RockNix
12:19:00 07.02.2002 Titel: |
@Uli und JokerXLL
1) eigene DLL schreiben, die das gewünschte subclassing über DLL_PROCESS_ATTACH ausführt
2) kleines EXE Programm schreiben das sich mit der Funktion CreateRemoteThread() in den anderen Prozess hängt und dort einen Thread ausführt
3) als ThreadProc für (2) nimmst Du LoadLibrary() aus Kernel32 und als Parameter den Namen Deiner DLL aus (1)
Ach ja, den Namen Deiner DLL kannst Du nicht einfach als String-Pointer übergeben, da dieser ja nicht lesbar ist vom anderen Prozess, daher musst Du eine Kopie mit Read/WriteProcessMemory() im Speicher des Fremdprozesses anlegen.
Das wars ... hier noch ein wenig Code, wie man sich z.B. in Notepad "reinhängt" ...
UND LEUTE ... wie es funktioniert steht zwar auch in einem Artikel/Buch von Microsoft, ist aber KEINE !!! Hackeranleitung, wir verstehen uns [img]images/smiles/icon_wink.gif[/img]
// inject dll via remote thread
// (c) RockNix 2001
// rocknix@klangwerker.de
#include <windows.h>
#include <stdio.h>
#include <conio.h>
#include <tlhelp32.h>
// Demonstration of the textbook remote-thread DLL loading sequence against a
// running Notepad: OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
// CreateRemoteThread(LoadLibraryA, <path in target memory>).
// Every step is a cross-process operation on a foreign PID; this exact API
// chain (and the access mask requested from OpenProcess) is what process
// monitoring and EDR telemetry key on, which makes the sample useful for
// building and validating detections.
// Returns 0 in all cases; no API failure changes the exit code.
int main()
{
    PROCESSENTRY32 pInfo;
    bool bProcAvailable = false;
    int iResult=-1;                              // strcmp result; becomes 0 once szExeFile matches
    HANDLE hProcess=NULL;                        // target process handle (result of OpenProcess is never checked below)
    LPVOID lpVMem=NULL;                          // buffer inside the target that receives the DLL path
    PTHREAD_START_ROUTINE pThreadRtn = NULL;     // address of LoadLibraryA, used as the remote thread's entry point
    HMODULE hKernelMod = NULL;                   // handle of Kernel32 in THIS process; address reuse relies on the
                                                 // DLL being mapped at the same base in the target
    char* lpModuleName = "c:\\inject.dll"; // size=14 (13 characters + terminating NUL; the literal 14 below depends on this path)
    DWORD dwNumBytes=0;                          // bytes actually written by WriteProcessMemory (never checked)
    pInfo.dwSize = sizeof(PROCESSENTRY32);       // Toolhelp requires dwSize to be set before Process32First
    HWND hwnd = FindWindow("Notepad",NULL);      // result is never used
    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
    bProcAvailable = Process32First(hSnapShot, &pInfo);
    printf("scanning available processes for notepad...\n\n");
    // Walk the snapshot until szExeFile equals "notepad.exe" (case-sensitive).
    // The entry filled by Process32First is overwritten by Process32Next
    // before it is ever compared, so the first process is skipped.
    while(bProcAvailable && iResult!=0)
    {
        bProcAvailable = Process32Next(hSnapShot, &pInfo);
        iResult = strcmp(pInfo.szExeFile,"notepad.exe");
    }
    // Fallback when no notepad.exe was found: the program substitutes its
    // OWN PID and forces iResult to 0, so the remaining steps run against
    // this process and the "NOTEPAD not available" branch is unreachable.
    if(iResult)
    {
        pInfo.th32ProcessID = GetCurrentProcessId();
        iResult=0;
    }
    if(!iResult) // notepad found - lets start injection
    {
        printf("notepad found -> PID = %i\n",pInfo.th32ProcessID); // th32ProcessID is a DWORD; %i expects int
        getch();
        // The three rights requested are exactly those the calls below use:
        // PROCESS_CREATE_THREAD for CreateRemoteThread, PROCESS_VM_OPERATION
        // for VirtualAllocEx, PROCESS_VM_WRITE for WriteProcessMemory.
