Windows C 中的 DLL 注入器不注入 DLL

Windows DLL injector in C doesn't inject the DLL

我正在尝试编写一个 DLL 注入器,以对计算器进程执行 DLL 注入。

我用 C 编写了 DLL 注入器程序和一个 DLL,但是注入器并没有注入该 DLL,也没有注入任何其他 DLL(我尝试过计算器未使用的随机 Windows DLL)。

#include <stdio.h>
#include <Windows.h>

/*
 * Injector entry point from the question.
 *
 * Sequence: open the target by a hard-coded PID, reserve a buffer in it,
 * copy the DLL path into that buffer, then start a remote thread whose
 * start address is LoadLibraryA and whose argument is the buffer.
 *
 * Each "step N" line is printed before the call it names, and the result
 * of the final CreateRemoteThread() is never examined, so the log shown in
 * the question only proves that OpenProcess, VirtualAllocEx and
 * WriteProcessMemory returned non-NULL/TRUE -- it says nothing about
 * whether the thread ran or the DLL loaded.
 *
 * For defenders: the OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx ->
 * WriteProcessMemory -> CreateRemoteThread chain is the classic
 * remote-thread injection pattern; Sysmon Event ID 8 (CreateRemoteThread)
 * and most EDR user-mode hooks are built to surface exactly this sequence
 * of cross-process calls.
 */
int main() {
    // NOTE(review): in a C string literal every backslash must be written
    // as "\\"; the path is redacted here, so whether the real source had
    // them cannot be told from this listing.
    LPCSTR dllpath = "C:\Users\......\Dll1.dll";
    printf("#### Starting ####\n");

    printf("step 1: attaching the target process memory\n");
    // PROCESS_ALL_ACCESS is far broader than the three calls below require;
    // the PID is a literal taken from a previous run, so it goes stale as
    // soon as the target restarts.
    HANDLE hProcess = OpenProcess( 
        PROCESS_ALL_ACCESS, 
        FALSE, 
        6456 // target process id
    );
    if (hProcess != NULL) {
        printf("step 2: allocate the target memory process\n");
        // strlen() excludes the terminating NUL, so the remote buffer is one
        // byte short of holding a C string; the answer's listing below
        // allocates MAX_PATH and writes strlen + 1 instead.
        // PAGE_EXECUTE_READWRITE is requested although nothing is ever
        // executed from this buffer -- it only holds the path string.
        LPVOID dllPathMemoryAddr = VirtualAllocEx(
            hProcess, 
            NULL, 
            strlen(dllpath), 
            MEM_RESERVE | MEM_COMMIT, 
            PAGE_EXECUTE_READWRITE 
        );
        if (dllPathMemoryAddr != NULL) {
            printf("step 3: write to the process memory\n");
            // Same strlen() without +1: the NUL terminator is not copied,
            // so the remote LoadLibraryA would read past the written bytes.
            BOOL succeededWriting = WriteProcessMemory(
                hProcess, 
                dllPathMemoryAddr,  
                dllpath, 
                strlen(dllpath), 
                NULL 
            );

            if (succeededWriting) {
                printf("step 4: execute.\n");
                // Resolves LoadLibraryA in *this* process. The answer below
                // points out that this address is only meaningful in the
                // target if both processes map kernel32 at the same base,
                // which the question's follow-up (64-bit DLL, 32-bit
                // injector) shows was not the case here.
                FARPROC loadLibAddr = GetProcAddress(
                    GetModuleHandle(TEXT("kernel32.dll")),
                    "LoadLibraryA" 
                );
                // rThread is neither tested against NULL nor closed.
                // Checking it (and GetLastError() on failure) would have
                // shown whether a thread was created at all instead of the
                // log implying success.
                HANDLE rThread = CreateRemoteThread( 
                    hProcess, 
                    NULL, 
                    0, 
                     (LPTHREAD_START_ROUTINE)loadLibAddr,
                    dllPathMemoryAddr,
                    0,
                    NULL
                );
            }
        }
        CloseHandle(hProcess);
    }
    // TRUE is 1, i.e. a non-zero (failure) exit status even on the happy path.
    return TRUE;
}

运行注入器之后,我得到了这个输出:

#### Starting ####
step 1: attaching the target process memory
step 2: allocate the target memory process
step 3: write to the process memory
step 4: execute.

