Coperator整理棉猴论坛VIP之DLL程序编写系列教程笔记.docx
《Coperator整理棉猴论坛VIP之DLL程序编写系列教程笔记.docx》由会员分享,可在线阅读,更多相关《Coperator整理棉猴论坛VIP之DLL程序编写系列教程笔记.docx(16页珍藏版)》请在冰点文库上搜索。
Coperator整理棉猴论坛VIP之DLL程序编写系列教程笔记
第1课DLL基础
一、静态链接库(StaticLinkLibrary)
程序员们把常用的代码集合放进独立的文件里,这样的文件就叫做库。
在写程序的时候,把这个库文件加入编译器,就能够使用这个库包含的所有功能而不必自己再去写一大堆代码。
但是这种方法会把库里所有的东西都包含进去,造成程序体积的增大。
制作静态链接库StaticLibTest
StdAfx.h
//stdafx.h:
includefileforstandardsystemincludefiles,
//orprojectspecificincludefilesthatareusedfrequently,but
//arechangedinfrequently
//
#if!
defined(AFX_STDAFX_H__796D49AA_9488_4F2F_AEB1_C8F28E516D92__INCLUDED_)
#defineAFX_STDAFX_H__796D49AA_9488_4F2F_AEB1_C8F28E516D92__INCLUDED_
#if_MSC_VER>1000
#pragmaonce
#endif//_MSC_VER>1000
#defineWIN32_LEAN_AND_MEAN//Excluderarely-usedstufffromWindowsheaders
extern"C"voidShowInfo();
//TODO:
referenceadditionalheadersyourprogramrequireshere
//{{AFX_INSERT_LOCATION}}
//MicrosoftVisualC++willinsertadditionaldeclarationsimmediatelybeforethepreviousline.
#endif//!
defined(AFX_STDAFX_H__796D49AA_9488_4F2F_AEB1_C8F28E516D92__INCLUDED_)
StdAfx.cpp
//stdafx.cpp:
sourcefilethatincludesjustthestandardincludes
//01_001.pchwillbethepre-compiledheader
//stdafx.objwillcontainthepre-compiledtypeinformation
#include"stdafx.h"
#include//Message()
voidShowInfo()
{
MessageBox(NULL,"ShowInfo()test","MQ",MB_OK);
}
调用静态链接库
ExecuteStaticLib.cpp
//ExecuteStaticLib.cpp:
Definestheentrypointfortheapplication.
//
#include"stdafx.h"
#pragmacomment(lib,"StaticLibTest.lib")
extern"C"voidShowInfo();
intAPIENTRYWinMain(HINSTANCEhInstance,
HINSTANCEhPrevInstance,
LPSTRlpCmdLine,
intnCmdShow)
{
//TODO:
Placecodehere.
ShowInfo();
return0;
}
二、动态链接库DynamicLinkLibrary(DLL)
DLL的格式和EXE文件是一样的,但是不能直接执行。
它把代码封装到自己的内部,只是提供函数接口让外面的EXE程序调用。
在编译的时候不会将所包含的动态链接库编译到程序中。
制作静态链接库DynamicLibTest
DynamicLibTest.cpp
//DynamicLibTest.cpp:
DefinestheentrypointfortheDLLapplication.
//
#include"stdafx.h"
BOOLAPIENTRYDllMain(HANDLEhModule,
DWORDul_reason_for_call,
LPVOIDlpReserved
)
{
returnTRUE;
}
__declspec(dllexport)voidShowInfo()
{
MessageBox(NULL,"DynammicLib","MQ",MB_OK);
}
调用动态链接库
ExecuteDynamicLib.cpp
//ExecuteDynamicLib.cpp:
Definestheentrypointfortheconsoleapplication.
//
#include"stdafx.h"
#pragmacomment(lib,"DynamicLibTest.lib")
voidShowInfo();
intmain(intargc,char*argv[])
{
ShowInfo();
return0;
}
编译的时候用.lib文件,执行的时候用.dll文件
第2课DLL基础再讨论
一、动态链接库的模块定义文件(.def)
模块定义文件是一个有着.def文件扩展名的文本文件。
它被用于导出DLL的函数。
一个.def文件只有两个必需的部分,也就是“LIBRARY”和“EXPORTS”。
DynamicLibDefTest.cpp
//DynamicLibDefTest.cpp:
DefinestheentrypointfortheDLLapplication.
