给注入explorer.exe的dll添加上开机自动启动的功能

给注入explorer.exe的dll添加上开机自动启动的功能

在此处我们通过写注册表的方式进行开机启动

// Registers this executable under HKLM\...\CurrentVersion\Run so it is started
// at every logon. The write targets HKEY_LOCAL_MACHINE with KEY_ALL_ACCESS, so
// the calling process normally needs administrative rights for the open to
// succeed. Failures are only printed to stdout; the caller gets no result.
// Detection note: a new value under this Run key is one of the most commonly
// audited persistence artifacts; registry value-set telemetry (e.g. Sysmon
// event 13) and autorun auditing surface it directly.
void AutoRunFun()
{
	TCHAR szFullPath[MAX_PATH + 1] = { 0 };// buffer receiving the path of the current executable
	GetModuleFileName(NULL,szFullPath,MAX_PATH);// NULL module handle: path of this process's own .exe
	LPCTSTR lpSubKey = _T("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run");// per-machine Run key (relative to HKLM)
	HKEY hKey;// receives the opened key handle
	REGSAM flag = KEY_WOW64_64KEY;// the author's system is 64-bit Win7, so the 64-bit registry view is opened; use KEY_WOW64_32KEY for the 32-bit view
	LONG lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, lpSubKey, 0, KEY_ALL_ACCESS | flag, &hKey);// open the key; KEY_ALL_ACCESS is broader than the single value write below needs
	// check whether the open failed
	if (ERROR_SUCCESS != lRet)
	{
		cout << "RegOpenKeyEx fail!" << endl;
		return;
	}
	// write the REG_SZ value "TEST" = <own path>
	// NOTE(review): RegSetValueEx documents cbData as a byte count that includes the
	// terminating null, whereas wcslen() yields a character count. hKey is also
	// never closed with RegCloseKey on either return path, so the handle leaks.
	lRet = RegSetValueEx(hKey, TEXT("TEST"), 0, REG_SZ, LPBYTE(szFullPath), wcslen(szFullPath));
	if (ERROR_SUCCESS != lRet)
	{
		cout << "no cheng gong2";
		return;
	}
	return;
}

结果我们的整个程序代码如下:

#include 
#include 
#include 
#include 

using namespace std;
bool RemoteThreadInject(SIZE_T dwPid);
SIZE_T GetProcessIdByName(LPCTSTR pszExeFile);
void AutoRunFun();
// Entry point: registers this executable for autostart, looks up explorer.exe
// and injects the DLL into it. AutoRunFun() is called twice (before and after
// the injection); the second call rewrites the same registry value and is
// redundant. The bool returned by RemoteThreadInject is ignored, as is a pid
// of 0 from a failed lookup.
int main()
{
	SIZE_T pid;
	AutoRunFun();
	pid = GetProcessIdByName(L"explorer.exe");// look up the explorer.exe process id (0 when not found; passed on unchecked)
	RemoteThreadInject(pid);// inject the DLL into explorer.exe so it keeps running for as long as explorer.exe does
	// autostart registration (duplicate of the call above)
	AutoRunFun();
}
// Registers this executable under HKLM\...\CurrentVersion\Run so it is started
// at every logon. The write targets HKEY_LOCAL_MACHINE with KEY_ALL_ACCESS, so
// the calling process normally needs administrative rights for the open to
// succeed. Failures are only printed to stdout; the caller gets no result.
// Detection note: a new value under this Run key is one of the most commonly
// audited persistence artifacts; registry value-set telemetry (e.g. Sysmon
// event 13) and autorun auditing surface it directly.
// (The original comment here described GetProcessIdByName, which is defined below.)
void AutoRunFun()
{
	// path of this process's own executable (NULL module handle)
	TCHAR szFullPath[MAX_PATH + 1] = { 0 };
	GetModuleFileName(NULL, szFullPath, MAX_PATH);
	LPCTSTR lpSubKey = _T("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run");// per-machine Run key (relative to HKLM)
	HKEY hKey;// receives the opened key handle
	REGSAM flag = KEY_WOW64_64KEY;// the author's system is 64-bit Win7, so the 64-bit registry view is opened; use KEY_WOW64_32KEY for the 32-bit view
	LONG lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, lpSubKey, 0, KEY_ALL_ACCESS | flag, &hKey);// KEY_ALL_ACCESS is broader than the single value write below needs

	if (ERROR_SUCCESS != lRet)
	{
		cout << "RegOpenKeyEx fail!" << endl;
		return;
	}
	// write the REG_SZ value "TEST" = <own path>
	// NOTE(review): RegSetValueEx documents cbData as a byte count that includes the
	// terminating null, whereas wcslen() yields a character count. hKey is also
	// never closed with RegCloseKey on either return path, so the handle leaks.
	lRet = RegSetValueEx(hKey, TEXT("TEST"), 0, REG_SZ, LPBYTE(szFullPath), wcslen(szFullPath));
	if (ERROR_SUCCESS != lRet)
	{
		cout << "no cheng gong2";
		return;
	}
	return;
}
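// Returns the process id of the first running process whose executable name
// equals pszExeFile (case-insensitive, lstrcmpi), or 0 when no process
// matches or the Toolhelp snapshot cannot be taken.
SIZE_T GetProcessIdByName(LPCTSTR pszExeFile)
{
	SIZE_T nProcessID = 0;
	PROCESSENTRY32 pe = { sizeof(PROCESSENTRY32) };
	// TH32CS_SNAPALL is kept from the original; TH32CS_SNAPPROCESS would be
	// enough for a process-only walk.
	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0);
	if (hSnapshot == INVALID_HANDLE_VALUE)
	{
		return nProcessID;
	}
	// Process32First already yields the first entry, so it must be compared
	// too: the original loop only compared entries returned by Process32Next
	// and silently skipped the first process in the snapshot.
	if (Process32First(hSnapshot, &pe))
	{
		do
		{
			if (lstrcmpi(pszExeFile, pe.szExeFile) == 0)
			{
				nProcessID = pe.th32ProcessID;
				break;
			}
		} while (Process32Next(hSnapshot, &pe));
	}
	CloseHandle(hSnapshot);
	return nProcessID;
}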
// Loads the DLL at the hard-coded absolute path into the process dwPid by
// allocating a buffer there, copying the path in and starting a remote thread
// at LoadLibrary. Returns false when the allocation or the write fails, true
// otherwise; the remote thread's own exit code is never inspected, so "true"
// does not mean the DLL actually loaded.
// Detection note: OpenProcess with PROCESS_ALL_ACCESS on a foreign process
// followed by WriteProcessMemory and CreateRemoteThread is the classic
// remote-thread injection pattern that EDR products and Sysmon (event 8,
// CreateRemoteThread) report.
bool RemoteThreadInject(SIZE_T dwPid)
{
	//1. open the target process by PID
	// NOTE(review): hProcess is neither checked for NULL nor ever closed, so a
	// failed OpenProcess (e.g. dwPid == 0 from a failed lookup) only shows up
	// when the later calls fail, and the handle leaks on every path.
	HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, dwPid);
	//2. allocate memory in the target for the DLL path; the path must be absolute
	// nLen is the size in bytes of the wide string including its terminator.
	int nLen = sizeof(WCHAR) * (wcslen(L"F:\\win\\InjectionDll\\x64\\Release\\InjectionDll.dll") + 1);
	LPVOID pBuf = VirtualAllocEx(hProcess, NULL, nLen, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
	if (!pBuf)
	{
		printf("申请内存失败!\n");
		return false;
	}
	//3. copy the path into the remote buffer
	SIZE_T dwWrite = 0;
	if (!WriteProcessMemory(hProcess, pBuf, L"F:\\win\\InjectionDll\\x64\\Release\\InjectionDll.dll", nLen, &dwWrite))
	{
		printf("写入内存失败!\n");
		return false;// pBuf stays allocated in the target on this path
	}
	//4. start a remote thread whose entry point is LoadLibrary, with the path buffer as its argument
	// (C-style cast; LoadLibrary is a macro, and given the wide strings used
	// throughout this file it presumably resolves to LoadLibraryW — TODO confirm)
	HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, NULL,
		(LPTHREAD_START_ROUTINE)LoadLibrary, pBuf, 0, 0);
	//5. wait for the thread to finish, then release resources
	// -1 converts to INFINITE for the DWORD timeout; hRemoteThread is not NULL-checked.
	WaitForSingleObject(hRemoteThread, -1);
	CloseHandle(hRemoteThread);
	// NOTE(review): MEM_FREE is a page-state flag, not a VirtualFreeEx free type
	// (those are MEM_RELEASE / MEM_DECOMMIT); the return value is unchecked, so
	// the buffer most likely stays allocated in the target.
	VirtualFreeEx(hProcess, pBuf, 0, MEM_FREE);
	return true;
}
