说明
《黑客编程揭秘与探索》
GetLastError()返回值意义
获取时间
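// Formats the current local time as "YYYY-MM-DD HH:MM:SS" (19 characters).
//
// Returns an empty string when the clock or the local-time conversion fails.
// The original version ignored the return value of localtime_s and then
// formatted an uninitialised `tm`, which would print garbage on failure.
std::string get_current_time()
{
    tm t{};  // zero-initialised so a failed localtime_s cannot leak stack garbage
    time_t now = time(nullptr);
    if (now == static_cast<time_t>(-1) || localtime_s(&t, &now) != 0)
        return std::string();

    // 19 characters plus NUL; room to spare for an unusually large year.
    char buf[32];
    // tm_year counts from 1900 and tm_mon is 0-based; %.Nd zero-pads each field.
    sprintf_s(buf, sizeof buf, "%.4d-%.2d-%.2d %.2d:%.2d:%.2d",
              t.tm_year + 1900, t.tm_mon + 1, t.tm_mday,
              t.tm_hour, t.tm_min, t.tm_sec);
    return std::string(buf);
}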
远程线程 + dll注入
准备步骤
CreateRemoteThread 用来在指定的(其他)进程中启动一个线程;CreateThread 可以看作它作用于当前进程时的特例。
LoadLibraryA 的地址在各进程中相同,原因是 kernel32.dll 在同一次开机会话内被所有进程映射到同一个基址(系统 DLL 的 ASLR 只在每次启动时随机化一次)。注意两点:这只对位数相同的进程成立,32 位注入器取到的地址在 64 位目标里无效,反之亦然;另外 LoadLibrary 是宏,UNICODE 编译时展开为 LoadLibraryW,而远程线程参数写入的是 ANSI 路径,所以必须显式取 LoadLibraryA。
先用 VirtualAllocEx 在目标进程里分配一块可写内存,用 WriteProcessMemory 把 dll 路径(含结尾的 NUL)写进去,然后以 LoadLibraryA 为线程入口、这块内存的地址为线程参数启动远程线程即可。
dll 卸载也类似:把远程线程入口换成 FreeLibrary,参数传模块句柄(也就是 dll 在目标进程空间中的基址)。
模块句柄可以通过模块快照(CreateToolhelp32Snapshot + TH32CS_SNAPMODULE,再用 Module32First/Module32Next 遍历)拿到,直接把它作为线程参数传进去就行了。
远程线程dll注入代码
/*
---- From XDU's mzb
*/
#include <bits/stdc++.h>
#include <windows.h>
using namespace std;
using ll = long long int;
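// Runs LoadLibraryA(dll_name) on a new thread inside `h_process`.
//
// Owns and releases the remote path buffer and the thread handle it creates;
// the process handle belongs to the caller. Returns true only when the remote
// LoadLibraryA returned a non-NULL module handle.
static bool load_library_remote(HANDLE h_process, char const* dll_name)
{
    // Resolved in our own kernel32; only valid in the target if both processes
    // have the same bitness (kernel32 shares one base per boot session).
    FARPROC load_library = GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
    if (load_library == nullptr)
        return false;

    const SIZE_T path_bytes = strlen(dll_name) + 1;  // include the terminating NUL
    PVOID remote_path = VirtualAllocEx(h_process, nullptr, path_bytes,
                                       MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (remote_path == nullptr)
        return false;

    bool ok = false;
    SIZE_T written = 0;
    if (WriteProcessMemory(h_process, remote_path, dll_name, path_bytes, &written) &&
        written == path_bytes)
    {
        HANDLE h_thread = CreateRemoteThread(h_process, nullptr, 0,
                                             reinterpret_cast<LPTHREAD_START_ROUTINE>(load_library),
                                             remote_path, 0, nullptr);
        if (h_thread != nullptr)
        {
            if (WaitForSingleObject(h_thread, INFINITE) == WAIT_OBJECT_0)
            {
                // The thread's exit code is LoadLibraryA's return value
                // (truncated to 32 bits on x64); zero means the load failed
                // inside the target, e.g. a path the target cannot open.
                DWORD exit_code = 0;
                ok = GetExitCodeThread(h_thread, &exit_code) && exit_code != 0;
            }
            CloseHandle(h_thread);
        }
    }
    // The remote thread has finished (or was never started), so the path
    // buffer is no longer referenced and can be released in the target.
    VirtualFreeEx(h_process, remote_path, 0, MEM_RELEASE);
    return ok;
}

// Injects the DLL at `dll_name` into process `pid` via a remote thread whose
// start routine is LoadLibraryA.
//
// Caller requirements that cannot be verified here:
//  * `dll_name` must be an absolute path that the *target* process can open.
//  * Injector and target must have the same bitness (see load_library_remote).
//  * The caller needs enough rights to open the target (typically
//    SeDebugPrivilege for another user's or an elevated process).
//
// Returns false on invalid arguments, on any failed Win32 call, or when the
// DLL failed to load in the target. Fixes in this version: the process handle
// was leaked on the VirtualAllocEx failure path, the results of
// WriteProcessMemory/GetProcAddress/CreateRemoteThread were never checked
// (a NULL thread handle reached WaitForSingleObject), the remote buffer was
// never freed, and success was reported even if LoadLibraryA returned NULL.
bool inject_dll(long long pid, char const* dll_name)
{
    if (pid <= 0 || dll_name == nullptr || *dll_name == '\0')
        return false;

    // Least privilege: request only the rights the calls below need instead of
    // PROCESS_ALL_ACCESS.
    const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                         PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE h_process = OpenProcess(access, FALSE, static_cast<DWORD>(pid));
    if (h_process == nullptr)
        return false;

    const bool ok = load_library_remote(h_process, dll_name);
    CloseHandle(h_process);  // released on every path, including failures
    return ok;
}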
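// Entry point: reads the target PID from stdin and injects the DLL.
//
// An optional first command-line argument overrides the built-in DLL path.
// Exit status is 0 on success and 1 on bad input or a failed injection, and
// the outcome is printed, so a caller no longer has to guess whether the
// (previously ignored) inject_dll result was true.
int main(int argc, char** argv)
{
    // Must be an absolute path reachable from the target process: it is
    // resolved by LoadLibraryA inside the target, not by this program.
    const char default_dll[] = "E:\\InjectDll\\Inject_dll_test.dll";
    const char* dll_name = (argc > 1) ? argv[1] : default_dll;

    DWORD process_id = 0;
    if (!(cin >> process_id) || process_id == 0)
    {
        cerr << "usage: " << argv[0] << " [dll_path]  (reads target pid from stdin)\n";
        return 1;
    }

    if (!inject_dll(process_id, dll_name))
    {
        cerr << "injection into pid " << process_id << " failed\n";
        return 1;
    }
    cout << "injected " << dll_name << " into pid " << process_id << '\n';
    return 0;
}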
无dll的代码注入
就是把线程参数和线程代码直接写进目标进程空间,然后用一次远程线程调用去执行,思路非常简单。两个前提:存放代码的内存必须是可执行的(VirtualAllocEx 时用 PAGE_EXECUTE_READWRITE 或写入后再 VirtualProtectEx 改成可执行),而且写进去的代码不能引用注入器自己的地址(导入函数、全局变量、字符串等都要通过参数传进去),否则在目标进程里就是悬空地址。