经典的 DLL 注入方法:在远程进程中分配内存并写入 DLL 路径,然后以 kernel32!LoadLibraryA 为入口创建远程线程。远程线程执行 LoadLibrary 后,DLL 被映射进目标进程的地址空间,其 DllMain 在目标进程内运行,因此可以进行 Hook、修改内存等操作。前提是注入器与目标进程位数一致(同为 32 位或同为 64 位),且 DLL 路径对目标进程可见、可读。
#include <Windows.h>

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <iostream>
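// Print a failure message together with the thread's last Win32 error code,
// so a failed OpenProcess / CreateRemoteThread can actually be diagnosed.
static void reportError(const char *what)
{
    fprintf(stderr, "%s (GetLastError=%lu)\n", what, GetLastError());
}

// Perform the injection into an already-opened target.
//
// hProcess  - handle with CREATE_THREAD | QUERY_INFORMATION | VM_OPERATION |
//             VM_WRITE | VM_READ rights.
// dllPath   - NUL-terminated ANSI path passed verbatim to LoadLibraryA.
// pathBytes - strlen(dllPath) + 1, i.e. the bytes to copy including the NUL.
//
// Returns 0 when the remote LoadLibraryA reported a non-zero module handle,
// 1 on any failure. The remote path buffer is released once the remote
// thread is known to have finished; if the thread never finishes we leak
// the buffer on purpose rather than free memory LoadLibraryA may still read.
static int injectInto(HANDLE hProcess, const char *dllPath, SIZE_T pathBytes)
{
    // Resolve LoadLibraryA through our own kernel32 mapping. The address is
    // reused inside the target, which only works when both processes map
    // the same kernel32 image (same bitness) — main() checks that first.
    // GetModuleHandleW is used explicitly so this does not depend on UNICODE.
    HMODULE k32 = GetModuleHandleW(L"kernel32.dll");
    FARPROC loadLibrary = k32 ? GetProcAddress(k32, "LoadLibraryA") : nullptr;
    if (!loadLibrary) {
        reportError("cannot resolve kernel32!LoadLibraryA");
        return 1;
    }

    // VirtualAllocEx rounds the size up to a page anyway; asking for exactly
    // pathBytes keeps the request honest about what we intend to write.
    void *remoteBuf = VirtualAllocEx(hProcess, nullptr, pathBytes,
                                     MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!remoteBuf) {
        reportError("VirtualAllocEx failed");
        return 1;
    }

    int rc = 1;
    bool threadMayStillRun = false;
    SIZE_T written = 0;

    // Copy the path INCLUDING its terminating NUL. The original relied on the
    // fresh allocation being zero-filled; writing the terminator explicitly
    // removes that hidden assumption.
    if (!WriteProcessMemory(hProcess, remoteBuf, dllPath, pathBytes, &written) ||
        written != pathBytes) {
        reportError("WriteProcessMemory failed");
    } else {
        HANDLE hThread = CreateRemoteThread(hProcess, nullptr, 0,
                                            (LPTHREAD_START_ROUTINE)loadLibrary,
                                            remoteBuf, 0, nullptr);
        if (!hThread) {
            reportError("CreateRemoteThread failed");
        } else {
            // Wait for LoadLibraryA to return so the outcome can be reported
            // and the path buffer freed safely afterwards.
            DWORD exitCode = 0;
            DWORD wait = WaitForSingleObject(hThread, 10000);
            if (wait != WAIT_OBJECT_0) {
                threadMayStillRun = true;
                reportError("remote thread did not finish within 10s");
            } else if (!GetExitCodeThread(hThread, &exitCode)) {
                reportError("GetExitCodeThread failed");
            } else if (exitCode == 0) {
                // The thread exit code is LoadLibraryA's return value truncated
                // to 32 bits; zero means the load failed in the target (path not
                // found from the target's point of view, missing dependency, or
                // DllMain returning FALSE). NOTE: on 64-bit a genuine HMODULE
                // whose low 32 bits are zero would also look like failure.
                fprintf(stderr, "LoadLibraryA returned NULL inside the target\n");
            } else {
                rc = 0;
            }
            CloseHandle(hThread);
        }
    }

    if (!threadMayStillRun) {
        VirtualFreeEx(hProcess, remoteBuf, 0, MEM_RELEASE);
    }
    return rc;
}

// Classic CreateRemoteThread + LoadLibrary DLL injector (Windows only).
//
// Usage: <program> <pid> <dll-path>
//
// Opens the target, copies the DLL path into it, and starts a remote thread
// at kernel32!LoadLibraryA with that buffer as argument so the DLL's DllMain
// runs inside the target. Exit status is 0 on success, 1 on any failure.
//
// Practical constraints:
//  - Injector and target must have the same bitness; a 32<->64-bit mismatch
//    is rejected below instead of silently failing in the target.
//  - Opening a process owned by another user or a protected process requires
//    matching privileges; that failure surfaces as OpenProcess + GetLastError.
//  - The path is interpreted by the target process, so it should be absolute
//    and readable by the target's account.
int main(int argc, const char *argv[])
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <pid> <dll-path>\n", argv[0]);
        return 1;
    }

    // Parse the PID strictly: atoi() would turn "abc" into 0 and an overflow
    // into garbage, and OpenProcess would then fail with a misleading error.
    errno = 0;
    char *end = nullptr;
    unsigned long pidValue = strtoul(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE ||
        pidValue == 0 || pidValue > 0xFFFFFFFFul) {
        fprintf(stderr, "invalid pid: %s\n", argv[1]);
        return 1;
    }
    DWORD pid = (DWORD)pidValue;

    const char *dllPath = argv[2];
    if (dllPath[0] == '\0') {
        fprintf(stderr, "dll path must not be empty\n");
        return 1;
    }
    const SIZE_T pathBytes = strlen(dllPath) + 1; // include terminating NUL

    // These are the rights the CreateRemoteThread documentation requires;
    // the original omitted PROCESS_QUERY_INFORMATION, which is also needed
    // for the IsWow64Process check below.
    HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                                  PROCESS_VM_OPERATION | PROCESS_VM_WRITE |
                                  PROCESS_VM_READ,
                                  FALSE, pid);
    if (!hProcess) {
        reportError("OpenProcess failed");
        return 1;
    }

    int rc = 1;
    BOOL selfWow64 = FALSE;
    BOOL targetWow64 = FALSE;
    // On 64-bit Windows a WOW64 (32-bit) process and a native 64-bit process
    // do not share a kernel32 mapping, so the LoadLibraryA address taken from
    // this process would be meaningless in the other kind of target.
    if (!IsWow64Process(GetCurrentProcess(), &selfWow64) ||
        !IsWow64Process(hProcess, &targetWow64)) {
        reportError("IsWow64Process failed");
    } else if (selfWow64 != targetWow64) {
        fprintf(stderr, "bitness mismatch: injector and target must both be "
                        "32-bit or both be 64-bit\n");
    } else {
        rc = injectInto(hProcess, dllPath, pathBytes);
    }

    CloseHandle(hProcess); // the original leaked this handle
    return rc;
}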
https://rioasmara.com/2020/09/06/basic-remote-thread-injection/