#include <T1Help32.h>
//Executable name of the process to look up, fixed at compile time; ProcessNamePID compares it with strcmp against each snapshot entry
#define GET_NAME "WeChat.exe"
void GetProcessName(); //forward declaration; the definition is further down in this file
获取进程PID的函数
/// Walks a ToolHelp process snapshot and returns the PID of the first entry
/// whose image name equals ProcessName.
/// @param ProcessName executable file name to match; compared with strcmp
///        (exact, case-sensitive) against PROCESSENTRY32::szExeFile.
/// @return th32ProcessID of the matching entry. There is no return statement
///         after the loop, so when nothing matches control falls off the end
///         of a non-void function; the caller tests the result against 0,
///         which this function never explicitly produces.
/// NOTE(review): the snapshot handle is only released on the no-match path;
/// the early return on a match leaks it.
/// NOTE(review): the only snapshot-reading call in this block is the
/// Process32Next in the loop condition, so the first strcmp runs against the
/// zero-initialised szExeFile before any entry has been read.
/// NOTE(review): the loop condition names `processAll`, which is not declared
/// in this block (the handle above is `ProcessAll`); the numbered line right
/// after the opening brace is a stray note, not code.
DWORD ProcessNamePID(LPCSTR ProcessName)
{
1.获得整个进程快照准备比对
HANDLE ProcessAll = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);//snapshot of every process on the system
PROCESSENTRY32 processInfo ={0};//zero-initialise the entry record
processInfo。dwSize = sieof(PROCESSENTRY32); //dwSize must hold the struct size before the ToolHelp calls accept it
//walk the snapshot comparing image names
do
{
//compare the current entry's image name with the requested one
if(strcmp(ProcessName,processInfo.szExeFile) == 0)//strcmp yields 0 on an exact match
{
return processInfo.th32ProcessID; //PID of the matching process (the snapshot handle is not closed on this path)
}
}while(Process32Next(processAll,&processInfo));//advance to the next entry; the second argument is a pointer, hence the address-of
CloseHandle(ProcessAll); //release the snapshot handle (only reached when nothing matched)
}
//调用这个就能注入
/// Loads the DLL whose path is in PathStr into the process named by
/// GET_NAME: resolves the PID, opens the process, copies the path string into
/// a remote allocation and starts a remote thread at kernel32!LoadLibraryA
/// with that allocation as the argument. Per the original note it is meant
/// to be called from the "inject" button's click handler. Every failure is
/// reported with MessageBox and the function returns without any cleanup.
/// NOTE(review): hProcess and Exec are never passed to CloseHandle and
/// DLLAdd is never freed with VirtualFreeEx on any path, so each call leaks
/// a process handle, a thread handle and a remote allocation.
/// NOTE(review): strlen(PathStr) excludes the terminating NUL, so both the
/// allocation and the write are one byte short of a C string; the
/// InjectAssistModudel routine in this file allocates GetLength() + 1 for the
/// same purpose.
/// NOTE(review): GET_NAME is an object-like macro, so the parenthesised
/// Chinese note after it on the PID line is not valid C and is not part of
/// the argument.
/// NOTE(detection): OpenProcess with PROCESS_ALL_ACCESS followed by
/// VirtualAllocEx(PAGE_READWRITE), WriteProcessMemory and CreateRemoteThread
/// on LoadLibraryA is the canonical remote-thread injection sequence that
/// endpoint telemetry (ETW/EDR) is built to flag.
