首页 > 编程 > .NET > 正文

怎样实现.net程序的进程注入_.Net教程

2024-07-10 12:51:08
字体:
来源:转载
供稿:网友

推荐:如何在.NET环境下为网站增加IP过滤功能
华能集团下某发电厂的企业网站(基于Asp.Net2.0实现,不允许修改源程序)要求实现厂内用户可直接访问整个站点的所有页面,厂外用户只能访问指定的页面的功能,本文将按照需求分析、方案设计、编码实现、部署应用的顺序逐步阐述整个解决方案的形成过程。 1.

进程注入比较常见,比如用IDE调试程序以及一些Spy程序,如果仅仅为了与调试器通讯,可以使用.net提供的Debugger接口(在EnvDTE.dll的EnvDTE命名空间下).但无论出于什么目的,进程注入都是比较好玩的事情,所以不妨一试 . 进程注入的方法貌似很多(比如像特洛伊一样乔装打扮让目标进程误认为你的程序集合法而加载到目标进程),这里提到的仅是其中的一种或某些方法的结合.

  大致原理是这样的:

  源进程(也就是你的代码所在的进程)获得目标进程(也就是你的注入目标所在的进程)的ID或进程对象

  源进程提供一回调函数methodA(也就是你想要注入到目标进程后所执行的代码)

  将目标进程和回调函数methodA的完整路径(其所在的Assembly,Classic以及MethodName)提交给Injector(也就是我们编写的负责注入的类),让Injector来完成注入和让目标进程执行回调函数

  Injector根据提供的目标进程ID取得目标进程对象,并获得目标进程的一个线程(我们称为目标线程)

  在目标线程中分配一块内存,将回调函数methodA的完整路径作为字符串存入该内存中

  Injector在目标进程中安装一个钩子(Hook)监视某一个Windows消息(messageA),撰写钩子的回调函数methodB(该方法中的内容稍后解释)

  像目标进程发消息messageA,并将刚才分配的内存的基地址作为消息参数传递.

  由于我们针对messageA安装了钩子,所以目标进程会调用我们钩子函数methodB,并会把分配的内存的基地址包含在函数参数中

  methodB中, 根据函数参数中的内存基地址在内存中解析出其实际对象,也就是一个表示我们的methodA的完整路径的字符串.根据该字符串中所表示的Assembly,className, methodName利用.net反射,反射出其MethodInfo对象(注意,关键点,methodB被回调时已经是在目标进程的某个线程中了) Invoke反射出的MethodInfo对象, 我们的methodA得到了执行.

  下面这个图可能会帮助你理解上面的话: 

如何实现.net程序的进程注入

    图片看不清楚?请点击这里查看原图(大图)。

  如果还没明白的话,那就看代码吧(这需要一点点C++/CLI知识,但我已经为每句加上了注释,应该蛮好懂的,C++/CLI可以点击这里了解更多.关于ManagedInjector可以点击这里了解更多)

#include "stdafx.h"
#include "Injector.h"
#include <vcclr.h>
using namespace ManagedInjector;
//defines a new window message that is guaranteed to be unique throughout the system.
//The message value can be used when sending or posting messages.
static unsigned int WM_GOBABYGO = ::RegisterWindowMessage(L"Injector_GOBABYGO!");
static HHOOK _messageHookHandle;
//-----------------------------------------------------------------------------
//Spying Process functions follow
//-----------------------------------------------------------------------------
void Injector::Launch(System::IntPtr windowHandle, System::Reflection::Assembly^ assembly, System::String^ className, System::String^ methodName) {
    System::String^ assemblyClassAndMethod = assembly->Location + "$" + className + "$" + methodName;
    //convert String to local wchar_t* or char*
    pin_ptr<const wchar_t> acmLocal = PtrToStringChars(assemblyClassAndMethod);
    //Maps the specified executable module into the address space of the calling process.
    HINSTANCE hinstDLL = ::LoadLibrary((LPCTSTR) _T("ManagedInjector.dll"));
    if (hinstDLL)
    {
        DWORD processID = 0;
        //get the process id and thread id
        DWORD threadID = ::GetWindowThreadProcessId((HWND)windowHandle.ToPointer(), &processID);
        if (processID)
        {
            //get the target process object (handle)
            HANDLE hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, processID);
            if (hProcess)
            {
                int buffLen = (assemblyClassAndMethod->Length + 1) * sizeof(wchar_t);
                //Allocates physical storage in memory or in the paging file on disk for the specified reserved memory pages.
                //The function initializes the memory to zero.
                //The return value is the base address of the allocated region of pages.
                void* acmRemote = ::VirtualAllocEx(hProcess, NULL, buffLen, MEM_COMMIT, PAGE_READWRITE);
                if (acmRemote)
                {
                    //copies the data(the assemblyClassAndMethod string)
                    //from the specified buffer in the current process
                    //to the address range of the target process
                    ::WriteProcessMemory(hProcess, acmRemote, acmLocal, buffLen, NULL);
               
