Injecting a DLL without CreateRemoteThread
rick060
Senior member | Posts: 2 | Replies: 112 | Points: 217 | Registered: 2009-11-17
CreateRemoteThread takes a ProcessId and makes that process run a piece of code, but some of the functions that need to be monitored are not necessarily on the main thread, so what then? The method below changes a thread's CONTEXT to make it run a page of code, which achieves the effect of LoadLibrary.
Error handling is left for you to take care of.

#include <windows.h>
#include <tlhelp32.h>
#include <string.h>

/* Build as a 32-bit, non-UNICODE project: the stub below is x86 machine code
   and the DWORD casts assume 4-byte pointers. */
#define TARGETEXE "target.exe"
#define INJECTDLL "C:\\Users\\Rick\\Desktop\\play\\HookDll\\Debug\\HookDll.dll"

void InjectThread(DWORD processId, DWORD threadId);

/* Walk the process list, find TARGETEXE and hijack each of its threads. */
void AsmHook()
{
    PROCESSENTRY32 ee;
    THREADENTRY32 te;
    HANDLE snapHandle, threadHandle;
    BOOL bRet, bThreadRet;

    snapHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapHandle == INVALID_HANDLE_VALUE)
        return;

    ee.dwSize = sizeof(PROCESSENTRY32);
    for (bRet = Process32First(snapHandle, &ee); bRet; bRet = Process32Next(snapHandle, &ee)) {
        if (_stricmp(ee.szExeFile, TARGETEXE) != 0)
            continue;

        /* a thread snapshot is system-wide; filter on the owning process below */
        threadHandle = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
        if (threadHandle == INVALID_HANDLE_VALUE)
            continue;

        te.dwSize = sizeof(THREADENTRY32);
        for (bThreadRet = Thread32First(threadHandle, &te); bThreadRet; bThreadRet = Thread32Next(threadHandle, &te))
            if (te.th32OwnerProcessID == ee.th32ProcessID)
                InjectThread(te.th32OwnerProcessID, te.th32ThreadID);

        CloseHandle(threadHandle);
    }
    CloseHandle(snapHandle);
}

/* Hijack one thread: point its EIP at a stub that calls LoadLibraryA(INJECTDLL)
   and then spins in place, wait until it reaches the spin, then restore the
   context that was saved before the hijack. */
void InjectThread(DWORD processId, DWORD threadId)
{
    CONTEXT ctx, oldCtx;
    HANDLE processHandle, hThread;
    LPVOID alloc, dllName;
    FARPROC loadProc;
    DWORD writeLen;
    DWORD *eax, *ebx, *loopAddr;
    BOOL ret;
    int cbSize;
    /* stub; the three imm32 fields are patched below, the DLL path is appended after it */
    BYTE injectCodes[512] = {
        0xB8, 0x00, 0x00, 0x00, 0x00,   /* mov eax, LoadLibraryA    (imm32 at offset 1)  */
        0xBB, 0x00, 0x00, 0x00, 0x00,   /* mov ebx, <dll path>      (imm32 at offset 6)  */
        0x53,                           /* push ebx                                       */
        0xFF, 0xD0,                     /* call eax                                       */
        0xB9, 0x00, 0x00, 0x00, 0x00,   /* mov ecx, <offset 18>     (imm32 at offset 14) */
        0xFF, 0xE1,                     /* jmp ecx  ; offset 18: infinite loop            */
    };
    const int codeLen = 20;

    processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processId);
    if (processHandle == NULL)
        return;

    cbSize = codeLen + (int)strlen(INJECTDLL) + 1;
    alloc = VirtualAllocEx(processHandle, NULL, cbSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (alloc == NULL) {
        CloseHandle(processHandle);
        return;
    }

    /* the path lives at offset codeLen of the same allocation */
    dllName = (LPVOID)((DWORD)injectCodes + codeLen);
    memcpy(dllName, INJECTDLL, strlen(INJECTDLL) + 1);

    eax      = (DWORD *)((DWORD)injectCodes + 1);
    ebx      = (DWORD *)((DWORD)injectCodes + 6);
    loopAddr = (DWORD *)((DWORD)injectCodes + 14);

    /* kernel32.dll is mapped at the same base in every process of the session,
       so the LoadLibraryA address in this process is valid in the target too */
    loadProc = GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
    if (loadProc == NULL) {
        CloseHandle(processHandle);
        return;
    }
    *eax = (DWORD)loadProc;
    *ebx = codeLen;                  /* offsets inside the buffer first ... */
    *loopAddr = 18;
    *ebx += (DWORD)alloc;            /* ... then relocated to the remote base */
    *loopAddr += (DWORD)alloc;

    ret = WriteProcessMemory(processHandle, alloc, injectCodes, cbSize, &writeLen);
    if (!ret || writeLen != (DWORD)cbSize) {
        CloseHandle(processHandle);
        return;
    }

    hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, threadId);
    if (hThread == NULL) {
        CloseHandle(processHandle);
        return;
    }

    SuspendThread(hThread);
    oldCtx.ContextFlags = CONTEXT_FULL;
    GetThreadContext(hThread, &oldCtx);

    ctx = oldCtx;
    ctx.Eip = (DWORD)alloc;          /* push/call in the stub use the thread's own stack
                                        below ESP; x86 Windows has no red zone, so no
                                        live data is clobbered */
    SetThreadContext(hThread, &ctx);
    ResumeThread(hThread);

    /* poll until EIP sits on the "jmp ecx" at offset 18, which means LoadLibraryA
       has returned, then put the saved context back. A thread that never returns
       to user mode (blocked in a wait) will never get here; that is the error
       case left to the caller. */
    for (;;) {
        Sleep(10);
        SuspendThread(hThread);
        ctx.ContextFlags = CONTEXT_FULL;
        GetThreadContext(hThread, &ctx);
        if (ctx.Eip == (DWORD)alloc + 18) {
            SetThreadContext(hThread, &oldCtx);
            ResumeThread(hThread);
            break;
        }
        ResumeThread(hThread);
    }
    CloseHandle(hThread);
    CloseHandle(processHandle);
    /* the stub page is left mapped; the DLL stays loaded in the target */
}
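The part of this technique that is easiest to get subtly wrong is the stub itself: three immediates have to be rewritten to absolute addresses inside an allocation whose base is only known after VirtualAllocEx, and the poll loop has to compare EIP against the address of the jmp that parks the thread. The following is an added example, not rick060's code, that isolates exactly that step in portable C so it can be run and checked on any machine: it assembles the stub layout the post describes (mov eax / mov ebx / push ebx / call eax / mov ecx / jmp ecx), relocates it for a remote base, and decodes the immediates back as a consistency check. The offsets 1, 14 and 18 are the post's; offset 6 for the path pointer, the LoadLibraryA address 0x7C801D7B, the base 0x00420000 and the path C:\hook.dll are constructed values for the demonstration (in a real injector they come from GetProcAddress and VirtualAllocEx).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout of the injected x86 stub (20 bytes) and the byte offsets of the
   immediates that must be patched before the stub is written to the target. */
#define STUB_LEN      20
#define OFF_LOADLIB    1   /* imm32 of "mov eax, LoadLibraryA"              */
#define OFF_DLLNAME    6   /* imm32 of "mov ebx, <path inside remote alloc>" */
#define OFF_LOOPTGT   14   /* imm32 of "mov ecx, <address of jmp ecx>"       */
#define OFF_LOOP      18   /* the "jmp ecx" itself: where the thread parks   */

static const uint8_t stub_template[STUB_LEN] = {
    0xB8, 0, 0, 0, 0,   /* mov eax, imm32 */
    0xBB, 0, 0, 0, 0,   /* mov ebx, imm32 */
    0x53,               /* push ebx       */
    0xFF, 0xD0,         /* call eax       */
    0xB9, 0, 0, 0, 0,   /* mov ecx, imm32 */
    0xFF, 0xE1,         /* jmp ecx        */
};

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Assemble stub + NUL-terminated path into buf, patching every immediate to an
   absolute address inside the allocation that will start at remote_base.
   Returns the byte count to hand to WriteProcessMemory, or 0 on error. */
size_t build_stub(uint8_t *buf, size_t cap, uint32_t load_library_a,
                  uint32_t remote_base, const char *dll_path)
{
    size_t path_len = strlen(dll_path) + 1;
    size_t total = STUB_LEN + path_len;
    if (total > cap || total > 0xFFFFFFFFu - remote_base)
        return 0;
    memcpy(buf, stub_template, STUB_LEN);
    memcpy(buf + STUB_LEN, dll_path, path_len);
    put_le32(buf + OFF_LOADLIB, load_library_a);
    put_le32(buf + OFF_DLLNAME, remote_base + STUB_LEN);  /* path follows the code */
    put_le32(buf + OFF_LOOPTGT, remote_base + OFF_LOOP);  /* jmp ecx jumps to itself */
    return total;
}

/* Decode the immediates back and check they are consistent with remote_base:
   opcodes intact, path pointer lands on a NUL-terminated string inside the
   buffer, loop target is the jmp ecx. Returns 1 if the stub is sane. */
int stub_is_consistent(const uint8_t *buf, size_t len, uint32_t remote_base)
{
    uint32_t name, loop;
    if (len < STUB_LEN + 1)
        return 0;
    if (buf[0] != 0xB8 || buf[5] != 0xBB || buf[10] != 0x53 ||
        buf[11] != 0xFF || buf[12] != 0xD0 || buf[13] != 0xB9 ||
        buf[18] != 0xFF || buf[19] != 0xE1)
        return 0;
    name = get_le32(buf + OFF_DLLNAME);
    loop = get_le32(buf + OFF_LOOPTGT);
    if (name < remote_base + STUB_LEN || name >= remote_base + len)
        return 0;
    if (memchr(buf + (name - remote_base), 0, len - (name - remote_base)) == NULL)
        return 0;
    return loop == remote_base + OFF_LOOP;
}

/* The condition the injector polls for before restoring the old context. */
int thread_parked(uint32_t eip, uint32_t remote_base)
{
    return eip == remote_base + OFF_LOOP;
}

int main(void)
{
    uint8_t buf[256];
    /* constructed values; a real injector takes them from GetProcAddress / VirtualAllocEx */
    const uint32_t load_library_a = 0x7C801D7Bu;
    const uint32_t remote_base    = 0x00420000u;
    size_t n = build_stub(buf, sizeof buf, load_library_a, remote_base, "C:\\hook.dll");
    size_t i;
    printf("%zu bytes to write, consistent=%d\n", n, stub_is_consistent(buf, n, remote_base));
    for (i = 0; i < n; i++)
        printf("%02X%s", buf[i], (i + 1) % 16 ? " " : "\n");
    printf("\nwait for EIP == 0x%08X\n", remote_base + OFF_LOOP);
    return 0;
}
```

Keeping the immediates as buffer offsets until the remote base is known, then adding the base once, is what makes the stub position-independent at build time; the decode step catches the classic mistake of patching the path pointer with the local buffer address instead of the remote one.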