之后,我仍然无法在进程资源管理器中看到新的 DLL。

您正在调用 GetProcAddress() 来获取 LoadLibraryA() 的地址,但这返回的是 LoadLibraryA 在您本地进程中的地址,而不是它在被注入进程中的地址。这不能保证在外部进程中是正确的。您无需手动获取地址,CreateRemoteThread 将为您解析地址。

下面是一个非常简单的注入器示例,说明了如何做到这一点:

#include <iostream>
#include <Windows.h>
#include <TlHelp32.h>

/*
 * Finds the first running process whose image file name matches
 * targetProcess (case-insensitive via _stricmp) by walking a Toolhelp
 * process snapshot.
 *
 * @param targetProcess  executable name to look for, e.g. "csgo.exe";
 *                       szExeFile carries the file name only, so a path
 *                       here would never match.
 * @return th32ProcessID of the first match, or 0 when no process matches,
 *         the snapshot could not be taken, or Process32First fails.
 *
 * The snapshot handle is closed only on the match path: on every "not
 * found" return `snap` leaks, and because main() calls this in a 10 ms
 * polling loop until a match, the leak repeats on each iteration.
 */
DWORD GetPid(char * targetProcess)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap && snap != INVALID_HANDLE_VALUE)
    {
        PROCESSENTRY32 pe;
        // dwSize must be set before Process32First or the call fails.
        pe.dwSize = sizeof(pe);
        if (Process32First(snap, &pe))
        {
            do
            {
                if (!_stricmp(pe.szExeFile, targetProcess))
                {
                    CloseHandle(snap);
                    return pe.th32ProcessID;
                }
            } while (Process32Next(snap, &pe));
        }
    }
    // No CloseHandle(snap) on this path.
    return 0;
}

/*
 * Injector entry point from the answer. Polls until a process named
 * processToInject exists, then performs the same remote-thread injection
 * as the question's code but with two differences the answer relies on:
 * the buffer is MAX_PATH bytes and the write includes the NUL terminator
 * (strlen + 1), and the thread start address is the LoadLibraryA symbol
 * from this process's own import of kernel32 rather than a GetProcAddress
 * result.
 *
 * NOTE(review): that is still a local address. It works in practice when
 * the injector and the target map kernel32 at the same base, which is the
 * normal case for two processes of the same bitness on the same boot --
 * and is the assumption the question's 32-bit/64-bit mismatch broke.
 * For defenders, the observable behaviour is unchanged from the question's
 * listing: a cross-process OpenProcess/VirtualAllocEx/WriteProcessMemory/
 * CreateRemoteThread sequence.
 */
int main()
{
    // Assigning string literals to non-const char* is deprecated C++;
    // MSVC accepts it, and the same backslash-escaping caveat applies.
    char * dllpath = "C:\Users\me\Desktop\dll.dll";
    char * processToInject = "csgo.exe";
    // GetPid returns DWORD; storing it in a signed long works for real PIDs
    // but mixes signedness.
    long pid = 0;
    // Busy-waits (10 ms between snapshots) until the target appears.
    while (!pid)
    {
        pid = GetPid(processToInject);
        Sleep(10);
    }

    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
    if (hProc && hProc != INVALID_HANDLE_VALUE)
    {
            // loc is not NULL-checked; WriteProcessMemory's result is
            // ignored. strlen(dllpath) + 1 must fit in MAX_PATH for the
            // write not to exceed the allocation (true for this path).
            void * loc = VirtualAllocEx(hProc, 0, MAX_PATH, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
            WriteProcessMemory(hProc, loc, dllpath, strlen(dllpath) + 1, 0);       
            // hThread may be NULL; CloseHandle(NULL) simply fails quietly,
            // so a failed CreateRemoteThread goes unreported here too.
            HANDLE hThread = CreateRemoteThread(hProc, 0, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, loc, 0, 0);
            CloseHandle(hThread);
    }

    // Reached even when OpenProcess returned NULL (harmless, but unchecked).
    CloseHandle(hProc);
    return 0;
}

我发现了问题:我把 DLL 编译为 64 位,却不小心把 DLL 注入器编译为了 32 位。