程序运行的容器是进程,真正活动的是其中的线程。因此,改变目标程序执行流程的通常做法是:修改线程的 EIP、创建新线程,或修改目标进程内的某些代码,使其执行 LoadLibrary(Ex) 来加载目标 DLL。
CreateRemoteThread 法
这是最经典、使用范围也最广的方法。其基本思路是:在目标进程中申请一块内存并向其中写入 DLL 路径,然后调用 CreateRemoteThread 在目标进程中创建一个线程,线程函数的地址就是 LoadLibraryA(W),参数就是存放 DLL 路径的内存指针。这需要对目标进程持有 4 项访问权限(在 Windows 7 中需要更多的权限),分别是 PROCESS_CREATE_THREAD、PROCESS_QUERY_INFORMATION、PROCESS_VM_OPERATION 和 PROCESS_VM_WRITE。

dll注入.asm
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Win32 assembly: remote DLL injection via CreateRemoteThread
; by CarveStone
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; dll注入.asm
; Original header text: "32-bit or 64-bit DLL injection".
; NOTE(review): this file is assembled as 32-bit code (.386 / .model flat),
; so the CreateRemoteThread path below can only act on targets of the same
; bitness; nothing in this file supports the 64-bit half of that claim.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Build with nmake, or with the following commands:
; ml /c /coff dll注入.asm
; rc dll注入.rc
; Link /subsystem:windows dll注入.obj dll注入.res
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Reviewer context (defensive): the call sequence in RemoteInjectModule --
; OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
; with LoadLibraryA as the thread start address -- is the textbook
; cross-process injection pattern. It is what Sysmon Event ID 8
; (CreateRemoteThread) and common EDR process-injection rules are written
; to surface, and OpenProcess with these rights is denied for targets the
; caller lacks access to (higher-integrity or protected processes).
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.386                                    ; 32-bit instruction set
.model flat, stdcall                    ; flat 32-bit model; invoke uses stdcall
option casemap :none                    ; symbol names are case-sensitive
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include files (MASM32 SDK style: .inc prototypes + import libraries)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include windows.inc
include user32.inc                      ; MessageBox, dialog and icon APIs
includelib user32.lib
include kernel32.inc                    ; OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread
includelib kernel32.lib
include comdlg32.inc                    ; GetOpenFileName
includelib comdlg32.lib

; Prototype so invoke can type-check the two DWORD arguments.
RemoteInjectModule PROTO :DWORD,:DWORD
; The unload counterpart is declared here only as a comment and is never
; implemented; the IDC_UNLOADING branch in _ProcDlgMain is an empty stub.
;RemoteUnloadModule PROTO :DWORD,:DWORD
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Equates -- these IDs must agree with the #define values in dll注入.rc
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ICO_MAIN equ 1000h                      ; application icon
DLG_MAIN equ 1                          ; main dialog resource
IDC_DLLPATH equ 2                       ; static text showing the chosen DLL path
IDC_CHOOSEPATH equ 3                    ; "choose DLL" button
IDC_INPUTPID equ 4                      ; PID edit box
IDC_INJECTION equ 5                     ; "inject" button
IDC_UNLOADING equ 6                     ; "unload" button (no handler)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Uninitialised data
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data?
hInstance dd ?                          ; module handle, set in start
pid dd ?                                ; the entered PID -- declared but never referenced in this file
szModule dd ?                           ; pointer to the DLL to inject -- written in _ProcDlgMain, never read
lpDllName dd ?                          ; address of the path buffer allocated inside the target process
szMyDllFull db MAX_PATH dup(?)          ; DLL path handed to RemoteInjectModule (filled by lstrcat in the dialog proc)
lpLoadLibrary dd ?                      ; address of LoadLibraryA as resolved in THIS process
hProcess dd ?                           ; target process handle (global because the "local hProcess" line was commented out)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Initialised data
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data
; Only szErr2 and szFailed are referenced by the code below; the remaining
; strings (szGetModuleHandleA, szFreeLibrary, szErr1, szErr3, szErr4, szErr5,
; szSuccessfully) are defined but unused.
szGetModuleHandleA db 'GetModuleHandleA',0
;szLoadLibraryA db 'LoadLibraryA',0
szFreeLibrary db 'FreeLibrary',0
szErr1 db '进程打开错误',0
szErr2 db '虚拟分配错误',0
szErr3 db '写入进程内存错误',0
szErr4 db '获取进程地址错误',0
szErr5 db '创建远程线程错误',0
szFailed db '注入失败!',0
szSuccessfully db '注入成功!',0
;szDllKernel db 'Kernel32.dll',0
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Constants
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.const
; NOTE(review): OPENFILENAME.lpstrFilter expects alternating
; "description",0,"pattern",0 pairs ended by an extra 0. This is one string
; followed by two zeros, so the pattern half looks empty -- verify in the
; file dialog that the filter behaves as intended.
szDllFileExt db 'dll(*.dll);exe(*.exe);所有文件',0,0
szLoadLibrary db 'LoadLibraryA',0       ; export name looked up with GetProcAddress
szDllKernel db 'Kernel32.dll',0         ; module that exports it
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; RemoteInjectModule(dwProcID, pszModule)
; Writes the DLL path at pszModule into process dwProcID and starts a remote
; thread at LoadLibraryA with that buffer as its argument.
; In:   dwProcID  - target process id (taken from the PID edit box)
;       pszModule - pointer to the DLL path; MAX_PATH bytes are copied from it
;                   regardless of the string length, so the source buffer must
;                   be at least MAX_PATH bytes (szMyDllFull is)
; Out:  eax = 1 unconditionally -- the return value does NOT indicate success;
;       failures are reported through MessageBox only (and only two of them)
; Uses: globals lpLoadLibrary, hProcess, lpDllName; no locals
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
RemoteInjectModule proc dwProcID,pszModule
;local hProcess
        ; Resolve LoadLibraryA in this process. The address is reused inside
        ; the target, which only works when kernel32.dll is mapped at the same
        ; base there (same bitness, same boot); neither GetModuleHandle nor
        ; GetProcAddress is checked, so a NULL here would become a NULL thread
        ; start address later.
        invoke GetModuleHandle,addr szDllKernel
        invoke GetProcAddress,eax,offset szLoadLibrary
        mov lpLoadLibrary,eax
        ; Open the target with the three rights the steps below need.
        ; A denied open is the expected outcome for targets the caller is not
        ; allowed to tamper with.
        invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or \
        PROCESS_VM_WRITE,FALSE,dwProcID
        .if eax                         ; OpenProcess returned a handle
                mov hProcess,eax
                ; Allocate a MAX_PATH-byte read/write buffer in the target
                ; for the DLL path.
                invoke VirtualAllocEx,hProcess,NULL,MAX_PATH,MEM_COMMIT,PAGE_READWRITE
                .if eax                 ; eax = remote buffer address
                        mov lpDllName,eax
                        ; Copy the path into the remote buffer. eax still
                        ; holds the VirtualAllocEx result -- order-sensitive.
                        ; The return value is not checked (szErr3 exists for
                        ; this case but is never used).
                        invoke WriteProcessMemory,hProcess,eax,pszModule,MAX_PATH,NULL
                        ; Start LoadLibraryA(lpDllName) on a new thread in
                        ; the target. The thread handle in eax is closed
                        ; immediately without checking for NULL or waiting;
                        ; the remote buffer is never released with
                        ; VirtualFreeEx, so it stays mapped in the target.
                        invoke CreateRemoteThread,hProcess,NULL,0,lpLoadLibrary,lpDllName,0,NULL
                        invoke CloseHandle,eax
                .else
                        invoke MessageBox,NULL,addr szErr2,NULL,MB_OK
                .endif
                invoke CloseHandle,hProcess
        .else
                ; Reports the generic '注入失败!' rather than szErr1
                ; ('进程打开错误'), which was defined for this case.
                invoke MessageBox,NULL,addr szFailed,NULL,MB_OK
        .endif
        mov eax,1                       ; returned on every path, success or not
        ret
RemoteInjectModule endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; _ProcDlgMain(hWnd, wMsg, wParam, lParam) -- dialog procedure for DLG_MAIN.
; Returns TRUE for the messages it handles, FALSE for everything else.
; "uses ebx edi esi" makes the prologue preserve those callee-saved registers.
; Locals: @szBuffer       - MAX_PATH bytes receiving the chosen file name
;         @stOpenFileName - parameter block for GetOpenFileName
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_ProcDlgMain proc uses ebx edi esi hWnd,wMsg,wParam,lParam
        local @szBuffer[MAX_PATH]:byte
        local @stOpenFileName:OPENFILENAME
        mov eax,wMsg
        .if eax == WM_CLOSE
                invoke EndDialog,hWnd,NULL
        .elseif eax == WM_INITDIALOG
                ; Set the dialog icon; eax carries the LoadIcon result into
                ; SendMessage.
                invoke LoadIcon,hInstance,ICO_MAIN
                invoke SendMessage,hWnd,WM_SETICON,ICON_BIG,eax
        .elseif eax == WM_COMMAND
                mov eax,wParam          ; low word (ax) = control ID
                .if ax == IDC_INJECTION
                        ;*********************************************************************
                        ; Inject: read the PID (unsigned, no success flag --
                        ; an empty or non-numeric box yields 0) and pass it
                        ; with the global path buffer to RemoteInjectModule.
                        invoke GetDlgItemInt,hWnd,IDC_INPUTPID,NULL,FALSE
                        invoke RemoteInjectModule,eax,addr szMyDllFull
                        ;*********************************************************************
                .elseif ax == IDC_UNLOADING
                        ; Not implemented (button is labelled as unavailable).
                .elseif ax == IDC_CHOOSEPATH
                        ;*********************************************************************
                        ; Pick the DLL file path with the common open dialog.
                        invoke RtlZeroMemory,addr @stOpenFileName,sizeof OPENFILENAME
                        invoke RtlZeroMemory,addr @szBuffer,sizeof @szBuffer
                        mov @stOpenFileName.lStructSize,SIZEOF @stOpenFileName
                        mov @stOpenFileName.Flags,OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST
                        push hWnd       ; hwndOwner = hWnd (memory-to-memory via the stack)
                        pop @stOpenFileName.hwndOwner
                        mov @stOpenFileName.lpstrFilter,offset szDllFileExt
                        lea eax,@szBuffer
                        mov @stOpenFileName.lpstrFile,eax
                        mov @stOpenFileName.nMaxFile,MAX_PATH
                        ; Return value not checked: on cancel @szBuffer stays
                        ; zeroed, the path box is cleared and nothing is appended.
                        invoke GetOpenFileName,addr @stOpenFileName
                        invoke SetDlgItemText,hWnd,IDC_DLLPATH,addr @szBuffer
                        ; NOTE(review): stores the address of a stack local in
                        ; a global; it dangles once this proc returns (szModule
                        ; is never read, so it is harmless today).
                        lea eax,@szBuffer
                        mov szModule,eax
                        ;invoke GetCurrentDirectory,MAX_PATH,addr szMyDllFull
                        ; NOTE(review): lstrcat APPENDS and nothing clears
                        ; szMyDllFull between selections, so choosing a second
                        ; file concatenates both paths, unbounded against the
                        ; MAX_PATH buffer.
                        invoke lstrcat,addr szMyDllFull,addr @szBuffer
                        ;**********************************************************************
                .endif
        .else
                mov eax,FALSE           ; message not handled
                ret
        .endif
        mov eax,TRUE
        ret
_ProcDlgMain endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Entry point: run the modal main dialog, then exit.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
start:
        invoke GetModuleHandle,NULL
        mov hInstance,eax
        invoke DialogBoxParam,hInstance,DLG_MAIN,NULL,offset _ProcDlgMain,NULL
        invoke ExitProcess,NULL
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
end start

dll注入.rc
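//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// dll注入.rc -- resource script for the injector dialog (compiled with rc,
// the resulting .res is linked into dll注入.exe by the Makefile).
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
#include <resource.h>
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Control and resource IDs. Each value must match the equ of the same name
// in dll注入.asm (ICO_MAIN 0x1000 == 1000h there).
#define DLG_MAIN 1
#define IDC_DLLPATH 2
#define IDC_CHOOSEPATH 3
#define IDC_INPUTPID 4
#define ICO_MAIN 0x1000
#define IDC_INJECTION 5
#define IDC_UNLOADING 6
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ICO_MAIN ICON "carve.ico"
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
DLG_MAIN DIALOG 50, 50,280, 180
STYLE DS_MODALFRAME | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
CAPTION "DLL注入工具"
FONT 9, "宋体"
{
    // Chosen DLL path is written here by _ProcDlgMain (SetDlgItemText).
    CTEXT         "",               IDC_DLLPATH,    10,  20, 200, 20
    CTEXT         "PID:",           -1,             10,  55,  40, 20
    EDITTEXT      IDC_INPUTPID,                     50,  50,  60, 20
    // Only one control may be the default push button (the one Enter
    // activates); the original declared all three as DEFPUSHBUTTON.
    // "注入" keeps the default; the other two are ordinary buttons.
    PUSHBUTTON    "选中注入的DLL",  IDC_CHOOSEPATH, 160,  45, 100, 30
    DEFPUSHBUTTON "注入",           IDC_INJECTION,   20, 120, 100, 30
    PUSHBUTTON    "卸载(暂不可用)", IDC_UNLOADING,  160, 120, 100, 30
}
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Makefile 写了这个文件后,可以用 nmake 来编译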
# nmake build script for the dll注入 project:
#   ml  (MASM) assembles dll注入.asm -> dll注入.obj
#   rc           compiles dll注入.rc  -> dll注入.res
#   Link         produces dll注入.exe as a /subsystem:windows GUI program

NAME      = dll注入
ML_FLAG   = /c /coff
LINK_FLAG = /subsystem:windows
OBJS      = $(NAME).obj
RES       = $(NAME).res

# Final link: $** expands to every dependent, i.e. the object and the resource.
$(NAME).exe: $(OBJS) $(RES)
	Link $(LINK_FLAG) $**

# Inference rules; $< is the dependent being rebuilt.
.asm.obj:
	ml $(ML_FLAG) $<

.rc.res:
	rc $<

# Remove intermediates only (the .exe is kept).
clean:
	del *.obj
	del *.res

csdn https://download.csdn.net/download/weixin_44018458/12912071
github https://github.com/CarveStone/dll-