        // A NULL return (access denied) is not handled; every later call then
        // receives a NULL handle and fails silently.
        hProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,
                               false,
                               pInfo.th32ProcessID);
        // Each of the following "if (x = call())" only gates the status
        // message; on failure execution continues with the NULL value.
        if(lpVMem = VirtualAllocEx(hProcess,NULL,20,MEM_COMMIT,PAGE_READWRITE))
            printf("virtual memory allocation in remote process ... ok\n");
        if(hKernelMod = GetModuleHandle("Kernel32"))
            printf("kernel dll handle loaded ... ok\n");
        if(pThreadRtn = (PTHREAD_START_ROUTINE) GetProcAddress(hKernelMod,"LoadLibraryA"))
            printf("pointer to thread procedure ... ok\n");
        // Copies the DLL path (not a "thread procedure symbol", despite the
        // message) into the target so LoadLibraryA can read it there.
        if(WriteProcessMemory(hProcess,
                              lpVMem,
                              (LPVOID) lpModuleName,
                              14,
                              &dwNumBytes))
            printf("copy thread procedure symbol into remote process ... ok\n");
        // The returned thread handle is neither stored nor closed (handle leak),
        // and the thread's exit code (LoadLibraryA's result) is never inspected.
        if(CreateRemoteThread(hProcess,
                              NULL,
                              0,
                              pThreadRtn,
                              lpVMem,
                              0,
                              NULL))
            printf("remote thread startup ... ok\n\n");
    }
    else
        printf("NOTEPAD not available ...\n\n");
    printf("press key ...\n");
    getch();
    CloseHandle(hProcess);   // may be NULL if OpenProcess failed; CloseHandle then just returns FALSE
    CloseHandle(hSnapShot);
    return 0;
}
// inject dll via remote thread
// (c) RockNix 2001
// rocknix@klangwerker.de
#include <windows.h>
#include <stdio.h>
#include <conio.h>
#include <tlhelp32.h>
// Demonstration of the textbook remote-thread DLL loading sequence against a
// running Notepad: OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
// CreateRemoteThread(LoadLibraryA, <path in target memory>).
// Every step is a cross-process operation on a foreign PID; this exact API
// chain (and the access mask requested from OpenProcess) is what process
// monitoring and EDR telemetry key on, which makes the sample useful for
// building and validating detections.
// Returns 0 in all cases; no API failure changes the exit code.
int main()
{
    PROCESSENTRY32 pInfo;
    bool bProcAvailable = false;
    int iResult=-1;                              // strcmp result; becomes 0 once szExeFile matches
    HANDLE hProcess=NULL;                        // target process handle (result of OpenProcess is never checked below)
    LPVOID lpVMem=NULL;                          // buffer inside the target that receives the DLL path
    PTHREAD_START_ROUTINE pThreadRtn = NULL;     // address of LoadLibraryA, used as the remote thread's entry point
    HMODULE hKernelMod = NULL;                   // handle of Kernel32 in THIS process; address reuse relies on the
                                                 // DLL being mapped at the same base in the target
    char* lpModuleName = "c:\\inject.dll"; // size=14 (13 characters + terminating NUL; the literal 14 below depends on this path)
    DWORD dwNumBytes=0;                          // bytes actually written by WriteProcessMemory (never checked)
    pInfo.dwSize = sizeof(PROCESSENTRY32);       // Toolhelp requires dwSize to be set before Process32First
    HWND hwnd = FindWindow("Notepad",NULL);      // result is never used
    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
    bProcAvailable = Process32First(hSnapShot, &pInfo);
    printf("scanning available processes for notepad...\n\n");
    // Walk the snapshot until szExeFile equals "notepad.exe" (case-sensitive).
