CreateProcess插入DLL的方法

 

#include <stdio.h>

#include <stddef.h>

#include <windows.h>

#pragma comment(lib, "ImageHlp.lib")

#pragma pack (push ,1)    // byte-pack the stub layout below: each field is one x86 opcode slot or one immediate operand

// Image of the code stub that the injecting side places at the target's entry
// point. The field names describe the instruction each slot is meant to hold
// (pushad / push imm32 / mov eax,imm32 / call eax / mov eax,imm32 / jmp eax);
// the actual opcode bytes are not assigned anywhere on this page. Only the
// jmp_MOVEAX..jmp_eax fields are touched here (InitApiSpy, DoJmpEntryPoint).
typedef struct
{
BYTE int_PUSHAD;      // 1-byte opcode slot
BYTE int_PUSH;        // 1-byte opcode slot
DWORD push_Value;     // 4-byte immediate; presumably the address of szDLL below -- not visible here
BYTE int_MOVEAX;      // 1-byte opcode slot

DWORD eax_Value;      // 4-byte immediate loaded into eax before call_eax

WORD call_eax;        // 2-byte opcode slot

BYTE jmp_MOVEAX;      // 1-byte opcode slot; its offset is the patch point used by InitApiSpy and DoJmpEntryPoint
DWORD jmp_Value;      // 4-byte immediate (the 7 bytes jmp_MOVEAX..jmp_eax are what InitApiSpy rewrites)
WORD jmp_eax;         // 2-byte opcode slot

char szDLL[MAX_PATH]; // DLL path placed directly after the code
}INJECT_LOADLIBRARY_CODE, *LPINJECT_CODE, INJECT_CODE;
#pragma pack (pop , 1)  // NOTE(review): with MSVC, pack(pop, n) pops the record and then sets n as the new packing, so 1-byte packing stays in effect for the rest of this file; plain pack(pop) is probably what was intended

// Block read by InitApiSpy from the named file mapping "MyDllMapView"
// (presumably created by the injecting side): where the stub was written in
// this process and which bytes it replaced, so the entry point can be restored.
typedef struct
{
LPBYTE lpEntryPoint;     // address in this process where the stub overwrote the original entry code
BYTE   oldcode[sizeof(INJECT_CODE)];// the original bytes; InitApiSpy writes all of them back over lpEntryPoint
}SPY_MEM_SHARE, * LPSPY_MEM_SHARE;

// State filled in by InitApiSpy and consumed by the naked DoJmpEntryPoint.
// Addresses are kept as DWORD, so this only fits a 32-bit process.
typedef struct
{
DWORD lpEntryPoint;  // original entry point; target of the final jmp in DoJmpEntryPoint
DWORD OldAddr;       // address of the stub's jmp_MOVEAX field (the patch point)
DWORD OldCode[4];    // original bytes at OldAddr; only [0] and [1] (8 bytes) are ever filled and restored
}JMP_CODE, *LPJMP_CODE;
static JMP_CODE _lpCode;  // file-scope, presumably so the inline asm in DoJmpEntryPoint can reference it directly

// Tail of the entry-point stub: put back the 8 bytes that InitApiSpy patched
// at the stub's jmp_MOVEAX field, balance the pushad the stub starts with,
// and continue at the original entry point. Control arrives here through the
// "mov eax, DoJmpEntryPoint; jmp eax" sequence InitApiSpy wrote, not through a
// normal call. x86-32 only (_asm, popad, DWORD-sized addresses).
// NOTE(review): __declspec(naked) suppresses the prolog/epilog, yet locals are
// declared and used below; how the compiler addresses them without a frame is
// not visible on this page -- confirm against the generated code.
// Neither VirtualProtect result is checked.
void __declspec(naked)DoJmpEntryPoint()
{
DWORD *_glpMovEax;
WORD *_GlpJmp;   // unused; also a reserved identifier (leading underscore + uppercase)
DWORD _gfNew;
DWORD _gfOld;

// Make the patch point writable, restore OldCode[0..1] -- 8 bytes covering
// jmp_MOVEAX, jmp_Value, jmp_eax (7 bytes) and the first byte of szDLL --
// then put the previous protection back.
_gfNew = PAGE_READWRITE;
_glpMovEax = (DWORD*)_lpCode.OldAddr;
VirtualProtect(_glpMovEax, 2*sizeof(DWORD), _gfNew, &_gfOld);
*_glpMovEax = _lpCode.OldCode[0];
*(_glpMovEax + 1) = _lpCode.OldCode[1];
VirtualProtect(_glpMovEax, 2*sizeof(DWORD), _gfOld, &_gfNew);

