使用远程线程注入DLL

2025-07-27 12:55:38

使用远程线程注入DLL

总览

注入

  1. OpenProcess()
  2. VirtualAllocEx()
  3. WriteProcessMemory()
  4. GetProcAddress() -> LoadLibrary
  5. CreateRemoteThread() -> LoadLibrary() -> DLLMain()

注出

  1. CreateToolhelp32Snapshot()
  2. Module32FirstW / Module32NextW
  3. OpenProcess()
  4. GetProcAddress() -> FreeLibrary
  5. CreateRemoteThread() -> FreeLibrary()

注入

// Loads the DLL at `path` into process `pid`: a copy of `path` is written into
// the target's address space and a remote thread is started at LoadLibraryW
// with that copy as its argument. Returns once the remote thread has finished.
//
// NOTE(review): identifiers in this listing look mangled by page extraction
// (characters dropped from several Win32 names/constants); it will not compile
// as shown. The code is left byte-identical here.
// NOTE(review): from a defender's view the observable sequence is a cross-process
// OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx -> WriteProcessMemory ->
// CreateRemoteThread whose start address is LoadLibraryW; process-handle and
// remote-thread telemetry (ETW / EDR) is where this pattern is typically caught.
//
// @param pid   target process id
// @param path  wide-character path of the DLL to load in the target
// @return TRUE when the remote thread was created and ran to completion; FALSE
//         on any earlier failure. The value does NOT reflect whether
//         LoadLibraryW itself succeeded: the thread's exit code (the HMODULE)
//         is never read.
BOOL WIAPI injectLibW(DWORD pid, PCWSTR path) {
	BOOL bRet = FALSE;
	HADLE hProcess = ULL, hThread = ULL;
	PCWSTR pszLibFileRemote = ULL;
	CString test;	// only used to format GetLastError() for a debug message box

	// The commented-out mask below is the narrower, least-privilege set this
	// routine needs (query, create-thread, vm-operation, vm-write); the live
	// call asks for PROCESS_ALL_ACCESS instead, which is broader than required.
	//hProcess = OpenProcess(
	//	PROCESS_QUERY_IFORMATIO |
	//	PROCESS_CREATE_THREAD |
	//	PROCESS_VM_OPERATIO |
	//	PROCESS_VM_WRITE,
	//	FALSE,
	//	pid
	//);
	hProcess = OpenProcess(
		PROCESS_ALL_ACCESS,
		FALSE,
		pid);
	if (hProcess == ULL)	return FALSE;
	// Byte size of the path including its terminator, for the remote copy.
	int pathLen = lstrlenW(path) + 1;
	int pathByteum = pathLen * sizeof(wchar_t);

	// Reserve a committed, writable buffer in the target for the path string.
	pszLibFileRemote = (PCWSTR)VirtualAllocEx(hProcess, ULL, pathByteum, MEM_COMMIT, PAGE_READWRITE);
	// NOTE(review): the two early returns below leak hProcess (and, on the
	// second one, the remote allocation) -- cleanup only runs on the success path.
	if (pszLibFileRemote == ULL)	return FALSE;
	if (!WriteProcessMemory(hProcess, (LPVOID)pszLibFileRemote, path, pathByteum, ULL))	return FALSE;
	// Resolve LoadLibraryW in *this* process and reuse the address remotely.
	// NOTE(review): this only works if the kernel module is mapped at the same
	// base in both processes (e.g. same bitness) -- confirm for the target.
	PTHREAD_START_ROUTIE pLoadLib = (PTHREAD_START_ROUTIE)GetProcAddress(GetModuleHandle(_T("Kernel2")), "LoadLibraryW");
	if (pLoadLib == ULL)	return FALSE;	// NOTE(review): also leaks hProcess and the remote buffer
	AfxMessageBox(_T("OK"));	// debug popup; blocks until dismissed
	// The remote buffer is passed as the single argument to LoadLibraryW.
	// NOTE(review): the argument is cast to a thread-routine type although
	// CreateRemoteThread's lpParameter is LPVOID; a plain LPVOID cast is what
	// is meant here.
	hThread = CreateRemoteThread(hProcess, ULL, 0,
		pLoadLib,
		(LPTHREAD_START_ROUTIE)pszLibFileRemote,
		0,
		ULL);
	if (hThread == ULL) {
		test.Format(_T("%d"), GetLastError());	// show the numeric error code
		AfxMessageBox(test);
		return FALSE;	// NOTE(review): leaks hProcess and the remote buffer
	}
	AfxMessageBox(_T("OK"));	// debug popup; blocks until dismissed
	// Block until the remote thread (i.e. the LoadLibraryW call) returns.
	// No timeout: a hung loader would hang this caller too.
	WaitForSingleObject(hThread, IFIITE);

	bRet = TRUE;	// set regardless of LoadLibraryW's result (exit code not read)


