Giter VIP home page Giter VIP logo

Comments (5)

ttttupup avatar ttttupup commented on May 13, 2024

-u

from wxhelper.

hailiangchen avatar hailiangchen commented on May 13, 2024

-u

我粘贴错了我用的也是-u
.\ConsoleInject.exe -u WeChat.exe -d wxhelper.dll
是这个不生效的。

from wxhelper.

ttttupup avatar ttttupup commented on May 13, 2024

`
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include <tlhelp32.h>
DWORD GetPIDForProcess(wchar_t* process)
{
HANDLE hSnapshot;
DWORD targetPid = 0;
PROCESSENTRY32W pe32;
int working;
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (!hSnapshot) {
return 0;
}
pe32.dwSize = sizeof(PROCESSENTRY32);
for (working = Process32FirstW(hSnapshot, &pe32); working; working = Process32NextW(hSnapshot, &pe32))
{
if (!wcscmp(pe32.szExeFile, process))
{
targetPid = pe32.th32ProcessID;
break;
}
}
CloseHandle(hSnapshot);
return targetPid;
}

HINSTANCE__* cdecl GetDLLHandle(wchar_t* wDllName, DWORD dPid)
{
HINSTANCE* result;
tagMODULEENTRY32W me32;
void* snapMod;

if (!dPid) {
	return 0;
}

snapMod = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dPid);
me32.dwSize = sizeof(tagMODULEENTRY32W);
if (Module32FirstW(snapMod, &me32))
{
	while (wcscmp(wDllName, me32.szModule))
	{
		if (!Module32NextW(snapMod, &me32))
			goto error;
	}
	CloseHandle(snapMod);
	result = me32.hModule;
}
else
{
error:
	CloseHandle(snapMod);
	result = 0;
}
return result;

}

int cdecl InjectDll(wchar_t* szPName, wchar_t* szDllPath)
{
int result;
HANDLE hRemoteThread;
LPTHREAD_START_ROUTINE lpSysLibAddr;
HINSTANCE* hKernelModule;
LPVOID lpRemoteDllBase;
HANDLE hProcess;
unsigned int dwPid;
size_t ulDllLength;

dwPid = GetPIDForProcess(szPName);
ulDllLength = wcslen(szDllPath) + 1;
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwPid);
if (!hProcess) {
	return 0;
}

lpRemoteDllBase = VirtualAllocEx(hProcess, NULL, ulDllLength, MEM_COMMIT, PAGE_READWRITE);
if (lpRemoteDllBase)
{
	if (WriteProcessMemory(hProcess, lpRemoteDllBase, szDllPath, ulDllLength, NULL)
		&& (hKernelModule = GetModuleHandleW(L"kernel32.dll")) != 0
		&& (lpSysLibAddr = (LPTHREAD_START_ROUTINE)GetProcAddress(hKernelModule, "LoadLibraryW")) != 0
		&& (hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, lpSysLibAddr, lpRemoteDllBase, 0, NULL)) != 0)
	{
		WaitForSingleObject(hRemoteThread, INFINITE);
		VirtualFreeEx(hProcess, lpRemoteDllBase, ulDllLength, MEM_DECOMMIT | MEM_RELEASE);
		CloseHandle(hRemoteThread);
		CloseHandle(hProcess);
		OutputDebugStringA("[DBG] dll inject success");
		result = 1;
	}
	else
	{
		VirtualFreeEx(hProcess, lpRemoteDllBase, ulDllLength, MEM_DECOMMIT | MEM_RELEASE);
		CloseHandle(hProcess);
		result = 0;
	}
}
else
{
	CloseHandle(hProcess);
	result = 0;
}
return result;

}

int cdecl UnInjectDll(wchar_t* szPName, wchar_t* szDName)
{
HINSTANCE* hDll;
LPTHREAD_START_ROUTINE lpFreeLibAddr;
HINSTANCE__* hK32;
HANDLE hProcess;
unsigned int dwPID;

dwPID = GetPIDForProcess(szPName);
hProcess = OpenProcess(0x1FFFFFu, 0, dwPID);
if (!hProcess) {
	return 0;
}

hK32 = GetModuleHandleW(L"Kernel32.dll");
if (!hK32) {
	return 0;
}

lpFreeLibAddr = (LPTHREAD_START_ROUTINE)GetProcAddress(hK32, "FreeLibraryAndExitThread");
hDll = GetDLLHandle(szDName, dwPID);
if (hDll && CreateRemoteThread(hProcess, 0, 0, lpFreeLibAddr, hDll, 0, 0)) {
	return 1;
}

CloseHandle(hProcess);
return 0;

}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}

`

ida逆向出的来的,卸载函数你可以替换成常规卸载函数。

from wxhelper.

hailiangchen avatar hailiangchen commented on May 13, 2024

是用这个FreeLibrary 和 FreeLibraryAndExitThread 都是卸载不掉,会在WaitForSingleObject(hThread, INFINITE) 这一步卡着。我自己写了一个dll 弹出窗口的,使用FreeLibrary 可以卸载掉

from wxhelper.

ttttupup avatar ttttupup commented on May 13, 2024

已经修复

from wxhelper.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.