eWuYong
近日学习DLL注入，已通过CreateRemoteThread与LoadLibraryW成功完成DLL注入；想通过如下代码使进程释放该DLL，但未获成功，请高手指点！
{ 取得远程进程句柄,具有写入权限}
hRemoteProcess := OpenProcess(PROCESS_CREATE_THREAD + {允许远程创建线程}
PROCESS_VM_OPERATION + {允许远程VM操作}
PROCESS_VM_WRITE, {允许远程VM写}
FALSE, dwRemoteProcessId);
{ 为注入的dll文件路径分配内存大小,由于为WideChar,故要乘2 }
Getmem(pszLibAFilename, Length(Guest) * 2 + 1);
StringToWideChar(Guest, pszLibAFilename, Length(Guest) * 2 + 1);
//用函数VirtualAllocex在远程进程分配空间
memSize := (1 + lstrlenW(pszLibAFilename)) * sizeof(WCHAR);
pszLibFileRemote := PWIDESTRING(VirtualAllocEx(hRemoteProcess, nil, memSize, MEM_COMMIT, PAGE_READWRITE));
//并用WriteProcessMemory中写入dll路径
TempVar := 0;
iReturnCode := WriteProcessMemory(hRemoteProcess, pszLibFileRemote, pszLibAFilename, memSize, TempVar);
if iReturnCode then
begin
pfnStartAddr := GetProcAddress(GetModuleHandle('Kernel32'), 'GetModuleHandleW');
TempVar := 0;
Result := CreateRemoteThread(hRemoteProcess, nil, 0, pfnStartAddr, pszLibFileRemote, 0, TempVar);
// 等待GetModuleHandleW加载完毕
WaitForSingleObject( Result, INFINITE );
// 获得GetModuleHandle的返回值
GetExitCodeThread(Result, TempVar);
ShowMessage('成功:$'+IntToHex(TempVar,8));
// 释放目标进程中申请的空间
VirtualFreeEx( hRemoteProcess, pszLibFileRemote, memSize, MEM_DECOMMIT);
GetMem(dllhandle,SizeOf(THandle));
dllhandle^ := TempVar;
// DLLData^.myHandle := TempVar;
memSize := SizeOf(THandle);
pszLibFileRemote := PHandle(VirtualAllocEx(hRemoteProcess, nil, memSize, MEM_COMMIT, PAGE_READWRITE));
//并用WriteProcessMemory中写入dll的Handle
TempVar := 0;
iReturnCode := WriteProcessMemory(hRemoteProcess, pszLibFileRemote, dllhandle, memSize, TempVar);
if iReturnCode then
begin
//使目标进程调用FreeLibrary,卸载DLL
pfnStartAddr := GetProcAddress(GetModuleHandle('Kernel32'), 'FreeLibrary');
TempVar := 0;
Result := CreateRemoteThread(hRemoteProcess, nil, 0, pfnStartAddr, pszLibFileRemote, 0, TempVar);
//等待FreeLibrary卸载完毕
WaitForSingleObject( Result, INFINITE);
// 获得GetModuleHandle的返回值
GetExitCodeThread( Result, TempVar);
ShowMessage(IntToHex(TempVar,8)); //这里总是0
// 释放目标进程中申请的空间
VirtualFreeEx( hRemoteProcess, pszLibFileRemote, memSize, MEM_DECOMMIT);
end;
Freemem(dllhandle);
CloseHandle( Result );
CloseHandle( hRemoteProcess);
end else begin
CloseHandle( hRemoteProcess);
//失败处理
end;
{ 释放内存空间 }
Freemem(pszLibAFilename);
{ 取得远程进程句柄,具有写入权限}
hRemoteProcess := OpenProcess(PROCESS_CREATE_THREAD + {允许远程创建线程}
PROCESS_VM_OPERATION + {允许远程VM操作}
PROCESS_VM_WRITE, {允许远程VM写}
FALSE, dwRemoteProcessId);
{ 为注入的dll文件路径分配内存大小,由于为WideChar,故要乘2 }
Getmem(pszLibAFilename, Length(Guest) * 2 + 1);
StringToWideChar(Guest, pszLibAFilename, Length(Guest) * 2 + 1);
//用函数VirtualAllocex在远程进程分配空间
memSize := (1 + lstrlenW(pszLibAFilename)) * sizeof(WCHAR);
pszLibFileRemote := PWIDESTRING(VirtualAllocEx(hRemoteProcess, nil, memSize, MEM_COMMIT, PAGE_READWRITE));
//并用WriteProcessMemory中写入dll路径
TempVar := 0;
iReturnCode := WriteProcessMemory(hRemoteProcess, pszLibFileRemote, pszLibAFilename, memSize, TempVar);
if iReturnCode then
begin
pfnStartAddr := GetProcAddress(GetModuleHandle('Kernel32'), 'GetModuleHandleW');
TempVar := 0;
Result := CreateRemoteThread(hRemoteProcess, nil, 0, pfnStartAddr, pszLibFileRemote, 0, TempVar);
// 等待GetModuleHandleW加载完毕
WaitForSingleObject( Result, INFINITE );
// 获得GetModuleHandle的返回值
GetExitCodeThread(Result, TempVar);
ShowMessage('成功:$'+IntToHex(TempVar,8));
// 释放目标进程中申请的空间
VirtualFreeEx( hRemoteProcess, pszLibFileRemote, memSize, MEM_DECOMMIT);
GetMem(dllhandle,SizeOf(THandle));
dllhandle^ := TempVar;
// DLLData^.myHandle := TempVar;
memSize := SizeOf(THandle);
pszLibFileRemote := PHandle(VirtualAllocEx(hRemoteProcess, nil, memSize, MEM_COMMIT, PAGE_READWRITE));
//并用WriteProcessMemory中写入dll的Handle
TempVar := 0;
iReturnCode := WriteProcessMemory(hRemoteProcess, pszLibFileRemote, dllhandle, memSize, TempVar);
if iReturnCode then
begin
//使目标进程调用FreeLibrary,卸载DLL
pfnStartAddr := GetProcAddress(GetModuleHandle('Kernel32'), 'FreeLibrary');
TempVar := 0;
Result := CreateRemoteThread(hRemoteProcess, nil, 0, pfnStartAddr, pszLibFileRemote, 0, TempVar);
//等待FreeLibrary卸载完毕
WaitForSingleObject( Result, INFINITE);
// 获得GetModuleHandle的返回值
GetExitCodeThread( Result, TempVar);
ShowMessage(IntToHex(TempVar,8)); //这里总是0
// 释放目标进程中申请的空间
VirtualFreeEx( hRemoteProcess, pszLibFileRemote, memSize, MEM_DECOMMIT);
end;
Freemem(dllhandle);
CloseHandle( Result );
CloseHandle( hRemoteProcess);
end else begin
CloseHandle( hRemoteProcess);
//失败处理
end;
{ 释放内存空间 }
Freemem(pszLibAFilename);