原理上可以不依赖其他程序来启动注入：注入器自己以 CREATE_SUSPENDED 方式创建目标进程，把 DLL 注入进去之后再恢复主线程。
#include <windows.h>
#include "stdio.h"
#include <tchar.h>
// Raise the process's access rights: enable SeDebugPrivilege on our own token.
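// Enable SeDebugPrivilege on the current process token so that handles to
// other processes (including protected/system ones) can be opened.
//
// Returns true only if the privilege is actually enabled.
//
// Two fixes over the original:
//  - AdjustTokenPrivileges returns TRUE even when it could NOT assign the
//    privilege (GetLastError() == ERROR_NOT_ALL_ASSIGNED, typically because
//    the caller is not elevated); that case is now reported as false instead
//    of claiming success.
//  - The token handle was leaked on the success path; it is now closed on
//    every path.
bool enableDebugPriv()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return false;
    }

    bool enabled = false;
    LUID debugLuid;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &debugLuid))
    {
        TOKEN_PRIVILEGES tkp;
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = debugLuid;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        // A TRUE return only means the call was processed; the privilege is
        // granted only if the last error is not ERROR_NOT_ALL_ASSIGNED.
        if (AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)
            && GetLastError() != ERROR_NOT_ALL_ASSIGNED)
        {
            enabled = true;
        }
    }

    CloseHandle(hToken);
    return enabled;
}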
// Inject a DLL into a target process (the caller below uses D:\\c\\HookAddress\\Debug\\mydll.dll).
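// Load the DLL at hook_address into the process identified by hProcess.
//
// Mechanism: the DLL path is copied into a buffer allocated inside the
// target, then a remote thread is started at kernel32!LoadLibraryA with that
// buffer as its argument. The thread's exit code is LoadLibraryA's return
// value (the module base, 0 on failure). The DLL therefore runs with the
// target's identity and privileges; hook_address must never be attacker
// controlled.
//
// hook_address: NUL-terminated ANSI path of the DLL. It is resolved by the
//               loader *inside the target*, so it should be an absolute path
//               to an existing DLL whose bitness matches the target.
// hProcess:     handle with at least PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION,
//               PROCESS_VM_WRITE and PROCESS_QUERY_INFORMATION access.
//
// Fixes over the original: every Win32 call is checked (the original ignored
// all return values and would write through a NULL remote pointer or wait on
// a NULL thread handle), the remote buffer and thread handle are released on
// every path, and VirtualFreeEx is called with dwSize == 0, which MEM_RELEASE
// requires (passing the buffer size makes it fail with ERROR_INVALID_PARAMETER).
void inject_dll(char* hook_address, HANDLE hProcess)
{
    if (hook_address == NULL || hProcess == NULL)
    {
        printf("inject_dll: invalid argument\n");
        return;
    }

    // Best effort: SeDebugPrivilege only matters for protected targets, and
    // the caller's handle may already carry enough access.
    if (!enableDebugPriv())
    {
        printf("inject_dll: SeDebugPrivilege not enabled (%lu), continuing\n",
               GetLastError());
    }

    // Copy the path into a fixed buffer; reject oversized paths instead of
    // letting strcpy_s invoke the invalid-parameter handler.
    char szLibPath[_MAX_PATH];
    if (strcpy_s(szLibPath, sizeof(szLibPath), hook_address) != 0)
    {
        printf("inject_dll: DLL path too long (max %u chars)\n",
               (unsigned)(sizeof(szLibPath) - 1));
        return;
    }

    // The LoadLibraryA address is taken from *our* kernel32 mapping. This only
    // works because kernel32 is mapped at the same base in every process of
    // the same bitness for a given boot; a cross-bitness target would receive
    // a wrong address.
    HMODULE hKernel32 = ::GetModuleHandle(TEXT("Kernel32"));
    FARPROC pLoadLibraryA = (hKernel32 != NULL)
        ? ::GetProcAddress(hKernel32, "LoadLibraryA") : NULL;
    if (pLoadLibraryA == NULL)
    {
        printf("inject_dll: cannot resolve kernel32!LoadLibraryA (%lu)\n",
               GetLastError());
        return;
    }

    // 1. Allocate memory in the remote process for the path.
    void* pLibRemote = ::VirtualAllocEx(hProcess, NULL, sizeof(szLibPath),
                                        MEM_COMMIT, PAGE_READWRITE);
    if (pLibRemote == NULL)
    {
        printf("inject_dll: VirtualAllocEx failed (%lu)\n", GetLastError());
        return;
    }

    // 2. Write the path (whole buffer, so it is always NUL-terminated).
    if (!::WriteProcessMemory(hProcess, pLibRemote, szLibPath,
                              sizeof(szLibPath), NULL))
    {
        printf("inject_dll: WriteProcessMemory failed (%lu)\n", GetLastError());
        ::VirtualFreeEx(hProcess, pLibRemote, 0, MEM_RELEASE);
        return;
    }

    // 3. Run LoadLibraryA(pLibRemote) on a new thread inside the target.
    HANDLE hThread = ::CreateRemoteThread(hProcess, NULL, 0,
                                          (LPTHREAD_START_ROUTINE)pLoadLibraryA,
                                          pLibRemote, 0, NULL);
    if (hThread == NULL)
    {
        printf("inject_dll: CreateRemoteThread failed (%lu)\n", GetLastError());
        ::VirtualFreeEx(hProcess, pLibRemote, 0, MEM_RELEASE);
        return;
    }

    ::WaitForSingleObject(hThread, INFINITE);

    // The exit code is the low 32 bits of the HMODULE returned by LoadLibraryA
    // (truncated on x64); 0 means the load failed inside the target.
    DWORD hLibModule = 0;
    if (!::GetExitCodeThread(hThread, &hLibModule))
    {
        printf("inject_dll: GetExitCodeThread failed (%lu)\n", GetLastError());
    }
    else if (hLibModule == 0)
    {
        printf("inject_dll: LoadLibraryA failed inside the target for %s\n",
               szLibPath);
    }
    else
    {
        printf("inject_dll: loaded %s at 0x%08lx\n", szLibPath, hLibModule);
    }

    // Clean up: thread handle, then the remote buffer (MEM_RELEASE needs size 0).
    ::CloseHandle(hThread);
    ::VirtualFreeEx(hProcess, pLibRemote, 0, MEM_RELEASE);
}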
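// Entry point: start argv[1] suspended, inject the hard-coded DLL, then
// resume the target and wait for it to exit.
//
// Usage: <injector> <command line of the target>
//
// The target is created with CREATE_SUSPENDED so the DLL is mapped before any
// of the target's own code runs. NOTE(review): the remote LoadLibraryA thread
// then executes in a process whose loader has not run yet; whether that is
// reliable depends on the Windows version — confirm on the target OS, or
// resume first and inject once the entry point has been reached.
//
// Fix over the original: the inline `__asm { pop eax; mov oep_reg, eax; push eax }`
// block read the top of *our own* stack, not the child's entry point, and was
// x86-only. The entry point is now taken from the suspended main thread's
// context via GetThreadContext.
void _tmain(int argc, TCHAR *argv[])
{
    // Resolved by the loader inside the target: keep it absolute, and make
    // sure the DLL's bitness matches the target's.
    char dllPath[] = "D:\\c\\HookAddress\\Debug\\mydll.dll";

    if (argc != 2)
    {
        // argv is TCHAR*, so use the TCHAR-aware printf.
        _tprintf(TEXT("Usage: %s [cmdline]\n"), argv[0]);
        return;
    }

    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));

    // Start the child suspended. lpCommandLine must be writable (the Unicode
    // variant may modify it); argv[1] is.
    if (!CreateProcess(NULL,             // No module name (use command line)
                       argv[1],          // Command line
                       NULL,             // Process handle not inheritable
                       NULL,             // Thread handle not inheritable
                       FALSE,            // No handle inheritance
                       CREATE_SUSPENDED, // Main thread does not run yet
                       NULL,             // Use parent's environment block
                       NULL,             // Use parent's starting directory
                       &si,
                       &pi))
    {
        printf("CreateProcess failed (%lu).\n", GetLastError());
        return;
    }

    // Read the suspended main thread's context. Its instruction pointer sits
    // in ntdll's thread start stub, not at the image entry point; the entry
    // point is passed to that stub in EAX on x86 (RCX on x64). This is a
    // long-standing loader convention rather than a documented contract.
    CONTEXT ctx;
    ZeroMemory(&ctx, sizeof(ctx));
    ctx.ContextFlags = CONTEXT_FULL;
    if (GetThreadContext(pi.hThread, &ctx))
    {
#if defined(_M_IX86)
        printf("[EIP]=%08lx [OEP]=%08lx\n", ctx.Eip, ctx.Eax);
#elif defined(_M_X64)
        printf("[RIP]=%016llx [OEP]=%016llx\n",
               (unsigned long long)ctx.Rip, (unsigned long long)ctx.Rcx);
#endif
    }
    else
    {
        printf("GetThreadContext failed (%lu).\n", GetLastError());
    }

    inject_dll(dllPath, pi.hProcess);

    // Resume the target whether or not injection succeeded, so a failed
    // injection does not leave a suspended orphan behind.
    if (ResumeThread(pi.hThread) == (DWORD)-1)
    {
        printf("ResumeThread failed (%lu).\n", GetLastError());
    }

    // Wait until the child exits, then release both handles.
    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
}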
用 VS2015 生成项目，然后在 cmd 里运行 `C:\项目空间>xxx.exe test.exe`（test.exe 为需要注入的目标程序）；也可以在项目属性 -> 调试 -> 命令参数里设置启动参数。
注意：DLL 路径在代码里是硬编码的（D:\c\HookAddress\Debug\mydll.dll），该文件必须存在，且注入器、DLL 与目标进程的位数（x86/x64）必须一致；代码中的 `__asm` 块只能在 x86 (Win32) 配置下编译，x64 配置下 MSVC 不支持内联汇编。