创建远程线程，在目标进程中加载特定 DLL，从而达到注入 DLL 的目的。无耻卑鄙下流没人格的 3721/Baidu 的流氓软件龌龊地使用了这个本来不龌龊的方法。
参见：LoBind（配合 PoBind 使用）
/*
 * Bind: load the DLL named by ptzPath into the process hProcess by
 * starting a remote thread whose entry point is LoadLibrary.
 *
 * Order of operations: allocate a buffer in the target (VirtualAllocEx),
 * copy the path into it (WriteProcessMemory), resolve LoadLibrary from
 * Kernel32.dll, start a remote thread with the path buffer as its
 * argument, wait for that thread, then release the buffer and close
 * both handles.
 *
 * Ownership: hProcess is closed at the end of this function, so the
 * caller must not use that handle after Bind returns.
 *
 * Returns 0 on success, otherwise the number of the step that failed:
 *   1  hProcess is NULL
 *   2  VirtualAllocEx failed
 *   3  WriteProcessMemory failed
 *   4  LoadLibrary could not be resolved
 *   5  CreateRemoteThread failed
 * The remote thread's exit code (LoadLibrary's result) is never read,
 * so a load failure inside the target still yields 0.
 *
 * Defender's note: this cross-process allocate / write / create-thread
 * sequence is the classic remote-thread DLL-injection pattern, and it
 * is exactly what endpoint telemetry and anti-tamper checks look for.
 *
 * Listing caveats: STR_LoadLibrary is defined outside this listing, and
 * the Kernel32.dll literal below uses curly quotes (“ ”) rather than
 * ASCII quotes, presumably an encoding artifact of the transcription.
 */
DWORD Bind(HANDLE hProcess, PCTSTR ptzPath)
{
DWORD dwResult = 0;      /* 0 = success, else the failing step number */
PVOID pvRemote = NULL;   /* buffer in the target process holding the path */
HANDLE hThread = NULL;   /* remote thread running LoadLibrary */
do /* single-pass loop: every break jumps to the cleanup below */
{
if (hProcess == NULL)
{
dwResult = 1;
break;
}
/* size in bytes of the path including its terminator; ptzPath itself is not validated here */
DWORD dwSize =(lstrlen(ptzPath) + 1) * sizeof(TCHAR);
/* committed, readable/writable page(s) in the target for the path string */
pvRemote = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
if (pvRemote == NULL)
{
dwResult = 2;
break;
}
if (!WriteProcessMemory(hProcess, pvRemote, ptzPath, dwSize, NULL))
{
dwResult = 3;
break;
}
/* NOTE(review): the address is resolved in the calling process; the
 * listing relies on it also being valid in the target and does not
 * check that. */
PTHREAD_START_ROUTINE pfnLoadLibraryW =
(PTHREAD_START_ROUTINE) GetProcAddress(GetModuleHandle(TEXT(“Kernel32.dll”)), STR_LoadLibrary);
if (pfnLoadLibraryW == NULL)
{
dwResult = 4;
break;
}
/* thread entry point = LoadLibrary, thread argument = the remote path buffer */
hThread = CreateRemoteThread(hProcess, NULL, 0, pfnLoadLibraryW, pvRemote, 0, NULL);
if (hThread == NULL)
{
dwResult = 5;
break;
}
/* Return value is not checked. The VirtualFreeEx below assumes this wait
 * completed, i.e. that the remote thread is finished with pvRemote. */
WaitForSingleObject(hThread, INFINITE);
}
while (FALSE);
/* cleanup: runs on every path, including the early-break failures */
if (hThread)
{
CloseHandle(hThread);
}
if (pvRemote)
{
VirtualFreeEx(hProcess, pvRemote, 0, MEM_RELEASE);
}
if (hProcess)
{
CloseHandle(hProcess); /* the caller's handle is consumed here */
}
return dwResult;
}