Blizzaaard: Inject Code into Another Process

1.将代码放入DLL中，通过windows hooks将DLL映射到远程进程。
在EXE中显式或隐式调用HookDll.dll中的InjectDll，InjectDll函数调用SetWindowsHookEx。这时，HookDll.dll被映射到目标进程空间，并且通过HookProc监视并处理目标进程的消息。
由于HookDll.dll同时映射到了EXE和远程进程，所以可用通过共享数据区或其它方式进行通信。
以下为HookDll.dll源代码。

#include <windows.h> #include <tchar.h> #include "HookDll.h" //------------------------------------------------------- // 共享数据区 //------------------------------------------------------- #pragma data_seg (".shared") HWND g_hWnd = 0; // 远程进程的窗口(包含其它控件)句柄 HHOOK g_hHook = 0; UINT WM_HOOKSPY = 0; #pragma data_seg () #pragma comment(linker,"/SECTION:.shared,RWS") //------------------------------------------------------- // 全局变量 (不能共享!) //------------------------------------------------------- HINSTANCE hDll; //------------------------------------------------------- // DllMain //------------------------------------------------------- BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { hDll = (HINSTANCE)hModule; return TRUE; } //------------------------------------------------------- // HookProc //------------------------------------------------------- LRESULT HookProc(int code, // hook code WPARAM wParam, // virtual-key code LPARAM lParam) // keystroke-message information { if(((CWPSTRUCT*)lParam)->message == WM_HOOKSPY) { // to-do ::UnhookWindowsHookEx(g_hHook); } return ::CallNextHookEx(g_hHook, code, wParam, lParam); } //------------------------------------------------------- // InjectDll //------------------------------------------------------- bool InjectDll(HWND hWnd) // hWnd为远程进程的窗口(包含其它控件)句柄 { g_hWnd = hWnd; g_hHook = SetWindowsHookEx(WH_CALLWNDPROC, (HOOKPROC)HookProc, hDll, GetWindowThreadProcessId(hWnd, NULL)); if(g_hHook == NULL) { return false; } if (WM_HOOKSPY == NULL) { WM_HOOKSPY = ::RegisterWindowMessage("WM_HOOKSPY_RK"); } SendMessage(hWnd, WM_HOOKSPY, 0, 0); return true; }

HookProc与窗口过程的区别？
DLL的物理地址相同？

2.将代码放入EXE中，通过使用CreateRemoteThread和LoadLibrary将DLL映射到远程进程。

//----------------------------------------------- // InjectDll //----------------------------------------------- int InjectDll(HANDLE hProcess) { HANDLE hThread; char szLibPath [_MAX_PATH]; void* pLibRemote = 0; // address of szLibPath in the remote process DWORD hLibModule = 0; // base address of loaded module (==HMODULE); HMODULE hKernel32 = ::GetModuleHandle("Kernel32"); // Get full path of "LibSpy.dll" if(!GetModuleFileName(hInst, szLibPath, _MAX_PATH)) { return false; } strcpy( strstr(szLibPath,".exe"),".dll" ); // 1. Allocate memory in the remote process for szLibPath // 2. Write szLibPath to the allocated memory pLibRemote = ::VirtualAllocEx(hProcess, NULL, sizeof(szLibPath), MEM_COMMIT, PAGE_READWRITE ); if(pLibRemote == NULL) { return false; } ::WriteProcessMemory(hProcess, pLibRemote, (void*)szLibPath, sizeof(szLibPath), NULL); // Load "LibSpy.dll" into the remote process // (via CreateRemoteThread & LoadLibrary) hThread = ::CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)::GetProcAddress( hKernel32, "LoadLibraryA"), pLibRemote, 0, NULL); if(hThread == NULL) { goto JUMP; } ::WaitForSingleObject(hThread, INFINITE); // Get handle of loaded module ::GetExitCodeThread(hThread, &hLibModule); ::CloseHandle(hThread); JUMP: ::VirtualFreeEx(hProcess, pLibRemote, sizeof(szLibPath), MEM_RELEASE); if( hLibModule == NULL ) { return false; } // Unload "LibSpy.dll" from the remote process // (via CreateRemoteThread & FreeLibrary) hThread = ::CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)::GetProcAddress( hKernel32,"FreeLibrary"), (void*)hLibModule, 0, NULL); if(hThread == NULL) // failed to unload { return false; } ::WaitForSingleObject(hThread, INFINITE); ::GetExitCodeThread(hThread, &hLibModule); ::CloseHandle(hThread); // return value of remote FreeLibrary (=nonzero on success) return hLibModule; }

Blizzaaard

Tuesday, September 16, 2008

Inject Code into Another Process

No comments:

About Me

Links

Blog Archive

Labels