dll注入到进程
#include <windows.h>
#include <winsvc.h>
#include <tlhelp32.h>
// DLL注入函数
/*
 * LoadLib - makes the process identified by dwProcessId load the DLL named by
 * lpszLibName. The path string is copied into the target's address space and a
 * remote thread is started whose entry point is kernel32!LoadLibraryW with that
 * string as its single argument.
 *
 * Parameters:
 *   dwProcessId - PID of the target process.
 *   lpszLibName - wide-character path of the DLL; it is copied verbatim, so the
 *                 target must be able to resolve and read that path.
 * Returns TRUE when every step up to CreateRemoteThread succeeded. The result
 * of LoadLibraryW inside the target is never inspected, so TRUE does not prove
 * the DLL was actually loaded.
 *
 * Defender's view: the sequence OpenProcess(VM_WRITE|CREATE_THREAD) ->
 * VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread(start address in
 * kernel32) is one of the most heavily monitored behaviours on Windows; Sysmon
 * Event ID 8 and most EDR products record the creating process, the target and
 * the thread start address. OpenProcess only succeeds if the caller's token
 * passes the target's access check (typically the same user, or a token holding
 * SeDebugPrivilege), so running untrusted code in a separate, lower-privileged
 * account and enforcing DLL load policies (AppLocker/WDAC) limit the impact.
 *
 * NOTE(review): as written this listing does not compile: the '=' after the
 * parameter list on the signature line is a syntax error, and the 'if' around
 * the GetProcAddress check has no opening brace, so the '}' that follows it
 * closes the function early. Every error path after OpenProcess also leaks
 * hProcess, and two of them leak the remote allocation.
 */
bool LoadLib(DWORD dwProcessId, LPWSTR lpszLibName) =
{
HANDLE hProcess = NULL;
HANDLE hThread = NULL;
LPWSTR lpszRemoteFile = NULL;
// Open the target with exactly the rights needed to write its memory and start
// a thread in it; this access mask is itself a commonly alerted-on indicator.
hProcess = OpenProcess(PROCESS_CREATE_THREAD
| PROCESS_VM_OPERATION
| PROCESS_VM_WRITE,
FALSE,
dwProcessId);
if (hProcess == NULL)
{
// The text says "with error" but GetLastError() is never appended, so the
// actual failure reason is lost (same for every MessageBox below).
MessageBox(NULL, "OpenProcess failed with error " , "Error",
MB_ICONINFORMATION + MB_OK);
return FALSE;
}
// Reserve space in the target for the DLL path. The size is
// sizeof(WCHAR) * n + 1 bytes, one byte short of a full two-byte terminator;
// the code relies on the freshly committed page being zero-filled for the NUL.
lpszRemoteFile = (LPWSTR)VirtualAllocEx(hProcess, NULL,
sizeof(WCHAR) * lstrlenW(lpszLibName) + 1,
MEM_COMMIT, PAGE_READWRITE);
if (lpszRemoteFile == NULL)
{
// Leaks hProcess on this path.
MessageBox(NULL, "VirtualAllocEx failed with error " , "Error",
MB_ICONINFORMATION + MB_OK);
return FALSE;
}
// Copy the DLL path into the buffer just allocated in the target.
if (!WriteProcessMemory(hProcess, lpszRemoteFile,
(PVOID)lpszLibName, sizeof(WCHAR) * lstrlenW(lpszLibName) + 1,
NULL))
{
// Leaks hProcess and the remote allocation on this path.
MessageBox(NULL, "WriteProcessMemory failed with error " , "Error",
MB_ICONINFORMATION + MB_OK);
return FALSE;
}
// Resolve LoadLibraryW in this process's kernel32.dll; the address obtained
// here is later used as the thread start address in the target, which
// presumes kernel32 is mapped at the same base there - TODO confirm for the
// intended platform.
PTHREAD_START_ROUTINE pfnThreadRtn =
(PTHREAD_START_ROUTINE)GetProcAddress(
GetModuleHandle("Kernel32.dll"),"LoadLibraryW");
// NOTE(review): no '{' after this if. Only the MessageBox is conditional; the
// 'return FALSE;' always executes and the '}' below closes the function body,
// leaving the remaining statements outside any function.
if (pfnThreadRtn == NULL)
MessageBox(NULL, "GetProcAddress failed with error " , "Error",
MB_ICONINFORMATION + MB_OK);
return FALSE;
}
// Start a thread in the target that runs LoadLibraryW(lpszRemoteFile). A
// remote thread whose creator is another process and whose start address lies
// in kernel32 is the event that injection sensors (e.g. Sysmon Event ID 8) log.
hThread = CreateRemoteThread(hProcess,
NULL,
0,
pfnThreadRtn, // address of LoadLibraryW
lpszRemoteFile, // remote copy of the DLL path
0,
NULL);
if (hThread == NULL)
{
// Leaks hProcess and the remote allocation on this path.
MessageBox(NULL, "CreateRemoteThread failed with error " , "Error",
MB_ICONINFORMATION + MB_OK);
return FALSE;
}
// Block until the remote LoadLibraryW returns. Its exit code (the module
// handle, or NULL on failure) is never read via GetExitCodeThread, so failure
// inside the target is silently reported as success below.
WaitForSingleObject(hThread, INFINITE);
// Release the remote path buffer (success path only).
VirtualFreeEx(hProcess, lpszRemoteFile, 0, MEM_RELEASE);
// Close both handles.
CloseHandle(hThread);
CloseHandle(hProcess);
return TRUE;
}
void main()
{
LPWSTR m_szDllFile = L"D://FileHook//APIHook_Dll//Debug//APIHook_Dll.dll";
DWORD m_dwProcessId = 0;
PROCESSENTRY32 pe;
// 创建快照句柄
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
// 先搜索系统中第一个进程的信息
Process32First(hSnapshot, &pe);
// 下面对系统中的所有进程进行枚举,并保存其信息
do{
if(strcmp(pe.szExeFile,"explorer.exe") == 0 )
{
m_dwProcessId =pe.th32ProcessID;
break;
}
}
while (Process32Next(hSnapshot, &pe));
// 关闭快照句柄
CloseHandle(hSnapshot);
LoadLib(m_dwProcessId, m_szDllFile);