/****************************************************************
* 函数名称: InjectDll
* 功能描述: 远程注入Dll（在目标进程中创建远程线程调用LoadLibraryA加载指定Dll）
* 参数列表: sProcName --- 目标进程的映像名称（例如 notepad.exe）
*           sDllName  --- Dll路径名称（建议传绝对路径；相对名称会按目标进程的Dll搜索顺序解析）
* 返回结果: 0:失败
****************************************************************/
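BOOL CRemoteDll::InjectDll(char *sProcName, char *sDllName)
{
    // Inject sDllName into the first process named sProcName: write the DLL
    // path into the target's address space and run LoadLibraryA on a remote
    // thread with that buffer as its argument.
    //
    // Returns TRUE only when the remote LoadLibraryA reported a non-zero module
    // handle; FALSE on any failure (bad arguments, process not found, access
    // denied, remote allocation/write/thread-creation failure, or the DLL
    // failing to load inside the target). The original always returned FALSE,
    // contradicting its own "0 = failure" contract.
    //
    // Caveats for the caller:
    //  - sDllName should be an absolute path. A bare file name is resolved by
    //    the TARGET process's DLL search order, so an unintended library can
    //    be loaded (DLL search-order hijacking).
    //  - The LoadLibraryA address is taken from this process's kernel32. That
    //    is only valid in the target when both processes share a bitness;
    //    32-bit <-> 64-bit injection is not supported by this routine.
    //  - The wait below is unbounded: a DllMain that blocks will hang the
    //    caller. The buffer must not be freed while the remote thread may
    //    still read it, which is why the wait is not given a timeout here.
    //  - Side effects: m_dwSize is set to the path length incl. NUL and
    //    m_hProcess is opened, closed and reset to NULL before returning.
    if (sProcName == NULL || sDllName == NULL || sDllName[0] == '\0')
    {
        return FALSE;
    }

    m_dwSize = lstrlenA(sDllName) + 1;  // include the terminating NUL

    const DWORD dwProcessId = GetTargetProcId(sProcName);
    if (dwProcessId == 0)
    {
        MessageBox(NULL, "找不到该进程", "信息", MB_OK);
        return FALSE;
    }

    // Access rights that CreateRemoteThread / WriteProcessMemory are documented
    // to require. The original omitted the NULL check and went on to call
    // VirtualAllocEx/CloseHandle with a NULL handle.
    m_hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION
                             | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                             FALSE, dwProcessId);
    if (m_hProcess == NULL)
    {
        // Typically ERROR_ACCESS_DENIED: protected or higher-integrity target,
        // or the caller lacks SeDebugPrivilege for that process.
        return FALSE;
    }

    BOOL bResult = FALSE;
    HANDLE hThread = NULL;

    // Buffer in the target that will hold the DLL path passed to LoadLibraryA.
    LPVOID lpRemoteBuf = VirtualAllocEx(m_hProcess, NULL, m_dwSize,
                                        MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (lpRemoteBuf != NULL)
    {
        // WriteProcessMemory reports the written byte count through a SIZE_T,
        // not a DWORD (the original's DWORD* would not compile for x64).
        SIZE_T cbWritten = 0;
        if (WriteProcessMemory(m_hProcess, lpRemoteBuf, sDllName, m_dwSize, &cbWritten)
            && cbWritten == m_dwSize)
        {
            // kernel32 is mapped at the same base in every process of the same
            // bitness, so the local address of LoadLibraryA is usable remotely.
            FARPROC pfnLoadLibraryA = GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
            if (pfnLoadLibraryA != NULL)
            {
                DWORD dwThreadId = 0;
                hThread = CreateRemoteThread(m_hProcess, NULL, 0,
                                             (LPTHREAD_START_ROUTINE)pfnLoadLibraryA,
                                             lpRemoteBuf, 0, &dwThreadId);
                if (hThread != NULL)
                {
                    // LoadLibraryA's return value (the HMODULE, truncated to
                    // 32 bits on 64-bit targets) becomes the thread exit code,
                    // so a zero exit code means the DLL did not load. A 64-bit
                    // module base whose low 32 bits are all zero would be
                    // misreported as a failure; that is rare but possible.
                    WaitForSingleObject(hThread, INFINITE);
                    DWORD dwExitCode = 0;
                    if (GetExitCodeThread(hThread, &dwExitCode) && dwExitCode != 0)
                    {
                        bResult = TRUE;
                    }
                }
            }
        }
        // Release the whole allocation rather than only decommitting it;
        // MEM_RELEASE requires a size of 0. Safe here: the remote thread has
        // either finished or was never created.
        VirtualFreeEx(m_hProcess, lpRemoteBuf, 0, MEM_RELEASE);
    }

    if (hThread != NULL)
    {
        CloseHandle(hThread);
    }
    CloseHandle(m_hProcess);
    m_hProcess = NULL;  // do not leave a dangling handle value in the member
    return bResult;
}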
/****************************************************************
* 函数名称: GetTargetProcId
* 功能描述: 在进程快照中查找指定映像名称的进程
* 参数列表: sProcName --- 进程名称（映像名，例如 notepad.exe）
* 返回结果: 返回第一个匹配进程的ID；未找到返回0
****************************************************************/
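DWORD CRemoteDll::GetTargetProcId(char *sProcName)
{
    // Look up the PID of the first process whose image name equals sProcName.
    // Returns 0 when no process matches, when sProcName is NULL, or when the
    // process snapshot cannot be taken.
    //
    // The comparison is case-insensitive because Windows file names are: the
    // original strcmp() silently missed "Notepad.exe" vs "notepad.exe".
    // If several processes share the name, the first one in snapshot order is
    // returned, which is not necessarily the instance the caller intends.
    if (sProcName == NULL)
    {
        return 0;
    }

    // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not
    // NULL; the original never checked it and closed the bogus handle.
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        return 0;
    }

    DWORD dwProcessId = 0;
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(entry);  // required before the first Process32First call
    for (BOOL bMore = Process32First(hSnapshot, &entry); bMore;
         bMore = Process32Next(hSnapshot, &entry))
    {
        if (_stricmp(entry.szExeFile, sProcName) == 0)
        {
            dwProcessId = entry.th32ProcessID;
            break;
        }
    }

    CloseHandle(hSnapshot);
    return dwProcessId;
}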
此代码仅作技术交流,请勿用于非法传播。