void GetProcessName() //called from the inject button's click handler
{
CHAR PathStr[0x100] = {"要注入自己写的DLL路径"}; //path of the DLL to load; the placeholder text is written to the target as-is
DWORD PID = ProcessNamePID( GET_NAME(要注入的程序进程名字)); //look up the PID of the target process name
if(PID == 0) //0 is the caller's "not found" convention (see ProcessNamePID for what it actually returns)
{
MessageBox(NULL,"没有找到微信进程或者没有打开微信","错误",0);
return;
}
HANDLE hProcess =OpenPricess(PROCESS_ALL_ACCESS,FALSE,PID);//open the target with full access; the write and thread-creation calls below need it
//the open returns NULL on failure
if(hProcess == NULL)
{
MessageBox(NULL,"进程打开失败 可能权限不足或者关闭了应用","错误",0);
return;
}
//allocate memory in the target to hold the DLL path
//1 process handle, 2 NULL lets the system pick the address, 3 size = path length, 4 MEM_COMMIT, 5 PAGE_READWRITE
//returns LPVOID (NULL on failure)
LPVOID DLLAdd=VirtualallocEx(hProcess,NULL,strlen(PathStr),MEM_COMMIT,PAGE_READWRITE);
//NULL means the remote allocation failed
if(DLLAdd == NULL)
{
MessageBox(NULL,"内存分配失败","错误",0);
return; //hProcess is leaked here
}
//copy the DLL path into the remote allocation (length again excludes the NUL)
if(WriteProcessMemory(hProcess,DLLAdd,PathStr,strlen(PathStr),NULL) == 0)
{
MessageBox(NULL,"路径写入失败","错误",0);
return; //hProcess and DLLAdd are leaked here
}
//disabled debug aid: print the remote address
// CHAR tex[0x100] ={0};
// sprintf_s(tex,"写入的地址 十六进制打印 = %p",DLLAdd)
// OutputDebugString(tex); //拿到地址的值
//once the path is in place, start the remote thread
//CreateRemoteThread's start routine must be an address valid inside the target; the original note takes the local kernel32 base, which only works if kernel32 is mapped at the same base in both processes
HMODULE K32dll = GetModuleHandle("Kernel32.dll");
FARPROC LoadAdd = GetProcAddress(K32dll,"LoadLibraryA"); //A vs W variant must match the narrow string written above (original note: depends on the WeChat build)
HANDLE Exec = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)LoadAdd,DLLAdd ,0,NULL);
if(Exec == NULL)
{
MessageBox(NULL,"线程启动失败","错误",0);
return;
}
}
//卸载DLL 用到的函数
CreateToolhelp32Snapshot 获取进程快照PID
VirtualAllocEx 申请内存
WriteProcessMemory 用来写入DLL路径
GetProcAddress 获取加载DLL函数的地址
GetModuleHandle 获取Kernel32基址
CreateRemoteThread 在别人的进程执行加载dll函数
FreeLibrary(); 卸载DLL
LoadLibrary
卸载DLL与加载dll封装函数
/// Loads (bInject == true) or unloads (bInject == false) a DLL in another
/// process by running kernel32 routines on a remote thread.
/// @param hProcess handle to the target process; it must already carry the
///        rights the calls below need and is not closed here.
/// @param strDll   DLL path; written as a narrow string via GetBuffer(0).
///                 On unload the same path is what the remote
///                 GetModuleHandleA is asked to look up.
/// @param bInject  true = remote LoadLibraryA; false = remote
///                 GetModuleHandleA, then remote FreeLibrary on the handle
///                 it returned.
/// @return true once the final remote thread has been created. Every failure
///         goes through RETURN_FAIL, a macro not visible here — presumably it
///         reports the message and returns false (confirm).
/// NOTE(review): GetLength() + 1 bytes are allocated but only GetLength()
/// bytes are written, so the terminating NUL relies on the fresh commit being
/// zero-filled; dwWritten is collected but never checked, and GetBuffer(0) is
/// not paired with ReleaseBuffer().
/// NOTE(review): the remote allocation is freed only on failure paths, the
/// remote thread handles are never closed (the unload path overwrites the
/// first hThread without CloseHandle), and neither the load thread nor the
/// final FreeLibrary thread is waited on, so the caller cannot tell whether
/// those calls succeeded.
/// NOTE(review): the unload path reads the module handle back through
/// GetExitCodeThread into a DWORD, which only holds an HMODULE when the
/// target is 32-bit; on a 64-bit target the value is truncated.
/// NOTE(review): VirtualFreeEx is called with MEM_DECOMMIT and the string
/// length, which decommits pages but leaves the reservation in place.
