#include "windows.h"
#include "tlhelp32.h"
#pragma comment(lib,"th32.lib")
const char *pkill="fundll.dll"; // path of the DLL to be loaded; the author recommends an absolute path,
// because the path is resolved by the *target* process's loader, not by this program's working directory
char *process="test.exe"; // executable name of the target process (pe.szExeFile is compared against it in main);
// NOTE(review): main() spells the identifier `prosess` in that comparison, so this global is never actually read
int main()
{
/*
 * Enables SeDebugPrivilege on the current process token, finds a running
 * process by executable name, and then allocates a buffer in that process,
 * copies the DLL path into it and starts a remote thread at LoadLibraryA with
 * the buffer as its argument (the textbook CreateRemoteThread injection
 * sequence).
 *
 * Returns 1 when opening the token, looking up the privilege LUID or
 * adjusting the token fails; returns 0 otherwise.  None of the calls after
 * AdjustTokenPrivileges have their result checked, so a 0 return does not
 * mean anything was written or started in the target.
 *
 * NOTE(review): as written the file does not compile -- the comparison in
 * the snapshot loop references `prosess`, which is never declared.
 * NOTE(review): from a detection standpoint, the call chain below
 * (privilege adjustment -> OpenProcess with PROCESS_CREATE_THREAD |
 * PROCESS_VM_WRITE | PROCESS_VM_OPERATION -> VirtualAllocEx ->
 * WriteProcessMemory -> CreateRemoteThread pointed at LoadLibraryA) is the
 * exact cross-process pattern that kernel callbacks, ETW-TI and EDR
 * injection rules alert on; a process that needs this is expected to look
 * like this on the wire.
 */
HANDLE hSnap; // Toolhelp snapshot of every running process, walked to find the target
HANDLE hkernel32; // handle to the *target* process (the name is misleading; it is not kernel32).
// Only assigned inside the loop when a name matches -- if no process matches
// it is used uninitialized by VirtualAllocEx/WriteProcessMemory/CreateRemoteThread below.
PROCESSENTRY32 pe; // one process record from the snapshot
BOOL bNext;
HANDLE hToken; // access token of *this* process; never closed
TOKEN_PRIVILEGES tp; // privilege set to enable; only PrivilegeCount and Privileges[0] are initialized
LUID Luid; // locally unique id of SeDebugPrivilege, filled by LookupPrivilegeValue
LPVOID p; // address of the buffer allocated in the target process
FARPROC pfn; // address of LoadLibraryA as seen in this process
// Open our own token with rights to query and adjust privileges.
if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
{
return 1;
}
// Resolve the LUID for SeDebugPrivilege on the local system.
if (!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&Luid))
{
return 1;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid = Luid;
// Enable the privilege on our token.
// NOTE(review): AdjustTokenPrivileges can return nonzero even when the
// privilege was not actually granted (ERROR_NOT_ALL_ASSIGNED); GetLastError is
// not consulted here, so the failure case is silently treated as success.
if (!AdjustTokenPrivileges(hToken,0,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL))
{
return 1;
}
pe.dwSize = sizeof(pe); // required by Process32First/Next before the first call
hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); // result not checked against INVALID_HANDLE_VALUE
bNext=Process32First(hSnap,&pe);
while(bNext)
{
// Case-insensitive compare of the snapshot entry's exe name with the target name.
// NOTE(review): `prosess` is undeclared (the global is `process`); `stricmp` is
// also the legacy spelling of the CRT's `_stricmp`.
if(!stricmp(pe.szExeFile,prosess))
{
// Second argument 1 = bInheritHandle TRUE; the returned handle is never checked or closed.
hkernel32=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_WRITE|PROCESS_VM_OPERATION,1,pe.th32ProcessID);
break;
}
bNext=Process32Next(hSnap, &pe);
}
CloseHandle(hSnap);
// Reserve and commit a read/write buffer inside the target process sized by
// strlen(pkill) and copy the DLL path into it.  Neither call's result is
// checked, so p may be NULL on the WriteProcessMemory line.
p=VirtualAllocEx(hkernel32,NULL,strlen(pkill),MEM_COMMIT,PAGE_READWRITE);
WriteProcessMemory(hkernel32,p,pkill,strlen(pkill),NULL);
// Look up LoadLibraryA in *our* kernel32 and reuse that address in the target;
// this relies on kernel32.dll being mapped at the same base in both processes.
pfn=GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
// Start a thread in the target whose entry point is LoadLibraryA and whose
// single argument is the buffer address.  The returned thread handle is
// discarded (never waited on or closed), as is hkernel32.
CreateRemoteThread(hkernel32,NULL,0,pfn,p,NULL,0);
return 0;
}
将指定DLL程序写入任意进程内存空间中