1.准备dll--->生成dll
*.h 文件
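// Exported entry points of the sample DLL. `extern "C"` suppresses C++ name
// mangling so an importer can resolve them by plain name via GetProcAddress;
// __declspec(dllexport) (two underscores — the documented spelling; the
// single-underscore form is only an MSVC legacy alias) puts them in the export table.
extern "C" __declspec(dllexport) int Add(int plus1, int plus2);  // returns plus1 + plus2
extern "C" __declspec(dllexport) void Msg();                     // shows a "Hello" message box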
.cpp文件
#include "*.h"
#include "stdio.h"
#include <time.h>
#include <windows.h>
#include <io.h>
#pragma comment(lib, "user32")
/// Adds two integers.
/// @param plus1 first addend
/// @param plus2 second addend
/// @return plus1 + plus2 (plain int addition; overflow is UB as for any int sum)
int Add(int plus1, int plus2)
{
    return plus1 + plus2;
}
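/// Shows a modal "Hello" message box titled "Tips" with a single OK button.
/// The last MessageBox argument is the UINT style mask, not a pointer; the
/// original passed NULL there, which is the same value (0) as MB_OK but the
/// wrong type — MB_OK is the explicit spelling.
void Msg()
{
    MessageBox(NULL, "Hello", "Tips", MB_OK);
}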
/// DLL entry point. Shows a message box and prints a marker when the DLL is
/// mapped into a process (DLL_PROCESS_ATTACH) and when it is unmapped
/// (DLL_PROCESS_DETACH); thread attach/detach notifications are ignored.
/// Always reports success to the loader.
/// NOTE(review): DllMain runs while the loader lock is held; MessageBox and
/// printf here are demo conveniences that Microsoft's DllMain guidance advises
/// against, and they will also run inside whatever process loads this DLL.
BOOL WINAPI DllMain(HINSTANCE hInstDll, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
        MessageBox(NULL, "Entry", "tip", MB_OK);
        printf("Entry");
        break;
    case DLL_PROCESS_DETACH:
        printf("Leave");
        MessageBox(NULL, "Leave", "tip", MB_OK);
        break;
    default:
        break;
    }
    return TRUE;
}
2.编写win32
*.cpp文件
//#include "stdafx.h"
//cl *.cpp /Fexx.exe
#include "stdio.h"
#include <time.h>
#include <windows.h>
#include "tlhelp32.h"
#include <tchar.h>
#include "Psapi.h"
#pragma comment (lib,"Psapi.lib")
#pragma comment(lib, "user32")
#include <io.h>
#pragma comment(lib, "shell32.lib") //ShellExecuteEx
//#pragma comment(linker,"/subsystem:windows /entry:mainCRTStartup") //隐藏窗体
#define DSHOW SW_SHOW   // SW_* show flag handed to ShellExecuteEx by main()
// NOTE(review): a single char, not a path buffer, and unused in the visible code.
char g_homeDir{0};
// Signatures of the two functions the sample DLL exports (see the header in part 1);
// declared here so the exports can be called through GetProcAddress results.
using DllAdd = int (*)(int plus1, int plus2);
using DllMsg = void (*)(void);
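// Loads the sample DLL into this process (plain LoadLibrary, no injection).
// DllMain runs on the load and again on the FreeLibrary that releases the
// reference before returning. Prints "OK" or "failed" (no newline).
// Fixes: the original had a `break` outside any loop (a compile error) and
// never released the module it loaded.
void DirectRunDll()
{
    HINSTANCE hInstLibrary = LoadLibrary("*.dll");  // "*.dll" is a placeholder path
    if (hInstLibrary == NULL)
    {
        printf("failed");
        return;
    }
    printf("OK");
    FreeLibrary(hInstLibrary);  // drop the reference taken by LoadLibrary
}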
//注入程序
// Starts pCmd via ShellExecuteEx and then loads "*.dll" into the new process
// by writing the DLL path into its address space and starting a remote thread
// at kernel32!LoadLibraryA — the textbook CreateRemoteThread/LoadLibrary
// sequence, which is also the call pattern remote-thread-creation detections
// are written for.
//   pCmd       program to start (lpFile)
//   pCmdParam  its command line (lpParameters)
//   sw_parame  SW_* show flag
//   isWait     when true, block until the started process exits
// NOTE(review): defects left as written in this listing —
//   * ShellExecuteEx's BOOL result is ignored, so hProcess may be NULL below;
//   * `err` is read after Sleep(), so it does not reflect ShellExecuteEx's error;
//   * VirtualAllocEx failure is not checked before WriteProcessMemory;
//   * a failed WriteProcessMemory still falls through to "ok dll";
//   * dwWrite is a DWORD but the API wants SIZE_T* (mismatch on x64);
//   * hThread, hProcess and the remote buffer are never released.
void WinExecWaitKernel(char* pCmd, char* pCmdParam, int sw_parame, bool isWait = false)
{
    // launch the program
    SHELLEXECUTEINFO ShExecInfo = {0};
    ShExecInfo.cbSize = sizeof(SHELLEXECUTEINFO);
    ShExecInfo.fMask = SEE_MASK_NOCLOSEPROCESS;  // keep hProcess open so it can be used below
    ShExecInfo.hwnd = NULL;
    ShExecInfo.lpVerb = NULL;
    ShExecInfo.lpFile = pCmd;
    ShExecInfo.lpParameters = pCmdParam;
    ShExecInfo.lpDirectory = NULL;
    ShExecInfo.nShow = sw_parame;
    ShExecInfo.hInstApp = NULL;
    ShellExecuteEx(&ShExecInfo);
    // load the DLL into the new process
    Sleep(100); // fixed delay to let the new process initialise; not a real readiness check
    HANDLE hwnd = ShExecInfo.hProcess;  // a process handle despite the name
    int err = GetLastError();
    char *dllName = "*.dll";  // placeholder; the target resolves this path, so it should be absolute
    printf("%s\r\n", dllName);
    int len = strlen(dllName) + 1;  // bytes for the path including the terminator
    char *paramer = (char*)VirtualAllocEx(hwnd, NULL, len, MEM_COMMIT, PAGE_READWRITE); // readable/writable buffer in the target process
    DWORD dwWrite;
    bool ret = WriteProcessMemory(hwnd, paramer, dllName, len, &dwWrite); // copy the DLL path string (not the DLL) into the target
    if(ret)
    {
        // kernel32 is mapped at the same address in every process of one session, so the local address is valid remotely
        PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("Kernel32.dll"), "LoadLibraryA");
        // run LoadLibraryA(paramer) on a new thread inside the target
        HANDLE hThread = CreateRemoteThread(hwnd, NULL, 0, pfnThreadRtn, paramer, 0, NULL);
        if (hThread == NULL)
        {
            printf("failed dll\r\n");
            return ;
        }
    }
    printf("ok dll\r\n");
    if(isWait)
    {
        WaitForSingleObject(ShExecInfo.hProcess,INFINITE);
    }
}
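// Program entry: launches notepad and hands it to WinExecWaitKernel, which
// loads the sample DLL into it. Fixes to the original: curly quotes around
// "notepad" (a compile error), `void main` (non-standard; must be int), and
// string literals passed to non-const char* parameters (ill-formed since
// C++11), which are now writable local arrays. argc/argv are unused.
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;
    char command[] = "notepad";
    char parameters[] = "";
    WinExecWaitKernel(command, parameters, DSHOW);
    //DirectRunDll();
    return 0;
}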
------追加一个注入类库
特别注意:注入时要区分目标exe是x32 还是x64 ,根据目标exe的位数注入的DLL位数也要和其相对应,否则注入可能成功,但是注入的Dll却不能运行。
#include "stdafx.h"
#include "Inject.h"
#include"Tlhelp32.h"
#pragma comment(lib, "comdlg32") //getopenfilename
#pragma comment(lib, "shell32.lib") //ShellExecuteEx
#pragma comment(lib, "Advapi32") //CoInitialize
#pragma comment(lib, "user32.lib")
// Default constructor: nothing is initialised here; Inject() takes everything
// it needs as arguments.
CInject::CInject()
{
}
// Destructor: nothing to release — every handle used during injection is a
// local of the function that opens it.
CInject::~CInject()
{
}
//查找pid
// Finds the process id of the first running process whose image name equals
// ProcessName (exact, case-sensitive lstrcmpW comparison against szExeFile).
// On a match stores the id in dwPid and returns true; returns false when the
// snapshot cannot be taken or nothing matches, leaving dwPid untouched.
// NOTE(review): lstrcmpW on szExeFile presumes a UNICODE build (TCHAR == WCHAR);
// also, a leading underscore + capital at global scope is a reserved identifier.
bool _FindProcessPid(LPCWSTR ProcessName, DWORD& dwPid)
{
    // Snapshot every process on the system.
    const HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
    {
        return false;
    }
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(PROCESSENTRY32);  // required by Process32First
    bool found = false;
    // Walk the snapshot; the handle is closed on every path below.
    for (BOOL more = Process32First(snapshot, &entry); more; more = Process32Next(snapshot, &entry))
    {
        if (lstrcmpW(ProcessName, entry.szExeFile) == 0)
        {
            dwPid = entry.th32ProcessID;
            found = true;
            break;
        }
    }
    CloseHandle(snapshot);
    return found;
}
#include <Wtsapi32.h>
#pragma comment(lib, "Wtsapi32.lib")
// szModel: path of the DLL to load; nProcessID: id of the target process
// Loads the DLL at szModel into process nProcessID: opens the process, copies
// the path string into it, and runs LoadLibraryW/LoadLibraryA(path) on a remote
// thread, waiting for that thread to finish before cleaning up.
//   szModel     DLL path (resolved by the target, so it should be absolute)
//   nProcessID  target process id
// Returns FALSE when the process cannot be opened, the remote buffer cannot be
// allocated or written, or LoadLibrary cannot be resolved; otherwise returns
// !GetLastError() as sampled right after CreateRemoteThread.
// NOTE(review): defects left as written —
//   * `open` leaks on the two early FALSE returns after OpenProcess, and pAddr
//     leaks when WriteProcessMemory fails;
//   * `thread` is not checked for NULL before WaitForSingleObject/CloseHandle;
//   * MEM_COMMIT is not a valid VirtualFreeEx free type (MEM_RELEASE with size 0
//     or MEM_DECOMMIT is), so the remote buffer is not actually freed;
//   * a successful call does not reset the last-error value, so `!err` can be
//     FALSE after a successful injection (and TRUE does not prove the DLL ran);
//   * cbyte is an int holding a size_t product.
BOOL Ingect(LPCTSTR szModel, DWORD nProcessID)
{
    // Minimum rights for VirtualAllocEx/WriteProcessMemory/CreateRemoteThread.
    HANDLE open = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_WRITE |
        PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION,
        FALSE, nProcessID);
    if (!open)
    {
        return FALSE;
    }
    int cbyte = (_tcslen(szModel) + 1)*sizeof(TCHAR);  // path length in bytes, terminator included
    LPVOID pAddr = VirtualAllocEx(open, NULL, cbyte, MEM_COMMIT, PAGE_READWRITE);
    if (!pAddr || !WriteProcessMemory(open, pAddr, szModel, cbyte, NULL))
    {
        return FALSE;
    }
    // Pick the LoadLibrary variant matching the character width the path was written in.
#ifdef _UNICODE
    PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
#else
    PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
#endif
    if (!pfnStartAddr)
    {
        return FALSE;
    }
    DWORD threadID;
    HANDLE thread = CreateRemoteThread(open, NULL, 0, pfnStartAddr, pAddr, 0, &threadID);
    int err = GetLastError();  // sampled unconditionally; see the note above
    WaitForSingleObject(thread, INFINITE);  // LoadLibrary has returned once the thread ends
    VirtualFreeEx(open, pAddr, cbyte, MEM_COMMIT);
    CloseHandle(thread);
    CloseHandle(open);
    return !err;
}
//注入程序--未打开
// TCHAR variant of the launch-then-load routine from part 2, labelled "not
// opened" (unused) by the author. Starts pCmd with ShellExecuteEx, copies a
// hard-coded DLL path into the new process and runs LoadLibraryA on a remote
// thread, then waits for that thread.
//   pCmd       program to start (lpFile)
//   pCmdParam  its command line (lpParameters)
//   sw_parame  SW_* show flag
//   isWait     unused in this version
// NOTE(review): this version does not compile as written — hTargetProcess,
// dwThreadSize and hRemoteThread near the end are never declared (the handles
// actually in scope are hwnd and hThread), and the VirtualFreeEx call passes
// the thread handle where the remote buffer address (paramer) belongs, with
// MEM_COMMIT, which is not a valid free type. The inner `int err` shadows the
// outer one, ShellExecuteEx/VirtualAllocEx results are not checked, and the
// buffer is never freed on the failure path.
void WinExecWaitKernel(TCHAR* pCmd, TCHAR* pCmdParam, int sw_parame, bool isWait = false)
{
    char *dllName = "D:\\workDocument\\Debug\\b.dll"; // must be an absolute path: the target process resolves it
    // launch the program
    SHELLEXECUTEINFO ShExecInfo = { 0 };
    ShExecInfo.cbSize = sizeof(SHELLEXECUTEINFO);
    ShExecInfo.fMask = SEE_MASK_NOCLOSEPROCESS;  // keep hProcess open for the calls below
    ShExecInfo.hwnd = NULL;
    ShExecInfo.lpVerb = NULL;
    ShExecInfo.lpFile = pCmd;
    ShExecInfo.lpParameters = pCmdParam;
    ShExecInfo.lpDirectory = NULL;
    ShExecInfo.nShow = sw_parame;
    ShExecInfo.hInstApp = NULL;
    ShellExecuteEx(&ShExecInfo);
    // load the DLL into the new process
    Sleep(100); // fixed delay to let the new process initialise; not a real readiness check
    HANDLE hwnd = ShExecInfo.hProcess;  // a process handle despite the name
    printf("%s\r\n", dllName);
    int len = strlen(dllName) + 1;  // bytes for the path including the terminator
    char *paramer = (char*)VirtualAllocEx(hwnd, NULL, len, MEM_COMMIT, PAGE_READWRITE);// readable/writable buffer in the target process (the commented access-mask list that followed belonged to OpenProcess, not here)
    int err = GetLastError();
    // DWORD dwWrite;  -- replaced by SIZE_T: WriteProcessMemory's lpNumberOfBytesWritten is SIZE_T*
    SIZE_T dwWrite;
    bool ret = WriteProcessMemory(hwnd, paramer, dllName, len, &dwWrite); // copy the DLL path string (not the DLL) into the target
    if (ret)
    {
        // LoadLibraryA because dllName is a narrow string, even though this build uses wide TCHARs
        PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"Kernel32.dll"), "LoadLibraryA");
        // run LoadLibraryA(paramer) on a new thread inside the target
        HANDLE hThread =
            CreateRemoteThread(hwnd, NULL, 0, pfnThreadRtn, paramer, 0, NULL);
        int err = GetLastError();  // shadows the outer err
        if (hThread == NULL)
        {
            printf("failed dll\r\n");
            return;
        }
        // wait for LoadLibraryA to finish loading
        WaitForSingleObject(hThread, INFINITE);
        VirtualFreeEx(hTargetProcess, hThread, dwThreadSize, MEM_COMMIT);
        CloseHandle(hRemoteThread);
        CloseHandle(hTargetProcess);
    }
}
// Signature of the optional "ifWait" export polled by DirectRunDll: while it
// returns true the host keeps the module loaded.
using ifWait = bool (*)();
// Loads dllPath into the current process (plain LoadLibrary, no injection).
// If the module exports "ifWait", polls it once a second and keeps the module
// loaded for as long as it returns true; then releases the module.
// Prints "failed" (no newline) when the load fails.
void DirectRunDll(wchar_t * dllPath)
{
    const HINSTANCE module = LoadLibrary(dllPath);
    if (module == NULL)
    {
        printf("failed");
        return;
    }
    const ifWait keepLoaded = (ifWait)GetProcAddress(module, "ifWait");
    // A missing export means there is nothing to wait for.
    while (keepLoaded != NULL && keepLoaded())
    {
        Sleep(1000);
    }
    FreeLibrary(module);
}
// Waits — polling once a second, with no timeout — until a process named
// appName is running, then loads WdllName into it with Ingect(). If that
// reports failure, falls back to loading the DLL into this process through
// DirectRunDll(). WdllName must be an absolute path: the target resolves it.
void CInject::Inject(wchar_t *WdllName, wchar_t* appName)
{
    DWORD targetPid = 0;
    // Block until the target process exists.
    while (!_FindProcessPid(appName, targetPid))
    {
        Sleep(1000);
    }
    const bool injected = Ingect(WdllName, targetPid) != FALSE;
    if (!injected)
    {
        DirectRunDll(WdllName);
    }
}