//
#include"stdafx.h"
BOOLAPIENTRYDllMain(HANDLEhModule,
DWORDul_reason_for_call,
LPVOIDlpReserved
)
{
returnTRUE;
}
__declspec(dllexport)voidshowInfo()
{
MessageBox(NULL,"DynamicLib","MQ",MB_OK);
}
voidUseDEFShowInfo()
{
MessageBox(NULL,"defshow","MQ",MB_OK);
}
EXPORTS.def
LIBRARYDynamicLibDefTest
EXPORTSUseDEFShowInfo@1
ExecuteDynamicDEFLib.cpp
//ExecuteDynamicDEFLib.cpp:
Definestheentrypointfortheconsoleapplication.
//
#include"stdafx.h"
#pragmacomment(lib,"DynamicLibDefTest.lib")
voidshowInfo();
voidUseDEFShowInfo();
intmain(intargc,char*argv[])
{
showInfo();
UseDEFShowInfo();
return0;
}
二、动态链接库的入口函数(DLLMain()函数)
每一个DLL必须有一个入口函数,DLLMain()函数是一个缺省的入口函数。
DLLMain()函数负责初始化和结束工作。
每当一个新的进程或该进程的新线程访问DLL时,或者访问DLL的每个进程或者线程不再使用DLL或者线程结束时,都会调用DLLMain()函数。
定义只在进入时调用DLLMain()函数
//DynamicLibDefTest.cpp:
DefinestheentrypointfortheDLLapplication.
//
#include"stdafx.h"
BOOLAPIENTRYDllMain(HANDLEhModule,
DWORDul_reason_for_call,
LPVOIDlpReserved
)
{
switch(ul_reason_for_call)
{
caseDLL_PROCESS_ATTACH:
{
MessageBox(NULL,"DLLfirst","MQ",MB_OK);
}
default:
returnTRUE;
}
returnTRUE;
}
__declspec(dllexport)voidshowInfo()
{
MessageBox(NULL,"DynamicLib","MQ",MB_OK);
}
voidUseDEFShowInfo()
{
MessageBox(NULL,"defshow","MQ",MB_OK);
}
第3次课进程权限的提升
一、OpenProcessToken函数
打开进程令牌环
二、LookupPrivilegeValue函数
获得进程本地唯一ID
三、AdjustTokenPrivileges函数
提升进程的权限
GetCurrentProcess()//获得当前进程句柄
ConRunDll.cpp
//ConRunDll.cpp:
Definestheentrypointfortheconsoleapplication.
//
#include"stdafx.h"
#include
#include//提升权限用
//提升权限函数
intEnableDebugPriv(constchar*name)
{
HANDLEhToken;
if(!
OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
{
printf("openfail!
\n");
return-1;
}
LUIDluid;
if(!
LookupPrivilegeValue(NULL,name,&luid))
{
printf("lookupfail!
\n");
return-1;
}
TOKEN_PRIVILEGEStp;
tp.PrivilegeCount=1;
tp.Privileges[0].Luid=luid;
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
if(!
AdjustTokenPrivileges(hToken,FALSE,&tp,NULL,NULL,NULL))
{
printf("privilegesfail!
\n");
}
printf("success!
\n");
return0;
}
intmain(intargc,char*argv[])
{
EnableDebugPriv(SE_DEBUG_NAME);
return0;
}
第4次课远程线程的创建
一、打开远程进程
OpenProcess函数
二、在远程进程的内存中分配空间
VirtualAllocEx函数
三、远程进程的内存的写入
WriteProcessMemory函数
四、找到LoadLibrary函数在Kernel32中的地址
GetProcAddress函数
五、在远程进程中线程(远程线程)
CreateRemoteThread函数
ConRunDll.cpp
//ConRunDll.cpp:
Definestheentrypointfortheconsoleapplication.
//
#include"stdafx.h"
#include
#include//提升权限用
//提升权限函数
intEnableDebugPriv(constchar*name)
{
HANDLEhToken;
if(!
OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
{
printf("openfail!
\n");
return-1;
}
LUIDluid;
if(!
LookupPrivilegeValue(NULL,name,&luid))
{
printf("lookupfail!
\n");
return-1;
}
TOKEN_PRIVILEGEStp;
tp.PrivilegeCount=1;
tp.Privileges[0].Luid=luid;
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
if(!
AdjustTokenPrivileges(hToken,FALSE,&tp,NULL,NULL,NULL))
{
printf("privilegesfail!
\n");
}
printf("success!
\n");
return0;
}
BOOLInjectDLL(constchar*DLLFullPath,constDWORDdwRemoteProcessId)
{HANDLEhRemoteProcess;
hRemoteProcess=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,dwRemoteProcessId);
if(hRemoteProcess==NULL)
{
printf("openprocessfail!
