#include <windows.h>
#include <imagehlp.h>
#include <tchar.h>
#include <stdio.h>
#pragma comment(lib, "ImageHlp.lib")
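#pragma pack (push ,1)
/*
 * Stub that jet() writes byte-for-byte over the target's entry point.
 * Field order *is* the machine code, hence the 1-byte packing. The bytes are
 * 32-bit x86 and decode as:
 *   60              pushad
 *   68 imm32        push  <address of szDLL inside the target>
 *   B8 imm32        mov   eax, LoadLibraryA
 *   FF D0           call  eax
 *   B8 imm32        mov   eax, <jump target>
 *   FF E0           jmp   eax
 *   szDLL           NUL-terminated ANSI path handed to LoadLibraryA
 * The WORD fields hold the two-byte opcodes in little-endian order, so
 * 0xD0FF lands in memory as FF D0. Note that there is no popad: whatever the
 * final jmp reaches runs with ESP 32 bytes below its normal value.
 */
typedef struct
{
    BYTE  int_PUSHAD;        /* 0x60 */
    BYTE  int_PUSH;          /* 0x68 */
    DWORD push_Value;        /* &szDLL in the target's address space */
    BYTE  int_MOVEAX;        /* 0xB8 */
    DWORD eax_Value;         /* address of LoadLibraryA */
    WORD  call_eax;          /* 0xD0FF */
    BYTE  jmp_MOVEAX;        /* 0xB8 */
    DWORD jmp_Value;         /* address the stub jumps to after LoadLibraryA */
    WORD  jmp_eax;           /* 0xE0FF */
    char  szDLL[MAX_PATH];   /* DLL path string */
} INJECT_LOADLIBRARY_CODE, *LPINJECT_CODE, INJECT_CODE;
/*
 * Plain pop. The original "pack(pop, 1)" pops the record and then sets the
 * packing back to 1 (MSVC semantics of pack(pop, n)), which silently applied
 * 1-byte packing to every struct declared after this point.
 */
#pragma pack (pop)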
/*
 * Layout of the "MyDllMapView" shared section jet() fills in before the
 * target is resumed: where the stub was written and what was there before,
 * so that whoever opens the mapping (presumably the injected DLL) can put the
 * original bytes back. The mapping is created with a NULL security
 * descriptor, so any process in the session can open and modify it.
 */
typedef struct
{
LPBYTE lpEntryPoint; // entry-point address of the target process (where the stub was written)
BYTE oldcode[sizeof(INJECT_CODE)];// the target's original bytes at that address, saved before patching
}SPY_MEM_SHARE, * LPSPY_MEM_SHARE;
/*
 * JMP_CODE and _lpCode are not referenced anywhere in this file's visible
 * code; they look like a leftover of an earlier patching scheme that saved
 * four DWORDs of original code instead of a whole INJECT_CODE. Kept as-is in
 * case something outside this view expects the type - TODO confirm before
 * removing. (_lpCode is file-scope, so only this translation unit can use it.)
 */
typedef struct
{
DWORD lpEntryPoint; /* entry-point address (unused here) */
DWORD OldAddr;      /* unused here */
DWORD OldCode[4];   /* unused here */
}JMP_CODE, *LPJMP_CODE;
static JMP_CODE _lpCode; /* unused in this file */
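/*
 * Look up the entry point of the PE32 image `filename` from its headers.
 *
 * Returns ImageBase + AddressOfEntryPoint as recorded in the file, or NULL if
 * the file cannot be loaded, is not a PE32 (32-bit) image, or declares no
 * entry point. Only PE32 is accepted because the stub jet() injects is x86
 * and the addresses it embeds are DWORDs.
 *
 * Caveat: this is the *preferred* address. It matches the live process only
 * if the loader mapped the image at ImageBase (no ASLR relocation / base
 * conflict); jet() relies on that. Reading the real base from the suspended
 * process's PEB would remove the assumption.
 */
LPBYTE GetExeEntryPoint(char *filename)
{
    PLOADED_IMAGE pImage;
    ULONG_PTR entry = 0;

    if (filename == NULL)
        return NULL;

    pImage = ImageLoad(filename, NULL);
    if (pImage == NULL)
        return NULL;

    if (pImage->FileHeader != NULL &&
        pImage->FileHeader->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC &&
        pImage->FileHeader->OptionalHeader.AddressOfEntryPoint != 0)
    {
        /* ULONG_PTR arithmetic so the sum is not truncated through a DWORD
         * if this file is ever built for 64-bit. */
        entry = (ULONG_PTR)pImage->FileHeader->OptionalHeader.ImageBase
              + pImage->FileHeader->OptionalHeader.AddressOfEntryPoint;
    }

    ImageUnload(pImage);
    return (LPBYTE)entry;
}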
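/*
 * Start szRunFile suspended, overwrite its entry point with an x86 stub that
 * calls LoadLibraryA(szMyDll), publish the original entry-point bytes in the
 * "MyDllMapView" shared mapping, and resume the process.
 *
 * szRunFile  command line of the image to start (CreateProcessA search order).
 * szMyDll    ANSI path of the DLL the target will LoadLibraryA(). It is
 *            resolved by the *target's* DLL search order, so a bare name like
 *            "inet.dll" can be satisfied by a same-named DLL earlier in that
 *            order - pass an absolute path. Must be shorter than MAX_PATH.
 * Returns TRUE once the patched process has been resumed, FALSE otherwise.
 * On failure the suspended target is terminated instead of being left
 * hanging, and the mapping is closed.
 *
 * Assumptions carried over from the original design:
 *  - 32-bit build and 32-bit target: the stub is x86 and addresses are DWORDs.
 *  - GetExeEntryPoint() returns the file header's preferred VA; if the loader
 *    relocated the image (ASLR / base conflict) the stub is written to the
 *    wrong place.
 *  - kernel32.dll is mapped at the same base in every process of the
 *    session, so LoadLibraryA's address resolved here is valid in the target.
 *  - "MyDllMapView" is created with a NULL security descriptor and a
 *    session-global name; any process in the session can open it and alter
 *    lpEntryPoint/oldcode before the DLL reads them.
 *  - The mapping handle is deliberately NOT closed on success so the DLL can
 *    open it by name; it lives as long as this process does.
 *  - After LoadLibraryA returns, the stub jumps to the entry point. That only
 *    re-runs the original program if the DLL has restored the saved bytes in
 *    the meantime (the original code left jmp_Value uninitialised) - TODO
 *    confirm against the DLL's DllMain. The stub never executes popad, so the
 *    entry point starts with ESP 32 bytes lower than normal.
 */
BOOL jet(LPSTR szRunFile, LPSTR szMyDll)
{
    STARTUPINFOA stInfo = {sizeof(stInfo)};   /* ANSI to match CreateProcessA */
    PROCESS_INFORMATION procInfo = {0};
    INJECT_CODE newCode = {0};                /* zeroed: no injector stack bytes reach the target */
    HMODULE hKernel32;
    FARPROC pfnLoadLibraryA;
    LPBYTE pEntryPoint;
    HANDLE hMap = NULL;
    LPSPY_MEM_SHARE lpMap = NULL;
    SIZE_T cBytesMoved = 0;
    DWORD dwOldProtect = 0;
    DWORD dwScratch = 0;
    BOOL written;

    if (szRunFile == NULL || szMyDll == NULL)
        return FALSE;
    /* The path must fit the stub's fixed buffer including the terminator. */
    if (lstrlenA(szMyDll) >= (int)sizeof(newCode.szDLL))
        return FALSE;

    /*
     * Resolve LoadLibraryA by name rather than taking &LoadLibrary: the
     * macro picks LoadLibraryW under UNICODE although szDLL is ANSI, and
     * &LoadLibrary may evaluate to this image's import thunk, which does not
     * exist in the target.
     */
    hKernel32 = GetModuleHandleA("kernel32.dll");
    if (hKernel32 == NULL)
        return FALSE;
    pfnLoadLibraryA = GetProcAddress(hKernel32, "LoadLibraryA");
    if (pfnLoadLibraryA == NULL)
        return FALSE;

    if (!CreateProcessA(NULL, szRunFile, NULL, NULL, FALSE, CREATE_SUSPENDED,
                        NULL, NULL, &stInfo, &procInfo))
        return FALSE;

    pEntryPoint = GetExeEntryPoint(szRunFile);
    if (pEntryPoint == NULL)
        goto fail;

    hMap = CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE,
                              0, sizeof(SPY_MEM_SHARE), "MyDllMapView");
    if (hMap == NULL)
        goto fail;
    lpMap = (LPSPY_MEM_SHARE)MapViewOfFile(hMap, FILE_MAP_ALL_ACCESS, 0, 0, 0);
    if (lpMap == NULL)
        goto fail;

    /* Save the bytes we are about to overwrite where the DLL can find them. */
    if (!ReadProcessMemory(procInfo.hProcess, pEntryPoint, lpMap->oldcode,
                           sizeof(lpMap->oldcode), &cBytesMoved)
        || cBytesMoved != sizeof(lpMap->oldcode))
        goto fail;
    lpMap->lpEntryPoint = pEntryPoint;

    /* pushad; push &szDLL; mov eax,LoadLibraryA; call eax; mov eax,entry; jmp eax */
    newCode.int_PUSHAD = 0x60;
    newCode.int_PUSH   = 0x68;
    newCode.push_Value = (DWORD)(ULONG_PTR)(pEntryPoint + offsetof(INJECT_CODE, szDLL));
    newCode.int_MOVEAX = 0xB8;
    newCode.eax_Value  = (DWORD)(ULONG_PTR)pfnLoadLibraryA;
    newCode.call_eax   = 0xD0FF;
    newCode.jmp_MOVEAX = 0xB8;
    newCode.jmp_Value  = (DWORD)(ULONG_PTR)pEntryPoint;
    newCode.jmp_eax    = 0xE0FF;
    lstrcpynA(newCode.szDLL, szMyDll, sizeof(newCode.szDLL));  /* bounded, always NUL-terminated */

    /* Unprotect the whole stub, not just its first DWORD: the stub is
     * sizeof(INJECT_CODE) bytes and may cross a page boundary. */
    if (!VirtualProtectEx(procInfo.hProcess, pEntryPoint, sizeof(newCode),
                          PAGE_READWRITE, &dwOldProtect))
        goto fail;
    written = WriteProcessMemory(procInfo.hProcess, pEntryPoint, &newCode,
                                 sizeof(newCode), &cBytesMoved)
              && cBytesMoved == sizeof(newCode);
    /* Always put the original protection back; a page left non-executable
     * would fault as soon as the thread runs. */
    if (!VirtualProtectEx(procInfo.hProcess, pEntryPoint, sizeof(newCode),
                          dwOldProtect, &dwScratch))
        written = FALSE;
    if (!written)
        goto fail;
    FlushInstructionCache(procInfo.hProcess, pEntryPoint, sizeof(newCode));

    /* Release our view only; hMap stays open on purpose (see header comment). */
    UnmapViewOfFile(lpMap);
    lpMap = NULL;

    if (ResumeThread(procInfo.hThread) == (DWORD)-1)
        goto fail;

    /* The process keeps running without these handles. */
    CloseHandle(procInfo.hThread);
    CloseHandle(procInfo.hProcess);
    return TRUE;

fail:
    if (lpMap != NULL)
        UnmapViewOfFile(lpMap);
    if (hMap != NULL)
        CloseHandle(hMap);
    TerminateProcess(procInfo.hProcess, 1);
    CloseHandle(procInfo.hThread);
    CloseHandle(procInfo.hProcess);
    return FALSE;
}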
//////////////////////////////////////////////////////////
/*
 * Program entry (_tWinMain is the tchar.h name that maps to WinMain or
 * wWinMain): inject "inet.dll" into a freshly started "Ikeeper.mpc", then
 * linger for six seconds before exiting. Both names are bare, so they are
 * resolved through CreateProcess's and the target's search orders
 * respectively rather than from a fixed directory.
 *
 * jet() leaves the "MyDllMapView" mapping handle open, so the mapping (and
 * the saved entry-point bytes in it) only exists while this process does;
 * the sleep presumably gives the injected DLL time to open it - TODO confirm
 * against the DLL's DllMain before changing the duration.
 */
int APIENTRY _tWinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPTSTR lpCmdLine,
int nCmdShow)
{
/* hInstance, hPrevInstance, lpCmdLine and nCmdShow are unused. */
jet("Ikeeper.mpc", "inet.dll");
Sleep(6000); /* keep the mapping alive for the DLL (see above) */
return 0;
}