#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>
#include "Winbase.h"
/* OpenThread is resolved by name at start-up instead of being linked
 * statically (older SDK headers do not declare it).  The file-scope
 * initializer below calls functions, and bool/true/false are used later
 * without <stdbool.h>: both require this file to be compiled as C++.
 * NOTE(review): GetProcAddress's result is never checked, so if the export
 * is missing, injectModulToProcess() calls through a null function pointer.
 * NOTE(review): current SDKs already declare OpenThread in winbase.h; this
 * definition would then collide with it -- confirm against the target SDK. */
typedef HANDLE (WINAPI *_OPENTHREAD)(DWORD,BOOL,DWORD);
_OPENTHREAD OpenThread=(_OPENTHREAD)GetProcAddress(GetModuleHandle(("Kernel32.dll")),"OpenThread");
/* Size of the DLL path buffer; also the limit handed to GetCurrentDirectory(). */
#define def_buf_size 1024
/* Full path of the DLL to load in the target.  Filled in by main(), copied
 * verbatim into the target process by injectModulToProcess(). */
char szFullpath[def_buf_size]={0};
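/*
 * Look up a process id by executable image name.
 *
 * pProcessName: image name as listed in the Toolhelp snapshot, e.g.
 *               "explorer.exe".  Compared case-insensitively because Windows
 *               file names are not case-sensitive ("EXPLORER.EXE" is the same
 *               image).  An exact-case match still matches, as before.
 * Returns the PID of the first matching process, or -1 when nothing matches,
 * the snapshot cannot be taken, or pProcessName is NULL.  When several
 * processes share the name, the snapshot order decides which one is returned.
 *
 * Fixes over the original: pe.dwSize was never set, which makes Process32First
 * fail with ERROR_INVALID_PARAMETER; the snapshot handle was never checked and
 * was leaked on every call.
 *
 * NOTE(review): PROCESSENTRY32::szExeFile is a char array only in an ANSI
 * build; with UNICODE defined this needs the W variants of the structures.
 */
int GetProcessPid(char *pProcessName)
{
    HANDLE hSnap;
    PROCESSENTRY32 pe;
    BOOL bMore;
    int pid = -1;

    if (pProcessName == NULL)
    {
        return -1;
    }

    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE)
    {
        return -1;
    }

    /* Toolhelp validates dwSize before touching the rest of the structure. */
    ZeroMemory(&pe, sizeof(pe));
    pe.dwSize = sizeof(pe);

    for (bMore = Process32First(hSnap, &pe); bMore; bMore = Process32Next(hSnap, &pe))
    {
        if (lstrcmpiA(pProcessName, pe.szExeFile) == 0)
        {
            pid = (int)pe.th32ProcessID;
            break;
        }
    }

    /* The snapshot is a kernel object and must be released. */
    CloseHandle(hSnap);
    return pid;
}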
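/*
 * Load the DLL named by the global szFullpath into process dwProcessid by
 * queueing a user-mode APC that calls LoadLibraryA(path) on each of its
 * threads.
 *
 * dwProcessid: target process id (from GetProcessPid()).
 * Returns true when at least one APC was queued, false on any earlier
 * failure.  "Queued" is not "executed": an APC only runs when its thread next
 * enters an alertable wait, so the DLL may load later, or never if no thread
 * ever waits alertably.
 *
 * Preconditions:
 *  - szFullpath is NUL-terminated within its buffer (checked below).
 *  - The global OpenThread pointer was resolved (checked below).
 *  - Injector and target have the same bitness.  The APC routine is this
 *    process's own LoadLibraryA address; it is only valid in the target
 *    because Kernel32.dll is mapped at one base for all processes of the
 *    same architecture within a boot session.
 *
 * Fixes over the original: bRet/lpData were read uninitialized when
 * OpenProcess or VirtualAllocEx failed; sizeof(szFullpath)+1 bytes were read
 * from a sizeof(szFullpath) array (one byte past the end); the number-of-bytes
 * argument was a DWORD* where WriteProcessMemory takes a SIZE_T*; OpenThread
 * was called without a NULL check; te.dwSize was set but the process handle
 * was closed before a failed injection could release the remote buffer.  The
 * access masks are reduced to what each API documents as required, and the
 * remote buffer is PAGE_READWRITE: it only ever holds a string that
 * LoadLibraryA reads, so it does not need to be executable.
 *
 * Deliberately unchanged: every thread of the target gets an APC, so
 * LoadLibraryA may run several times there (later calls only bump the
 * module's reference count), and on success the remote buffer is left
 * allocated because it has to outlive every queued APC.
 */
bool injectModulToProcess(DWORD dwProcessid)
{
    HANDLE hProcess;
    LPVOID lpRemotePath;
    SIZE_T cbPath;
    SIZE_T cbWritten = 0;
    HANDLE hSnap;
    THREADENTRY32 te;
    bool bQueued = false;

    /* Resolved by GetProcAddress at start-up; may legitimately be NULL. */
    if (OpenThread == NULL)
    {
        return false;
    }

    /* Refuse an unterminated path rather than copying past the array. */
    if (memchr(szFullpath, '\0', sizeof(szFullpath)) == NULL)
    {
        return false;
    }
    cbPath = strlen(szFullpath) + 1;   /* include the terminating NUL */

    /* VirtualAllocEx/VirtualFreeEx need PROCESS_VM_OPERATION,
     * WriteProcessMemory needs PROCESS_VM_WRITE on top of that. */
    hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwProcessid);
    if (hProcess == NULL)
    {
        return false;
    }

    lpRemotePath = VirtualAllocEx(hProcess, NULL, cbPath, MEM_COMMIT, PAGE_READWRITE);
    if (lpRemotePath == NULL)
    {
        CloseHandle(hProcess);
        return false;
    }

    /* A short write would hand LoadLibraryA a truncated path; treat it as failure. */
    if (!WriteProcessMemory(hProcess, lpRemotePath, szFullpath, cbPath, &cbWritten)
        || cbWritten != cbPath)
    {
        VirtualFreeEx(hProcess, lpRemotePath, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return false;
    }

    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (hSnap != INVALID_HANDLE_VALUE)
    {
        ZeroMemory(&te, sizeof(te));
        te.dwSize = sizeof(te);   /* Toolhelp validates dwSize first */
        if (Thread32First(hSnap, &te))
        {
            do
            {
                /* TH32CS_SNAPTHREAD lists every thread on the system. */
                if (te.th32OwnerProcessID == dwProcessid)
                {
                    /* THREAD_SET_CONTEXT is the right QueueUserAPC requires. */
                    HANDLE hThread = OpenThread(THREAD_SET_CONTEXT, FALSE, te.th32ThreadID);
                    if (hThread != NULL)
                    {
                        /* LoadLibraryA (HMODULE(LPCSTR)) is passed as a PAPCFUNC
                         * (void(ULONG_PTR)); both take one pointer-sized argument,
                         * which is what makes this cast work in practice. */
                        if (QueueUserAPC((PAPCFUNC)LoadLibraryA, hThread, (ULONG_PTR)lpRemotePath) != 0)
                        {
                            bQueued = true;
                        }
                        CloseHandle(hThread);
                    }
                }
            } while (Thread32Next(hSnap, &te));
        }
        CloseHandle(hSnap);
    }

    /* No APC will ever read the buffer if none was queued, so release it;
     * otherwise it must stay mapped for the pending APCs. */
    if (!bQueued)
    {
        VirtualFreeEx(hProcess, lpRemotePath, 0, MEM_RELEASE);
    }
    CloseHandle(hProcess);
    return bQueued;
}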
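/*
 * Entry point: build "<current directory>\Dlltest.dll" in szFullpath and
 * inject it into explorer.exe, printing the original success/failure message.
 *
 * Returns 0 on success and 1 when the path cannot be built, explorer.exe is
 * not found, or the injection fails.
 *
 * Fixes over the original: GetCurrentDirectory's return value (0 on failure,
 * required size when the buffer is too small) was ignored, and the file name
 * was appended with an unbounded strcat; a -1 from GetProcessPid was passed
 * straight to the injector as a DWORD.
 */
int main()
{
    static const char szDllName[] = "\\Dlltest.dll";   /* sizeof includes the NUL */
    char szProcessname[64]="explorer.exe";
    DWORD cchDir;
    int pid;

    cchDir = GetCurrentDirectory(def_buf_size, szFullpath);
    if (cchDir == 0 || cchDir >= def_buf_size
        || cchDir + sizeof(szDllName) > sizeof(szFullpath))
    {
        /* Failed or would not fit; szFullpath may be empty or partial here. */
        printf("%s注入失败",szFullpath);
        return 1;
    }
    strcat(szFullpath, szDllName);   /* room verified above */

    pid = GetProcessPid(szProcessname);
    if (pid < 0)
    {
        printf("%s注入失败",szFullpath);
        return 1;
    }

    if (!injectModulToProcess((DWORD)pid))
    {
        printf("%s注入失败",szFullpath);
        return 1;
    }

    printf("%s注入成功",szFullpath);
    return 0;
}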
提示:
所谓DLL注入就是将一个DLL放进某个进程的地址空间里,让它成为那个进程的一部分。要实现DLL注入,首先需要打开目标进程。本例的做法是:用 OpenProcess 打开目标进程,用 VirtualAllocEx/WriteProcessMemory 把 DLL 的完整路径写入目标进程,再用 QueueUserAPC 向目标进程的每个线程排入一个 APC,让线程自己去调用 LoadLibraryA 加载这个路径(而不是用 CreateRemoteThread 创建远程线程)。
OK,现在目标进程也能访问这个路径字符串了(即代码中 lpData 指向的远程内存),但 QueueUserAPC 需要的回调函数地址好像不好办:我怎么可能知道 LoadLibraryA 在目标进程中的地址呢?其实 Windows 为我们解决了这个问题。LoadLibraryA 位于核心 DLL Kernel32.dll 中,而在同一次开机会话内,Windows 会把这个 DLL 映射到每个(相同位数的)进程中的同一基址上:ASLR 只在开机时为系统 DLL 随机化一次基址,并不逐进程随机化。因此你的进程中 LoadLibraryA 的地址和目标进程中 LoadLibraryA 的地址是相同的(该 DLL 导出的其他函数也是如此)。注意两个前提:第一,注入程序与目标进程的位数必须一致,32 位注入程序传给 64 位进程的地址是无效的,反之亦然;第二,QueueUserAPC 排入的 APC 只会在目标线程进入可警告等待(alertable wait)时执行,所以注入不一定立即生效,若线程从不进入该状态则永远不会执行。至此,DLL 注入的流程就结束了。