                    //Retrieves the address of MessageHookProc method from the hintsDLL
                    HOOKPROC procAddress = (HOOKPROC)GetProcAddress(hinstDLL, "MessageHookProc");
                    //install a hook procedure to the target thread(before the system sends the messages to the destination window procedure)
                    _messageHookHandle = ::SetWindowsHookEx(WH_CALLWNDPROC, procAddress, hinstDLL, threadID);
                    if (_messageHookHandle)
                    {
                        //send our custom message to the target window of the target process
                        ::SendMessage((HWND)windowHandle.ToPointer(), WM_GOBABYGO, (WPARAM)acmRemote, 0);
                        //removes the hook procedure installed in a hook chain by the SetWindowsHookEx function.
                        ::UnhookWindowsHookEx(_messageHookHandle);
                    }
                    //removes a hook procedure installed in a hook chain by the SetWindowsHookEx function.
                    ::VirtualFreeEx(hProcess, acmRemote, buffLen, MEM_RELEASE);
                }
                ::CloseHandle(hProcess);
            }
        }
        //Decrements the reference count of the loaded DLL
        ::FreeLibrary(hinstDLL);
    }
}
__declspec( dllexport )
// The procedure for hooking, this will be called back after hooked
int __stdcall MessageHookProc(int nCode, WPARAM wparam, LPARAM lparam) {
    //HC_ACTION: indicate that there are argments in wparam and lparam
    if (nCode == HC_ACTION)
    {
        CWPSTRUCT* msg = (CWPSTRUCT*)lparam;
        //when the target window received our custom message
        if (msg != NULL && msg->message == WM_GOBABYGO)
        {
            //get the argument passed by the message
            //actually, the argument is the base address (a pointer)
            //of the assemblyClassAndMethod string in the target process memory
            wchar_t* acmRemote = (wchar_t*)msg->wParam;
            //gcnew: creates an instance of a managed type (reference or value type) on the garbage collected heap
            System::String^ acmLocal = gcnew System::String(acmRemote);
            //split the string into substring array with $. Under this context:
            //acmSplit[0]:the assembly's location
            //acmSplit[1]:className;
            //acmSplit[2]:methodName
            //we use these infomation to reflect the method in the source assembly, and invoke it in the target process
            cli::array<System::String^>^ acmSplit = acmLocal->Split('$');
            //refect the method, and invoke it
            System::Reflection::Assembly^ assembly = System::Reflection::Assembly::LoadFile(acmSplit[0]);
            if (assembly != nullptr)
            {
                System::Type^ type = assembly->GetType(acmSplit[1]);
                if (type != nullptr)
                {
                    System::Reflection::MethodInfo^ methodInfo =
                        type->GetMethod(acmSplit[2], System::Reflection::BindingFlags::Static | System::Reflection::BindingFlags::Public);
                    if (methodInfo != nullptr)
                    {
                        methodInfo->Invoke(nullptr, nullptr);
                    }
                }
            }
        }
    }
    return CallNextHookEx(_messageHookHandle, nCode, wparam, lparam);
}接下来,做个DEMO尝试一下: 

如何实现.net程序的进程注入  

  解决方案中的InjectorDemo就是我们上述的源进程,它会利用Injector将下面这段代码注入到Target进程中并执行:

public static void DoSomethingEvie()
{
    vartargetWindow = Application.Current.MainWindow;

    if(targetWindow != null)
    {
        varlb = newLabel{Content = "haha, i caught you :)"};
        targetWindow.Content = lb;
    }
}

  也就是说InjectorDemo进程会将InjectTargetApp进程的主窗口的内容修改成"haha, i caught you"这样的一个Label.

  运行程序: 

   如何实现.net程序的进程注入

    图片看不清楚?请点击这里查看原图(大图)。 

  上面的两个窗口分别处于不同的进程中, 点击 "Inject it" 按钮, 其辉调用如下代码:

ManagedInjector.Injector.Launch(targetProcess.MainWindowHandle, typeof(InjectorWindow).Assembly, typeof(InjectorWindow).FullName, "DoSomethingEvie");

  然后:

如何实现.net程序的进程注入

 

    图片看不清楚?请点击这里查看原图(大图)。 

分享:浅谈使用ASP.NET Global.asax 文件
Global.asax文件,有时候叫做ASP.NET应用程序文件,提供了一种在一个中心位置响应应用程序级或模块级事件的方法。你可以使用这个文件实现应用程序安全性以及其它一些任务。下面让我们详细看一下如何在应用程序开发工作中使用这个文件。 概述 Global.asax位于

发表评论 共有条评论
用户名: 密码:
验证码: 匿名发表