“注入线程”的意思、由来-中文百科全书

首先你需要编写一个待注入的DLL文件，假如是d.dll.

以下示例是Delphi代码。

unit Unit1;

interface

uses

Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,

Dialogs, StdCtrls,tlhelp32;

type

TForm1 = class(TForm)

Button3: TButton;

Edit1: TEdit;

Label1: TLabel;

procedure Button3Click(Sender: TObject);

private

{ Private declarations }

public

{ Public declarations }

end;

var

Form1: TForm1;

implementation

{$R *.dfm}

{ 列举进程 }

procedure GetMyProcessID(const AFilename: string; const PathMatch: Boolean; var ProcessID: DWORD);

var

tpe: TProcessEntry32;

SsHandle: Thandle;

FoundAProc, FoundOK: boolean;

begin

ProcessID :=0;

{ 创建系统快照 }

SsHandle := CreateToolHelp32SnapShot(TH32CS_SnapProcess, 0);

{ 取得快照中的第一个进程 }

{ 一定要设置结构的大小,否则将返回False }

tpe.dwSize := sizeof(TProcessEntry32);

FoundAProc := Process32First(Sshandle, tpe);

while FoundAProc do

begin

{ 进行匹配 }

if PathMatch then

FoundOK := AnsiStricomp(tpe.szExefile, PChar(AFilename)) = 0

else

FoundOK := AnsiStricomp(PChar(ExtractFilename(tpe.szExefile)), PChar(ExtractFilename(AFilename))) = 0;

if FoundOK then

begin

ProcessID := tpe . th32ProcessID;

break;

end;

{ 未找到,继续下一个进程 }

FoundAProc := Process32Next(SsHandle, tpe);

end;

CloseHandle(SsHandle);

end;

{ 设置权限 }

function EnabledDebugPrivilege(const Enabled : Boolean) : Boolean;

var

hTk : THandle; { 打开令牌句柄 }

rtnTemp : Dword; { 调整权限时返回的值 }

TokenPri : TOKEN_PRIVILEGES;

const

SE_DEBUG = 'SeDebugPrivilege'; { 查询值 }

begin

Result := False;

{ 获取进程令牌句柄,设置权限 }

if (OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,hTk)) then

begin

TokenPri.PrivilegeCount := 1;

{ 获取Luid值 }

LookupPrivilegeValue(nil,SE_DEBUG,TokenPri.Privileges[0].Luid);

if Enabled then

TokenPri.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED

else

TokenPri.Privileges[0].Attributes := 0;

rtnTemp := 0;

{ 设置新的权限 }

AdjustTokenPrivileges(hTk,False,TokenPri,sizeof(TokenPri),nil,rtnTemp);

Result := GetLastError = ERROR_SUCCESS;

CloseHandle(hTk);

end;

{ 注入远程进程 }

function InjectTo(const Host, Guest: string; const PID: DWORD = 0): DWORD;

var

{ 被注入的进程句柄,进程ID}

hRemoteProcess: THandle;

dwRemoteProcessId: DWORD;

{ 写入远程进程的内容大小 }

memSize: DWORD;

{ 写入到远程进程后的地址 }

pszLibFileRemote: Pointer;

iReturnCode: Boolean;

TempVar: DWORD;

{ 指向函数LoadLibraryW的地址 }

pfnStartAddr: TFNThreadStartRoutine;

{ dll全路径,需要写到远程进程的内存中去 }

pszLibAFilename: PwideChar;

begin

Result := 0;

{ 设置权限 }

EnabledDebugPrivilege(True);

{ 为注入的dll文件路径分配内存大小,由于为WideChar,故要乘2 }

Getmem(pszLibAFilename, Length(Guest) * 2 + 1);

StringToWideChar(Guest, pszLibAFilename, Length(Guest) * 2 + 1);

{ 获取进程ID }

if PID > 0 then

dwRemoteProcessID := PID

else

GetMyProcessID(Host, False, dwRemoteProcessID);

{ 取得远程进程句柄,具有写入权限}

if(dwRemoteProcessID<=0 ) then begin

ShowMessage('没找到进程');

exit;

end;

hRemoteProcess := OpenProcess(PROCESS_CREATE_THREAD + {允许远程创建线程}

PROCESS_VM_OPERATION + {允许远程VM操作}

PROCESS_VM_WRITE, {允许远程VM写}

FALSE, dwRemoteProcessId);

{ 用函数VirtualAllocex在远程进程分配空间,并用WriteProcessMemory中写入dll路径 }

memSize := (1 + lstrlenW(pszLibAFilename)) * sizeof(WCHAR);

pszLibFileRemote := PWIDESTRING(VirtualAllocEx(hRemoteProcess, nil, memSize, MEM_COMMIT, PAGE_READWRITE));

TempVar := 0;

iReturnCode := WriteProcessMemory(hRemoteProcess, pszLibFileRemote, pszLibAFilename, memSize, TempVar);

if iReturnCode then

begin

pfnStartAddr := GetProcAddress(GetModuleHandle('Kernel32'), 'LoadLibraryW');

TempVar := 0;

{ 在远程进程中启动dll }

Result := CreateRemoteThread(hRemoteProcess, nil, 0, pfnStartAddr, pszLibFileRemote, 0, TempVar);

end;

{ 释放内存空间 }

Freemem(pszLibAFilename);

end;

{ 测试 }

procedure TForm1.Button3Click(Sender: TObject);

begin

InjectTo(edit1.Text, extractfilepath(paramstr(0))+'d.dll');

end;

end.

