx);
    lpCurBufAdress = mov_esi_xx(lpCurBufAdress, Context.Esi);
    lpCurBufAdress = mov_edi_xx(lpCurBufAdress, Context.Edi);
    lpCurBufAdress = mov_ebp_xx(lpCurBufAdress, Context.Ebp);
    lpCurBufAdress = mov_esp_xx(lpCurBufAdress, Context.Esp);
    lpCurBufAdress = mov_eip_xx(lpCurBufAdress, Context.Eip, (DWORD)lpCurESPAddress + (DWORD)lpCurBufAdress - (DWORD)&ShellCodeBuf);
    Context.Esp = (DWORD)(lpCurESPAddress - 4);
    Context.Eip = (DWORD)lpCurESPAddress;
    
    if ( VirtualProtectEx(hProcess, lpCurESPAddress, 0x480, PAGE_EXECUTE_READWRITE, &flOldProtect)
      && WriteProcessMemory(hProcess, lpCurESPAddress, &ShellCodeBuf, 0x480, &NumberOfBytesWritten)
      && FlushInstructionCache(hProcess, lpCurESPAddress, 0x480)
      && SetThreadContext(hThread, &Context) )
    {
      bResult = TRUE;
    }

  }
  
  // 回复线程
  ResumeThread(hThread);

  return TRUE;
}

DWORD GetFuncAdress()
{
  return (DWORD)GetProcAddress(GetModuleHandleA("Kernel32"), "LoadLibraryW");
}

BOOL WINAPI CreateProcessWithDllW(  LPCWSTR lpApplicationName,
                  LPWSTR lpCommandLine,
                  LPSECURITY_ATTRIBUTES lpProcessAttributes,
                  LPSECURITY_ATTRIBUTES lpThreadAttributes,
                  BOOL bInheritHandles,
                  DWORD dwCreationFlags,
                  LPVOID lpEnvironment,
                  LPCWSTR lpCurrentDirectory,
                  LPSTARTUPINFOW lpStartupInfo,
                  LPPROCESS_INFORMATION lpProcessInformation,
                  LPWSTR lpDllFullPath,
                  Proc_CreateProcessW FuncAdress
                  )
{
  BOOL bResult = FALSE;
  size_t uCodeSize = 0;
  DWORD dwCreaFlags;
  PROCESS_INFORMATION pi;
  ZeroMemory( &pi, sizeof(pi) );

  if (FuncAdress == NULL)
  {
    FuncAdress = CreateProcessW;
  }
  

  // 设置创建就挂起进程
  dwCreaFlags = dwCreationFlags | CREATE_SUSPENDED;
  if (CreateProcessW(lpApplicationName, 
            lpCommandLine, 
            lpProcessAttributes, 
            lpThreadAttributes, 
            bInheritHandles, 
            dwCreaFlags, 
            lpEnvironment,
            lpCurrentDirectory,
            lpStartupInfo,
            &pi
           ))
  {
    if ( lpDllFullPath )
      uCodeSize = 2 * wcslen(lpDllFullPath) + 2;
    else
      uCodeSize = 0;

    // 得到LoadLibraryW 的地址
    DWORD dwLoadDllProc = GetFuncAdress();

    // 挂起线程 写入Shellcode
    if (SuspendTidAndInjectCode(pi.hProcess, pi.hThread, dwLoadDllProc, (BYTE*)lpDllFullPath, uCodeSize))
    {
      if ( lpProcessInformation )
        memcpy(lpProcessInformation, &pi, sizeof(PROCESS_INFORMATION));

      if ( !(dwCreationFlags & CREATE_SUSPENDED) )
        ResumeThread(pi.hThread);

      bResult = TRUE;
    }
  }

  return bResult;
}


int _tmain(int argc, _TCHAR* argv[])
{  
  WCHAR wszPath[] = L"D:\\TestCreateProcessWithDll.exe";
  WCHAR wszDll[] = L"D:\\SampleDLL.dll";

  STARTUPINFOW si;
  PROCESS_INFORMATION pi;
  
  ZeroMemory( &si, sizeof(si) );
  si.cb = sizeof(si);
  ZeroMemory( &pi, sizeof(pi) );
  CreateProcessWithDllW(NULL, wszPath, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi, wszDll, NULL);

  return 0;
}
mamicode.com,码迷

 

创建进程时注入DLL,码迷,mamicode.com

创建进程时注入DLL

标签:des   style   blog   class   code   java   tar   ext   javascript   color   get   

原文地址:http://www.cnblogs.com/icew4y/p/3702739.html
(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
分享档案
更多>
2021年07月29日 (22)
2021年07月28日 (40)
2021年07月27日 (32)
2021年07月26日 (79)
2021年07月23日 (29)
2021年07月22日 (30)
2021年07月21日 (42)
2021年07月20日 (16)
2021年07月19日 (90)
2021年07月16日 (35)
周排行
mamicode.com排行更多图片
更多
友情链接
兰亭集智   国之画   百度统计   站长统计   阿里云   chrome插件   新版天听网
关于我们 - 联系我们 - 留言反馈
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!