Windows提供了一个机制使得你可以在另外一个进程的地址空间内启动线程,简称远线程。如果在另外一个进程的地址空间内启动远线程,并让这个线程调用LoadLibrary,自然就可以注入我们想要的模块了。
XP以下使用代码:
// Remote-thread DLL injection: opens the process identified by dwProcessId,
// copies the string pszDllName into that process's address space, and starts
// a thread there whose start routine is kernel32!LoadLibraryA and whose
// argument is the copied string.
// Parameters: pszDllName  - DLL name/path passed to the remote thread.
//             dwProcessId - PID of the process to open.
// Returns FALSE when OpenProcess or CreateRemoteThread fails, TRUE otherwise.
// The remote thread is not waited on, so TRUE means only that the thread was
// created, not that the library actually loaded.
// Defender note: the OpenProcess(PROCESS_VM_WRITE|PROCESS_CREATE_THREAD|
// PROCESS_VM_OPERATION) -> VirtualAllocEx -> WriteProcessMemory ->
// CreateRemoteThread sequence below is the textbook cross-process injection
// chain that endpoint telemetry and detection rules key on; handle-rights
// requests and remote thread creation are the visible events.
BOOL WINAPI RemoteLoadLibrary(LPCTSTR pszDllName, DWORD dwProcessId)
{
// Open the target process with only the rights the later calls need.
HANDLE hProcess = ::OpenProcess(
PROCESS_VM_WRITE|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION, FALSE, dwProcessId);
if(hProcess == NULL)
returnFALSE;
// Allocate space in the target for pszDllName; it becomes the remote thread's
// parameter. cbSize is computed from lstrlen()+1, i.e. in characters.
// Neither the VirtualAllocEx result nor the WriteProcessMemory result is
// checked, and hProcess is not closed if either of them fails.
intcbSize = (::lstrlen(pszDllName) +1);
LPVOID lpRemoteDllName = ::VirtualAllocEx(hProcess, NULL, cbSize, MEM_COMMIT, PAGE_READWRITE);
::WriteProcessMemory(hProcess, lpRemoteDllName, pszDllName, cbSize, NULL);
// Resolve LoadLibraryA in *this* process's kernel32 and reuse that address as
// the start routine in the target process; this relies on kernel32 being
// mapped at the same base in both processes (not verified here).
HMODULE hModule=::GetModuleHandle (_T("kernel32.dll"));
LPTHREAD_START_ROUTINE pfnStartRoutine =
(LPTHREAD_START_ROUTINE)::GetProcAddress(hModule,"LoadLibraryA");
// Start the remote thread; a NULL pfnStartRoutine is not checked beforehand.
HANDLE hRemoteThread = ::CreateRemoteThread(hProcess, NULL,0, pfnStartRoutine, lpRemoteDllName,0, NULL);
if(hRemoteThread == NULL)
{
::CloseHandle(hProcess);
returnFALSE;
}
// Only the handles are released; the remote buffer is left allocated.
::CloseHandle(hRemoteThread);
::CloseHandle(hProcess);
returnTRUE;
}
这段代码在vista,win7下不能成功,需要改进。