dll远程注入

/****************************************************************
* 函数名称: InjectDll
* 功能描述: 远程注入Dll
* 参数列表: sProcName  --- 进程名称
            strDll     --- Dll路径名称
* 返回结果: 0:失败
****************************************************************/
BOOL CRemoteDll::InjectDll(char *sProcName, char *sDllName)
{
 char *strProcess = sProcName;
 char *strDll = sDllName;

 m_dwSize = lstrlenA(strDll) + 1;
    DWORD lv_dwProcessID = GetTargetProcId(strProcess);
 if (lv_dwProcessID == 0)
 {
  MessageBox(NULL, "找不到该进程", "信息", MB_OK);
        return FALSE;
 }

 m_hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION
  | PROCESS_VM_WRITE, FALSE, lv_dwProcessID);//打开目标进程

 LPVOID lv_lpBuf = (PWSTR)VirtualAllocEx(m_hProcess, NULL, m_dwSize, MEM_COMMIT, PAGE_READWRITE);//在目标进程中开辟空间
 if(NULL == lv_lpBuf)
 {
  CloseHandle(m_hProcess);
        return FALSE;
 }

 DWORD lv_dwWritten;
 if (WriteProcessMemory(m_hProcess, lv_lpBuf, (LPVOID)strDll, m_dwSize, &lv_dwWritten))
 {
  if (lv_dwWritten != m_dwSize)
  {
   VirtualFreeEx(m_hProcess, lv_lpBuf, m_dwSize, MEM_DECOMMIT);

   CloseHandle(m_hProcess);
            return FALSE;
  }
 }
 else
 {
  CloseHandle(m_hProcess);
  return FALSE;
 }

 PTHREAD_START_ROUTINE pfnEndAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");

 // 使目标进程调用LoadLibrary，加载DLL
 DWORD dwID;
 HANDLE hThread = CreateRemoteThread( m_hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pfnEndAddr, lv_lpBuf, 0, &dwID );
 
 // 等待LoadLibrary加载完毕
 WaitForSingleObject( hThread, INFINITE );
 
 // 释放目标进程中申请的空间
 VirtualFreeEx( m_hProcess, lv_lpBuf, m_dwSize, MEM_DECOMMIT );
 CloseHandle( hThread );
 CloseHandle( m_hProcess );

 return FALSE;
}

/****************************************************************
* 函数名称: GetTarget
* 功能描述: 查找进程
* 参数列表: sProcName  --- 进程名称
* 返回结果: 返回进程ID
****************************************************************/
DWORD CRemoteDll::GetTargetProcId(char *sProcName)
{
    DWORD dwRet = 0;
 
    HANDLE hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0);//进程快照
 
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof( PROCESSENTRY32 );
 
    BOOL lv_return = Process32First( hSnapshot, &pe32 );
    while(lv_return)
    {
        if (0 == strcmp(pe32.szExeFile, sProcName))
        {
            dwRet = pe32.th32ProcessID;
            break;
        }
  
  lv_return = Process32Next(hSnapshot, &pe32);
    }
 
    CloseHandle(hSnapshot);

 return dwRet;
}

 

此代码仅作技术交流，请勿用于非法传播。