About ShutDown of Windows(五)
一直在想DLL注入时到底是怎么样的,于是动了下手试下
Google 到的资料
http://www.cppblog.com/mydriverc/articles/28536.html
http://www.cppblog.com/road420/archive/2009/10/26/99510.aspx
http://www.cppblog.com/free2000fly/archive/2008/07/21/56764.html
VC IDE 新建一个 Win32 Dynamic-Link Library Project,名为 DLLInject
//
DLLInject.cpp : Defines the entry point for the DLL application.
//
#include
"
stdafx.h
"
// Informational pop-up used by the demo so that attach/detach is visible.
static void ShowNotice( LPCSTR lpszText )
{
    MessageBox( NULL, lpszText, "信息", MB_ICONINFORMATION );
}

// DLL entry point: the only thing it does is announce process attach and
// detach with a MessageBox. Other reasons (thread attach/detach) are ignored.
// NOTE(review): DllMain runs while the loader lock is held, and DllMain
// best-practice guidance warns against calling anything beyond kernel32 from
// it (MessageBox included) because it can deadlock the host process. It is
// tolerable only as a visible signal in a demo.
BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved )
{
    (void)hModule;      // unused by this demo
    (void)lpReserved;   // unused by this demo

    if ( ul_reason_for_call == DLL_PROCESS_ATTACH )
    {
        ShowNotice( "DLL已进入目标进程。" );
    }
    else if ( ul_reason_for_call == DLL_PROCESS_DETACH )
    {
        ShowNotice( "DLL已从目标进程卸载。" );
    }

    return TRUE;
}
VC IDE 新建一个 Win32 Console Application project, 名为 DLLInjectDosExe
#include <iostream>
using namespace std;
#include <windows.h>
#include <TLHELP32.H>
#include <Shlwapi.h>
#pragma comment(lib,"Shlwapi.lib")
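// Returns the PID of the first running process whose image name matches
// lpszProcess (case-insensitive, via lstrcmpi), using a Toolhelp snapshot.
//
// Returns 0 when lpszProcess is NULL, when the snapshot cannot be taken, when
// the first entry cannot be read, or when no process matches. Callers must
// therefore treat 0 as "not found" before handing it to OpenProcess.
DWORD FindTargetProcessID( LPCTSTR lpszProcess )
{
    DWORD dwRet = 0;
    if ( lpszProcess == NULL )
    {
        return dwRet;
    }

    HANDLE hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not NULL;
    // the original never checked and would have walked an invalid snapshot.
    if ( hSnapshot == INVALID_HANDLE_VALUE )
    {
        return dwRet;
    }

    PROCESSENTRY32 pe32 = {0};
    pe32.dwSize = sizeof( PROCESSENTRY32 );

    // Process32First's result used to be ignored; on failure pe32 stayed
    // uninitialized and the do/while compared garbage. Iterate only while
    // an entry was actually filled in.
    for ( BOOL bMore = Process32First( hSnapshot, &pe32 );
          bMore;
          bMore = Process32Next( hSnapshot, &pe32 ) )
    {
        if ( lstrcmpi( pe32.szExeFile, lpszProcess ) == 0 )
        {
            dwRet = pe32.th32ProcessID;
            break;
        }
    }

    CloseHandle( hSnapshot );
    return dwRet;
}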
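// Demo driver: finds explorer.exe, writes the path of this program's
// DLLInject.dll into it, and starts a remote thread on LoadLibraryA so the
// target loads the DLL.
//
// Every failure path now releases what was acquired and returns 1. In the
// original each "失败处理" branch closed hProcess and then fell through, so the
// remaining calls used a closed handle (and a NULL lpBuf).
//
// NOTE(review): this OpenProcess(VM_WRITE) -> VirtualAllocEx ->
// WriteProcessMemory -> CreateRemoteThread(LoadLibrary) sequence is the
// textbook pattern endpoint monitoring keys on. It also fails at OpenProcess
// when the target runs at a higher integrity level or as a protected process,
// which is the intended mitigation.
int main()
{
    DWORD dwProcessID = FindTargetProcessID("explorer.exe");
    if ( dwProcessID == 0 )
    {
        return 1;   // target process not found
    }

    // Open the target with only the rights the steps below need.
    HANDLE hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwProcessID );
    if ( hProcess == NULL )
    {
        return 1;
    }

    // Build "<directory of this exe>\DLLInject.dll". The narrow (A) APIs are
    // used explicitly because the buffer is handled with char functions;
    // the original mixed TCHAR with strcat/lstrlenA and only built as ANSI.
    static const char szDllName[] = "\\DLLInject.dll";
    char szPath[MAX_PATH] = {0};
    DWORD dwPathLen = ::GetModuleFileNameA( NULL, szPath, MAX_PATH );
    if ( dwPathLen == 0 || dwPathLen >= MAX_PATH )   // 0 = failure, >= MAX_PATH = truncated
    {
        CloseHandle( hProcess );
        return 1;
    }
    ::PathRemoveFileSpecA( szPath );
    // strcat was unchecked; refuse a path that would not fit with its terminator.
    if ( lstrlenA( szPath ) + lstrlenA( szDllName ) + 1 > MAX_PATH )
    {
        CloseHandle( hProcess );
        return 1;
    }
    lstrcatA( szPath, szDllName );

    // Write the DLL path, including its terminator, into the target's address space.
    DWORD dwSize = lstrlenA( szPath ) + 1;
    DWORD dwWritten = 0;
    LPVOID lpBuf = VirtualAllocEx( hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE );
    if ( lpBuf == NULL )
    {
        CloseHandle( hProcess );
        return 1;
    }
    // A short write counts as failure just like a failed call.
    if ( !WriteProcessMemory( hProcess, lpBuf, szPath, dwSize, &dwWritten ) || dwWritten != dwSize )
    {
        // MEM_RELEASE with size 0 returns the whole region; MEM_DECOMMIT only
        // decommitted the pages and left the reservation behind in the target.
        VirtualFreeEx( hProcess, lpBuf, 0, MEM_RELEASE );
        CloseHandle( hProcess );
        return 1;
    }

    // Have the target call LoadLibraryA(path). This relies on kernel32.dll
    // being mapped at the same base address in both processes.
    DWORD dwID = 0;
    LPTHREAD_START_ROUTINE pFunc = reinterpret_cast<LPTHREAD_START_ROUTINE>( LoadLibraryA );
    HANDLE hThread = CreateRemoteThread( hProcess, NULL, 0, pFunc, lpBuf, 0, &dwID );
    int nResult = 0;
    if ( hThread == NULL )
    {
        nResult = 1;
    }
    else
    {
        // Do not free the path buffer until LoadLibrary has finished reading it.
        WaitForSingleObject( hThread, INFINITE );
        CloseHandle( hThread );
    }

    // Release the memory reserved in the target process.
    VirtualFreeEx( hProcess, lpBuf, 0, MEM_RELEASE );
    CloseHandle( hProcess );
    return nResult;
}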
运行之后,弹出 MessageBox 提示“DLL已进入目标进程”
使用 SystemCheck.exe 工具查看 explorer.exe 进程的模块信息时,会发现,此时多了一个
C:\Documents and Settings\test\桌面\DLLInject.dll 的DLL
这表示已经注入成功
[资料]
深入浅出dll插入型木马病毒的原理,查杀与防范
DLL注入的唯一用处,就是它并不需要创建一个单独的进程,它寄生到已有进程里面去,在任务管理器里看不到它,
达到了所谓的“隐藏进程”的效果。