About ShutDown of Windows(五)
一直在想DLL注入時到底是怎么樣的,于是動了下手試下
Google 到的資料
http://www.shnenglu.com/mydriverc/articles/28536.html
http://www.shnenglu.com/road420/archive/2009/10/26/99510.aspx
http://www.shnenglu.com/free2000fly/archive/2008/07/21/56764.html
VC IDE 新建一個 Win32 Dynamic-Link Library Project,名為 DLLInject
//
?DLLInject.cpp?:?Defines?the?entry?point?for?the?DLL?application.
//
#include?
"
stdafx.h
"
BOOL?APIENTRY?DllMain(?HANDLE?hModule,?
???????????????????????DWORD??ul_reason_for_call,?
???????????????????????LPVOID?lpReserved
?????????????????????)
{
????
switch
?(?ul_reason_for_call?)
????{
????
case
?DLL_PROCESS_ATTACH:
????????{
????????????MessageBox(?NULL,?
"
DLL已進入目標進程。
"
,?
"
信息
"
,?MB_ICONINFORMATION?);
????????}
????????
break
;
????
case
?DLL_PROCESS_DETACH:
????????{
????????????MessageBox(?NULL,?
"
DLL已從目標進程卸載。
"
,?
"
信息
"
,?MB_ICONINFORMATION?);
????????}
????????
break
;
????}
????
return
?TRUE;
}
VC IDE 新建一個 Win32 Console Applacation project, 名為 DLLInjectDosExe
#include?<iostream>
using?namespace?std;
#include?<windows.h>
#include?<TLHELP32.H>
#include?<Shlwapi.h>
#pragma?comment(lib,"Shlwapi.lib")?
DWORD?FindTargetProcessID(?LPCTSTR?lpszProcess?)
{
????DWORD?dwRet?=?0;
????HANDLE?hSnapshot?=?CreateToolhelp32Snapshot(?TH32CS_SNAPPROCESS,?0?);
????PROCESSENTRY32?pe32;
????pe32.dwSize?=?sizeof(?PROCESSENTRY32?);
????Process32First(?hSnapshot,?&pe32?);
????do
????{
????????if?(?lstrcmpi(?pe32.szExeFile,?lpszProcess?)?==?0?)
????????{
????????????dwRet?=?pe32.th32ProcessID;
????????????break;
????????}
????}?while?(?Process32Next(?hSnapshot,?&pe32?)?);
????
????CloseHandle(?hSnapshot?);
????return?dwRet;
}?
int?main()
{
????DWORD?dwProcessID?=?0;
????
????dwProcessID?=?FindTargetProcessID("explorer.exe");
????//?打開目標進程
????HANDLE?hProcess?=?OpenProcess(?PROCESS_CREATE_THREAD?|?PROCESS_VM_OPERATION?|?PROCESS_VM_WRITE,?FALSE,?dwProcessID?);
????
????TCHAR?szPath[MAX_PATH]?=?{0};
????::GetModuleFileName(NULL,?szPath,?MAX_PATH);
????::PathRemoveFileSpec(szPath);
????strcat(szPath,?"\\DLLInject.dll");
????//?向目標進程地址空間寫入DLL名稱
????DWORD?dwSize,?dwWritten;
????dwSize?=?lstrlenA(?szPath?)?+?1;
????LPVOID?lpBuf?=?VirtualAllocEx(?hProcess,?NULL,?dwSize,?MEM_COMMIT,?PAGE_READWRITE?);
????if?(?NULL?==?lpBuf?)
????{
????????CloseHandle(?hProcess?);
????????//?失敗處理
????}
????if?(?WriteProcessMemory(?hProcess,?lpBuf,?(LPVOID)szPath,?dwSize,?&dwWritten?)?)
????{
????????//?要寫入字節數與實際寫入字節數不相等,仍屬失敗
????????if?(?dwWritten?!=?dwSize?)
????????{
????????????VirtualFreeEx(?hProcess,?lpBuf,?dwSize,?MEM_DECOMMIT?);
????????????CloseHandle(?hProcess?);
????????????//?失敗處理
????????}
????}
????else
????{
????????CloseHandle(?hProcess?);
????????//?失敗處理
????}
????//?使目標進程調用LoadLibrary,加載DLL
????DWORD?dwID;
????LPVOID?pFunc?=?LoadLibraryA;
????HANDLE?hThread?=?CreateRemoteThread(?hProcess,?NULL,?0,?(LPTHREAD_START_ROUTINE)pFunc,?lpBuf,?0,?&dwID?);?
????
????//?等待LoadLibrary加載完畢
????WaitForSingleObject(?hThread,?INFINITE?);
????//?釋放目標進程中申請的空間
????VirtualFreeEx(?hProcess,?lpBuf,?dwSize,?MEM_DECOMMIT?);
????CloseHandle(?hThread?);
????CloseHandle(?hProcess?);?
????return?0;
}
運行之后,彈出 MessageBox 提示“
DLL已進入目標進程”
使用 SystemCheck.exe 工具查看 explorer.exe 進程的模塊信息時,會發現,此時多了一個
C:\Documents and Settings\test\桌面\DLLInject.dll 的DLL
這表示已經注入成功
[資料]
深入淺出dll插入型木馬病毒的原理,查殺與防范DLL注入的唯一用處,就是它并不需要創建一個單獨的進程,它寄生到已有進程里面去,在任務欄管理器里看不到它,
達到了所謂的“隱藏進程”的效果。