词条	注入线程
释义	在基于黑客软件、杀毒软件、系统应用软件开发过程中，需要使用一种方式：将外部DLL通过线程形式注入到其他进程中。这样的过程就叫注入线程或者叫线程注入。首先你需要编写一个待注入的DLL文件，假如是d.dll. 以下示例是Delphi代码。 unit Unit1; interface uses Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms, Dialogs, StdCtrls,tlhelp32; type TForm1 = class(TForm) Button3: TButton; Edit1: TEdit; Label1: TLabel; procedure Button3Click(Sender: TObject); private { Private declarations } public { Public declarations } end; var Form1: TForm1; implementation {$R .dfm} { 列举进程 } procedure GetMyProcessID(const AFilename: string; const PathMatch: Boolean; var ProcessID: DWORD); var tpe: TProcessEntry32; SsHandle: Thandle; FoundAProc, FoundOK: boolean; begin ProcessID :=0; { 创建系统快照 } SsHandle := CreateToolHelp32SnapShot(TH32CS_SnapProcess, 0); { 取得快照中的第一个进程 } { 一定要设置结构的大小,否则将返回False } tpe.dwSize := sizeof(TProcessEntry32); FoundAProc := Process32First(Sshandle, tpe); while FoundAProc do begin { 进行匹配 } if PathMatch then FoundOK := AnsiStricomp(tpe.szExefile, PChar(AFilename)) = 0 else FoundOK := AnsiStricomp(PChar(ExtractFilename(tpe.szExefile)), PChar(ExtractFilename(AFilename))) = 0; if FoundOK then begin ProcessID := tpe . th32ProcessID; break; end; { 未找到,继续下一个进程 } FoundAProc := Process32Next(SsHandle, tpe); end; CloseHandle(SsHandle); end; { 设置权限 } function EnabledDebugPrivilege(const Enabled : Boolean) : Boolean; var hTk : THandle; { 打开令牌句柄 } rtnTemp : Dword; { 调整权限时返回的值 } TokenPri : TOKEN_PRIVILEGES; const SE_DEBUG = 'SeDebugPrivilege'; { 查询值 } begin Result := False; { 获取进程令牌句柄,设置权限 } if (OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,hTk)) then begin TokenPri.PrivilegeCount := 1; { 获取Luid值 } LookupPrivilegeValue(nil,SE_DEBUG,TokenPri.Privileges[0].Luid); if Enabled then TokenPri.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED else TokenPri.Privileges[0].Attributes := 0; rtnTemp := 0; { 设置新的权限 } AdjustTokenPrivileges(hTk,False,TokenPri,sizeof(TokenPri),nil,rtnTemp); Result := GetLastError = ERROR_SUCCESS; CloseHandle(hTk); end; end; { 注入远程进程 } function InjectTo(const Host, Guest: string; const PID: DWORD = 0): DWORD; var { 被注入的进程句柄,进程ID} hRemoteProcess: THandle; dwRemoteProcessId: DWORD; { 写入远程进程的内容大小 } memSize: DWORD; { 写入到远程进程后的地址 } pszLibFileRemote: Pointer; iReturnCode: Boolean; TempVar: DWORD; { 指向函数LoadLibraryW的地址 } pfnStartAddr: TFNThreadStartRoutine; { dll全路径,需要写到远程进程的内存中去 } pszLibAFilename: PwideChar; begin Result := 0; { 设置权限 } EnabledDebugPrivilege(True); { 为注入的dll文件路径分配内存大小,由于为WideChar,故要乘2 } Getmem(pszLibAFilename, Length(Guest) 2 + 1); StringToWideChar(Guest, pszLibAFilename, Length(Guest) * 2 + 1); { 获取进程ID } if PID > 0 then dwRemoteProcessID := PID else GetMyProcessID(Host, False, dwRemoteProcessID); { 取得远程进程句柄,具有写入权限} if(dwRemoteProcessID<=0 ) then begin ShowMessage('没找到进程'); exit; end; hRemoteProcess := OpenProcess(PROCESS_CREATE_THREAD + {允许远程创建线程} PROCESS_VM_OPERATION + {允许远程VM操作} PROCESS_VM_WRITE, {允许远程VM写} FALSE, dwRemoteProcessId); { 用函数VirtualAllocex在远程进程分配空间,并用WriteProcessMemory中写入dll路径 } memSize := (1 + lstrlenW(pszLibAFilename)) * sizeof(WCHAR); pszLibFileRemote := PWIDESTRING(VirtualAllocEx(hRemoteProcess, nil, memSize, MEM_COMMIT, PAGE_READWRITE)); TempVar := 0; iReturnCode := WriteProcessMemory(hRemoteProcess, pszLibFileRemote, pszLibAFilename, memSize, TempVar); if iReturnCode then begin pfnStartAddr := GetProcAddress(GetModuleHandle('Kernel32'), 'LoadLibraryW'); TempVar := 0; { 在远程进程中启动dll } Result := CreateRemoteThread(hRemoteProcess, nil, 0, pfnStartAddr, pszLibFileRemote, 0, TempVar); end; { 释放内存空间 } Freemem(pszLibAFilename); end; { 测试 } procedure TForm1.Button3Click(Sender: TObject); begin InjectTo(edit1.Text, extractfilepath(paramstr(0))+'d.dll'); end; end.
随便看	亏到唐家沱亏点亏短亏法亏法利私亏光亏国课亏害亏教亏节亏名亏名损实亏起唐家沱亏全亏柔亏丧亏杀亏失亏输亏损地幔端元亏损额亏损股亏损元素亏损总额亏图