// Undo the stub's pushad, then jump to the original entry point through the
// DWORD held in _lpCode.lpEntryPoint.
_asm       popad
_asm       jmp _lpCode.lpEntryPoint

}


// Runs from DllMain(DLL_PROCESS_ATTACH), i.e. while the host's entry-point stub
// is still inside its LoadLibrary call. Reads the SPY_MEM_SHARE block from the
// named mapping "MyDllMapView", writes the saved original bytes back over the
// entry point, then re-patches the 7 bytes at the stub's jmp_MOVEAX field with
// "mov eax, DoJmpEntryPoint; jmp eax" so that, once the stub resumes, control
// passes through DoJmpEntryPoint (which finishes the restore) into the real
// entry point. Always returns TRUE.
// Detection note: a module that opens a fixed-name section and rewrites its
// host's entry point during process attach is the observable shape of this
// technique; both the mapping name and the entry-point write are artifacts.
// NOTE(review): if OpenFileMapping or MapViewOfFile fails, lpByte is never
// assigned and the VirtualProtect/write sequence at the bottom dereferences an
// indeterminate pointer (undefined behaviour). rc is assigned but never
// checked, and no VirtualProtect result is checked.
BOOL WINAPI InitApiSpy()
{
HANDLE    hMap;
LPSPY_MEM_SHARE lpMem;
DWORD    dwSize;   // bytes written by WriteProcessMemory; output only
BOOL    rc;        // WriteProcessMemory result; assigned, never read
BYTE    *lpByte;   // address of the stub's jmp_MOVEAX field; set only on the success path

// Open the mapping the injecting side is expected to have created.
hMap = OpenFileMapping(FILE_MAP_ALL_ACCESS, 0, "MyDllMapView");
if(hMap)
{
   lpMem = (LPSPY_MEM_SHARE)MapViewOfFile(hMap, FILE_MAP_ALL_ACCESS, 0, 0, 0);
   if(lpMem)
   {
    // Record for DoJmpEntryPoint where the patch point is (the stub's
    // jmp_MOVEAX field) and where the original entry point is.
    _lpCode.OldAddr = (DWORD)((BYTE*)lpMem->lpEntryPoint + offsetof(INJECT_CODE, jmp_MOVEAX));
    _lpCode.lpEntryPoint = (DWORD)lpMem->lpEntryPoint;

    // Keep the 8 original bytes at the patch point so DoJmpEntryPoint can put
    // them back after the second patch below.
    memcpy(&_lpCode.OldCode, (BYTE*)lpMem->oldcode + offsetof(INJECT_CODE, jmp_MOVEAX), 2*sizeof(DWORD));

    // Write the whole saved block back over this process's entry point
    // (WriteProcessMemory against the current process handle).
    rc = WriteProcessMemory(GetCurrentProcess(), lpMem->lpEntryPoint, lpMem->oldcode, sizeof(INJECT_CODE), &dwSize);
    lpByte = (BYTE*)lpMem->lpEntryPoint + offsetof(INJECT_CODE, jmp_MOVEAX);
    UnmapViewOfFile(lpMem);
   }
   CloseHandle(hMap);
}

BYTE *lpMovEax;
DWORD *lpMovEaxValu;
WORD *lpJmp;
DWORD fNew;
DWORD fOld;

// Second patch at the stub's jmp_MOVEAX field: B8 imm32 (mov eax,
// DoJmpEntryPoint) followed by FF E0 (jmp eax). 8 bytes are made writable
// for the 7 bytes written. (DWORD)&DoJmpEntryPoint truncates the pointer,
// so this is x86-32 only.
fNew = PAGE_READWRITE;
lpMovEax = lpByte;
VirtualProtect(lpMovEax, 2*sizeof(DWORD), fNew, &fOld);
*lpMovEax = 0xB8;
lpMovEaxValu = (DWORD*)(lpMovEax + 1);
*lpMovEaxValu = (DWORD)&DoJmpEntryPoint;
lpJmp = (WORD*)(lpMovEax + 5);
*lpJmp = 0xE0FF; // (FF E0): little-endian WORD, so the bytes land in memory as FF E0
VirtualProtect(lpMovEax, 2*sizeof(DWORD), fOld, &fNew);

// Hook point left by the author for a custom function ("do whatever you want").
//MyFunc();

return TRUE;
}

// DLL entry point. On DLL_PROCESS_ATTACH it hands off to InitApiSpy()
// (which always returns TRUE on this page); every other reason code is a
// no-op that reports success. Returning FALSE from a process-attach call
// would make the host's LoadLibrary fail.
BOOL APIENTRY DllMain( HANDLE hInstance,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved)
{
    (void)hInstance;
    (void)lpReserved;

    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        return InitApiSpy();
    default:
        return TRUE;
    }
}
