初学c++注入

1.准备dll--->生成dll

    *.h 文件 

extern "C" _declspec(dllexport) int Add(int plus1, int plus2);


extern "C" _declspec(dllexport) void Msg();
   .cpp文件
    #include "*.h" 
#include "stdio.h" 
#include <time.h> 
#include <windows.h>
#include <io.h>
#pragma comment(lib, "user32")
 


int Add(int plus1, int plus2)
{
    // Exported sample function: returns the sum of its two operands.
    // No overflow check is performed; signed overflow is undefined behaviour in C++.
    return plus1 + plus2;
}


void Msg()
{
    // Exported sample function: shows a modal "Hello" box titled "Tips".
    // The last argument (0) is the default style, i.e. an OK-only box with no icon.
    const char* const text = "Hello";
    const char* const caption = "Tips";
    MessageBox(nullptr, text, caption, 0);
}

 


BOOL WINAPI DllMain(HINSTANCE hInstDll, DWORD dwReason, LPVOID lpReserved)
{
    // DLL entry point: announces process attach/detach with a console line and a
    // message box so the tutorial can see when the module is mapped and unmapped.
    // NOTE(review): DllMain runs under the loader lock; the documented guidance is to
    // keep it minimal, so MessageBox/printf here are acceptable only for a demo.
    (void)hInstDll;
    (void)lpReserved;

    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
        MessageBox(NULL, "Entry", "tip", MB_OK);
        printf("Entry");
        break;
    case DLL_PROCESS_DETACH:
        printf("Leave");
        MessageBox(NULL, "Leave", "tip", MB_OK);
        break;
    default:
        // Thread attach/detach notifications are ignored, as in the original.
        break;
    }

    return TRUE;  // never veto the load
}


2.编写win32

*.cpp文件

//#include "stdafx.h"
//cl *.cpp /Fexx.exe
#include "stdio.h" 
#include <time.h> 
#include <windows.h>
#include "tlhelp32.h"
#include <tchar.h>
#include "Psapi.h"
#pragma comment (lib,"Psapi.lib")
#pragma comment(lib, "user32")
#include <io.h>
 
#pragma comment(lib, "shell32.lib") //ShellExecuteEx 


//#pragma comment(linker,"/subsystem:windows /entry:mainCRTStartup") //隐藏窗体 
#define DSHOW SW_SHOW  // nShow value passed from main() to WinExecWaitKernel: launch the child with a visible window


char g_homeDir = 0;  // a single char, not a path buffer; not referenced anywhere in this listing
 
//不通过注入来运行dll
// Function-pointer types matching the DLL's two exports (Add / Msg) declared in the header above.
// Presumably intended for GetProcAddress lookups; neither is used anywhere in this listing.
typedef int (*DllAdd)(int plus1, int plus2);
typedef void (*DllMsg)(void);
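void DirectRunDll()
{
    // Loads the DLL into *this* process (no remote thread involved) and reports the
    // outcome on stdout. "*.dll" is a placeholder; LoadLibrary resolves a bare name
    // through the normal DLL search order, so an absolute path is the safer choice.
    HINSTANCE hInstLibrary = LoadLibrary("*.dll");
    if (!hInstLibrary)
    {
        printf("failed");
        return;
    }

    printf("OK");
    // The original had a stray `break;` here (invalid outside a loop) and never
    // released the module. Balancing the load lets the DLL's DllMain observe
    // DLL_PROCESS_DETACH, matching the later DirectRunDll(wchar_t*) variant.
    FreeLibrary(hInstLibrary);
}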


//注入程序
// Launches pCmd (with pCmdParam, shown per sw_parame) through ShellExecuteEx, pauses
// 100 ms, writes the DLL path into the new process and starts a remote thread on
// kernel32!LoadLibraryA so the child loads it. When isWait is true, blocks until the
// child exits. Progress and failures are reported on stdout only; nothing is returned.
// NOTE(review): the OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
// CreateRemoteThread(LoadLibrary) chain is the sequence endpoint telemetry typically
// alerts on; that is the behaviour to expect when testing this demo on a monitored host.
void WinExecWaitKernel(char* pCmd, char* pCmdParam, int sw_parame, bool isWait = false)
{   
// Run the program.
SHELLEXECUTEINFO ShExecInfo = {0};


ShExecInfo.cbSize = sizeof(SHELLEXECUTEINFO);


// Keep a process handle (hProcess) open after the launch; needed for the calls below.
ShExecInfo.fMask = SEE_MASK_NOCLOSEPROCESS;


ShExecInfo.hwnd = NULL;


ShExecInfo.lpVerb = NULL;


ShExecInfo.lpFile = pCmd;


ShExecInfo.lpParameters = pCmdParam;


ShExecInfo.lpDirectory = NULL;


ShExecInfo.nShow = sw_parame;


ShExecInfo.hInstApp = NULL;


// NOTE(review): return value is not checked; on failure hProcess stays NULL and every
// call below operates on a NULL handle.
ShellExecuteEx(&ShExecInfo);
   
// Load the DLL into the launched process.
Sleep(100); // fixed delay to let the child initialise; no success condition is verified
HANDLE hwnd = ShExecInfo.hProcess;  // despite the name, this is the process handle, not a window
int err = GetLastError();  // read after Sleep(), so it does not describe ShellExecuteEx; unused
char *dllName = "*.dll";   // placeholder; a bare name goes through the target's DLL search order
printf("%s\r\n", dllName); 
int len = strlen(dllName) + 1;  // bytes to copy, including the terminating NUL
char *paramer = (char*)VirtualAllocEx(hwnd, NULL, len, MEM_COMMIT, PAGE_READWRITE); // reserve+commit a read/write page in the target for the path string
DWORD dwWrite;  // NOTE(review): WriteProcessMemory takes SIZE_T*, so this does not compile for x64 (the later listing uses SIZE_T)
bool ret = WriteProcessMemory(hwnd, paramer, dllName, len, &dwWrite);  // copy the path string from this process into the target
if(ret)
{
// LoadLibraryA's address in this process is reused in the target; this only works when
// kernel32 is mapped at the same base there (same bitness). Not checked for NULL.
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("Kernel32.dll"), "LoadLibraryA"); 
    // Start a thread in the target that runs LoadLibraryA(paramer).
HANDLE hThread = CreateRemoteThread(hwnd, NULL, 0, pfnThreadRtn, paramer, 0, NULL);  
if (hThread == NULL) 
{ 
printf("failed dll\r\n"); 
return ; 
}
// NOTE(review): hThread is never closed and paramer is never freed with VirtualFreeEx.
}
// NOTE(review): printed even when WriteProcessMemory failed (ret == false).
printf("ok dll\r\n");
if(isWait)
{
WaitForSingleObject(ShExecInfo.hProcess,INFINITE); 
}
// NOTE(review): ShExecInfo.hProcess is never closed on either path.
}
  
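int main(int argc, char *argv[])
{
    // Demo driver: launches notepad with a visible window and runs the helper on it.
    // The original used full-width quotes around notepad, which do not compile, and
    // declared main as void; both are restored to standard C++ here. The literals are
    // copied into writable arrays because WinExecWaitKernel takes non-const char*.
    (void)argc;
    (void)argv;
    char cmd[] = "notepad";
    char cmdParam[] = "";
    WinExecWaitKernel(cmd, cmdParam, DSHOW);
    //DirectRunDll();
    return 0;
}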

------追加一个注入类库

       特别注意:注入时要区分目标exe是x32 还是x64 ,根据目标exe的位数注入的DLL位数也要和其相对应,否则注入可能成功,但是注入的Dll却不能运行。

#include "stdafx.h"
#include "Inject.h"



#include"Tlhelp32.h"   
#pragma comment(lib, "comdlg32") //getopenfilename
#pragma comment(lib, "shell32.lib") //ShellExecuteEx
#pragma comment(lib, "Advapi32")  //CoInitialize
#pragma comment(lib, "user32.lib") 

// No members are set up here; the out-of-line defaulted constructor is equivalent to the empty body.
CInject::CInject() = default;


// Nothing is owned by CInject in this listing, so the defaulted destructor does the same as the empty body.
CInject::~CInject() = default;


//查找pid
bool _FindProcessPid(LPCWSTR ProcessName, DWORD& dwPid)
{
	// Walks the Toolhelp process snapshot and stores the PID of the first entry whose
	// executable name equals ProcessName (lstrcmpW: exact, case-sensitive, no path part).
	// Returns false when the snapshot cannot be taken or iterated, or when nothing
	// matches; dwPid is left untouched in that case.
	// NOTE(review): szExeFile is WCHAR[] only in a UNICODE build — confirm the project
	// settings, otherwise lstrcmpW compares against a narrow buffer.
	const HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (snapshot == INVALID_HANDLE_VALUE)
	{
		return false;
	}

	PROCESSENTRY32 entry;
	entry.dwSize = sizeof(PROCESSENTRY32);  // required before the first Process32First call

	bool found = false;
	for (BOOL more = Process32First(snapshot, &entry); more; more = Process32Next(snapshot, &entry))
	{
		if (lstrcmpW(ProcessName, entry.szExeFile) == 0)
		{
			dwPid = entry.th32ProcessID;
			found = true;
			break;
		}
	}

	CloseHandle(snapshot);  // released on every path, matched or not
	return found;
}
#include <Wtsapi32.h>

#pragma comment(lib, "Wtsapi32.lib") 
// szModel: DLL的地址; nProcessID: 目标进程的ID
// Loads the DLL at szModel into process nProcessID by copying the path into the target's
// address space and starting a remote thread at kernel32!LoadLibrary. Returns TRUE only
// when GetLastError() was 0 right after CreateRemoteThread (see the note below).
// NOTE(review): OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
// GetProcAddress(LoadLibrary) -> CreateRemoteThread is the sequence most endpoint
// detection rules key on, so expect alerts when exercising this on a monitored host.
BOOL Ingect(LPCTSTR szModel, DWORD nProcessID)
{ 
	// Request only the access rights the calls below need. `open` is a process handle.
	HANDLE open = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_WRITE |
		PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION,
		FALSE, nProcessID);
	if (!open)
	{
		return FALSE;
	}
	// Byte count of the path including the terminating NUL; TCHAR width follows _UNICODE.
	int cbyte = (_tcslen(szModel) + 1)*sizeof(TCHAR);
	LPVOID pAddr = VirtualAllocEx(open, NULL, cbyte, MEM_COMMIT, PAGE_READWRITE);
	if (!pAddr || !WriteProcessMemory(open, pAddr, szModel, cbyte, NULL))
	{
		// NOTE(review): `open` (and pAddr, when only the write failed) leak on this path.
		return FALSE;
	}

	// The LoadLibrary address is resolved in *this* process and reused in the target;
	// that relies on kernel32 being mapped at the same base in both, which holds only
	// for processes of the same bitness — the reason for the x86/x64 warning above.
#ifdef _UNICODE
	PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
#else
	PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
#endif
	if (!pfnStartAddr)
	{
		// NOTE(review): `open` and pAddr leak here as well.
		return FALSE;
	}
	DWORD threadID;
	HANDLE thread = CreateRemoteThread(open, NULL, 0, pfnStartAddr, pAddr, 0, &threadID);
	// NOTE(review): GetLastError() is read unconditionally, so a stale error code from an
	// earlier call turns a successful CreateRemoteThread into a FALSE return; and when
	// `thread` is NULL, the wait and CloseHandle below run on a NULL handle.
	int err = GetLastError();
	WaitForSingleObject(thread, INFINITE);
	// NOTE(review): MEM_COMMIT is not a valid VirtualFreeEx flag (MEM_DECOMMIT, or
	// MEM_RELEASE with dwSize 0, are); as written the buffer is not actually freed.
	VirtualFreeEx(open, pAddr, cbyte, MEM_COMMIT);
	CloseHandle(thread);
	CloseHandle(open);
	return !err;
}

//注入程序--未打开
// Second variant of the launcher: starts pCmd via ShellExecuteEx, then loads a hard-coded
// DLL into the child through a remote LoadLibraryA thread and waits for that thread.
// NOTE(review): unlike the first variant, isWait is never read here, and the three
// names used at the end (hTargetProcess, dwThreadSize, hRemoteThread) are not declared
// anywhere in this listing, so the function does not compile as shown.
void WinExecWaitKernel(TCHAR* pCmd, TCHAR* pCmdParam, int sw_parame, bool isWait = false)
{ 
	 
	char *dllName = "D:\\workDocument\\Debug\\b.dll"; // an absolute path is required
	// NOTE(review): the next line is a comment ("run the program") that lost its "//" marker.
	运行程序
	SHELLEXECUTEINFO ShExecInfo = { 0 };


	ShExecInfo.cbSize = sizeof(SHELLEXECUTEINFO);


	// Keep hProcess open after the launch; every call below needs it.
	ShExecInfo.fMask = SEE_MASK_NOCLOSEPROCESS;


	ShExecInfo.hwnd = NULL;


	ShExecInfo.lpVerb = NULL;


	ShExecInfo.lpFile = pCmd;


	ShExecInfo.lpParameters = pCmdParam;


	ShExecInfo.lpDirectory = NULL;


	ShExecInfo.nShow = sw_parame;


	ShExecInfo.hInstApp = NULL;


	// NOTE(review): return value unchecked; on failure hProcess is NULL for everything below.
	ShellExecuteEx(&ShExecInfo); 
	// Load the DLL into the launched process.
	Sleep(100); // fixed delay to let the child initialise; nothing verifies it is ready
	HANDLE hwnd = ShExecInfo.hProcess;  // process handle, not a window, despite the name

	printf("%s\r\n", dllName);
	int len = strlen(dllName) + 1;  // bytes to copy, including the terminating NUL
	char *paramer = (char*)VirtualAllocEx(hwnd, NULL, len, MEM_COMMIT, PAGE_READWRITE);// commit a read/write page in the target for the path string
		int err = GetLastError();  // unused; shadowed by the inner `err` below
	//	DWORD dwWrite;
	SIZE_T dwWrite;  // correct width for WriteProcessMemory's lpNumberOfBytesWritten (fixes the DWORD version)
	bool ret = WriteProcessMemory(hwnd, paramer, dllName, len, &dwWrite); // copy the path string from this process into the target
	if (ret)
	{
		// LoadLibraryA's address from this process is reused in the target (same bitness assumed); not NULL-checked.
		PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"Kernel32.dll"), "LoadLibraryA");
		// Start a thread in the target that runs LoadLibraryA(paramer).
		HANDLE hThread =
			CreateRemoteThread(hwnd, NULL, 0, pfnThreadRtn, paramer, 0, NULL);
		int err = GetLastError();  // unused
		if (hThread == NULL)
		{
			printf("failed dll\r\n");
			return;
		}
		// Wait for LoadLibraryA in the target to finish.
		WaitForSingleObject(hThread, INFINITE);
		// NOTE(review): the three lines below use undeclared names and pass the thread
		// handle where an address is expected; presumably meant to free `paramer` in
		// `hwnd` and close hThread/hwnd — confirm against the author's source.
		VirtualFreeEx(hTargetProcess, hThread, dwThreadSize, MEM_COMMIT);
		CloseHandle(hRemoteThread);
		CloseHandle(hTargetProcess);
	}
	// NOTE(review): when WriteProcessMemory fails, hwnd and paramer are leaked silently.
}


typedef bool(*ifWait)();
void DirectRunDll(wchar_t * dllPath)
{
	// In-process fallback: load the DLL here and, if it exports `ifWait`, poll that
	// function once a second until it returns false. The module is released afterwards.
	// A failed load only prints "failed" to stdout.
	const HINSTANCE module = LoadLibrary(dllPath);
	if (module == NULL)
	{
		printf("failed");
		return;
	}

	const ifWait keepWaiting = reinterpret_cast<ifWait>(GetProcAddress(module, "ifWait"));
	if (keepWaiting != NULL)
	{
		while (keepWaiting())
		{
			Sleep(1000);
		}
	}
	FreeLibrary(module);
}
  

// Waits until a process named appName exists, then loads WdllName into it via Ingect;
// if that fails, loads the DLL into *this* process instead (DirectRunDll).
// NOTE(review): the wait loop has no timeout, so a name that never appears blocks the
// caller forever. The fallback also changes *where* the DLL's code runs (this process
// rather than the target), which a caller may not expect from a function named Inject.
void CInject::Inject(wchar_t *WdllName, wchar_t* appName)
{   
	DWORD dwPid = 0;
	// Poll once a second until _FindProcessPid reports a match.
	while (1)
	{
		if (!_FindProcessPid(appName, dwPid))   // e.g. wininit / explorer (author's examples)
		{
			Sleep(1000);
		}
		else
				break;
	}
	//WCHAR WdllName[] = L"c:\\test.dll"; // an absolute path is required
	if (!Ingect(WdllName, dwPid))
	{
		// Remote load failed (e.g. the x86/x64 mismatch noted above); load locally instead.
		DirectRunDll(WdllName);
	}
}
 

