这里做个备忘。
远程注入Dll:
Exe部分:
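// Returns the process's current working directory, or an empty string when
// GetCurrentDirectory fails or the path does not fit in MAX_PATH characters.
// The original returned whatever the buffer held in those cases, which is
// not a valid string.
// NOTE(review): the current directory is not the executable's directory; it
// depends on how the process was launched, so any module path derived from it
// is effectively launcher-controlled (the usual DLL-planting / search-order
// hazard). Per the Win32 contract the value has no trailing separator except
// for a drive root.
CString GetCurrWorkingDir()
{
    CString strPath;
    // GetCurrentDirectory returns the number of characters written (without the
    // terminator), 0 on failure, or the required size when the buffer is too
    // small; in the latter two cases the buffer content is not meaningful.
    const DWORD len = GetCurrentDirectory(MAX_PATH, strPath.GetBuffer(MAX_PATH));
    if (len == 0 || len >= MAX_PATH)
    {
        // Release with an explicit length so ReleaseBuffer does not scan
        // uninitialised buffer memory for a terminator.
        strPath.ReleaseBuffer(0);
        return CString();
    }
    strPath.ReleaseBuffer(static_cast<int>(len));
    return strPath;
}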
void C进程注入EXEDlg::OnBnClickedButton1()
{//按下按钮执行注入
// TODO: 在此添加控件通知处理程序代码
CString str;
this->m_ProcessName.GetWindowTextW(str);//读取编辑框中输入的目标窗口标题
HWND hStart = ::FindWindow(NULL,str);
DWORD PID, TID;
TID = ::GetWindowThreadProcessId (hStart, &PID);//根据hwnd获取进程ID
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,false,PID); // 打开目标进程
CString dllname;
this->m_DllName.GetWindowTextW(dllname);//读取编辑框中输入的要注入的Dll的名字(dll在当前目录下)
CString dllpath=GetCurrWorkingDir()+dllname;
USES_CONVERSION;//使用T 2A 之前需要用这一句,否则报错
LPSTR lpszDll=T 2A (dllpath);
DWORD dwSize, dwWritten;
dwSize = lstrlenA( lpszDll ) + 1;
LPVOID lpBuf = VirtualAllocEx( hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE );
if ( NULL == lpBuf )
{
CloseHandle( hProcess );
// 失败处理
MessageBox(_T("NULL == lpBuf"));
}
if ( WriteProcessMemory( hProcess, lpBuf, (LPVOID)lpszDll, dwSize, &dwWritten ) )
{
// 要写入字节数与实际写入字节数不相等,仍属失败
if ( dwWritten != dwSize )
{
VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT );
CloseHandle( hProcess );
// 失败处理
MessageBox(_T("要写入字节数与实际写入字节数不相等"));
}
// 使目标进程调用LoadLibrary,加载DLL
DWORD dwID;
//LPVOID pFunc =GetProcAddress(GetModuleHandle (_T("Kernel32")), "LoadLibraryA"); //搞不懂,非要使用LoadLibraryA,使用LoadLibraryW就不能注入
LPVOID pFunc = LoadLibraryA;
HANDLE hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunc, lpBuf, 0, &dwID )