DLL injection

// Element count of a true array (not a pointer): total bytes / bytes of one element.
#define ArrLen(arr) (sizeof(arr) / sizeof(arr[0]))

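// Walks through the classic LoadLibraryA-based DLL injection sequence against
// a hard-coded process id (1234) with a hard-coded DLL name.
//
// Returns 0 when the remote thread was created and ran to completion, and 1
// when any step fails. Every handle and the remote allocation are released
// before returning.
//
// Defender note: each step below is a well-known telemetry point. A foreign
// process handle opened with CREATE_THREAD | VM_OPERATION | VM_WRITE shows up
// as a process-access event (Sysmon Event ID 10), and a remote thread whose
// start address is LoadLibraryA shows up as Sysmon Event ID 8.
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    // Argument for 'LoadLibraryA()'; the whole zero-padded buffer is copied.
    const char buf[64] = "youDll.dll";
    int exitCode = 1;

    // Open the target process with the access rights the later calls need.
    HANDLE processHandle = OpenProcess(PROCESS_QUERY_INFORMATION        // Also listed among the rights 'CreateRemoteThread()' needs.
                                       | PROCESS_CREATE_THREAD            // Required by 'CreateRemoteThread()'.
                                       | PROCESS_VM_OPERATION            // Required by 'VirtualAllocEx()'.
                                       | PROCESS_VM_WRITE,                // Required by 'WriteProcessMemory()'.
                                       FALSE, 1234);
    if (processHandle == nullptr)
    {
        // No such process, or the caller lacks the privilege to open it.
        return exitCode;
    }

    // Allocate memory in the remote process for the DLL name.
    void *remoteMem = VirtualAllocEx(processHandle, nullptr, sizeof(buf), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (remoteMem != nullptr)
    {
        // "kernel32.dll" is normally mapped at the same address in processes of
        // the same bitness, so the locally resolved address (an address, not an
        // offset) of 'LoadLibraryA()' is reused in the remote process.
        // ('LoadLibrary' itself is a macro, not an exported function.)
        // The explicit 'A' variant keeps the narrow literal valid in UNICODE builds.
        HMODULE kernel32 = GetModuleHandleA("kernel32");
        PTHREAD_START_ROUTINE funcLoadLibrary = nullptr;
        if (kernel32 != nullptr)
        {
            funcLoadLibrary = reinterpret_cast<PTHREAD_START_ROUTINE>(GetProcAddress(kernel32, "LoadLibraryA"));
        }

        // Write the argument for 'LoadLibraryA()' and confirm it was fully copied.
        SIZE_T written = 0;
        if (funcLoadLibrary != nullptr
            && WriteProcessMemory(processHandle, remoteMem, buf, ArrLen(buf), &written)
            && written == ArrLen(buf))
        {
            // Create the remote thread, which runs 'LoadLibraryA(remoteMem)'.
            // The loaded DLL's 'case DLL_PROCESS_ATTACH' branch runs as a result.
            HANDLE hThread = CreateRemoteThread(processHandle, nullptr, 0, funcLoadLibrary, remoteMem, 0, nullptr);
            if (hThread != nullptr)
            {
                // Wait for completion of the remote task.
                if (WaitForSingleObject(hThread, INFINITE) == WAIT_OBJECT_0)
                {
                    exitCode = 0;
                }
                CloseHandle(hThread);
            }
        }

        // The name buffer is no longer needed once the thread is done (or never started).
        VirtualFreeEx(processHandle, remoteMem, 0, MEM_RELEASE);
    }

    CloseHandle(processHandle);
    return exitCode;
}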

转载于:https://www.cnblogs.com/walfud/archive/2012/10/23/2735070.html