/// NOTE(detection): the VirtualAllocEx / WriteProcessMemory /
/// CreateRemoteThread(LoadLibraryA) sequence here is the same remote-thread
/// injection pattern endpoint telemetry is built to flag.
bool CwmgjManagerDlg::InjectAssistModudel(HANDLE hProcess,CString strDll, bool bInject)
{
//remote buffer for the path, one extra byte for the terminator
LPVOID pRemoteParam = ::VirtualAllocEx(hProcess,NULL,strDll.GetLength() + 1,
MEM_COMMIT,PAGE_READWRITE);
if( NULL == pRemoteParam) RETURN_FAIL("远程进程分配地址空间失败");
DWORD dwWritten = 0;
//copy GetLength() bytes of the path (no NUL) into the remote buffer
if (!::WriteProcessMemory(hProcess,pRemoteParam,strDll.GetBuffer(0),
strDll.GetLength(),&dwWritten))
{
::VirtualFreeEx(hProcess,pRemoteParam,strDll.GetLength(),MEM_DECOMMIT);
RETURN_FAIL("向远程进程写入数据失败");
}
//local kernel32 base; the remote entry points below are resolved from it, which assumes kernel32 is mapped at the same base in the target
HMODULE hMod = ::GetModuleHandleA("Kernel32.dll");
HANDLE hThread = NULL;
if ( bInject )(加载)
{
//load path: run LoadLibraryA(pRemoteParam) on a remote thread
PTHREAD_START_ROUTINE pRemoteFunc = (PTHREAD_START_ROUTINE)::GetProcAddress(
hMod,"LoadLibraryA");
if( NULL == pRemoteFunc)
{
::VirtualFreeEx(hProcess,pRemoteParam,strDll.GetLength(),MEM_DECOMMIT);
RETURN_FAIL("获取LoadLibrary地址失败");
}
hThread = CreateRemoteThread(hProcess,NULL,0,pRemoteFunc,pRemoteParam,0,NULL);
if( NULL == hThread)
{
::VirtualFreeEx(hProcess,pRemoteParam,strDll.GetLength(),MEM_DECOMMIT);
RETURN_FAIL("远程线程地址失败");
}
//thread handle and remote buffer are left open on this path
}else(卸载)
{
//unload path, step 1: ask the target for the module handle of strDll
PTHREAD_START_ROUTINE pRemoteFunc = (PTHREAD_START_ROUTINE)::GetProcAddress(
hMod,"GetModuleHandleA");
if( NULL == pRemoteFunc)
{
::VirtualFreeEx(hProcess,pRemoteParam,strDll.GetLength(),MEM_DECOMMIT);
RETURN_FAIL("获取GetModuleHandleA地址失败");
}
hThread = CreateRemoteThread(hProcess,NULL,0,pRemoteFunc,pRemoteParam,0,NULL);
if( NULL == hThread)
{
::VirtualFreeEx(hProcess,pRemoteParam,strDll.GetLength(),MEM_DECOMMIT);
RETURN_FAIL("远程线程地址失败");
}
//the thread's exit code is the value GetModuleHandleA returned in the target
WaitForSingleObject(hThread,INFINITE);
DWORD dwValue = 0;
GetExitCodeThread(hThread,&dwValue);
if(NULL == dwValue)
{
//0 means the module is not loaded in the target (or the lookup failed)
::VirtualFreeEx(hProcess,pRemoteParam,strDll.GetLength(),MEM_DECOMMIT);
RETURN_FAIL("获取辅助模块句柄失败");
}
//step 2: FreeLibrary(handle) on a second remote thread; the first hThread is overwritten without being closed
pRemoteFunc = (PTHREAD_START_ROUTINE)::GetProcAddress(
hMod,"FreeLibrary");
if( NULL == pRemoteFunc)
{
::VirtualFreeEx(hProcess,pRemoteParam,strDll.GetLength(),MEM_DECOMMIT);
RETURN_FAIL("获取FreeLibrary地址失败");
}
hThread = CreateRemoteThread(hProcess,NULL,0,pRemoteFunc,(LPVOID)dwValue,0,NULL);
if( NULL == hThread)
{
::VirtualFreeEx(hProcess,pRemoteParam,strDll.GetLength(),MEM_DECOMMIT);
RETURN_FAIL("远程线程地址失败");
}
//the FreeLibrary thread is not waited on, so its result is unknown to the caller
}
return true;
}