{"id":13839663,"url":"https://github.com/suvllian/process-inject","last_synced_at":"2025-07-11T06:30:59.573Z","repository":{"id":37743334,"uuid":"71335091","full_name":"suvllian/process-inject","owner":"suvllian","description":"Process injection methods on Windows: remote thread injection, create-process-suspended injection, reflective injection, APC injection, SetWindowsHookEx injection","archived":false,"fork":false,"pushed_at":"2018-09-22T10:54:08.000Z","size":120,"stargazers_count":634,"open_issues_count":4,"forks_count":134,"subscribers_count":22,"default_branch":"master","last_synced_at":"2024-08-05T17:24:01.782Z","etag":null,"topics":["c","c-plus-plus","cpp","dll","dll-injection","dll-shellcode","injection","injection-attacks","windows"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/suvllian.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-10-19T08:24:10.000Z","updated_at":"2024-08-05T03:22:44.000Z","dependencies_parsed_at":"2022-07-14T00:50:40.109Z","dependency_job_id":null,"html_url":"https://github.com/suvllian/process-inject","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/suvllian%2Fprocess-inject","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/suvllian%2Fprocess-inject/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/suvllian%2Fprocess-inject/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/suvllian%2Fprocess-inject/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/suvllian","download_url":"https://codeload.
github.com/suvllian/process-inject/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225699955,"owners_count":17510432,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["c","c-plus-plus","cpp","dll","dll-injection","dll-shellcode","injection","injection-attacks","windows"],"created_at":"2024-08-04T17:00:32.839Z","updated_at":"2024-11-21T08:31:22.453Z","avatar_url":"https://github.com/suvllian.png","language":"C","funding_links":[],"categories":["C","C (286)"],"sub_categories":[],"readme":"# Process Injection Methods on Windows\n\n## 1. About Process Injection  \nIn short, process injection means injecting code into the memory space of a running process. It is also a fundamental topic that developers of PC software must master.\n\nWindows gives each process a 4 GB address space, and code within that 4 GB space can be accessed and executed by the process.  \nPatching software is in fact process injection: to add a small feature to software that has already shipped, you do not need to redesign the software, you only need to inject the code for the new feature into the process.  \nMany attackers also use process injection to put malicious code into a target process.  \n  \nCommonly used process injection methods on Windows include CreateRemoteThread, APC injection, SuspendThread, SetWindowsHookEx and others.    \nI have also studied a rather unusual injection method: reflective injection. Reflective injection works mainly by operating on the PE file; it has a high success rate and is the most instructive to learn.  \n\n## 2. How the Injection Methods Work  \n\n### 1. Remote thread injection\n* Open the target process (`OpenProcess`).  \n* Allocate space for the DLL path in the target process's address space (`VirtualAllocEx`).    \n* Write the DLL path into the target process's address space (`WriteProcessMemory`).  \n* Create a remote thread (`CreateRemoteThread`). Get the address of LoadLibrary from kernel32 (`GetProcAddress`) and pass the DLL path written into the target process as the argument to LoadLibrary.  \n* Wait for the remote thread to finish (`WaitForSingleObject`), free the memory and close the handles.\n\n### 2. Create process suspended  \n* Create the process suspended (`CreateProcess`) by setting its sixth parameter to the suspended flag.\n* Allocate memory in the process's address space for the DLL path and the shellcode.\n* Get the main thread's context and build the shellcode based on the thread's eip.\n* Write the DLL path and the shellcode into the target process, then resume the suspended thread.\n\n### 3. APC injection  \n* Allocate memory in the target process's address space and write the DLL path into it.\n* Create a snapshot and enumerate the target process's threads.\n* Open a thread of the target process and use `QueueUserAPC` to add `LoadLibrary` as an APC to that thread's APC queue, passing the DLL path as the argument. Remember to release the handles and the memory.\n\n### 4. Reflective injection\nThe overall idea is to implement a `LoadLibrary`-style loader inside the DLL itself, so that the DLL loads itself into the target process.  \n\n* Open the DLL file and get its size.\n* Allocate memory in our own program and write the DLL's data into it. Elevate our own privileges.\n* Open the target process and load the library.   \n  \nThe `LoadLibrary` replacement works by manipulating the PE file:    \n1. Allocate space in the target process's address space and write the DLL into it.    \n2. Get the address in the file of the self-loading function implemented in the DLL, create a remote thread and pass that function's address to it. The self-loading function inside the DLL is itself implemented quite cleverly.\n\n### 5. SetWindowsHookEx  \n* First get the address of the exported function from the DLL; the exported function pops up a message box.\n* Get a thread ID of the target process.\n* Inject using the `SetWindowsHookEx` function.\n\n### 6. Suspended thread injection\n  \n### 7. Registry injection  \n\n## 3. Development Environment\n\nWindows operating system, VS2015.  \nTested on both 32-bit and 64-bit Windows; when testing, modify the target process and the DLL path in the source code.\n\n## 4. Project Layout\n\n```\n.\n|-- APCInject(Ring0)                 // Ring0 (driver-level) APC injection\n|-- APCInject                        // Ring3 APC injection\n|-- CreateSuspend                    // suspended thread injection\n|-- InjectByRegister                 // registry injection (untested)\n|-- ReflectDll                       // DLL used for reflective injection\n|-- ReflectiveInject                 // reflective injection\n|-- RemoteThread                     // remote thread injection\n|-- Src                              // source of the driver-level APC injection\n|-- Dll.dll                          // 32-bit test DLL\n|-- Dll64.dll                        // 64-bit test DLL\n|-- Process-Inject.sln               // solution file\n|-- README.md                        // project description\n.\n```\n\n## 5. Other\nPull requests and issues are welcome.\n\n## License\nWhen creating derivative works of this project, please give attribution and share alike.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsuvllian%2Fprocess-inject","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsuvllian%2Fprocess-inject","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsuvllian%2Fprocess-inject/lists"}