	// Release the remote buffer and both handles -- only reached on success.
	if (pszLibFileRemote != ULL)
	{
		VirtualFreeEx(hProcess, (LPVOID)pszLibFileRemote, 0, MEM_RELEASE);
	}
	if (hThread != ULL)
	{
		CloseHandle(hThread);
	}
	if (hProcess != ULL)
	{
		CloseHandle(hProcess);
	}

	return bRet;
}

// ANSI wrapper: widens `path` into a stack buffer and forwards to injectLibW.
//
// NOTE(review): the widening looks unreliable -- `size` excludes the
// terminator and _alloca(size * sizeof(wchar_t)) yields only `size` wide
// characters, so StringCchPrintfW (whose second argument is a count in
// characters) has no room for the last character plus terminator and will
// truncate. In addition, L"%s" with a narrow `path` argument is a narrow/wide
// format mismatch under MSVC/strsafe conventions (where %s in a wide format
// expects a wide string) -- confirm before relying on this path conversion.
// _alloca on an unbounded caller-supplied length is also a stack-exhaustion risk.
//
// @param pid   target process id
// @param path  narrow path of the DLL to load
// @return whatever injectLibW returns for the converted path
BOOL WIAPI injectLibA(DWORD pid, PCSTR path) {
	SIZE_T size = lstrlenA(path);	// character count, terminator excluded
	PWSTR pathw = (PWSTR)_alloca(size * sizeof(wchar_t));	// stack buffer of `size` wchar_t
	StringCchPrintfW(pathw, size, L"%s", path);	// cchDest == size, see note above
	return injectLibW(pid, pathw);
}

注出

// Unloads the module matching `path` (by bare module name or full path) from
// process `pid` by running FreeLibrary on a remote thread.
//
// NOTE(review): identifiers in this listing look mangled by page extraction,
// and the CreateRemoteThread call below has an empty argument slot where the
// thread parameter belongs, so it cannot compile as shown. Code left as-is.
//
// @param pid   target process id
// @param path  module name or full on-disk path, compared case-insensitively
// @return TRUE after the remote FreeLibrary thread finished; FALSE when the
//         module is not loaded in the target or any step failed. FreeLibrary's
//         own result is never read (thread exit code ignored), and FreeLibrary
//         only decrements the load count, so a module loaded more than once may
//         remain mapped -- confirm that is acceptable.
BOOL WIAPI unInjectLibW(DWORD pid, PCWSTR path) {
	BOOL bRet = FALSE;
	HADLE hSnapshot = ULL;
	HADLE hProcess = ULL, hThead = ULL;

	// Enumerate the target's loaded modules to find the one to unload.
	hSnapshot = CreateToolhelp2Snapshot(TH2CS_SAPMODULE, pid);
	if (hSnapshot == ULL) return FALSE;
	MODULEETRY2W me = { sizeof(me) };	// dwSize must be set before the first enumeration call
	BOOL bFound = FALSE;
	BOOL bMoreMods = Module2FirstW(hSnapshot, &me);
	for (;bMoreMods;bMoreMods = Module2extW(hSnapshot, &me))
	{
		// Match on either the bare module name or its full path.
		bFound = (_wcsicmp(me.szModule, path) == 0 || _wcsicmp(me.szExePath, path) == 0);
		if (bFound)
		{
			break;
		}
	}
	if (!bFound) {
		// User-facing text (appears garbled by extraction); left unchanged.
		// NOTE(review): returns without closing hSnapshot.
		AfxMessageBox(L"到到你要卸载的dll");
		return FALSE;
	}

	// NOTE(review): the OpenProcess result is never checked for NULL before it
	// is handed to CreateRemoteThread below. PROCESS_ALL_ACCESS is also broader
	// than the create-thread / query rights this path needs.
	hProcess = OpenProcess(
		PROCESS_ALL_ACCESS,
		FALSE,
		pid
	);

	// Resolve FreeLibrary in this process and reuse the address remotely
	// (assumes the same module base in both processes -- confirm for the target).
	PTHREAD_START_ROUTIE psrThread = (PTHREAD_START_ROUTIE)GetProcAddress(GetModuleHandle(TEXT("Kernel2")), "FreeLibrary");
	if (psrThread == ULL)
	{
		AfxMessageBox(L"freelibrary失败");	// "freelibrary failed"
		return FALSE;	// NOTE(review): leaks hSnapshot and hProcess
	}
	// The thread-parameter slot is empty here: nothing from the located module
	// entry `me` is passed, so what FreeLibrary receives is unspecified.
	hThead = CreateRemoteThread(hProcess, ULL, 0, psrThread, , 0, ULL);
	if (hThead == ULL)
	{
		AfxMessageBox(L"CreateRemoteThread失败");	// "CreateRemoteThread failed"
		return FALSE;	// NOTE(review): leaks hSnapshot and hProcess
	}
	// Block until the remote FreeLibrary call returns; no timeout.
	WaitForSingleObject(hThead, IFIITE);
	bRet = TRUE;	// set regardless of FreeLibrary's result
	// Handle cleanup -- only reached on the success path.
	if (hSnapshot != ULL)
	{
		CloseHandle(hSnapshot);
	}
	if (hThead != ULL)
	{
		CloseHandle(hThead);
	}
	if (hProcess != ULL)
	{
		CloseHandle(hProcess);
	}

	return bRet;

}