DLL注入notepad.exe


新建一个dll工程,但不要选择"空项目",这样VS会自动生成一些简单的.h和.cpp文件。我这里自动生成了

stdafx.h、targetver.h、dllmain.cpp、simple_dll.cpp、stdafx.cpp,修改dllmain.cpp,修改为:


// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "stdafx.h"
#include <Windows.h>
#include <stdlib.h>

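/*
 * Entry point of the demo DLL: on every attach/detach notification it shows a
 * message box whose text is the current process id (process events) or the
 * current thread id (thread events) and whose caption names the event.
 *
 * hModule and lpReserved are not used. Always returns TRUE so the load succeeds.
 *
 * Fix: szId was 10 bytes, but a DWORD printed in decimal can need 10 digits
 * plus the terminator (11 bytes), so the largest ids overran the buffer.
 * _ultoa_s takes the buffer size, so it cannot overrun it.
 * NOTE: calling MessageBoxA from DllMain happens while the loader lock is
 * held, which Microsoft's DLL best-practices guidance advises against; it is
 * kept because making the notification visible is this DLL's only purpose.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
	char szId[16];
	const char *caption = NULL;
	DWORD id = 0;

	(void)hModule;
	(void)lpReserved;

	switch (ul_reason_for_call) {
	case DLL_PROCESS_ATTACH:
		id = GetCurrentProcessId();
		caption = "DLL_PROCESS_ATTACH";
		break;
	case DLL_THREAD_ATTACH:
		id = GetCurrentThreadId();
		caption = "DLL_THREAD_ATTACH";
		break;
	case DLL_THREAD_DETACH:
		id = GetCurrentThreadId();
		caption = "DLL_THREAD_DETACH";
		break;
	case DLL_PROCESS_DETACH:
		id = GetCurrentProcessId();
		caption = "DLL_PROCESS_DETACH";
		break;
	default:
		/* Unknown reason codes are ignored, as in the original. */
		break;
	}

	if (caption != NULL) {
		_ultoa_s(id, szId, sizeof szId, 10);
		MessageBoxA(NULL, szId, caption, MB_OK);
	}
	return TRUE;
}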

VS2010里似乎要用MessageBoxA:MessageBox是一个宏,在Unicode工程里会展开成MessageBoxW,而szId是char数组,所以我直接用MessageBox会出现类型不匹配的问题。

然后生成simple_dll,这样,就生成了simple_dll.dll。


然后把simple_dll.dll注入到notepad.exe进程里,注入前先要打开一个记事本程序。注入程序如下:

#include <Windows.h>
#include <TlHelp32.h>
#include <shlwapi.h>

#include <stdio.h>
#include <string.h>

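/*
 * Look up the id of a running process by executable name (e.g. "notepad.exe").
 *
 * processExeName: image file name to match; compared case-insensitively and
 *                 exactly against PROCESSENTRY32.szExeFile.
 * Returns the first matching process id, or 0 when the name is NULL, the
 * snapshot cannot be taken (the error code is printed), or nothing matches.
 *
 * Fixes: the snapshot handle was never closed on either return path, and the
 * match was strstr(processExeName, pe.szExeFile), i.e. it matched any process
 * whose name is a substring of the requested name rather than the reverse.
 */
DWORD GetTargetProcessID(const char *processExeName)
{
	if (processExeName == NULL) {
		return 0;
	}

	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hSnapshot == INVALID_HANDLE_VALUE) {
		/* GetLastError() returns a DWORD; %lu avoids the %d format mismatch. */
		printf("CreateToolhelp32Snapshot:%lu\n", (unsigned long)GetLastError());
		return 0;
	}

	DWORD pid = 0;
	PROCESSENTRY32 pe;
	ZeroMemory(&pe, sizeof pe);
	/* Process32First/Next fail unless dwSize is set (documented requirement). */
	pe.dwSize = sizeof pe;

	for (BOOL ok = Process32First(hSnapshot, &pe); ok; ok = Process32Next(hSnapshot, &pe)) {
		if (_stricmp(pe.szExeFile, processExeName) == 0) {
			pid = pe.th32ProcessID;
			break;
		}
		pe.dwSize = sizeof pe;
	}

	CloseHandle(hSnapshot);
	return pid;
}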

/*
 * Loads the DLL at DllFullPath into process dwRemoteProcessId: the path is
 * written into the target's address space and a remote thread is started at
 * kernel32!LoadLibraryA with that address as its argument.
 *
 * DllFullPath       : NUL-terminated path, copied verbatim (strlen + 1 bytes).
 * dwRemoteProcessId : target process id; 0 is rejected.
 * Returns TRUE on success, FALSE on NULL/0 arguments or on any failed API
 * call (the failing call and GetLastError() are printed to stdout).
 *
 * This OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
 * sequence is the classic remote-thread DLL injection pattern; the prose below
 * records the local AV (360) prompting on it, which is the expected response
 * from endpoint protection.
 */
BOOL InjectDll(const char *DllFullPath, const DWORD dwRemoteProcessId)
{
	if (DllFullPath == NULL) {
		return FALSE;
	}
	/* dwRemoteProcessId is a DWORD, so "<= 0" only ever catches 0. */
	if (dwRemoteProcessId <= 0) {
		return FALSE;
	}
	HANDLE hRemoteProcess;

	/* NOTE(review): PROCESS_ALL_ACCESS is far broader than this function uses. */
	hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwRemoteProcessId);
	if (NULL == hRemoteProcess) {
		printf("OpenProcess:%d\n", GetLastError());
		return FALSE;
	}

	char *pRemoteAddr;
	/* int narrows size_t; harmless for a path, but %d/DWORD printfs below mismatch too. */
	int len = strlen(DllFullPath) + 1;
	pRemoteAddr = (char *)VirtualAllocEx(hRemoteProcess, NULL, len, MEM_COMMIT, PAGE_READWRITE);
	if (NULL == pRemoteAddr) {
		printf("VirtualAllocEx:%d\n", GetLastError());
		goto error;
	}

	/* NOTE(review): from here on, the error path does not free pRemoteAddr. */
	if (!WriteProcessMemory(hRemoteProcess, pRemoteAddr, DllFullPath, len, NULL)) {
		printf("WriteProcessMemory:%d\n", GetLastError());
		goto error;
	}

	HMODULE hModule;
	char LoadLibraryA[] = "LoadLibraryA";
	
	/* NOTE(review): result is not checked; a NULL hModule goes straight to GetProcAddress. */
	hModule = GetModuleHandle("kernel32.dll");

	FARPROC LoadLibraryAAddr;
	LoadLibraryAAddr = GetProcAddress(hModule, LoadLibraryA);
	if (NULL == LoadLibraryAAddr) {
		printf("GetProcAddress:%d\n", GetLastError());
		goto error;
	}

	HANDLE remoteThread;
	remoteThread = CreateRemoteThread(hRemoteProcess, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibraryAAddr, pRemoteAddr, 0, NULL);
	if (NULL == remoteThread) {
		printf("CreateRemoteThread:%d\n", GetLastError());
		goto error;
	}

	/*
	 * NOTE(review): this waits on the process handle, not on remoteThread, so
	 * the call only returns when the target process exits; the prose's
	 * "after closing notepad" observation matches that.
	 */
	WaitForSingleObject(hRemoteProcess, INFINITE);
	/* MEM_DECOMMIT leaves the reservation in place (MEM_RELEASE with size 0 frees it). */
	VirtualFreeEx(hRemoteProcess, pRemoteAddr, len, MEM_DECOMMIT);

	CloseHandle(hRemoteProcess);
	CloseHandle(remoteThread);
	return TRUE;

error:
	/* At every goto site only the process handle is open; remoteThread is still NULL. */
	CloseHandle(hRemoteProcess);
	return FALSE;
}

/*
 * Demo driver: looks up the running notepad.exe and injects the locally built
 * simple_dll.dll (the path is the author's hard-coded build-output location).
 * Neither GetTargetProcessID (0 when not found) nor InjectDll (FALSE on
 * failure) has its result checked, so a missing notepad or a failed injection
 * still exits 0, with only InjectDll's own printf as feedback.
 */
int main()
{
	char noteped[] = "notepad.exe";
	DWORD pid;

	pid = GetTargetProcessID(noteped);
	char dllPath[] = "D:\\My Documents\\Visual Studio 2010\\Projects\\test\\Release\\simple_dll.dll";
	InjectDll(dllPath, pid);
	
	return 0;
}

运行结果:



360弹出来了,允许操作后,看到任务栏上右边有个记事本样子的东西:



然后点击一下:






关闭记事本后,又出现:


