#include "windows.h"
#include "string.h"
#include<iostream>
using namespace std;

// Remote-thread DLL injector.
//
// Locates the process that owns the top-level window titled sWindow, writes the
// path DllPath into that process's address space, and starts a thread there at
// LoadLibraryA with the path as its argument. The API sequence used here
// (SeDebugPrivilege enable -> OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx /
// WriteProcessMemory -> CreateRemoteThread) is the pattern endpoint monitoring
// commonly reports as remote-thread injection; each step prints its outcome to
// stdout, but no step aborts the program on failure.
//
// Returns 0 unconditionally, regardless of whether any step succeeded.
int main()
{
    // Absolute path of the DLL to load in the target. Binding a string literal
    // to a non-const char* is deprecated/ill-formed in modern C++ (const char*
    // is the correct type); the literal itself is the data written remotely.
    char* DllPath = "C://Documents and Settings//Administrator//桌面//Temp//apihook.dll";
    BOOL bRet = FALSE;

    // Elevate privileges: enable SeDebugPrivilege on this process's own token.
    HANDLE hToken;
    TOKEN_PRIVILEGES tkp;
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if(OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hToken))
    {
        if(LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tkp.Privileges[0].Luid))
        {
            // Only the call's return value is kept. A nonzero return does not
            // by itself confirm the privilege was granted (the API reports a
            // partial result through GetLastError), which is not checked here.
            bRet = AdjustTokenPrivileges(hToken,FALSE,&tkp,sizeof(tkp),NULL,NULL);
        }
    }
    if(bRet)
        cout<<"提权success"<<endl;
    bRet = FALSE;

    // Get the target process: resolve the window title to a PID.
    char* sWindow = "计算器";
    DWORD pID = NULL;
    HWND hWnd = FindWindow(NULL,sWindow);
    GetWindowThreadProcessId(hWnd,&pID);
    // OpenProcess is issued before pID is validated; if FindWindow returned
    // NULL, pID is still 0 here and the open is attempted anyway. hProc is
    // also not checked for NULL before it is used below.
    HANDLE hProc = ::OpenProcess(PROCESS_ALL_ACCESS,FALSE,pID);
    if(pID == NULL)
        cout<<"failed get window!"<<endl;
    else
        cout<<"Windows PID :"<<pID<<endl;

    // Find the LoadLibraryA address. It is resolved in this process and passed
    // to the target unchanged as the remote thread's start routine.
    PTHREAD_START_ROUTINE pfnThreadProc =
        (PTHREAD_START_ROUTINE)::GetProcAddress(GetModuleHandle("kernel32"),"LoadLibraryA");
    cout<<"Get LoadLibrary address:"<<pfnThreadProc<<endl;

    // Write the DLL path into the target: cb includes the terminating NUL.
    DWORD cb = 1 + strlen(DllPath);
    // pszThreadParam is not checked for NULL before being written to.
    PVOID pszThreadParam = VirtualAllocEx(hProc,NULL,cb,MEM_COMMIT,PAGE_READWRITE);
    bRet = ::WriteProcessMemory(hProc,pszThreadParam,DllPath,cb,NULL);
    if(bRet)
        cout<<"WriteProcessMemory success!"<<endl;
    else
        cout<<"WriteProcessMemory failed!Code:"<<GetLastError()<<endl;
    bRet = FALSE;
    cout<<"DllPath in memory:"<<DllPath<<endl;

    // Create the remote thread: LoadLibraryA(pszThreadParam) in the target.
    HANDLE hThread = CreateRemoteThread(hProc,NULL,0,pfnThreadProc,pszThreadParam,0,NULL);
    if(hThread == NULL)
        cout<<"Remote create failed"<<endl;
    else
        cout<<"success"<<endl;
    bRet = FALSE;

    // Wrap up: block until the remote thread exits. The wait is issued even
    // when hThread is NULL. hToken, hProc and hThread are never closed and the
    // remote allocation is never released.
    if(WaitForSingleObject(hThread,INFINITE) == STATUS_WAIT_0)
        cout<<"finish"<<endl;
    return 0;
}
这个是注入程序的代码 DLl文件代码自己发挥,写什么都看你有多邪恶了啊