闲话不说,看代码吧:
//
RmtDLL.cpp : Defines the entry point for the console application.
//
#include " stdafx.h "
#include < windows.h >
#include < stdlib.h >
#include < stdio.h >
#include " psapi.h "
// #include "PSAPI.H"
// #pragma comment( lib, "PSAPI.LIB" )
DWORD ProcessToPID( char * ); // 将进程名转换为PID的函数
void CheckError ( int , int , char * ); // 出错处理函数
void usage ( char * ); // 使用说明函数
PDWORD pdwThreadId;
HANDLE hRemoteThread, hRemoteProcess;
DWORD fdwCreate, dwStackSize, dwRemoteProcessId;
PWSTR pszLibFileRemote = NULL;
void main( int argc, char ** argv)
{
int iReturnCode;
char lpDllFullPathName[MAX_PATH];
WCHAR pszLibFileName[MAX_PATH] = { 0 };
// 处理命令行参数
/*
argv[0]="F:/TestTempProgramming/RmtDLL/Debug/RmtDLL.exe";
argv[1]="explorer.exe";
argv[2]="F:/TestTempProgramming/TestDLL/Debug/TestDLL.dll";
*/
if (argc != 3 ) usage( " Parametes number incorrect! " );
else {
// 如果输入的是进程名,则转化为PID
if (isdigit( * argv[ 1 ])) dwRemoteProcessId = atoi(argv[ 1 ]);
else dwRemoteProcessId = ProcessToPID(argv[ 1 ]);
// 判断输入的DLL文件名是否是绝对路径
if (strstr(argv[ 2 ], " :/ " ) != NULL)
strncpy(lpDllFullPathName,argv[ 2 ] , MAX_PATH);
else
{ // 取得当前目录,将相对路径转换成绝对路径
iReturnCode = GetCurrentDirectory(MAX_PATH, lpDllFullPathName);
CheckError(iReturnCode, 0 , " GetCurrentDirectory " );
strcat(lpDllFullPathName, " / " );
strcat(lpDllFullPathName, argv[ 2 ]);
printf( " Convert DLL filename to FullPathName: %s " ,
lpDllFullPathName);
}
// 判断DLL文件是否存在
iReturnCode = ( int )_lopen(lpDllFullPathName, OF_READ);
// iReturnCode =0;
CheckError(iReturnCode, HFILE_ERROR, " DLL File not Exist " );
// 将DLL文件全路径的ANSI码转换成UNICODE码
iReturnCode = MultiByteToWideChar(CP_ACP, MB_ERR_INVALID_CHARS,
lpDllFullPathName, strlen(lpDllFullPathName),pszLibFileName, MAX_PATH);
CheckError(iReturnCode, 0 , " MultByteToWideChar " );
// 输出最后的操作参数
wprintf(L " Will inject %s " , pszLibFileName);
printf( " into process:%s PID=%d " , argv[ 1 ], dwRemoteProcessId);
}
// 打开远程进程
hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | // 允许创建线程
PROCESS_VM_OPERATION | // 允许VM操作
PROCESS_VM_WRITE, // 允许VM写
FALSE, dwRemoteProcessId );
CheckError( ( int ) hRemoteProcess, NULL,
" Remote Process not Exist or Access Denied! " );
// 计算DLL路径名需要的内存空间
int cb = ( 1 + lstrlenW(pszLibFileName)) * sizeof (WCHAR);
pszLibFileRemote = (PWSTR) VirtualAllocEx( hRemoteProcess, NULL, cb,
MEM_COMMIT, PAGE_READWRITE);
CheckError(( int )pszLibFileRemote, NULL, " VirtualAllocEx " );
// 将DLL的路径名复制到远程进程的内存空间
iReturnCode = WriteProcessMemory(hRemoteProcess,
pszLibFileRemote, (PVOID) pszLibFileName, cb, NULL);
CheckError(iReturnCode, false , " WriteProcessMemory " );
// 计算LoadLibraryW的入口地址
PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT( " Kernel32 " )), " LoadLibraryW " );
