/// <summary>
/// Win32 P/Invoke surface plus three helpers: <see cref="Inject"/> loads a DLL into another
/// process via a remote thread, <see cref="GetAefHookPath"/> writes an embedded byte blob to
/// %LOCALAPPDATA%, and <see cref="EnableDebugPrivilege"/> turns on SeDebugPrivilege for the
/// current token. Apart from the bool returned by EnableDebugPrivilege, no native failure is
/// surfaced to a caller: <see cref="Inject"/> checks none of its return values.
/// </summary>
public class Injector
{
    // Process access rights (winnt.h). Only PROCESS_ALL_ACCESS is requested by Inject below;
    // the narrower rights are declared but never used by the visible code.
    const int PROCESS_ALL_ACCESS = 0x1F0FFF;
    const int PROCESS_CREATE_THREAD = 0x0002;
    const int PROCESS_QUERY_INFORMATION = 0x0400;
    const int PROCESS_VM_OPERATION = 0x0008;
    const int PROCESS_VM_WRITE = 0x0020;
    const int PROCESS_VM_READ = 0x0010;
    // VirtualAllocEx allocation type / page protection. MEM_RESERVE is declared but unused here.
    const uint MEM_COMMIT = 0x00001000;
    const uint MEM_RESERVE = 0x00002000;
    const uint PAGE_READWRITE = 4;

    // Handles and pointers are declared as int throughout this block of imports.
    // OpenProcess returns 0 (NULL) on failure; Inject does not check for it.
    [DllImport("kernel32.dll")]
    public static extern int OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    // Looks up a module already loaded in *this* process; Inject uses it for Kernel32.dll.
    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    public static extern int GetModuleHandle(string lpModuleName);
    [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    static extern int GetProcAddress(int hModule, string procName);
    // Returns 0 on failure; the result is passed straight to WriteProcessMemory in Inject.
    [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
    static extern int VirtualAllocEx(int hProcess, int lpAddress,
        int dwSize, uint flAllocationType, uint flProtect);
    // lpBuffer is a managed string handed to the marshaller (no CharSet given, so the default
    // ANSI conversion applies); lpNumberOfBytesWritten is an int that Inject passes as 0.
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool WriteProcessMemory(int hProcess, int lpBaseAddress, string lpBuffer, int nSize, int lpNumberOfBytesWritten);
    // Returns the new thread handle (0 on failure); Inject stores it in an unused local.
    [DllImport("kernel32.dll")]
    static extern int CreateRemoteThread(int hProcess,
        int lpThreadAttributes, uint dwStackSize, int lpStartAddress, int lpParameter, uint dwCreationFlags, int lpThreadId);

    /// <summary>Win32 LUID: a 64-bit locally unique identifier split as DWORD LowPart / LONG HighPart.</summary>
    [StructLayout(LayoutKind.Sequential)]
    public struct Luid
    {
        public UInt32 LowPart;
        public Int32 HighPart;
    }

    // SE_PRIVILEGE_* attribute flags for TOKEN_PRIVILEGES. Only SePrivilegeEnabled is used
    // (EnableDebugPrivilege); the others are declared for completeness.
    public const UInt32 SePrivilegeEnabledByDefault = 0x00000001;
    public const UInt32 SePrivilegeEnabled = 0x00000002;
    public const UInt32 SePrivilegeRemoved = 0x00000004;
    public const UInt32 SePrivilegeUsedForAccess = 0x80000000;

    /// <summary>
    /// TOKEN_PRIVILEGES flattened for exactly one entry: the count followed by a single
    /// LUID + attributes pair inline. EnableDebugPrivilege always sets PrivilegeCount to 1.
    /// </summary>
    [StructLayout(LayoutKind.Sequential)]
    public struct TokenPrivileges
    {
        public UInt32 PrivilegeCount;
        public Luid Luid;
        public UInt32 Attributes;
    }

    /// <summary>LUID_AND_ATTRIBUTES. Declared but not referenced by any code in this listing.</summary>
    [StructLayout(LayoutKind.Sequential)]
    public struct LuidAndAttributes
    {
        public Luid Luid;
        public UInt32 Attributes;
    }

    [DllImport("advapi32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool OpenProcessToken(IntPtr processHandle,
        UInt32 desiredAccess, out IntPtr tokenHandle);
    // Declared but unused: EnableDebugPrivilege takes the handle from
    // Process.GetCurrentProcess().Handle instead of this import.
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr GetCurrentProcess();
    // lpSystemName is passed as null (local machine) by EnableDebugPrivilege.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool LookupPrivilegeValue(string lpSystemName, string lpName,
        out Luid lpLuid);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hHandle);
    // The last three parameters are Win32's BufferLength / PreviousState / ReturnLength;
    // the names here reflect that EnableDebugPrivilege always passes 0, IntPtr.Zero, IntPtr.Zero.
    [DllImport("advapi32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool AdjustTokenPrivileges(IntPtr tokenHandle,
        [MarshalAs(UnmanagedType.Bool)] bool disableAllPrivileges,
        ref TokenPrivileges newState,
        UInt32 zero,
        IntPtr null1,
        IntPtr null2);