    // The entry filled by Process32First is overwritten by Process32Next
    // before it is ever compared, so the first process is skipped.
    while(bProcAvailable && iResult!=0)
    {
        bProcAvailable = Process32Next(hSnapShot, &pInfo);
        iResult = strcmp(pInfo.szExeFile,"notepad.exe");
    }
    // Fallback when no notepad.exe was found: the program substitutes its
    // OWN PID and forces iResult to 0, so the remaining steps run against
    // this process and the "NOTEPAD not available" branch is unreachable.
    if(iResult)
    {
        pInfo.th32ProcessID = GetCurrentProcessId();
        iResult=0;
    }
    if(!iResult) // notepad found - lets start injection
    {
        printf("notepad found -> PID = %i\n",pInfo.th32ProcessID); // th32ProcessID is a DWORD; %i expects int
        getch();
        // The three rights requested are exactly those the calls below use:
        // PROCESS_CREATE_THREAD for CreateRemoteThread, PROCESS_VM_OPERATION
        // for VirtualAllocEx, PROCESS_VM_WRITE for WriteProcessMemory.
        // A NULL return (access denied) is not handled; every later call then
        // receives a NULL handle and fails silently.
        hProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,
                               false,
                               pInfo.th32ProcessID);
        // Each of the following "if (x = call())" only gates the status
        // message; on failure execution continues with the NULL value.
        if(lpVMem = VirtualAllocEx(hProcess,NULL,20,MEM_COMMIT,PAGE_READWRITE))
            printf("virtual memory allocation in remote process ... ok\n");
        if(hKernelMod = GetModuleHandle("Kernel32"))
            printf("kernel dll handle loaded ... ok\n");
        if(pThreadRtn = (PTHREAD_START_ROUTINE) GetProcAddress(hKernelMod,"LoadLibraryA"))
            printf("pointer to thread procedure ... ok\n");
        // Copies the DLL path (not a "thread procedure symbol", despite the
        // message) into the target so LoadLibraryA can read it there.
        if(WriteProcessMemory(hProcess,
                              lpVMem,
                              (LPVOID) lpModuleName,
                              14,
                              &dwNumBytes))
            printf("copy thread procedure symbol into remote process ... ok\n");
        // The returned thread handle is neither stored nor closed (handle leak),
        // and the thread's exit code (LoadLibraryA's result) is never inspected.
        if(CreateRemoteThread(hProcess,
                              NULL,
                              0,
                              pThreadRtn,
                              lpVMem,
                              0,
                              NULL))
            printf("remote thread startup ... ok\n\n");
    }
    else
        printf("NOTEPAD not available ...\n\n");
    printf("press key ...\n");
    getch();
    CloseHandle(hProcess);   // may be NULL if OpenProcess failed; CloseHandle then just returns FALSE
    CloseHandle(hSnapShot);
    return 0;
}
// inject dll via remote thread
// (c) RockNix 2001
// rocknix@klangwerker.de
#include <windows.h>
#include <stdio.h>
#include <conio.h>
#include <tlhelp32.h>
// Demonstration of the textbook remote-thread DLL loading sequence against a
// running Notepad: OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
// CreateRemoteThread(LoadLibraryA, <path in target memory>).
// Every step is a cross-process operation on a foreign PID; this exact API
// chain (and the access mask requested from OpenProcess) is what process
// monitoring and EDR telemetry key on, which makes the sample useful for
// building and validating detections.
