一、获取要注入的dll路径和被注入的进程ID
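// Step 1: let the user pick the DLL to inject and read the target PID from the
// process list box.  `ofName` (an OPENFILENAME) and `hWnd` are declared earlier
// in the file, outside this excerpt.
//
// An OPENFILENAME filter is a run of "description\0pattern\0" pairs closed by
// one extra '\0'.  A bare "*.exe;*.DLL;..." literal is not in that format: the
// dialog scans past the end of the string looking for the second NUL, and
// ".scr"/".drv" were missing their '*' anyway.  Only a DLL makes sense as the
// payload here, so the filter offers DLLs plus an all-files escape hatch.
// The listing is ANSI throughout (LPSTR, LoadLibraryA), hence the explicit
// ...A entry point and the char buffer.
LPCSTR lpstrFilter = "Dynamic-link libraries (*.dll)\0*.dll\0All files (*.*)\0*.*\0";
char szBuffer[1024] = { 0 };                 // receives the selected full path
memset(&ofName, 0, sizeof(ofName));
ofName.lStructSize = sizeof(ofName);
ofName.hwndOwner   = hWnd;
ofName.lpstrFilter = lpstrFilter;
ofName.lpstrFile   = szBuffer;
ofName.nMaxFile    = sizeof(szBuffer);       // in chars; was MAX_PATH, smaller than the buffer
// OFN_NOCHANGEDIR: the dialog must not silently change this process's working
// directory, which would affect every relative path used afterwards.
ofName.Flags = OFN_PATHMUSTEXIST | OFN_FILEMUSTEXIST | OFN_NOCHANGEDIR;
// GetOpenFileNameA returns FALSE when the user cancels (or on error).  Without
// this check an empty szBuffer was handed downstream as the DLL path.
BOOL dllChosen = GetOpenFileNameA(&ofName);
// PID 0 (System Idle) can never be opened, so a cancelled dialog or an empty
// selection fails closed in OpenProcess later.  NOTE(review): this assumes
// GetSelectProcessId() returns 0 when nothing is selected -- confirm in its
// definition; the code that consumes szBuffer/processId is outside this excerpt
// and should test dllChosen && processId != 0 before calling LoadDll.
unsigned long processId = dllChosen ? GetSelectProcessId(GetDlgItem(hWnd, IDC_LIST_PROCESS)) : 0;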
二、把要注入的 DLL 路径写入被注入进程的内存，再通过远程线程在该进程中调用 LoadLibraryA 加载它
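/*
 * Inject the DLL at dllPath into process ProcessId: write the path into the
 * target's address space and start a remote thread whose entry point is
 * LoadLibraryA with that buffer as its single argument.
 *
 * ProcessId  PID of the target process.
 * dllPath    NUL-terminated ANSI path of the DLL.  Pass an absolute path: it is
 *            resolved by LoadLibraryA *inside the target*, so a relative name
 *            follows the target's DLL search order (a DLL-hijacking vector).
 * Returns    true only when the remote thread finished and LoadLibraryA
 *            returned a non-zero module handle; false on any failure.  Every
 *            handle and the remote buffer are released on all return paths
 *            (the buffer is deliberately left in place if the remote thread is
 *            still running when we stop waiting -- freeing it then would be a
 *            use-after-free inside the target).
 *
 * Caveat: the address of LoadLibraryA is looked up in *this* process and reused
 * in the target.  That is only valid when both processes map kernel32.dll at
 * the same base: same bitness (no 32<->64-bit injection) and the same boot
 * session (kernel32's ASLR slide is chosen per boot, not per process).
 */
bool LoadDll(DWORD ProcessId, LPSTR dllPath)
{
    /* Least privilege: exactly the rights VirtualAllocEx, WriteProcessMemory
     * and CreateRemoteThread need, instead of PROCESS_ALL_ACCESS. */
    const DWORD kAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                          PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    /* Upper bound on waiting for LoadLibraryA in the target: the injected
     * module's DllMain can block (e.g. on the loader lock) and the injector
     * must not hang forever. */
    const DWORD kLoadTimeoutMs = 10000;

    /* All locals up front so the goto-based cleanup does not jump over an
     * initialisation (ill-formed in C++). */
    bool    ok            = false;
    HANDLE  hProcess      = NULL;
    HANDLE  hThread       = NULL;
    LPVOID  remotePath    = NULL;   /* path buffer in the target's address space */
    SIZE_T  pathBytes     = 0;
    SIZE_T  written       = 0;
    HMODULE hKernel32     = NULL;
    FARPROC pLoadLibraryA = NULL;
    DWORD   waitResult    = WAIT_FAILED;
    DWORD   exitCode      = 0;

    if (dllPath == NULL || dllPath[0] == '\0')
        return false;

    hProcess = OpenProcess(kAccess, FALSE, ProcessId);
    if (hProcess == NULL)
        return false;

    /* strlen, not wcslen: dllPath is a narrow string consumed by LoadLibraryA.
     * Measuring a char string with wcslen() reads past its terminator until a
     * 16-bit zero happens to appear (out-of-bounds read, wrong length). */
    pathBytes = strlen(dllPath) + 1;

    remotePath = VirtualAllocEx(hProcess, NULL, pathBytes,
                                MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (remotePath == NULL)
        goto cleanup;
    /* %p, not %x: a pointer printed with %x is truncated on x64 and is UB. */
    printf("remote path buffer at %p\n", remotePath);

    if (!WriteProcessMemory(hProcess, remotePath, dllPath, pathBytes, &written) ||
        written != pathBytes)
        goto cleanup;

    /* Explicit ANSI entry point so this compiles regardless of UNICODE. */
    hKernel32 = GetModuleHandleA("Kernel32.dll");
    if (hKernel32 == NULL)
        goto cleanup;
    pLoadLibraryA = GetProcAddress(hKernel32, "LoadLibraryA");
    if (pLoadLibraryA == NULL)
        goto cleanup;

    /* LoadLibraryA(LPCSTR) has the same calling convention and shape as a
     * thread start routine (one pointer in, a DWORD-sized value out), which is
     * what lets it serve directly as the remote thread's entry point. */
    hThread = CreateRemoteThread(hProcess, NULL, 0,
                                 (LPTHREAD_START_ROUTINE)pLoadLibraryA,
                                 remotePath, 0, NULL);
    if (hThread == NULL)
        goto cleanup;

    waitResult = WaitForSingleObject(hThread, kLoadTimeoutMs);
    if (waitResult == WAIT_OBJECT_0) {
        /* The thread's exit code is LoadLibraryA's return value (truncated to
         * 32 bits on x64, but zero exactly when the load failed). */
        if (GetExitCodeThread(hThread, &exitCode) && exitCode != 0)
            ok = true;
    }

cleanup:
    /* Free the path buffer only once the remote thread is known to be done
     * (or was never started); otherwise LoadLibraryA may still be reading it. */
    if (remotePath != NULL && (hThread == NULL || waitResult == WAIT_OBJECT_0))
        VirtualFreeEx(hProcess, remotePath, 0, MEM_RELEASE);
    if (hThread != NULL)
        CloseHandle(hThread);
    CloseHandle(hProcess);
    return ok;
}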