dll注入工具

今天因为测试东西，所以写了一个向别进程注入dll的小程序,代码比较简单,方法也很单一,不过有时候搞测试的时候又找不到这样的工具,所以写了一个.

使用方法:
/p [进程名]
/pid [进程id]
/d [要注入的dll]
/w [等待时间]

/p 和/pid 后面可以同时跟多个参数,用,连接,例如
/p notepad.exe,explorer.exe

/pid 1232,1345

/p 和 /pid 不要同时使用，不然最前面的不能被注入

下载

同时贴出源代码:
#include <Windows.h>
#include <tlhelp32.h>
#include <stdio.h>

DWORD* FindTarget( LPCTSTR lpszProcess )
{
 char* pSzcmd = new char [strlen(lpszProcess)+1];
 strcpy(pSzcmd,lpszProcess);
 char* pszcmdbak = pSzcmd;
 char* pvlist[100];
 int b = 0;
 pvlist[0] = 0;
 for (int i=0;pSzcmd[i] != 0;i++)
 {
  if (pSzcmd[i] == 0x2C)
  {
   pSzcmd[i] = 0;
   pvlist[b] = pSzcmd;
   b++;
   pSzcmd = pSzcmd+i+1;
  }
 }
 pvlist[b] = pSzcmd;
 pvlist[b+1] = 0;
 DWORD* pdwPids = new DWORD [100];
 pdwPids[0] = 0;
 DWORD pdwI = 0;
 HANDLE hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
 PROCESSENTRY32 pe32;
 pe32.dwSize = sizeof( PROCESSENTRY32 );
 Process32First( hSnapshot, &pe32 );
 do
 {
  for (int i=0;pvlist[i] !=0;i++)
  {
   if ( strcmpi( pe32.szExeFile, pvlist[i] ) == 0 )
   {
    if (pdwI > 99)
     break;
    pdwPids[pdwI] = pe32.th32ProcessID;
    pdwI++;
    pdwPids[pdwI] = 0;
   }
  }
 } while ( Process32Next( hSnapshot, &pe32 ) );
 CloseHandle( hSnapshot );
 delete pszcmdbak;
 return pdwPids;
}

 

void main(int argc, char* argv[])
{

 if (argc < 3)
 {
  printf("Need process name and dll name to inject!\n"
   "explame:inject.exe /pid 1210 /d c:\\inject.dll");
  return;
 }
 /*
 HANDLE phFile = CreateFile(argv[2], GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if (phFile == INVALID_HANDLE_VALUE)
 {
  printf("");
 }
 */
 DWORD* pPids = new DWORD [100];
 DWORD* pProcessIDs = 0;
 char *pszDLL = 0;
 DWORD pWait = 1000;
 for (int i=0;i<argc;i++)
 {
  if (strcmpi(argv[i],"/pid") == 0)
  {
   int a = 0;
   char* pszids = new char [strlen(argv[i+1])+1];
   strcpy(pszids,argv[i+1]);
   char* ps2 = pszids;

   for (int x = 0;ps2[x] != 0;x++)
   {
    if (ps2[x] == 0x2C)
    {
     ps2[x] = 0;
     pPids[a] = atol(ps2);
     ps2 = ps2+x+1;
     x = 0;
     a++;
    }
   }
   pPids[a] = atol(ps2);
   pPids[a+1] = 0;
   pProcessIDs = pPids;
   delete pszids;
   continue;
  }
  if (strcmpi(argv[i],"/p") == 0)
  {
   pProcessIDs=FindTarget(argv[i+1]);
   continue;
  }
  if (strcmpi(argv[i],"/d") == 0)
  {
   pszDLL = argv[i+1];
   continue;
  }
  if (strcmpi(argv[i],"/w") == 0)
  {
   pWait = atol(argv[i+1]);
   continue;
  }
 }
 if (pProcessIDs == 0 || pProcessIDs[0] == 0)
 {
  printf("Not find anyone process!");
  return;
 }
 if (pszDLL == 0)
 {
  printf("must have a dll for inject!");
  return;
 }
 for (int i=0;pProcessIDs[i] != 0;i++)
 {
  HANDLE phProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, pProcessIDs[i]);
  if (phProcess == INVALID_HANDLE_VALUE)
  {
   printf("Error while open process!");
   return;
  }

  DWORD dwSize, dwWritten;
  dwSize = lstrlenA( pszDLL ) + 1;
  LPVOID lpBuf = VirtualAllocEx( phProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE );
  if ( NULL == lpBuf )
  {
   printf("Error while Alloc memory!");
   CloseHandle( phProcess );
   return;
  }
  if ( WriteProcessMemory( phProcess, lpBuf, (LPVOID)pszDLL, dwSize, &dwWritten ) )
  {
   if ( dwWritten != dwSize )
   {
    VirtualFreeEx( phProcess, lpBuf, dwSize, MEM_DECOMMIT );
    CloseHandle( phProcess );
    printf("Error while Write data to memory!");
    return;
   }
  }
  else
  {
   CloseHandle( phProcess );
   printf("Error while Write data to memory!");
   return;
  }

  DWORD dwID;
  LPVOID pFunc = LoadLibraryA;
  HANDLE hThread = CreateRemoteThread( phProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunc, lpBuf, 0, &dwID );

  WaitForSingleObject(hThread,pWait);
  VirtualFreeEx( phProcess, lpBuf, dwSize, MEM_DECOMMIT );
  CloseHandle( hThread );
  CloseHandle(phProcess);
 }
 delete pProcessIDs;
 return;
}

转载于:https://www.cnblogs.com/lifeengines/archive/2006/11/21/566791.html