获取PID懒得搞了,无非就是多调用几个API,我是直接看任务管理器写的哈哈
//远程线程注入
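/*
 * Load "InjectDll.dll" into the process identified by dwPID.
 *
 * The module name is copied into the target process and a remote thread is
 * started at LoadLibraryA with that buffer as its single argument. The
 * thread's exit code is LoadLibraryA's return value, i.e. the module handle
 * as seen inside the target (truncated to 32 bits, because a thread exit
 * code is a DWORD, so on 64-bit targets it is not a usable HMODULE).
 *
 * Returns that exit code, or 0 when any step fails; the failing API is
 * named on stdout. Every handle and remote allocation created here is
 * released on every exit path.
 */
DWORD RemoteThreadInject(DWORD dwPID) {
    DWORD dwExitCode = 0;
    HANDLE threadHandle = NULL;
    PVOID pWritePosition = NULL;

    /* LoadLibraryA takes one pointer-sized argument and returns a value, which
     * is the shape CreateRemoteThread expects, so it can serve as the start
     * routine directly; the cast is needed because the prototypes differ. */
    LPTHREAD_START_ROUTINE funAddr = (LPTHREAD_START_ROUTINE)LoadLibraryA;

    /* Name of the module to load; the terminating NUL is copied as well,
     * which is what sizeof gives for a string-literal-initialised array. */
    const char dllName[] = "InjectDll.dll";
    DWORD dwNameSize = sizeof dllName;

    HANDLE processHandle = OpenProcess(PROCESS_ALL_ACCESS, 0, dwPID);
    if (!processHandle) {
        printf("processHandle1\n");
        return 0;
    }

    /* Reserve and commit a buffer in the target, then copy the name into it. */
    pWritePosition = VirtualAllocEx(processHandle, 0, dwNameSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (!pWritePosition) {
        printf("VirtualAllocEx1\n");
        goto out_close_process;
    }
    if (!WriteProcessMemory(processHandle, pWritePosition, dllName, dwNameSize, 0)) {
        printf("WriteProcessMemory1\n");
        goto out_free_memory;
    }

    threadHandle = CreateRemoteThread(processHandle, 0, 0, funAddr, pWritePosition, 0, 0);
    if (!threadHandle) {
        printf("CreateRemoteThread1\n");
        goto out_free_memory;
    }

    /* The remote buffer must stay mapped until the thread has finished
     * reading it, so wait before freeing. A failed wait would otherwise
     * leave GetExitCodeThread reporting STILL_ACTIVE as if it were a handle. */
    if (WaitForSingleObject(threadHandle, INFINITE) != WAIT_OBJECT_0) {
        printf("WaitForSingleObject1\n");
        goto out_close_thread;
    }
    if (!GetExitCodeThread(threadHandle, &dwExitCode)) {
        printf("GetExitCodeThread1\n");
        dwExitCode = 0;
        goto out_close_thread;
    }
    /* DWORD is unsigned long on Windows; %lx matches it exactly. */
    printf("Library handle:%08lx\n", dwExitCode);

out_close_thread:
    CloseHandle(threadHandle);
out_free_memory:
    /* A failure here does not invalidate an exit code already obtained. */
    if (!VirtualFreeEx(processHandle, pWritePosition, 0, MEM_RELEASE)) {
        printf("VirtualFreeEx\n");
    }
out_close_process:
    CloseHandle(processHandle);
    return dwExitCode;
}
```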
卸载的时候使用 FreeLibrary
```c
//远程线程卸载
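/*
 * Unload the module hLibrary from the process identified by dwPID.
 *
 * A remote thread is started at FreeLibrary with hLibrary as its argument.
 * FreeLibrary takes a single pointer-sized argument and returns a value, so
 * it has the shape of a thread start routine; the cast is required because
 * the prototypes differ. hLibrary must be the handle as seen inside the
 * target process.
 *
 * Waits for the remote thread so the unload has completed on return. Every
 * handle opened here is closed on every exit path; a failing API is named
 * on stdout.
 */
VOID RemoteThreadFree(DWORD dwPID, HANDLE hLibrary) {
    LPTHREAD_START_ROUTINE funAddr = (LPTHREAD_START_ROUTINE)FreeLibrary;

    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwPID);
    if (!hProcess) {
        printf("OpenProcess\n");
        return;
    }

    HANDLE hThread = CreateRemoteThread(hProcess, 0, 0, funAddr, hLibrary, 0, 0);
    if (!hThread) {
        printf("CreateRemoteThread\n");
        CloseHandle(hProcess);
        return;
    }

    /* Without this wait the caller cannot tell whether the unload happened. */
    if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0) {
        printf("WaitForSingleObject\n");
    }

    CloseHandle(hThread);
    CloseHandle(hProcess);
}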