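// LoadDll - make the process identified by dwProcessId load the DLL whose
// path is lpszDllName: the path is copied into the target's address space
// and a remote thread is started at kernel32!LoadLibraryA with that buffer
// as its only argument.
//
// dwProcessId  ID of the target process.
// lpszDllName  NUL-terminated DLL path; it is copied including the
//              terminator so the target sees exactly the same string.
//
// Returns TRUE when the remote thread was created and has finished, FALSE
// on any failure. Every resource acquired before a failure (process handle,
// remote buffer, thread handle) is released before returning; the earlier
// version leaked the process handle and the remote buffer on the
// intermediate error paths.
//
// A TRUE result only says the remote thread ran to completion; it does not
// report whether LoadLibraryA itself succeeded inside the target (that
// would need the thread's exit code, which this function does not read).
BOOL LoadDll(DWORD dwProcessId, LPSTR lpszDllName)
{
    BOOL ok = FALSE;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    PSTR pszDllFile = NULL;

    // strlen() on NULL is undefined; reject it up front.
    if (lpszDllName == NULL) {
        return FALSE;
    }

    // Open the target process.
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
    if (hProcess == NULL) {
        // DWORD is unsigned long on Windows; "%lu" matches it, "%d" did not.
        printf("打开进程 %lu 失败!\n\n", dwProcessId);
        return FALSE;
    }
    printf("打开进程 %lu 成功!\n\n", dwProcessId);

    // Bytes to copy: the path plus its NUL terminator. Kept as size_t so a
    // long path is not silently narrowed the way the old "int cch" was.
    size_t cch = strlen(lpszDllName) + 1;

    // Reserve space for the path inside the target.
    pszDllFile = (PSTR)VirtualAllocEx(hProcess, NULL, cch, MEM_COMMIT, PAGE_READWRITE);
    if (pszDllFile == NULL) {
        goto cleanup;
    }
    printf("分配远程空间成功!\n\n");

    // Copy the path (with terminator) into the remote buffer.
    if (!WriteProcessMemory(hProcess, (PVOID)pszDllFile, (PVOID)lpszDllName, cch, NULL)) {
        goto cleanup;
    }
    printf("写远程内存成功!\n\n");

    // Resolve LoadLibraryA locally. The original author relies on kernel32
    // having the same load address in the target, which is why the local
    // address is passed straight to the remote thread; the same assumption
    // would allow casting LoadLibraryA directly instead of looking it up.
    PTHREAD_START_ROUTINE pfnThreadRtn =
        (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("kernel32"), "LoadLibraryA");
    if (pfnThreadRtn == NULL) {
        goto cleanup;
    }
    printf("获取LoadLibrary函数地址成功!\n\n");

    // Start the remote thread with the buffer address as its argument.
    hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, (PVOID)pszDllFile, 0, NULL);
    if (hThread == NULL) {
        goto cleanup;
    }
    printf("创建远程线程成功!\n\n");

    // The wait is required, not optional: the remote thread reads
    // pszDllFile, and the buffer is released below, so freeing it before
    // the thread has finished would pull the string out from under
    // LoadLibraryA.
    WaitForSingleObject(hThread, INFINITE);
    ok = TRUE;

cleanup:
    // Release in reverse order of acquisition; each step is skipped when the
    // corresponding resource was never obtained.
    if (hThread != NULL) {
        CloseHandle(hThread);
    }
    if (pszDllFile != NULL) {
        VirtualFreeEx(hProcess, (PVOID)pszDllFile, 0, MEM_RELEASE);
    }
    CloseHandle(hProcess);
    return ok;
}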
//将需要实现的代码写入dllmain中的DLL_PROCESS_ATTACH
备注:简单的动态库注入实现,只做学习参考