14. DLL injection : remote thread
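Obtaining the actual address of LoadLibrary
Wide Character Version
// Look up the real address of LoadLibraryW in Kernel32 at run time
// (the export name passed to GetProcAddress is case-sensitive).
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
    GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
HANDLE hThread = CreateRemoteThread(hProcessRemote, NULL, 0,
    pfnThreadRtn, L"C:\\MyLib.dll", 0, NULL);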
15. DLL injection : remote thread
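This is actually the address of a string
Wide Character Version
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
    GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
// The string literal is passed as a pointer: an address that is only
// valid in the calling process, not in the remote one.
HANDLE hThread = CreateRemoteThread(hProcessRemote, NULL, 0,
    pfnThreadRtn, L"C:\\MyLib.dll", 0, NULL);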
16. DLL injection : remote thread
With VirtualAllocEx and VirtualFreeEx,
virtual memory can be allocated in another process's address space.
With ReadProcessMemory and WriteProcessMemory…
You can tell from the names alone, right?
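From the defender's side, the sequence these slides build up (memory allocated in another process, a DLL path written into it, then a remote thread started at LoadLibraryW with that address as its parameter) can be correlated in an API-call trace. The following Python is an added example, not from the original slides; the trace format, PIDs and addresses are constructed for illustration.

```python
# Constructed sample trace in a hypothetical format (not real telemetry).
# Each entry: (calling PID, API name, arguments).
TRACE = [
    (4120, "OpenProcess", {"target": 812}),
    (4120, "VirtualAllocEx", {"target": 812, "base": 0x1F0000, "size": 0x1000}),
    (4120, "WriteProcessMemory", {"target": 812, "addr": 0x1F0000,
                                  "data": "C:\\MyLib.dll\0".encode("utf-16-le")}),
    (4120, "CreateRemoteThread", {"target": 812, "param": 0x1F0000,
                                  "start": "kernel32!LoadLibraryW"}),
    (5000, "VirtualAllocEx", {"target": 5000, "base": 0x400000, "size": 0x2000}),
    (6001, "CreateRemoteThread", {"target": 900, "param": 0, "start": "app!Worker"}),
]

# Thread start routines that load a DLL, with the encoding of their path argument.
LOADERS = {"kernel32!loadlibraryw": "utf-16-le", "kernel32!loadlibrarya": "ascii"}

def decode_path(data, encoding):
    """Return the NUL-terminated string at the start of data, or None."""
    try:
        text = data.decode(encoding)
    except UnicodeDecodeError:
        return None
    return text.split("\0", 1)[0] or None

def find_injections(trace):
    """Flag remote threads that start in LoadLibrary with a parameter pointing
    at memory the same caller allocated and wrote in the target process."""
    regions = {}  # (caller, target) -> [(base, size), ...]
    writes = {}   # (caller, target, addr) -> bytes written there
    alerts = []
    for pid, api, a in trace:
        if a["target"] == pid:
            continue  # same-process calls are not cross-process injection
        key = (pid, a["target"])
        if api == "VirtualAllocEx":
            regions.setdefault(key, []).append((a["base"], a["size"]))
        elif api == "WriteProcessMemory":
            writes[key + (a["addr"],)] = a["data"]
        elif api == "CreateRemoteThread":
            enc = LOADERS.get(a["start"].lower())
            in_region = any(b <= a["param"] < b + s for b, s in regions.get(key, []))
            data = writes.get(key + (a["param"],))
            if enc and in_region and data is not None:
                alerts.append({"source": pid, "target": a["target"],
                               "dll": decode_path(data, enc)})
    return alerts
```
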