CheckError(( int )pfnStartAddr, NULL, " GetProcAddress " );
// 启动远程线程,通过远程线程调用用户的DLL文件
hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0 , pfnStartAddr, pszLibFileRemote, 0 , NULL);
CheckError(( int )hRemoteThread, NULL, " Create Remote Thread " );
// 等待远程线程退出
WaitForSingleObject(hRemoteThread, INFINITE);
// 清场处理
if (pszLibFileRemote != NULL)
VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0 , MEM_RELEASE);
if (hRemoteThread != NULL) CloseHandle(hRemoteThread );
if (hRemoteProcess != NULL) CloseHandle(hRemoteProcess);
}
// 将进程名转换为PID的函数
DWORD ProcessToPID( char * InputProcessName)
{
DWORD aProcesses[ 1024 ], cbNeeded, cProcesses;
unsigned int i;
HANDLE hProcess;
HMODULE hMod;
char szProcessName[MAX_PATH] = " UnknownProcess " ;
// 计算目前有多少进程, aProcesses[]用来存放有效的进程PIDs
if ( ! EnumProcesses( aProcesses, sizeof (aProcesses), & cbNeeded ) ) return 0 ;
cProcesses = cbNeeded / sizeof (DWORD);
// 按有效的PID遍历所有的进程
for ( i = 0 ; i < cProcesses; i ++ )
{
// 打开特定PID的进程
hProcess = OpenProcess( PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ,
FALSE, aProcesses[i]);
// 取得特定PID的进程名
if ( hProcess )
{
if ( EnumProcessModules( hProcess, & hMod, sizeof (hMod), & cbNeeded) )
{
GetModuleBaseName( hProcess, hMod,
szProcessName, sizeof (szProcessName) );
// 将取得的进程名与输入的进程名比较,如相同则返回进程PID
if ( ! _stricmp(szProcessName, InputProcessName)){
CloseHandle( hProcess );
return aProcesses[i];
}
}
} // end of if ( hProcess )
} // end of for
// 没有找到相应的进程名,返回0
CloseHandle( hProcess );
return 0 ;
} // end of ProcessToPID
// 错误处理函数CheckError()
// 如果iReturnCode等于iErrorCode,则输出pErrorMsg并退出
void CheckError( int iReturnCode, int iErrorCode, char * pErrorMsg)
{
if (iReturnCode == iErrorCode) {
printf( " %s Error:%d " , pErrorMsg, GetLastError());
// 清场处理
if (pszLibFileRemote != NULL)
VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0 , MEM_RELEASE);
if (hRemoteThread != NULL) CloseHandle(hRemoteThread );
if (hRemoteProcess != NULL) CloseHandle(hRemoteProcess);
exit( 0 );
}
} // end of CheckError()
// 使用方法说明函数usage()
void usage( char * pErrorMsg)
{
printf( " %s " ,pErrorMsg);
printf( " Remote Process DLL by Shotgun " );
printf( " This program can inject a DLL into remote process " );
printf( " Email: " );
printf( " Shotgun@Xici.Net " );
printf( " HomePage: " );
printf( " http://It.Xici.Net " );
printf( " http://www.Patching.Net " );
printf( " USAGE: " );
printf( " RmtDLL.exe PID[|ProcessName] DLLFullPathName " );
printf( " Example: " );
printf( " RmtDLL.exe 1024 C:/WINNT/System32/MyDLL.dll " );
printf( " RmtDLL.exe Explorer.exe C:/MyDLL.dll " );
exit( 0 );
} // end of usage()
/附带“获得当前进程ID代码 ------> TestDLL.dll“和“启动进程代码”
// TestDLL.cpp : Defines the entry point for the DLL application.
