在基於黑客軟體、防毒軟體、系統套用軟體開發過程中,需要使用一種方式:將外部DLL通過執行緒形式注入到其他進程中。這樣的過程就叫注入執行緒或者叫執行緒注入。首先在當前所有運行的進程中找到目標進程,然後將我們的dll的內容寫入目標進程的私有空間中,最後通過關鍵的API:CreateRemoteThread創建執行緒。該執行緒只執行一個任務:loadlibrary載入我們的dll。
首先你需要編寫一個待注入的DLL檔案,假如是d.dll.
以下示例是Delphi代碼。
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls,tlhelp32;
type
TForm1 = class(TForm)
Button3: TButton;
Edit1: TEdit;
Label1: TLabel;
procedure Button3Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
var
Form1: TForm1;
implementation
{$R *.dfm}
{ 列舉進程 }
procedure GetMyProcessID(const AFilename: string; const PathMatch: Boolean; var ProcessID: DWORD);
var
tpe: TProcessEntry32;
SsHandle: Thandle;
FoundAProc, FoundOK: boolean;
begin
ProcessID :=0;
{ 創建系統快照 }
SsHandle := CreateToolHelp32SnapShot(TH32CS_SnapProcess, 0);
{ 取得快照中的第一個進程 }
{ 一定要設定結構的大小,否則將返回False }
tpe.dwSize := sizeof(TProcessEntry32);
FoundAProc := Process32First(Sshandle, tpe);
while FoundAProc do
begin
{ 進行匹配 }
if PathMatch then
FoundOK := AnsiStricomp(tpe.szExefile, PChar(AFilename)) = 0
else
FoundOK := AnsiStricomp(PChar(ExtractFilename(tpe.szExefile)), PChar(ExtractFilename(AFilename))) = 0;
if FoundOK then
begin
ProcessID := tpe . th32ProcessID;
break;
end;
{ 未找到,繼續下一個進程 }
FoundAProc := Process32Next(SsHandle, tpe);
end;
CloseHandle(SsHandle);
end;
{ 設定許可權 }
function EnabledDebugPrivilege(const Enabled : Boolean) : Boolean;
var
hTk : THandle; { 打開令牌句柄 }
rtnTemp : Dword; { 調整許可權時返回的值 }
TokenPri : TOKEN_PRIVILEGES;
const
SE_DEBUG = 'SeDebugPrivilege'; { 查詢值 }
begin
Result := False;
{ 獲取進程令牌句柄,設定許可權 }
if (OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,hTk)) then
begin
TokenPri.PrivilegeCount := 1;
{ 獲取Luid值 }
LookupPrivilegeValue(nil,SE_DEBUG,TokenPri.Privileges[0].Luid);
if Enabled then
TokenPri.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
else
TokenPri.Privileges[0].Attributes := 0;
rtnTemp := 0;
{ 設定新的許可權 }
AdjustTokenPrivileges(hTk,False,TokenPri,sizeof(TokenPri),nil,rtnTemp);
Result := GetLastError = ERROR_SUCCESS;
CloseHandle(hTk);
end;
end;
{ 注入遠程進程 }
function InjectTo(const Host, Guest: string; const PID: DWORD = 0): DWORD;
var
{ 被注入的進程句柄,進程ID}
hRemoteProcess: THandle;
dwRemoteProcessId: DWORD;
{ 寫入遠程進程的內容大小 }
memSize: DWORD;
{ 寫入到遠程進程後的地址 }
pszLibFileRemote: Pointer;
iReturnCode: Boolean;
TempVar: DWORD;
{ 指向函式LoadLibraryW的地址 }
pfnStartAddr: TFNThreadStartRoutine;
{ dll全路徑,需要寫到遠程進程的記憶體中去 }
pszLibAFilename: PwideChar;
begin
Result := 0;
{ 設定許可權 }
EnabledDebugPrivilege(True);
{ 為注入的dll檔案路徑分配記憶體大小,由於為WideChar,故要乘2 }
Getmem(pszLibAFilename, Length(Guest) * 2 + 1);
StringToWideChar(Guest, pszLibAFilename, Length(Guest) * 2 + 1);
{ 獲取進程ID }
if PID > 0 then
dwRemoteProcessID := PID
else
GetMyProcessID(Host, False, dwRemoteProcessID);
{ 取得遠程進程句柄,具有寫入許可權}
if(dwRemoteProcessID<=0 ) then begin
ShowMessage('沒找到進程');
exit;
end;
hRemoteProcess := OpenProcess(PROCESS_CREATE_THREAD + {允許遠程創建執行緒}
PROCESS_VM_OPERATION + {允許遠程VM操作}
PROCESS_VM_WRITE, {允許遠程VM寫}
FALSE, dwRemoteProcessId);
{ 用函式VirtualAllocex在遠程進程分配空間,並用WriteProcessMemory中寫入dll路徑 }
memSize := (1 + lstrlenW(pszLibAFilename)) * sizeof(WCHAR);
pszLibFileRemote := PWIDESTRING(VirtualAllocEx(hRemoteProcess, nil, memSize, MEM_COMMIT, PAGE_READWRITE));
TempVar := 0;
iReturnCode := WriteProcessMemory(hRemoteProcess, pszLibFileRemote, pszLibAFilename, memSize, TempVar);
if iReturnCode then
begin
pfnStartAddr := GetProcAddress(GetModuleHandle('Kernel32'), 'LoadLibraryW');
TempVar := 0;
{ 在遠程進程中啟動dll }
Result := CreateRemoteThread(hRemoteProcess, nil, 0, pfnStartAddr, pszLibFileRemote, 0, TempVar);
end;
{ 釋放記憶體空間 }
Freemem(pszLibAFilename);
end;
{ 測試 }
procedure TForm1.Button3Click(Sender: TObject);
begin
InjectTo(edit1.Text, extractfilepath(paramstr(0))+'d.dll');
end;
end.
