注入(一):APC注入
APC注入:Asynchronous Procedure Call,異步過程調用。每個線程都有一個APC隊列;在用戶模式下,當線程調用SleepEx、WaitForSingleObjectEx等進入"Alertable Wait State"(可警醒等待狀態)時,
系統會遍歷該線程的APC隊列,先進先出地處理其中的函數(通過QueueUserAPC加入)。
優點:比較隱蔽;缺點:實現的條件苛刻(目標線程必須進入可警醒等待狀態,排隊的APC才會被執行)。
//負責注入的exe
#include <Windows.h>
// Starts sProcName in a suspended state and queues a user-mode APC on its
// primary thread so that LoadLibraryA(sDllName) runs inside the new process.
// From a defender's view every step below is a classic process-injection
// telemetry point: CREATE_SUSPENDED process creation, VirtualAllocEx and
// WriteProcessMemory into a foreign process, and QueueUserAPC targeting a
// thread of another process. Endpoint detection tooling commonly alerts on
// this exact sequence.
//
// Parameters: sProcName - path of the executable to launch;
//             sDllName  - path of the DLL the target process should load.
// Returns 0 on success, otherwise a negative code stored in a DWORD
// (-2/-3 for the file-mapping steps, -4..-6 for the remote-process steps;
// note that -4 is used both for CreateProcess and for VirtualAllocEx
// failure, so callers cannot tell the two apart).
DWORD APCInject(PCHAR sProcName,PCHAR sDllName)
{
    DWORD dRet=0;
    OutputDebugStringA("[+] APCInject enter !");
    // Create a pagefile-backed buffer sized for the DLL path.
    // NOTE(review): this mapping is written to below but is never passed to
    // the target process, so it plays no part in the injection itself.
    HANDLE hFile=CreateFileMapping(INVALID_HANDLE_VALUE,NULL,PAGE_READWRITE,0,strlen(sDllName)+1,NULL);
    if(!hFile){
        OutputDebugStringA("[-] APCInject CreateFileMapping error!");
        return -2;
    }
    PCHAR hView=(PCHAR)MapViewOfFile(hFile,FILE_MAP_ALL_ACCESS,0,0,0);
    if(!hView){
        OutputDebugStringA("[-] APCInject MapViewOfFile error!");
        CloseHandle(hFile);
        return -3;
    }else{
        // Copy the DLL path into the (unused) local buffer.
        strcpy_s(hView,strlen(sDllName)+1,sDllName);
    }
    // Launch the target process.
    PROCESS_INFORMATION pi;
    STARTUPINFOA st;
    ZeroMemory(&pi,sizeof(pi));
    ZeroMemory(&st,sizeof(st));
    st.cb=sizeof(STARTUPINFO);
    // Created suspended so the APC can be queued before the primary thread
    // ever runs user code.
    if(CreateProcessA(sProcName,NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&st,&pi)){
        // RemoteString and ViewSize are never used.
        LPVOID RemoteString=NULL;
        ULONG ViewSize=0;
        void * lpDllName = NULL;
        // Reserve room for the DLL path inside the target's address space.
        lpDllName = VirtualAllocEx(pi.hProcess, NULL, (strlen(sDllName) + 1), MEM_COMMIT, PAGE_READWRITE);
        if(lpDllName){
            // Write the DLL path into the target. Only strlen(sDllName) bytes
            // are copied, so the terminating NUL is not written; presumably
            // the freshly committed page is zero-filled — TODO confirm.
            if(WriteProcessMemory(pi.hProcess, lpDllName, sDllName,strlen(sDllName), NULL)){
                LPVOID nLoadLibrary=(LPVOID)GetProcAddress(GetModuleHandleA("kernel32.dll"),"LoadLibraryA");
                // Queue LoadLibraryA(lpDllName) as an APC on the target's
                // primary thread; it runs once that thread becomes alertable.
                // A cross-process QueueUserAPC call is itself a strong
                // detection signal.
                if(!QueueUserAPC((PAPCFUNC)nLoadLibrary,pi.hThread,(ULONG_PTR)lpDllName)){
                    OutputDebugStringA("[-] APCInject QueueUserAPC call error!");
                    dRet=-6;
                }
            }else{
                OutputDebugStringA("[-] APCInject WriteProcessMemory call error!");
                dRet=-5;
            }
        }else{
            OutputDebugStringA("[-] APCInject VirtualAllocEx call error!");
            dRet=-4;
        }
        // Resume the primary thread; the process runs on regardless of
        // whether the APC was queued successfully.
        ResumeThread(pi.hThread);
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }else{
        OutputDebugStringA("[-] APCInject CreateProcess error!");
        dRet=-4;
    }
    UnmapViewOfFile(hView);
    CloseHandle(hFile);
    OutputDebugStringA("[+] APCInject exit !");
    return dRet;
}
// Entry point: argv[1] is the executable to launch, argv[2] the DLL path.
// NOTE(review): argc is never checked, so running with fewer than two
// arguments passes NULL into strlen() above; the return code of APCInject
// is discarded, and `void main` is a non-standard signature.
void main(int argc, char **argv)
{
    APCInject(argv[1],argv[2]);
}
?
//被注入的DLL
#include <Windows.h>
// Demo payload: pops a message box the moment the module is mapped into a
// process, which makes a successful load visible during testing.
// Thread attach/detach and process detach notifications are ignored.
// Always returns TRUE so the load is never refused.
BOOL APIENTRY DllMain( HMODULE hModule,DWORD ul_reason_for_call,LPVOID lpReserved)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        MessageBoxA(NULL, "the simple inject success", "Dll Inject", MB_OKCANCEL);
    }
    return TRUE;
}
?
測試如下:
\Debug>Test.exe C:\Windows\System32\notepad.exe WaiGua.dll
測試結果:
總結