#include <tlhelp32.h>//快照需要的头文件
//快照判断进程是否已经注入
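/*
 * Walk a Toolhelp module snapshot of process dwProcessId and report whether
 * a module named "MyDll.dll" is NOT yet loaded there.
 *
 * Return value has an inverted sense that callers rely on:
 *   TRUE  - module not present (StartInject treats this as "go ahead")
 *   FALSE - module already present, OR the snapshot could not be taken /
 *           enumerated (StopInject treats FALSE as "loaded")
 * A snapshot failure is therefore indistinguishable from "already loaded".
 */
BOOL InjectModuleInto(DWORD dwProcessId)
{
    BOOL bFound = FALSE;          /* was initialised with NULL, a pointer constant */
    MODULEENTRY32 me32;
    HANDLE hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
    if (hModuleSnap == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }
    me32.dwSize = sizeof me32;    /* Module32First rejects an entry with dwSize unset */
    if (!Module32First(hModuleSnap, &me32))
    {
        CloseHandle(hModuleSnap);
        return FALSE;
    }
    do
    {
        /* szModule is a TCHAR array; this _stricmp assumes a non-UNICODE build.
         * Case-insensitive because module names on Windows are. */
        if (_stricmp(me32.szModule, "MyDll.dll") == 0)
        {
            bFound = TRUE;
            break;
        }
    } while (Module32Next(hModuleSnap, &me32));
    CloseHandle(hModuleSnap);
    /* already loaded -> FALSE, so a caller does not inject a second copy */
    return bFound ? FALSE : TRUE;
}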
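/*
 * Load the DLL at path szDllName into the process that owns window GameHandle:
 * the path is copied into the target and a remote thread is started on
 * LoadLibraryA with it.  Does nothing when the window maps to no process,
 * the path is empty, or InjectModuleInto reports the module already present.
 *
 * The LoadLibraryA address used is this process's own; it is only meaningful
 * in the target if kernel32 is mapped at the same base there (same bitness) -
 * assumption kept from the original, not checked here.
 *
 * Footprint: OpenProcess(PROCESS_ALL_ACCESS) + VirtualAllocEx +
 * WriteProcessMemory + CreateRemoteThread into another process is exactly
 * the sequence host-based monitoring keys on; PROCESS_ALL_ACCESS is also far
 * broader than these calls need.
 */
void StartInject(char* szDllName, HWND GameHandle)
{
    DWORD dwPid = 0;
    GetWindowThreadProcessId(GameHandle, &dwPid);
    if (dwPid == 0 || strlen(szDllName) == 0 || InjectModuleInto(dwPid) == FALSE)
        return;
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    if (!hProcess)
        return;
    SIZE_T dwSize = strlen(szDllName) + 1;   /* include the terminating NUL */
    LPVOID lpBuf = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
    if (!lpBuf)                              /* original went on to write through NULL */
    {
        CloseHandle(hProcess);
        return;
    }
    /* WriteProcessMemory stores the byte count as SIZE_T; the original passed
     * a DWORD* cast to SIZE_T*, which overruns the 4-byte local on 64-bit. */
    SIZE_T written = 0;
    if (WriteProcessMemory(hProcess, lpBuf, szDllName, dwSize, &written))
    {
        HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
                                            (LPTHREAD_START_ROUTINE)LoadLibraryA,
                                            lpBuf, 0, NULL);
        if (hThread)
        {
            /* the path buffer must stay mapped until the remote call has read it */
            WaitForSingleObject(hThread, INFINITE);
            CloseHandle(hThread);
        }
        /* on CreateRemoteThread failure the original leaked lpBuf; fall through */
    }
    /* MEM_RELEASE with size 0 drops the whole allocation; MEM_DECOMMIT with a
     * size left the region reserved in the target after every call. */
    VirtualFreeEx(hProcess, lpBuf, 0, MEM_RELEASE);
    CloseHandle(hProcess);
}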
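/*
 * Unload the DLL named szDllName from the process that owns GameHandle.
 * A first remote thread on GetModuleHandleA resolves the module base (read
 * back as the thread exit code); a second one on FreeLibraryAndExitThread
 * releases it.  Does nothing when the window maps to no process, the name is
 * empty, or InjectModuleInto reports the module is not loaded.
 *
 * Known limitation kept from the original: GetExitCodeThread returns a DWORD,
 * so on a 64-bit target the module handle may be truncated and the unload
 * then silently does nothing.  Footprint is the same as StartInject.
 */
void StopInject(char* szDllName, HWND GameHandle)
{
    DWORD dwPid = 0;
    GetWindowThreadProcessId(GameHandle, &dwPid);
    if (dwPid == 0 || strlen(szDllName) == 0 || InjectModuleInto(dwPid) == TRUE)
        return;
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    if (!hProcess)
        return;
    SIZE_T dwSize = strlen(szDllName) + 1;   /* include the terminating NUL */
    LPVOID lpBuf = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
    if (!lpBuf)                              /* original went on to write through NULL */
    {
        CloseHandle(hProcess);
        return;
    }
    /* SIZE_T out-parameter, not a DWORD* cast to SIZE_T* (4-byte overrun on 64-bit) */
    SIZE_T written = 0;
    DWORD dwHandle = 0;                      /* exit code of the GetModuleHandleA thread */
    if (WriteProcessMemory(hProcess, lpBuf, szDllName, dwSize, &written))
    {
        HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
                                            (LPTHREAD_START_ROUTINE)GetModuleHandleA,
                                            lpBuf, 0, NULL);
        if (hThread)
        {
            WaitForSingleObject(hThread, INFINITE);
            GetExitCodeThread(hThread, &dwHandle);
            CloseHandle(hThread);
        }
        /* on CreateRemoteThread failure the original leaked lpBuf; fall through */
    }
    VirtualFreeEx(hProcess, lpBuf, 0, MEM_RELEASE);   /* release, not just decommit */
    /* only request an unload when a module base was actually resolved;
     * the original called FreeLibraryAndExitThread with 0 and never checked
     * the second thread handle before waiting on it */
    if (dwHandle != 0)
    {
        FARPROC pFun = GetProcAddress(GetModuleHandle("Kernel32"), "FreeLibraryAndExitThread");
        HANDLE hThread = NULL;
        if (pFun)
        {
            hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFun,
                                         (LPVOID)(ULONG_PTR)dwHandle, 0, NULL);
        }
        if (hThread)
        {
            WaitForSingleObject(hThread, INFINITE);
            CloseHandle(hThread);
        }
    }
    CloseHandle(hProcess);
}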
远程线程注入与卸载 修改版