\n");
returnFALSE;
}
char*pszLibFileRemote;
pszLibFileRemote=(char*)VirtualAllocEx(hRemoteProcess,NULL,lstrlen(DLLFullPath)+1,MEM_COMMIT,PAGE_READWRITE);
if(pszLibFileRemote==NULL)
{
printf("allocfail!
\n");
returnFALSE;
}
if(!
WriteProcessMemory(hRemoteProcess,pszLibFileRemote,(LPVOID)DLLFullPath,lstrlen(DLLFullPath)+1,NULL))
{
printf("writememoryfail!
\n");
returnFALSE;
}
PTHREAD_START_ROUTINEpfnStartAddr=
(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")),"LoadLibraryA");
if(pfnStartAddr==NULL)
{
printf("getprocaddrfail!
\n");
returnFALSE;
}
if(CreateRemoteThread(hRemoteProcess,NULL,0,pfnStartAddr,pszLibFileRemote,0,NULL)==NULL)
{
printf("createremotethreadfail!
\n");
returnFALSE;
}
printf("good!
\n");
}
intmain(intargc,char*argv[])
{
EnableDebugPriv(SE_DEBUG_NAME);
InjectDLL("D:
\\DynamicLibDefTest.dll",4892);
while
(1);
getchar();
returnTRUE;
return0;
}
第5次课进程ID的获取
一、系统进程快照
CreateToolhelp32Snapshot函数
二、在快照中搜索指定进程
Process32First函数
Processe32Next函数
ConRunDll.cpp
//ConRunDll.cpp:
Definestheentrypointfortheconsoleapplication.
//
#include"stdafx.h"
#include
#include//提升权限用
#include
//提升权限函数
intEnableDebugPriv(constchar*name)
{
HANDLEhToken;
if(!
OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
{
printf("openfail!
\n");
return-1;
}
LUIDluid;
if(!
LookupPrivilegeValue(NULL,name,&luid))
{
printf("lookupfail!
\n");
return-1;
}
TOKEN_PRIVILEGEStp;
tp.PrivilegeCount=1;
tp.Privileges[0].Luid=luid;
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
if(!
AdjustTokenPrivileges(hToken,FALSE,&tp,NULL,NULL,NULL))
{
printf("privilegesfail!
\n");
}
printf("success!
\n");
return0;
}
BOOLInjectDLL(constchar*DLLFullPath,constDWORDdwRemoteProcessId)
{HANDLEhRemoteProcess;
hRemoteProcess=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,dwRemoteProcessId);
if(hRemoteProcess==NULL)
{
printf("openprocessfail!
\n");
returnFALSE;
}
char*pszLibFileRemote;
pszLibFileRemote=(char*)VirtualAllocEx(hRemoteProcess,NULL,lstrlen(DLLFullPath)+1,MEM_COMMIT,PAGE_READWRITE);
if(pszLibFileRemote==NULL)
{
printf("allocfail!
\n");
returnFALSE;
}
if(!
WriteProcessMemory(hRemoteProcess,pszLibFileRemote,(LPVOID)DLLFullPath,lstrlen(DLLFullPath)+1,NULL))
{
printf("writememoryfail!
\n");
returnFALSE;
}
PTHREAD_START_ROUTINEpfnStartAddr=
(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")),"LoadLibraryA");
if(pfnStartAddr==NULL)
{
printf("getprocaddrfail!
\n");
returnFALSE;
}
if(CreateRemoteThread(hRemoteProcess,NULL,0,pfnStartAddr,pszLibFileRemote,0,NULL)==NULL)
{
printf("createremotethreadfail!
\n");
returnFALSE;
}
printf("good!
\n");
returnTRUE;
}
unsignedlonggetprocid(char*pn)
{
HANDLEhnd;
hnd=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if(hnd==NULL)
{
printf("snapshortfail!
\n");
return0;
}
PROCESSENTRY32pe;
pe.dwSize=sizeof(PROCESSENTRY32);
BOOLb;
b=Process32First(hnd,&pe);
while(b)
{
if(strcmp(pe.szExeFile,pn)==0)
{
returnpe.th32ProcessID;
}
b=Process32Next(hnd,&pe);
}
return0;
}
intmain(intargc,char*argv[])
{
EnableDebugPriv(SE_DEBUG_NAME);
//InjectDLL("D:
\\DynamicLibDefTest.dll",4892);
InjectDLL("D:
\\DynamicLibDefTest.dll",getpro
升级会员 