远程线程注入

经典的注入方法:在目标进程中分配一块内存并写入 DLL 的完整路径,然后以 kernel32!LoadLibraryA 为入口、以该路径为参数在目标进程中创建远程线程,使其加载这个 DLL。DLL 一旦被加载到目标进程的地址空间内,其 DllMain 便可以执行 Hook、读写内存等操作。注意两点:注入器与目标进程的位数(32/64 位)必须一致,因为 LoadLibraryA 的地址是在本进程中解析后直接用于目标进程的;DLL 路径应使用绝对路径,因为它是由目标进程按其自身的搜索顺序解析的。打开其他用户的进程通常还需要 SeDebugPrivilege(管理员权限)。

代码

#include <Windows.h>

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <iostream>

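// Remote thread injection via kernel32!LoadLibraryA.
//
// Usage: <program> <pid> <absolute-path-to-dll>
//
// Preconditions the operator must satisfy (none of them can be verified here):
//  - Injector and target share the same bitness (32- vs 64-bit). The address
//    of LoadLibraryA is resolved in *this* process and reused in the target;
//    that only works because kernel32 is mapped at the same base in every
//    process of the same architecture within one boot session.
//  - The DLL path should be absolute: LoadLibraryA runs inside the target and
//    resolves relative paths against the target's search order, not ours.
//  - Opening a process that belongs to another user normally requires
//    SeDebugPrivilege.

// Bytes reserved in the target for the NUL-terminated DLL path.
static const SIZE_T kPathBufSize = 1 << 12;

// Writes dllPath into hProcess and runs LoadLibraryA on it in a new remote
// thread. Returns true only if the remote LoadLibraryA reported a non-NULL
// module handle. Releases the remote buffer and the thread handle on every
// path where it is safe to do so.
static bool InjectDll(HANDLE hProcess, const char* dllPath)
{
    // Copy the terminator as well; the original wrote strlen() bytes and
    // relied on VirtualAllocEx zero-filling the page to terminate the string.
    const SIZE_T pathLen = strlen(dllPath) + 1;
    if (pathLen > kPathBufSize) {
        fprintf(stderr, "dll path too long (%lu bytes, max %lu)\n",
                (unsigned long)pathLen, (unsigned long)kPathBufSize);
        return false;
    }

    // Resolve the entry point before touching the target so a failure here
    // leaves nothing to clean up. Explicit W suffix: the original depended on
    // UNICODE being defined for GetModuleHandle to accept a wide literal.
    HMODULE kernel32 = GetModuleHandleW(L"kernel32.dll");
    FARPROC loadLibraryA = kernel32 ? GetProcAddress(kernel32, "LoadLibraryA") : nullptr;
    if (!loadLibraryA) {
        fprintf(stderr, "cannot resolve kernel32!LoadLibraryA: %lu\n", GetLastError());
        return false;
    }

    LPVOID remoteBuf = VirtualAllocEx(hProcess, nullptr, kPathBufSize,
                                      MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!remoteBuf) {
        fprintf(stderr, "VirtualAllocEx failed: %lu\n", GetLastError());
        return false;
    }

    bool loaded = false;
    // Only free the remote page once we know no remote thread can still be
    // reading it.
    bool safeToFree = true;
    SIZE_T written = 0;
    if (!WriteProcessMemory(hProcess, remoteBuf, dllPath, pathLen, &written) ||
        written != pathLen) {
        fprintf(stderr, "WriteProcessMemory failed: %lu\n", GetLastError());
    } else {
        HANDLE hThread = CreateRemoteThread(
            hProcess, nullptr, 0,
            reinterpret_cast<LPTHREAD_START_ROUTINE>(loadLibraryA),
            remoteBuf, 0, nullptr);
        if (!hThread) {
            fprintf(stderr, "CreateRemoteThread failed: %lu\n", GetLastError());
        } else {
            // Wait for LoadLibraryA to finish before freeing the page it reads
            // from, and use its exit code to report success. A DllMain that
            // blocks (e.g. on the loader lock) will block us here as well.
            if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0) {
                fprintf(stderr, "WaitForSingleObject failed: %lu\n", GetLastError());
                safeToFree = false;
            } else {
                // The thread exit code is the low 32 bits of the HMODULE that
                // LoadLibraryA returned; 0 means the load failed.
                DWORD exitCode = 0;
                if (GetExitCodeThread(hThread, &exitCode) && exitCode != 0) {
                    loaded = true;
                } else {
                    fprintf(stderr, "LoadLibraryA in target returned NULL "
                                    "(wrong path, missing dependency or bitness mismatch?)\n");
                }
            }
            CloseHandle(hThread);  // leaked in the original
        }
    }

    if (safeToFree) {
        VirtualFreeEx(hProcess, remoteBuf, 0, MEM_RELEASE);  // never released originally
    }
    return loaded;
}

// Entry point: parses <pid> and <dll-path>, opens the target and injects.
// Returns 0 on success and 1 on any failure; the original returned 0 on every
// path, so scripts could not tell success from failure.
int main(int argc, const char* argv[])
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <pid> <absolute-dll-path>\n", argv[0]);
        return 1;
    }

    // Strict PID parsing: atoi() returns 0 for junk and ignores trailing
    // garbage, and PID 0 is never a valid injection target.
    errno = 0;
    char* end = nullptr;
    unsigned long pidValue = strtoul(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE || pidValue == 0) {
        fprintf(stderr, "invalid pid: %s\n", argv[1]);
        return 1;
    }
    const DWORD pid = static_cast<DWORD>(pidValue);

    // Access rights the documentation lists for CreateRemoteThread together
    // with WriteProcessMemory; the original omitted PROCESS_QUERY_INFORMATION
    // and PROCESS_VM_READ.
    HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                                      PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                                  FALSE, pid);
    if (!hProcess) {
        fprintf(stderr, "OpenProcess(%lu) failed: %lu\n", pid, GetLastError());
        return 1;
    }

    const bool ok = InjectDll(hProcess, argv[2]);
    CloseHandle(hProcess);  // leaked in the original
    return ok ? 0 : 1;
}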

参考

https://rioasmara.com/2020/09/06/basic-remote-thread-injection/