    /// <summary>
    /// Loads a hard-coded DLL path into process <paramref name="pid"/> by the textbook
    /// OpenProcess → VirtualAllocEx → WriteProcessMemory → CreateRemoteThread(LoadLibraryA)
    /// sequence. No return value is checked, so a failed open, allocation or write simply
    /// propagates a 0 into the next call. Neither the process handle nor the thread handle
    /// is closed before the method returns.
    /// From a monitoring standpoint this is the sequence Sysmon records as Event ID 10
    /// (ProcessAccess, here with the full 0x1F0FFF mask) followed by Event ID 8
    /// (CreateRemoteThread); a remote thread whose start address resolves to
    /// kernel32!LoadLibraryA is the classic indicator for this technique.
    /// </summary>
    /// <param name="pid">Target process id. Process.GetProcessById throws ArgumentException
    /// when no such process exists; that is the only way this method reports a bad pid.</param>
    public static void Inject(int pid)
    {
        // Placeholder path; the DLL to load is fixed at compile time, not passed in.
        var dllPath = "C:\aa.dll";
        // p is never used afterwards — its only effect is the existence check described above.
        var p = Process.GetProcessById(pid);
        var hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
        // +1 for the terminating NUL that LoadLibraryA expects; counts chars, not bytes.
        int dllPathSize = dllPath.Length + 1;
        int lpBaseAddress = VirtualAllocEx(hProcess, 0, dllPathSize, MEM_COMMIT, PAGE_READWRITE);
        // Bytes-written out parameter passed as 0; the bool result is discarded.
        WriteProcessMemory(hProcess, lpBaseAddress, dllPath, dllPathSize, 0);
        // Resolves LoadLibraryA in this process; the address is then used as the remote
        // thread's start routine, with the written path as its single argument.
        int module = GetModuleHandle("Kernel32.dll");
        int LoadLibraryAddress = GetProcAddress(module, "LoadLibraryA");
        // dwCreationFlags 0: the thread starts immediately. rt (the thread handle) is unused.
        var rt = CreateRemoteThread(hProcess, 0, 0, LoadLibraryAddress, lpBaseAddress, 0, 0);
    }

    /// <summary>
    /// Returns the path of AefHook.bin under the user's LocalApplicationData folder,
    /// creating it on first call from the embedded <c>AefHookCode</c> blob. If the file
    /// already exists it is returned as-is, whatever its current contents — there is no
    /// integrity check against the embedded bytes. The fixed file name and location make
    /// this artifact a stable on-disk indicator for the tool's presence.
    /// </summary>
    /// <returns>Full path to AefHook.bin.</returns>
    public static string GetAefHookPath()
    {
        var fn = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "AefHook.bin");
        if (!File.Exists(fn))
        {
            // AefHookCode and xSplitBySpace() are defined outside this listing; from this
            // parse, AefHookCode is presumably a space-separated string of decimal byte
            // values — confirm against its definition.
            var bytes = AefHookCode.xSplitBySpace().Select(s => byte.Parse(s)).ToArray();
            File.WriteAllBytes(fn, bytes);
        }
        return fn;
    }

    // TOKEN_ADJUST_PRIVILEGES and TOKEN_QUERY access masks. These are mutable static fields
    // rather than const, unlike every other mask in this class.
    private static uint _tokenAdjustPrivileges = 0x0020;
    private static uint _tokenQuery = 0x0008;
    public const string SeDebugName = "SeDebugPrivilege";

    /// <summary>
    /// Enables SeDebugPrivilege on the current process token.
    /// The token handle is closed only on the success path; the early returns after
    /// LookupPrivilegeValue and AdjustTokenPrivileges leave <c>hToken</c> open.
    /// AdjustTokenPrivileges returns true even when the token does not hold the privilege
    /// (GetLastError then reports ERROR_NOT_ALL_ASSIGNED), so a true result here does not
    /// prove the privilege is actually enabled. Whether the account was granted
    /// SeDebugPrivilege in the first place (by default administrators only) is what decides
    /// the outcome, not this call.
    /// </summary>
    /// <returns>false if OpenProcessToken, LookupPrivilegeValue or AdjustTokenPrivileges
    /// returns false; true otherwise (see the caveat above).</returns>
    public static bool EnableDebugPrivilege()
    {
        IntPtr hToken;
        Luid luidSeDebugNameValue;
        TokenPrivileges tkpPrivileges;
        if (!OpenProcessToken(Process.GetCurrentProcess().Handle, _tokenAdjustPrivileges | _tokenQuery, out hToken))
        {
            return false;
        }
        // null system name: look the privilege up on the local machine.
        if (!LookupPrivilegeValue(null, SeDebugName, out luidSeDebugNameValue))
        {
            return false;
        }
        // Single-entry TOKEN_PRIVILEGES requesting SE_PRIVILEGE_ENABLED for SeDebugPrivilege.
        tkpPrivileges.PrivilegeCount = 1;
        tkpPrivileges.Luid = luidSeDebugNameValue;
        tkpPrivileges.Attributes = SePrivilegeEnabled;
        // No previous-state buffer is requested (0 / IntPtr.Zero / IntPtr.Zero).
        if (!AdjustTokenPrivileges(hToken, false, ref tkpPrivileges, 0, IntPtr.Zero, IntPtr.Zero))
        {
            return false;
        }
        CloseHandle(hToken);
        return true;
    }
}