#include <windows.h>
#include <string>
#include "stdio.h"
#include <iostream>
using namespace std;
#define DEF_BUF_SIZE 1024
// 用於存儲注入模塊DLL的路徑全名
char szDllPath[DEF_BUF_SIZE] = {0} ;
// 使用遠程線程向指定ID的進程注入模塊
BOOL InjectModuleToProcessById ( DWORD dwProcessId )
{
if ( dwProcessId == 0 )
return FALSE ;
// 打開進程
HANDLE hProcess = OpenProcess ( PROCESS_ALL_ACCESS, FALSE, dwProcessId ) ;
if ( hProcess == NULL )
return FALSE ;
//申請存放文件名的空間
UINT nLen = (UINT)strlen ( szDllPath ) + 1;
LPVOID lpRemoteDllName = VirtualAllocEx ( hProcess, NULL, nLen, MEM_COMMIT, PAGE_READWRITE ) ;
if ( lpRemoteDllName == NULL )
{
printf ( "[ERROR]VirtualAllocEx(%d)/n", GetLastError() );
return FALSE ;
}
//把dll文件名寫入申請的空間
if ( WriteProcessMemory ( hProcess, lpRemoteDllName, szDllPath, nLen, NULL) == FALSE )
{
printf ( "[ERROR]WriteProcessMemory(%d)/n", GetLastError() );
return FALSE ;
}
//獲取動態鏈接庫函數地址
HMODULE hModule = GetModuleHandle ( L"kernel32.dll" ) ;
LPTHREAD_START_ROUTINE fnStartAddr = ( LPTHREAD_START_ROUTINE )GetProcAddress(hModule,"LoadLibraryA") ;
if ( (DWORD)fnStartAddr == 0 )
{
printf ( "[ERROR]GetProcAddress(%d)/n", GetLastError() );
return FALSE ;
}
//創建遠程線程
HANDLE hRemoteThread = CreateRemoteThread ( hProcess, NULL, 0,fnStartAddr, lpRemoteDllName, 0, NULL ) ;
if ( hRemoteThread == NULL )
{
printf ( "[ERROR]CreateRemoteThread(%d)/n", GetLastError() );
return FALSE ;
}
// 等待遠程線程結束
if ( WaitForSingleObject ( hRemoteThread, INFINITE ) != WAIT_OBJECT_0 )
{
printf ( "[ERROR]WaitForSingleObject(%d)/n", GetLastError() );
return FALSE ;
}
CloseHandle ( hRemoteThread ) ;
CloseHandle ( hModule ) ;
CloseHandle ( hProcess ) ;
return TRUE ;
}
int _tmain(int argc, _TCHAR* argv[])
{
// 取得當前工作目錄路徑
GetCurrentDirectoryA ( DEF_BUF_SIZE, szDllPath ) ;
// 生成注入模塊DLL的路徑全名
strcat ( szDllPath, "//DLL.dll" ) ;
DWORD dwProcessId = 0 ;
// 接收用戶輸入的目標進程ID
while ( printf ( "請輸入目標進程ID:" ) && cin >> dwProcessId && dwProcessId > 0 )
{
BOOL bRet = InjectModuleToProcessById ( dwProcessId ) ;
printf ( bRet ? "注入成功!/n":"注入失敗!/n") ;
}
return 0;
}