//
#include " stdafx.h "
#include < windows.h >
#include < stdlib.h >
#include < stdio.h >
BOOL APIENTRY DllMain( HANDLE hModule, DWORD reason, LPVOID lpReserved)
{
char szProcessId[ 64 ];
switch (reason)
{
case (DLL_PROCESS_ATTACH):
{
PROCESS_INFORMATION pi;
STARTUPINFO si;
memset( & si, 0 , sizeof (si));
si.cb = sizeof (si);
si.wShowWindow = SW_SHOW;
si.dwFlags = STARTF_USESHOWWINDOW;
bool fRet = CreateProcess( " E:/downLoad/vcfans/thread/thread/Release/ThreadDemo1.exe " ,
NULL,NULL,FALSE,NULL,NULL,NULL,NULL, & si, & pi);
if (fRet)
{
MessageBox(NULL, " 启动进程成功! " , " ^_^ " ,MB_OK);
}
else
{
MessageBox(NULL, " 进程启动失败! " , " T_T " ,MB_OK);
}
// 获得当前进程ID
_itoa(GetCurrentProcessId(),szProcessId, 10 );
MessageBox(NULL,szProcessId, " RemoteDLL " ,MB_OK);
}
default :
return TRUE;
}
}
//
#include " stdafx.h "
#include < windows.h >
#include < stdlib.h >
#include < stdio.h >
#include " psapi.h "
// #include "PSAPI.H"
// #pragma comment( lib, "PSAPI.LIB" )
DWORD ProcessToPID( char * ); // 将进程名转换为PID的函数
void CheckError ( int , int , char * ); // 出错处理函数
void usage ( char * ); // 使用说明函数
PDWORD pdwThreadId;
HANDLE hRemoteThread, hRemoteProcess;
DWORD fdwCreate, dwStackSize, dwRemoteProcessId;
PWSTR pszLibFileRemote = NULL;
void main( int argc, char ** argv)
{
int iReturnCode;
char lpDllFullPathName[MAX_PATH];
WCHAR pszLibFileName[MAX_PATH] = { 0 };
// 处理命令行参数
/*
argv[0]="F:/TestTempProgramming/RmtDLL/Debug/RmtDLL.exe";
argv[1]="explorer.exe";
argv[2]="F:/TestTempProgramming/TestDLL/Debug/TestDLL.dll";
*/
if (argc != 3 ) usage( " Parametes number incorrect! " );
else {
// 如果输入的是进程名,则转化为PID
if (isdigit( * argv[ 1 ])) dwRemoteProcessId = atoi(argv[ 1 ]);
else dwRemoteProcessId = ProcessToPID(argv[ 1 ]);
// 判断输入的DLL文件名是否是绝对路径
if (strstr(argv[ 2 ], " :/ " ) != NULL)
strncpy(lpDllFullPathName,argv[ 2 ] , MAX_PATH);
else
{ // 取得当前目录,将相对路径转换成绝对路径
iReturnCode = GetCurrentDirectory(MAX_PATH, lpDllFullPathName);
CheckError(iReturnCode, 0 , " GetCurrentDirectory " );
strcat(lpDllFullPathName, " / " );
strcat(lpDllFullPathName, argv[ 2 ]);
printf( " Convert DLL filename to FullPathName: %s " ,
lpDllFullPathName);
}
// 判断DLL文件是否存在
iReturnCode = ( int )_lopen(lpDllFullPathName, OF_READ);
// iReturnCode =0;
CheckError(iReturnCode, HFILE_ERROR, " DLL File not Exist " );
// 将DLL文件全路径的ANSI码转换成UNICODE码
iReturnCode = MultiByteToWideChar(CP_ACP, MB_ERR_INVALID_CHARS,
lpDllFullPathName, strlen(lpDllFullPathName),pszLibFileName, MAX_PATH);
CheckError(iReturnCode, 0 , " MultByteToWideChar " );
// 输出最后的操作参数
wprintf(L " Will inject %s " , pszLibFileName);
printf( " into process:%s PID=%d " , argv[ 1 ], dwRemoteProcessId);
}
// 打开远程进程
hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | // 允许创建线程
PROCESS_VM_OPERATION | // 允许VM操作
PROCESS_VM_WRITE, // 允许VM写
FALSE, dwRemoteProcessId );
CheckError( ( int ) hRemoteProcess, NULL,
" Remote Process not Exist or Access Denied! " );
// 计算DLL路径名需要的内存空间
int cb = ( 1 + lstrlenW(pszLibFileName)) * sizeof (WCHAR);
pszLibFileRemote = (PWSTR) VirtualAllocEx( hRemoteProcess, NULL, cb,
MEM_COMMIT, PAGE_READWRITE);
CheckError(( int )pszLibFileRemote, NULL, " VirtualAllocEx " );
// 将DLL的路径名复制到远程进程的内存空间
iReturnCode = WriteProcessMemory(hRemoteProcess,
pszLibFileRemote, (PVOID) pszLibFileName, cb, NULL);
CheckError(iReturnCode, false , " WriteProcessMemory " );
// 计算LoadLibraryW的入口地址
PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT( " Kernel32 " )), " LoadLibraryW " );
CheckError(( int )pfnStartAddr, NULL, " GetProcAddress " );
