Windows 上最常规的 DLL 注入(CreateRemoteThread + LoadLibrary 方式)为以下步骤。注意:该方法要求注入器与目标进程位数一致(32 位对 32 位、64 位对 64 位);打开属于其他用户的进程需要 SeDebugPrivilege;这也是最容易被安全产品(反病毒/EDR)识别的注入方式之一,仅适合学习与调试自己的程序。
1.获得要注入的进程的句柄。按最小权限原则不必申请 PROCESS_ALL_ACCESS,后面几步只需要 PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;OpenProcess 返回 NULL 时必须立即退出,不能拿空句柄继续往下走。
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,//PROCESS_ALL_ACCESS为权限
FALSE,dwRemoteProcessId);//dwRemoteProcessId为进程的PID
2.在目标进程中申请存放 DLL 路径的空间,得到申请的首地址(只需要路径名长度加上结尾的 '\0' 即可;这块内存只放数据,PAGE_READWRITE 足够,不需要可执行权限;用 MEM_COMMIT | MEM_RESERVE 一步完成保留和提交,用完后以 MEM_RELEASE 整块释放)。
DWORD dwDllPathLen = strlen(szDllPath) + sizeof(CHAR);
PVOID lpWriteDllAddress = VirtualAllocEx( hProcess,//进程句柄
NULL,//为空
dwDllPathLen,//DLL路径名长度
MEM_COMMIT,//申请空间的作用
PAGE_READWRITE);
3.把DLL的路径名复制到分配的地址中。路径由目标进程中的加载器解析,因此应使用绝对路径;写完后要核对实际写入的字节数是否等于请求的长度,不相等就按失败处理。
BOOL bRet = WriteProcessMemory( hProcess,//进程句柄
lpWriteDllAddress,//申请的空间首地址
(LPCVOID)szDllPath,//DLL路径
dwDllPathLen,//路径长度
&dwWriten);//实际写入的字数
4.得到LoadLibraryW或LoadLibraryA函数(kernel32.dll)的实际地址。在本进程中取到的地址能在目标进程里直接使用,是因为同一次开机会话内、位数相同的进程中 kernel32.dll 映射在相同基址;A/W 版本必须与第 3 步写入的路径字符串编码(ANSI/宽字符)一致。
LPTHREAD_START_ROUTINE pFunStartAddr = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32"),"LoadLibraryA");
5.用CreateRemoteThread函数在远程进程中创建一个线程,让新线程调用正确的LoadLibrary函数。最后一个参数接收的是新线程的线程 ID(不是 PID)。应等待线程结束,再用 GetExitCodeThread 取回 LoadLibrary 的返回值,为 0 表示目标进程加载 DLL 失败;线程结束后才能释放第 2 步申请的内存。
HANDLE hRemoteThread = CreateRemoteThread( hProcess,
NULL,
0,
pFunStartAddr,
lpWriteDllAddress,
0,
&dwThreadID);//创建的线程的PID
Windows的常规的DLL卸载为以下步骤
1.在目标进程中找到要卸载的DLL:用 CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid) 枚举模块,按路径(不区分大小写)匹配,取得它在目标进程中的模块句柄 hModule;64 位注入器枚举 32 位进程时还要加上 TH32CS_SNAPMODULE32。快照句柄用完要 CloseHandle。
2.获得目标进程的句柄(所需权限与注入时相同)。
3.得到FreeLibrary函数(kernel32.dll)的实际地址。注意 FreeLibrary 只是把模块引用计数减一,如果 DLL 被加载过多次,调用一次并不会真正卸载它。
LPTHREAD_START_ROUTINE pFunStartAddr = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32"),"FreeLibrary");
4.用CreateRemoteThread函数在远程进程中创建一个线程,让新线程调用正确的FreeLibrary函数,参数就是第 1 步得到的 hModule;同样应等待线程结束并检查其返回值(0 表示卸载失败)。
下面献上全部代码
#include <stdio.h>
#include <windows.h>
#include <TlHelp32.h>
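/*
 * Resolve an executable image name (e.g. "SoftWare.exe") to the PID of the
 * first process in a Toolhelp snapshot whose image name matches.
 *
 * lpszProcessName: image file name; compared case-insensitively because
 *                  Windows image/file names are case-insensitive.
 * Returns the PID, or 0 when the snapshot cannot be taken or nothing
 * matches. Only the first match is returned, so several instances of the
 * same image are indistinguishable here; callers must check for 0.
 */
DWORD ProcessNameToId(LPCTSTR lpszProcessName)
{
    DWORD dwPid = 0;

    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        /* The original never checked this and walked an invalid handle. */
        MessageBox(NULL, "CreateToolhelp32Snapshot failed", "Notice", MB_OK);
        return 0;
    }

    PROCESSENTRY32 Pe32;
    Pe32.dwSize = sizeof(PROCESSENTRY32);   /* required before Process32First */
    for (BOOL bMore = Process32First(hSnapshot, &Pe32);
         bMore;
         bMore = Process32Next(hSnapshot, &Pe32))
    {
        if (lstrcmpi(lpszProcessName, Pe32.szExeFile) == 0)
        {
            dwPid = Pe32.th32ProcessID;
            break;
        }
    }

    /* The original leaked the snapshot handle on every path. */
    CloseHandle(hSnapshot);

    if (dwPid == 0)
    {
        MessageBox(NULL, "Not Find the Process", "Notice", MB_OK);
    }
    return dwPid;
}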
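/*
 * Inject a DLL into another process with the classic
 * CreateRemoteThread(LoadLibraryA) technique.
 *
 * dwRemoteProcessId: PID of the target process.
 * szDllPath:         ANSI path of the DLL. It is resolved by the loader in
 *                    the TARGET process, so it should be an absolute path.
 * Returns TRUE only when the remote LoadLibraryA returned a non-NULL module
 * handle; FALSE on any failure (a message box reports each one). Callers
 * that ignore the result still compile, as the original returned void.
 *
 * Preconditions this code cannot check: injector and target must have the
 * same bitness, because the LoadLibraryA address is taken from the
 * injector's own kernel32.dll and is only valid in the target if kernel32
 * is mapped at the same base there (true within one boot session for
 * same-architecture processes). Opening a process owned by another user
 * needs SeDebugPrivilege. WaitForSingleObject(INFINITE) hangs if the DLL's
 * DllMain never returns.
 */
BOOL InjectDll(DWORD dwRemoteProcessId, LPCSTR szDllPath)
{
    BOOL bResult = FALSE;
    PVOID lpWriteDllAddress = NULL;
    HANDLE hRemoteThread = NULL;

    if (szDllPath == NULL || szDllPath[0] == '\0')
    {
        MessageBox(NULL, "Inject DLL failed", "Notice", MB_OK);
        return FALSE;
    }

    /* Least privilege: exactly the rights VirtualAllocEx, WriteProcessMemory
     * and CreateRemoteThread need, instead of PROCESS_ALL_ACCESS. */
    const DWORD dwAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE hProcess = OpenProcess(dwAccess, FALSE, dwRemoteProcessId);
    if (hProcess == NULL)
    {
        /* The original only showed a message and went on with a NULL handle. */
        MessageBox(NULL, "Open Process falied", "Notice", MB_OK);
        return FALSE;
    }

    /* Path bytes plus the terminating NUL; LoadLibraryA reads it as a C string. */
    SIZE_T cbDllPath = strlen(szDllPath) + sizeof(CHAR);

    /* Data only: PAGE_READWRITE is enough, no executable memory is needed. */
    lpWriteDllAddress = VirtualAllocEx(hProcess, NULL, cbDllPath,
                                       MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (lpWriteDllAddress == NULL)
    {
        MessageBox(NULL, "Virtual Alloc falied", "Notice", MB_OK);
        goto cleanup;
    }

    /* SIZE_T, not DWORD: WriteProcessMemory stores a pointer-sized count here,
     * which overran a 4-byte DWORD on x64 in the original. */
    SIZE_T cbWritten = 0;
    if (!WriteProcessMemory(hProcess, lpWriteDllAddress, szDllPath, cbDllPath, &cbWritten)
        || cbWritten != cbDllPath)
    {
        MessageBox(NULL, "Write data to target process failed", "Notice", MB_OK);
        goto cleanup;
    }

    /* Valid in the target only under the same-bitness precondition above. */
    LPTHREAD_START_ROUTINE pfnLoadLibrary =
        (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32"), "LoadLibraryA");
    if (pfnLoadLibrary == NULL)
    {
        MessageBox(NULL, "Inject DLL failed", "Notice", MB_OK);
        goto cleanup;
    }

    DWORD dwThreadID = 0;   /* receives the remote thread's ID (not a PID) */
    hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, pfnLoadLibrary,
                                       lpWriteDllAddress, 0, &dwThreadID);
    if (hRemoteThread == NULL)
    {
        /* The original waited on a NULL handle and reported success anyway. */
        MessageBox(NULL, "Inject DLL failed", "Notice", MB_OK);
        goto cleanup;
    }

    /* Wait so the path buffer stays alive until LoadLibraryA has read it.
     * The thread exit code is LoadLibraryA's return value (truncated to 32
     * bits on x64): 0 means the target failed to load the DLL. */
    WaitForSingleObject(hRemoteThread, INFINITE);
    DWORD dwExitCode = 0;
    if (GetExitCodeThread(hRemoteThread, &dwExitCode) && dwExitCode != 0)
    {
        bResult = TRUE;
        MessageBox(NULL, "Inject DLL Success. By H.W.J", "Notice", MB_OK);
    }
    else
    {
        MessageBox(NULL, "Inject DLL failed", "Notice", MB_OK);
    }

cleanup:
    if (hRemoteThread != NULL)
    {
        CloseHandle(hRemoteThread);
    }
    if (lpWriteDllAddress != NULL)
    {
        /* MEM_RELEASE with size 0 frees the whole region; the original's
         * MEM_DECOMMIT left the reservation behind in the target. */
        VirtualFreeEx(hProcess, lpWriteDllAddress, 0, MEM_RELEASE);
    }
    CloseHandle(hProcess);
    return bResult;
}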
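/*
 * Unload a DLL from another process by running FreeLibrary in it via
 * CreateRemoteThread.
 *
 * dwRemoteProcessId: PID of the target process.
 * szDllPath:         full path of the module as the target has it loaded;
 *                    compared case-insensitively against each module's
 *                    szExePath because Windows paths are case-insensitive.
 * Returns TRUE when the remote FreeLibrary reported success, FALSE otherwise
 * (a message box reports each failure). Callers that ignore the result
 * still compile, as the original returned void.
 *
 * Caveats: FreeLibrary only decrements the module's reference count, so a
 * DLL loaded more than once stays mapped after one call. The same-bitness
 * requirement as InjectDll applies (FreeLibrary's address comes from the
 * injector's kernel32). A 64-bit injector does not see a 32-bit target's
 * modules with TH32CS_SNAPMODULE alone; TH32CS_SNAPMODULE32 is needed too.
 */
BOOL UnInject(DWORD dwRemoteProcessId, LPCSTR szDllPath)
{
    if (szDllPath == NULL)
    {
        MessageBox(NULL, "Not Find The DLL", "Notice", MB_OK);
        return FALSE;
    }

    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwRemoteProcessId);
    if (hSnap == INVALID_HANDLE_VALUE)
    {
        /* The original never checked this and walked an invalid handle. */
        MessageBox(NULL, "Not Find The DLL", "Notice", MB_OK);
        return FALSE;
    }

    BOOL bFound = FALSE;
    MODULEENTRY32 Me32;
    Me32.dwSize = sizeof(MODULEENTRY32);   /* required before Module32First */
    for (BOOL bMore = Module32First(hSnap, &Me32);
         bMore;
         bMore = Module32Next(hSnap, &Me32))
    {
        if (lstrcmpiA(Me32.szExePath, szDllPath) == 0)
        {
            bFound = TRUE;
            break;
        }
    }

    /* The original leaked the snapshot handle on the not-found path. */
    CloseHandle(hSnap);

    if (!bFound)
    {
        MessageBox(NULL, "Not Find The DLL", "Notice", MB_OK);
        return FALSE;
    }

    /* Least privilege: the rights CreateRemoteThread needs, not PROCESS_ALL_ACCESS. */
    const DWORD dwAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE hProcess = OpenProcess(dwAccess, FALSE, dwRemoteProcessId);
    if (hProcess == NULL)
    {
        /* The original passed a NULL handle straight to CreateRemoteThread. */
        MessageBox(NULL, "Open Process falied", "Notice", MB_OK);
        return FALSE;
    }

    BOOL bResult = FALSE;
    LPTHREAD_START_ROUTINE pfnFreeLibrary =
        (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32"), "FreeLibrary");
    if (pfnFreeLibrary != NULL)
    {
        DWORD dwThreadID = 0;   /* receives the remote thread's ID (not a PID) */
        /* Me32.hModule is the module base in the TARGET's address space,
         * which is exactly what FreeLibrary expects there. */
        HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, pfnFreeLibrary,
                                                  Me32.hModule, 0, &dwThreadID);
        if (hRemoteThread != NULL)
        {
            WaitForSingleObject(hRemoteThread, INFINITE);
            /* The thread exit code carries FreeLibrary's BOOL result. */
            DWORD dwExitCode = 0;
            if (GetExitCodeThread(hRemoteThread, &dwExitCode) && dwExitCode != 0)
            {
                bResult = TRUE;
            }
            CloseHandle(hRemoteThread);
        }
    }
    CloseHandle(hProcess);

    if (bResult)
    {
        MessageBox(NULL, "UnInject DLL Success. By H.W.J", "Notice", MB_OK);
    }
    else
    {
        /* The original printed "Inject DLL failed" here and then claimed success. */
        MessageBox(NULL, "UnInject DLL failed", "Notice", MB_OK);
    }
    return bResult;
}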
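/*
 * Demo driver: inject E:\FirstDll.dll into SoftWare.exe, wait for Enter,
 * then unload it again. Both names are hard-coded for the demo.
 * Returns 1 when the target process is not found, 0 otherwise.
 */
int main(void)
{
    CHAR szProcessName[MAX_PATH] = "SoftWare.exe";
    CHAR szDllPath[MAX_PATH] = "E:\\FirstDll.dll";

    DWORD dwPid = ProcessNameToId(szProcessName);
    if (dwPid == 0)
    {
        /* ProcessNameToId already reported the failure. PID 0 is the System
         * Idle Process; the original went on and tried to inject into it. */
        return 1;
    }

    InjectDll(dwPid, szDllPath);
    getchar();   /* let the DLL run until the user presses Enter */
    UnInject(dwPid, szDllPath);
    return 0;
}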