using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Diagnostics;
using System.Drawing;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Windows.Forms;

namespace hooktest01
{
    // WinForms front-end that loads a DLL into another process selected by pid:
    // it allocates a buffer in the target (VirtualAllocEx), writes the DLL path
    // there (WriteProcessMemory), starts a remote thread at LoadLibraryA
    // (CreateRemoteThread), waits for it, and then lists the target's modules
    // in listBox1.
    // NOTE(review): this API sequence — an RWX allocation in a foreign process,
    // a remote write, and a remote thread whose start address is LoadLibraryA —
    // is the pattern endpoint monitoring and audit tooling commonly report as
    // code injection; any process performing it should be treated as high-risk.
    public partial class Form1 : Form
    {
        // kernel32 imports. Addresses, sizes and most handles are declared as
        // 32-bit integers; the string parameters use the default DllImport
        // marshalling (ANSI), which is what LoadLibraryA expects.
        [DllImport("kernel32.dll")]
        public static extern int VirtualAllocEx(IntPtr hwnd, Int32 lpaddress, int size, int type, Int32 tect);
        [DllImport("kernel32.dll")]
        public static extern Boolean WriteProcessMemory(IntPtr hwnd, int baseaddress, string buffer, int nsize, int filewriten);
        [DllImport("kernel32.dll")]
        public static extern int GetProcAddress(int hwnd, string lpname);
        [DllImport("kernel32.dll")]
        public static extern int GetModuleHandleA(string name);
        [DllImport("kernel32.dll")]
        public static extern IntPtr CreateRemoteThread(IntPtr hwnd, int attrib, int size, int address, int par, int flags, int threadid);
        [DllImport("kernel32.dll")]
        public static extern Int32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
        // Declared with lpAddress as its first parameter: this is the
        // current-process VirtualFree, not a remote-process variant.
        [DllImport("kernel32.dll")]
        public static extern Boolean VirtualFree(IntPtr lpAddress, Int32 dwSize, Int32 dwFreeType);

        Process pname;                          // target process, opened by pid in button1_Click
        UInt32 INFINITE = 0xFFFFFFFF;           // WaitForSingleObject: no timeout
        Int32 PAGE_EXECUTE_READWRITE = 0x40;    // protection requested for the remote buffer (RWX)
        Int32 MEM_COMMIT = 0x1000;
        Int32 MEM_RESERVE = 0x2000;
        Int32 MEM_RELEASE = 0x8000;
        Int32 AllocBaseAddress;                 // address of the remote buffer holding the DLL path
        IntPtr hwnd;                            // target process handle (pname.Handle)
        string dllname;                         // DLL path taken from textBox2
        Int32 Pid;                              // pid parsed from textBox1
        Boolean ok;                             // result of WriteProcessMemory
        Int32 loadaddr;                         // address of kernel32!LoadLibraryA resolved in THIS process
        IntPtr ThreadHwnd;                      // handle of the remote thread

        public Form1()
        {
            InitializeComponent();
        }

        // Button handler: validates the two text boxes, opens the target by pid,
        // injects the DLL named in textBox2 and fills listBox1 with the target's
        // module file names. Every failure is reported with a MessageBox and
        // ends the handler early.
        private void button1_Click(object sender, EventArgs e)
        {
            // Input validation. Int32.Parse may throw on a non-numeric pid; the
            // catch below reports that to the user instead of crashing.
            try
            {
                if (textBox1.Text == "" || textBox1.Text == null)
                {
                    MessageBox.Show("Pid is null");
                    return;
                }
                if (textBox2.Text == "" || textBox2.Text == null)
                {
                    MessageBox.Show("dll name is null");
                    return;
                }
                Pid = Int32.Parse(textBox1.Text);
                dllname = textBox2.Text;
            }
            catch (Exception error)
            {
                MessageBox.Show(error.Message);
                return;
            }

            try
            {
                pname = Process.GetProcessById(Pid);
                hwnd = pname.Handle;
            }
            catch (Exception error)
            {
                // Thrown when no process with the given pid exists (or it cannot be opened);
                MessageBox.Show(error.Message);
                return;
            }

            // Reserve+commit an RWX buffer in the target large enough for the
            // path plus a terminating NUL.
            AllocBaseAddress = VirtualAllocEx(hwnd, 0, dllname.Length + 1, MEM_COMMIT + MEM_RESERVE, PAGE_EXECUTE_READWRITE);
            if (AllocBaseAddress == 0)
            {
                MessageBox.Show("virtualallocex fail");
                return;
            }

            // Copy the DLL path into the remote buffer (bytes-written pointer passed as 0).
            ok = WriteProcessMemory(hwnd, AllocBaseAddress, dllname, dllname.Length + 1, 0);
            if (!ok)
            {
                MessageBox.Show("writeprocessmemory fail");
                return;
            }

            // LoadLibraryA is resolved in the injector's own kernel32 mapping and
            // handed to the target unchanged, so this presumes kernel32 is mapped
            // at the same base in both processes.
            loadaddr = GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
            if (loadaddr == 0)
            {
                // Return when resolving the address of LoadLibraryA fails
                MessageBox.Show("get loadlibraryA fail");
                return;
            }

            // Start a thread in the target at LoadLibraryA with the remote
            // buffer (the DLL path) as its single argument.
            ThreadHwnd = CreateRemoteThread(hwnd, 0, 0, loadaddr, AllocBaseAddress, 0, 0);
            if (ThreadHwnd == IntPtr.Zero)
            {
                MessageBox.Show("createremotethread fail");
                return;
            }

            // Blocks the UI thread until the remote thread finishes; the wait
            // result and the thread's exit code are not examined, so a failed
            // load is not distinguished from a successful one here.
            WaitForSingleObject(ThreadHwnd, INFINITE);
            MessageBox.Show("ok ,you can check now!!!");

            // NOTE(review): VirtualFree acts on this process's address space and is
            // handed the target's process handle as lpAddress, so the remote buffer
            // at AllocBaseAddress is not released by this call — confirm intent.
            VirtualFree(hwnd, 0, MEM_RELEASE);

            // Enumerate the module list below; items are appended, listBox1 is
            // not cleared between clicks.
            ProcessModuleCollection pmodule = pname.Modules;
            foreach (ProcessModule processm in pmodule)
            {
                listBox1.Items.Add(processm.FileName);
            }
            // Disposed only on this success path; the early returns above leave pname open.
            pname.Dispose();
        }
        // process handle
    }
}
// Reposted from: http://blog.csdn.net/pandyer/archive/2009/01/06/3719836.aspx