// Returns 0 in all cases; no API failure changes the exit code.
int main()
{
    PROCESSENTRY32 pInfo;
    bool bProcAvailable = false;
    int iResult=-1;                              // strcmp result; becomes 0 once szExeFile matches
    HANDLE hProcess=NULL;                        // target process handle (result of OpenProcess is never checked below)
    LPVOID lpVMem=NULL;                          // buffer inside the target that receives the DLL path
    PTHREAD_START_ROUTINE pThreadRtn = NULL;     // address of LoadLibraryA, used as the remote thread's entry point
    HMODULE hKernelMod = NULL;                   // handle of Kernel32 in THIS process; address reuse relies on the
                                                 // DLL being mapped at the same base in the target
    char* lpModuleName = "c:\\inject.dll"; // size=14 (13 characters + terminating NUL; the literal 14 below depends on this path)
    DWORD dwNumBytes=0;                          // bytes actually written by WriteProcessMemory (never checked)
    pInfo.dwSize = sizeof(PROCESSENTRY32);       // Toolhelp requires dwSize to be set before Process32First
    HWND hwnd = FindWindow("Notepad",NULL);      // result is never used
    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
    bProcAvailable = Process32First(hSnapShot, &pInfo);
    printf("scanning available processes for notepad...\n\n");
    // Walk the snapshot until szExeFile equals "notepad.exe" (case-sensitive).
    // The entry filled by Process32First is overwritten by Process32Next
    // before it is ever compared, so the first process is skipped.
    while(bProcAvailable && iResult!=0)
    {
        bProcAvailable = Process32Next(hSnapShot, &pInfo);
        iResult = strcmp(pInfo.szExeFile,"notepad.exe");
    }
    // Fallback when no notepad.exe was found: the program substitutes its
    // OWN PID and forces iResult to 0, so the remaining steps run against
    // this process and the "NOTEPAD not available" branch is unreachable.
    if(iResult)
    {
        pInfo.th32ProcessID = GetCurrentProcessId();
        iResult=0;
    }
    if(!iResult) // notepad found - lets start injection
    {
        printf("notepad found -> PID = %i\n",pInfo.th32ProcessID); // th32ProcessID is a DWORD; %i expects int
        getch();
        // The three rights requested are exactly those the calls below use:
        // PROCESS_CREATE_THREAD for CreateRemoteThread, PROCESS_VM_OPERATION
        // for VirtualAllocEx, PROCESS_VM_WRITE for WriteProcessMemory.
        // A NULL return (access denied) is not handled; every later call then
        // receives a NULL handle and fails silently.
        hProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,
                               false,
                               pInfo.th32ProcessID);
        // Each of the following "if (x = call())" only gates the status
        // message; on failure execution continues with the NULL value.
        if(lpVMem = VirtualAllocEx(hProcess,NULL,20,MEM_COMMIT,PAGE_READWRITE))
            printf("virtual memory allocation in remote process ... ok\n");
        if(hKernelMod = GetModuleHandle("Kernel32"))
            printf("kernel dll handle loaded ... ok\n");
        if(pThreadRtn = (PTHREAD_START_ROUTINE) GetProcAddress(hKernelMod,"LoadLibraryA"))
            printf("pointer to thread procedure ... ok\n");
        // Copies the DLL path (not a "thread procedure symbol", despite the
        // message) into the target so LoadLibraryA can read it there.
        if(WriteProcessMemory(hProcess,
                              lpVMem,
                              (LPVOID) lpModuleName,
                              14,
                              &dwNumBytes))
            printf("copy thread procedure symbol into remote process ... ok\n");
        // The returned thread handle is neither stored nor closed (handle leak),
        // and the thread's exit code (LoadLibraryA's result) is never inspected.
        if(CreateRemoteThread(hProcess,
                              NULL,
                              0,
                              pThreadRtn,
                              lpVMem,
                              0,
                              NULL))
            printf("remote thread startup ... ok\n\n");
    }
    else
        printf("NOTEPAD not available ...\n\n");
    printf("press key ...\n");
    getch();
    CloseHandle(hProcess);   // may be NULL if OpenProcess failed; CloseHandle then just returns FALSE
    CloseHandle(hSnapShot);
    return 0;
}
RockNix///
[ Dieser Beitrag wurde am 07.02.2002 um 11:33 Uhr von RockNix editiert. ] |