// 启动远程线程,通过远程线程调用用户的DLL文件
hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0 , pfnStartAddr, pszLibFileRemote, 0 , NULL);
CheckError(( int )hRemoteThread, NULL, " Create Remote Thread " );
// 等待远程线程退出
WaitForSingleObject(hRemoteThread, INFINITE);
// 清场处理
if (pszLibFileRemote != NULL)
VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0 , MEM_RELEASE);
if (hRemoteThread != NULL) CloseHandle(hRemoteThread );
if (hRemoteProcess != NULL) CloseHandle(hRemoteProcess);
}
// 将进程名转换为PID的函数
DWORD ProcessToPID( char * InputProcessName)
{
DWORD aProcesses[ 1024 ], cbNeeded, cProcesses;
unsigned int i;
HANDLE hProcess;
HMODULE hMod;
char szProcessName[MAX_PATH] = " UnknownProcess " ;
// 计算目前有多少进程, aProcesses[]用来存放有效的进程PIDs
if ( ! EnumProcesses( aProcesses, sizeof (aProcesses), & cbNeeded ) ) return 0 ;
cProcesses = cbNeeded / sizeof (DWORD);
// 按有效的PID遍历所有的进程
for ( i = 0 ; i < cProcesses; i ++ )
{
// 打开特定PID的进程
hProcess = OpenProcess( PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ,
FALSE, aProcesses[i]);
// 取得特定PID的进程名
if ( hProcess )
{
if ( EnumProcessModules( hProcess, & hMod, sizeof (hMod), & cbNeeded) )
{
GetModuleBaseName( hProcess, hMod,
szProcessName, sizeof (szProcessName) );
// 将取得的进程名与输入的进程名比较,如相同则返回进程PID
if ( ! _stricmp(szProcessName, InputProcessName)){
CloseHandle( hProcess );
return aProcesses[i];
}
}
} // end of if ( hProcess )
} // end of for
// 没有找到相应的进程名,返回0
CloseHandle( hProcess );
return 0 ;
} // end of ProcessToPID
// 错误处理函数CheckError()
// 如果iReturnCode等于iErrorCode,则输出pErrorMsg并退出
void CheckError( int iReturnCode, int iErrorCode, char * pErrorMsg)
{
if (iReturnCode == iErrorCode) {
printf( " %s Error:%d " , pErrorMsg, GetLastError());
// 清场处理
if (pszLibFileRemote != NULL)
VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0 , MEM_RELEASE);
if (hRemoteThread != NULL) CloseHandle(hRemoteThread );
if (hRemoteProcess != NULL) CloseHandle(hRemoteProcess);
exit( 0 );
}
} // end of CheckError()
// 使用方法说明函数usage()
void usage( char * pErrorMsg)
{
printf( " %s " ,pErrorMsg);
printf( " Remote Process DLL by Shotgun " );
printf( " This program can inject a DLL into remote process " );
printf( " Email: " );
printf( " Shotgun@Xici.Net " );
printf( " HomePage: " );
printf( " http://It.Xici.Net " );
printf( " http://www.Patching.Net " );
printf( " USAGE: " );
printf( " RmtDLL.exe PID[|ProcessName] DLLFullPathName " );
printf( " Example: " );
printf( " RmtDLL.exe 1024 C:/WINNT/System32/MyDLL.dll " );
printf( " RmtDLL.exe Explorer.exe C:/MyDLL.dll " );
exit( 0 );
} // end of usage()
/附带“获得当前进程ID代码 ------> TestDLL.dll“和“启动进程代码”
// TestDLL.cpp : Defines the entry point for the DLL application.
//
#include " stdafx.h "
#include < windows.h >
#include < stdlib.h >
#include < stdio.h >
BOOL APIENTRY DllMain( HANDLE hModule, DWORD reason, LPVOID lpReserved)
{
char szProcessId[ 64 ];
switch (reason)
{
case (DLL_PROCESS_ATTACH):
{
PROCESS_INFORMATION pi;
STARTUPINFO si;
memset( & si, 0 , sizeof (si));
si.cb = sizeof (si);
si.wShowWindow = SW_SHOW;
si.dwFlags = STARTF_USESHOWWINDOW;
bool fRet = CreateProcess( " E:/downLoad/vcfans/thread/thread/Release/ThreadDemo1.exe " ,
NULL,NULL,FALSE,NULL,NULL,NULL,NULL, & si, & pi);
if (fRet)
{
MessageBox(NULL, " 启动进程成功! " , " ^_^ " ,MB_OK);
}
else
{
MessageBox(NULL, " 进程启动失败! " , " T_T " ,MB_OK);
}
// 获得当前进程ID
_itoa(GetCurrentProcessId(),szProcessId, 10 );
MessageBox(NULL,szProcessId, " RemoteDLL " ,MB_OK);
}
default :
return TRUE;
}
}