我已经为检测工程目的在C中创建了一个进程DLL注入器,它似乎对我在shell中生成的测试进程很有用(也许是因为它们在同一路径中,或者是带有非shell和printf的东西),但是每当我在随机进程上对其进行测试时,它都会在CreateRemoteThread步骤中使该进程崩溃,从而想知道是否有人可以帮助您。
这是我使用的命令(如果有帮助的话)(重击): ./ProcessInjector.exe [PID] C:\ Users \ wsam \ Documents \ Process-Injection \ bad_dll.dll
编辑:我注意到,如果我取出bad_dll.dll中的所有代码,而循环则成功创建线程并且不会使进程崩溃,为什么?
ProcessInjector.c
#include <windows.h>
#include <string.h>
#include <stdio.h>
#include <tlhelp32.h>
int main(int argc, char* argv[]){
char dllPath[MAX_PATH];
strcpy(dllPath, argv[2]);
printf("Victim PID : %s\n", argv[1]);
// use full or relative path
printf("DLL to inject : %s\n", argv[2]);
// get Handle from proc id
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, atoi(argv[1]));
if (hProcess == NULL) {
printf("[---] Failed to open process %s.\n", argv[1]);
return 1;
}
printf("Press Enter to attempt DLL injection.");
getchar();
// Allocate memory for DLL's path
LPVOID dllPathAlloc = VirtualAllocEx(hProcess, NULL, strlen(dllPath), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if(dllPathAlloc == NULL){
printf("[---] VirtualAllocEx unsuccessful.\n");
getchar();
return 1;
}
// Write path to memory
BOOL pathWrote = WriteProcessMemory(hProcess, dllPathAlloc, dllPath, strlen(dllPath), NULL);
if(!pathWrote){
printf("[---] WriteProcessMemory unsuccessful.\n");
getchar();
return 1;
}
// returns pointer to LoadLibrary address, same in every process.
LPVOID loadLibraryAddress = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
if(loadLibraryAddress == NULL){
printf("[---] LoadLibrary not found in process.\n");
getchar();
return 1;
}
// creates remote thread and start mal dll
HANDLE remoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)loadLibraryAddress, dllPathAlloc, 0, NULL);
if(remoteThread == NULL){
printf("[---] CreateRemoteThread unsuccessful.\n");
getchar();
return 1;
}
//Start-Address:kernel32.dll!LoadLibraryA
CloseHandle(hProcess);
return 0;
}
bad_dll.c
#include <windows.h>
#include <stdio.h>
#include <unistd.h>
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved){
FILE * fp;
fp = fopen ("C:\\Users\\wsam\\Documents\\Hacked.txt","w");
fprintf (fp, "Hacked\n");
fclose (fp);
while(1){
printf("HACKED\n");
fflush(stdout);
sleep(1);
}
}
答案 0 :(得分:0)
这是我使用VirtualAllocEx,CreateRemoteThread和LoadLibrary的dll注入器的最基本示例:
#include <iostream>
#include <Windows.h>
#include <TlHelp32.h>
DWORD GetPid(char * targetProcess)
{
HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (snap && snap != INVALID_HANDLE_VALUE)
{
PROCESSENTRY32 pe;
pe.dwSize = sizeof(pe);
if (Process32First(snap, &pe))
{
do
{
if (!_stricmp(pe.szExeFile, targetProcess))
{
CloseHandle(snap);
return pe.th32ProcessID;
}
} while (Process32Next(snap, &pe));
}
}
return 0;
}
int main()
{
char * dllpath = "C:\\Users\\me\\Desktop\\dll.dll";
char * processToInject = "csgo.exe";
long pid = 0;
while (!pid)
{
pid = GetPid(processToInject);
Sleep(10);
}
HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
if (hProc && hProc != INVALID_HANDLE_VALUE)
{
void * loc = VirtualAllocEx(hProc, 0, MAX_PATH, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
WriteProcessMemory(hProc, loc, dllpath, strlen(dllpath) + 1, 0);
HANDLE hThread = CreateRemoteThread(hProc, 0, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, loc, 0, 0);
CloseHandle(hThread);
}
CloseHandle(hProc);
return 0;
}
此代码包括获取路径字符串的空终止符:
strlen(dllpath) + 1
编辑:我注意到是否在循环时取出bad_dll.dll中的所有代码 它成功创建了一个线程并且没有使进程崩溃,为什么 那?
我相信您在DllMain中的无限循环是造成问题的原因,它永远不会返回。当您删除循环中的代码时,编译器正在优化循环,因此不再崩溃。
每个人都说永远不要从DllMain调用CreateThread(),但是数以百万计的人正在这样做而没有任何问题。关注点是关于加载程序死锁,但是我注入DLL已有5年了,并且从未遇到过任何问题,这就是我的经验,而我的信念根源于经验。通过阅读和跟踪this question中的链接,您至少应该意识到可能的问题。
不考虑DLLMain中的所有CRT,我建议您这样做:
DWORD __stdcall hackthread(HMODULE hModule)
{
FILE * fp;
fp = fopen ("C:\\Users\\wsam\\Documents\\Hacked.txt","w");
fprintf (fp, "Hacked\n");
fclose (fp);
while(1){
printf("HACKED\n");
fflush(stdout);
sleep(1);
}
}
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, PVOID lpReserved)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
HANDLE hThread = CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)hackthread, hModule, 0, nullptr);
CloseHandle(hThread);
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
通过这种方式,CreateThread和DllMain都返回99.9999%的时间。
这是基于我的经验的概念证明。