C++로 작성한 DLL Injector.
Eject 기능은 없습니다.
사용법은 소스에 있듯이 "DLLInjector.exe [Target] [DLL]" 입니다.
인젝션 및 후킹 공부 진행하면서 작성하였습니다.
CreateRemoteThread를 이용해 LoadLibraryA 함수를 실행하게 하여 DLL을 삽입합니다.
디버깅 편의상 gle를 자주 출력하도록 해 두었습니다.
삽입할 DLL 내부에서 Thread를 돌리게 했더니 에러가 나기도 하더군요...
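#include <stdio.h>
#include <Windows.h>
#include <TlHelp32.h>

/* Sentinel returned by findPID() when no process matches.
 * PID 0 is a real (idle) process, so it cannot be used as "not found". */
#define PID_NOT_FOUND 0xFFFFFFFF

DWORD findPID(LPCTSTR szProcessName);
BOOL injectDLL(DWORD dwPID, LPCTSTR szDLLName);

/*
 * Entry point: DLLInjector.exe [Target] [DLL]
 *   argv[1] - image name of the target process (compared case-insensitively)
 *   argv[2] - path of the DLL to load, as the *target* will resolve it
 * Returns 0 on success, 1 on bad usage or any failure.
 * Built as an ANSI (non-UNICODE) program: argv is char* and is passed
 * straight through as LPCTSTR.
 */
int main(int argc, char *argv[])
{
    if (argc != 3) {
        printf("[*] Usage : %s [Target] [DLL]", argv[0]);
        return 1;
    }

    DWORD pid = findPID(argv[1]);
    if (pid == PID_NOT_FOUND) {
        printf("[*] Process not found\n");
        return 1;
    }
    /* DWORD is unsigned long on Windows; %lu keeps the format/argument types matched. */
    printf("[*] pid : %lu\n", (unsigned long)pid);

    if (!injectDLL(pid, argv[2])) {
        printf("[*] Injection Failed\n");
        return 1;
    }
    printf("[*] Injection Successed\n");
    return 0;
}

/*
 * Look up a process id by executable name via a Toolhelp snapshot.
 * Returns the PID of the first process whose szExeFile matches
 * szProcessName case-insensitively, or PID_NOT_FOUND if none matches or
 * the snapshot cannot be taken. If several processes share the name,
 * the first one enumerated wins.
 */
DWORD findPID(LPCTSTR szProcessName)
{
    DWORD dwPID = PID_NOT_FOUND;
    PROCESSENTRY32 pe = {0};
    pe.dwSize = sizeof pe; /* Toolhelp rejects the call if dwSize is not set. */

    /* Only the process list is walked, so TH32CS_SNAPPROCESS is sufficient
     * (TH32CS_SNAPALL also captured heaps, modules and threads for nothing). */
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        printf("[*] CreateToolhelp32Snapshot Error (gle : %lu)\n",
               (unsigned long)GetLastError());
        return PID_NOT_FOUND;
    }

    /* The original code ignored Process32First's result and then read an
     * unfilled PROCESSENTRY32; only walk the list when the first entry is valid. */
    if (Process32First(hSnapshot, &pe)) {
        do {
            if (_stricmp(szProcessName, pe.szExeFile) == 0) {
                dwPID = pe.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnapshot, &pe));
    }

    CloseHandle(hSnapshot);
    return dwPID;
}

/*
 * Load szDLLName into process dwPID by writing the path into the target and
 * starting a remote thread at kernel32!LoadLibraryA with that buffer as its
 * argument.
 *
 * Returns TRUE when the remote thread was created and has finished; it does
 * NOT confirm that the DLL actually loaded (LoadLibraryA may have returned
 * NULL inside the target). Returns FALSE on any API failure, printing the
 * failing call and its GetLastError() value. GetLastError() is only
 * meaningful immediately after a failed call, so it is printed only there
 * rather than after every step.
 *
 * All handles opened here are closed on every exit path. The remote buffer
 * is left allocated in the target, as in the original.
 *
 * Note for defenders: the OpenProcess -> VirtualAllocEx -> WriteProcessMemory
 * -> CreateRemoteThread(LoadLibraryA) sequence is the canonical remote-thread
 * injection pattern and is the telemetry most endpoint monitoring keys on.
 */
BOOL injectDLL(DWORD dwPID, LPCTSTR szDLLName)
{
    BOOL ok = FALSE;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    HMODULE hMod = NULL;
    LPVOID pRemoteBuf = NULL;
    LPTHREAD_START_ROUTINE pThreadProc = NULL;
    /* Bytes to copy: the path plus its terminator. LoadLibraryA reads a
     * NUL-terminated ANSI string, so this only holds for a non-UNICODE build. */
    SIZE_T dwBufSize = (SIZE_T)lstrlen(szDLLName) + 1;

    /* OpenProcess reports failure with NULL, not INVALID_HANDLE_VALUE.
     * PROCESS_ALL_ACCESS is broader than this function needs; the operations
     * below require only thread-creation, query and VM operation/write rights. */
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
    if (hProcess == NULL) {
        printf("[*] OpenProcess Error (gle : %lu)\n", (unsigned long)GetLastError());
        goto out;
    }

    /* VirtualAllocEx returns NULL on failure; comparing against
     * INVALID_HANDLE_VALUE never detected an error. */
    pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE);
    if (pRemoteBuf == NULL) {
        printf("[*] VirtualAllocEx Error (gle : %lu)\n", (unsigned long)GetLastError());
        goto out;
    }

    /* The write was previously unchecked; a failed copy would have handed
     * LoadLibraryA an uninitialized buffer. */
    if (!WriteProcessMemory(hProcess, pRemoteBuf, szDLLName, dwBufSize, NULL)) {
        printf("[*] WriteProcessMemory Error (gle : %lu)\n", (unsigned long)GetLastError());
        goto out;
    }

    /* Explicit A-suffix: the module name literal is narrow regardless of
     * the UNICODE setting. */
    hMod = GetModuleHandleA("kernel32.dll");
    if (hMod == NULL) {
        printf("[*] GetModuleHandle Error (gle : %lu)\n", (unsigned long)GetLastError());
        goto out;
    }

    /* GetProcAddress returns NULL on failure, not INVALID_HANDLE_VALUE. */
    pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hMod, "LoadLibraryA");
    if (pThreadProc == NULL) {
        printf("[*] GetProcAddress Error (gle : %lu)\n", (unsigned long)GetLastError());
        goto out;
    }

    /* CreateRemoteThread returns NULL on failure, not INVALID_HANDLE_VALUE. */
    hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, pRemoteBuf, 0, NULL);
    if (hThread == NULL) {
        printf("[*] CreateRemoteThread Error (gle : %lu)\n", (unsigned long)GetLastError());
        goto out;
    }

    /* Block until LoadLibraryA has returned in the target before tearing down. */
    WaitForSingleObject(hThread, INFINITE);
    ok = TRUE;

out:
    /* Single cleanup path: the original returned early and leaked hProcess
     * whenever a later step failed. */
    if (hThread != NULL) {
        CloseHandle(hThread);
    }
    if (hProcess != NULL) {
        CloseHandle(hProcess);
    }
    return ok;
}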