// Test_Inject_Dll.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <windows.h>
#include <TLHELP32.H>
int EnableDebugPriv(char szName[]);
// Inject a DLL by creating a remote thread.
// char szDllFullPath[]      full path of the DLL file.
// DWORD dwRemoteProcessID   ID of the process to inject into.
// Returns: TRUE  injection succeeded
//          FALSE failed
/*
 * InjectDll - make another process load a DLL by starting a thread in it
 * whose entry point is kernel32!LoadLibraryA and whose argument is a copy
 * of the DLL path written into that process's address space.
 *
 * szDllFullPath     NUL-terminated ANSI path of the DLL. The path is
 *                   resolved by the target process, not by this one.
 * dwRemoteProcessID PID of the target process.
 * Returns TRUE once CreateRemoteThread has succeeded, FALSE on any earlier
 * failure; the Win32 last-error value is not preserved for the caller.
 *
 * NOTE(review): OpenProcess with PROCESS_VM_WRITE|PROCESS_CREATE_THREAD,
 * VirtualAllocEx, WriteProcessMemory and a remote thread starting at
 * LoadLibraryA is the textbook remote-thread injection sequence; each step
 * is a common telemetry point for endpoint monitoring, so this behaviour is
 * readily observable rather than covert.
 *
 * NOTE(review): no resource is released on any path - hRemoteProcess and
 * hRemoteThread are never closed and the remote buffer is never freed with
 * VirtualFreeEx - and the thread is not waited on, so a LoadLibraryA
 * failure inside the target is never reported back.
 *
 * The char buffers passed to lstrlen/GetModuleHandle imply a non-UNICODE
 * build; under UNICODE these calls would not type-check.
 */
BOOL InjectDll(char szDllFullPath[],DWORD dwRemoteProcessID)
{
    HANDLE hRemoteProcess;
    // SeDebugPrivilege is what lets OpenProcess succeed on processes this
    // user could not otherwise open; failing to enable it aborts early.
    if(EnableDebugPriv(SE_DEBUG_NAME) == 0)
    {
        return FALSE;
    }
    // Open the target with exactly the access the three calls below need.
    // NOTE(review): this handle is leaked on every return path.
    if((hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD |
        PROCESS_VM_OPERATION | PROCESS_VM_WRITE,FALSE,dwRemoteProcessID))==
        NULL)
    {
        return FALSE;
    }
    char * pszLibFileRemote;
    // Commit a buffer in the target's address space sized for the ANSI
    // path plus its terminating NUL. It is never released.
    pszLibFileRemote = (char *)VirtualAllocEx(
        hRemoteProcess,NULL,lstrlen(szDllFullPath)+1,MEM_COMMIT,PAGE_READWRITE);
    if(pszLibFileRemote == NULL)
    {
        return FALSE;
    }
    // Copy the path into that buffer. The bytes-written out-parameter is
    // not requested, so only a zero return value signals a problem.
    if(WriteProcessMemory(hRemoteProcess,pszLibFileRemote,(void
        *)szDllFullPath,lstrlen(szDllFullPath)+1,NULL) == 0)
    {
        return FALSE;
    }
    // Resolve LoadLibraryA in *this* process. The address is only valid in
    // the target if kernel32.dll is mapped at the same base there, which
    // does not hold across a 32-/64-bit boundary.
    PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
        GetProcAddress(GetModuleHandle("Kernel32"),"LoadLibraryA");
    if(pfnStartAddr == NULL)
    {
        return FALSE;
    }
    // Start a thread in the target at pfnStartAddr (LoadLibraryA) with
    // pszLibFileRemote as its single argument, so the target itself loads
    // the DLL. Success here only means the thread was created, not that
    // the load succeeded.
    // NOTE(review): hRemoteThread is neither waited on nor closed.
    HANDLE hRemoteThread;
    if((hRemoteThread =
        CreateRemoteThread(hRemoteProcess,NULL,0,pfnStartAddr,pszLibFileRemote,0,NULL))
        == NULL)
    {
        return FALSE;
    }
    return TRUE;
}
// Look up a process ID by executable name.
// Returns 0 if no such process exists.
// char szProcName[]  process name, i.e. the .exe file name.
/*
 * GetProcID - return the PID of the first running process whose executable
 * name equals szProcName, or 0 when none matches.
 *
 * szProcName  executable file name to match (compared with strcmp, so the
 *             comparison is case-sensitive even though Windows image names
 *             are not).
 *
 * NOTE(review): the snapshot handle is never checked against
 * INVALID_HANDLE_VALUE and never closed, so each call leaks one handle.
 */
DWORD GetProcID(char szProcName[])
{
    HANDLE th = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    // dwSize must be filled in before Process32First will accept the struct.
    PROCESSENTRY32 pe = {sizeof(pe)};
    DWORD dwProcID = 0;
    BOOL bOK=Process32First(th,&pe);
    while(bOK)
    {
        // NOTE(review): advancing before comparing means the entry that
        // Process32First filled in is never examined, and on the last
        // iteration the comparison runs after Process32Next has failed.
        bOK = Process32Next(th,&pe);
        // NOTE(review): '//' is a multi-character constant (two forward
        // slashes), not the backslash '\\' presumably intended. szExeFile
        // normally holds just the file name, so the NULL branch is the
        // one taken in practice.
        LPCTSTR lpszExeFile = strrchr(pe.szExeFile,'//');
        if(lpszExeFile == NULL)
            lpszExeFile = pe.szExeFile;
        else
            lpszExeFile++;
        // Exact, case-sensitive match on the base name.
        if(strcmp(szProcName,lpszExeFile) == 0)
        {
            dwProcID = pe.th32ProcessID;
            break;
        }
    }
    return dwProcID;
}
// Raise this process's privileges to DEBUG mode (enable the named privilege, here SeDebugPrivilege).
/*
 * EnableDebugPriv - enable the named privilege (the caller passes
 * SE_DEBUG_NAME) in the current process's access token.
 *
 * szName  privilege name as understood by LookupPrivilegeValue.
 * Returns 1 when every API call returned success, 0 otherwise.
 *
 * NOTE(review): AdjustTokenPrivileges returns nonzero even when the
 * privilege is not held by the token (GetLastError() then reports
 * ERROR_NOT_ALL_ASSIGNED), so a return of 1 does not prove the privilege
 * was actually enabled; that case only surfaces later when OpenProcess
 * fails. SeDebugPrivilege is normally present only for administrators,
 * and enabling it is a commonly audited event.
 *
 * NOTE(review): hToken is never closed on any path.
 */
int EnableDebugPriv(char szName[])
{
    HANDLE hToken;
    TOKEN_PRIVILEGES tp;
    LUID luid;
    // Open our own token with the rights needed to adjust privileges.
    if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
    {
        return 0;
    }
    // Translate the privilege name to the LUID the token API works with.
    // char* argument implies a non-UNICODE build.
    if(!LookupPrivilegeValue(NULL,szName,&luid))
    {
        return 0;
    }
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    tp.Privileges[0].Luid = luid;
    // Apply the change; see the function comment about the return value.
    if(!AdjustTokenPrivileges(hToken,0,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL))
    {
        return 0;
    }
    return 1;
}
/*
 * Entry point: injects a hard-coded DLL into the first process named
 * "notepad.exe".
 *
 * NOTE(review): the DLL name is a bare relative name, and LoadLibraryA runs
 * inside the target, so it is resolved by the target's search order, not
 * relative to this program's directory. Neither GetProcID's 0 result (no
 * such process) nor InjectDll's FALSE is checked, so the program always
 * exits 0 and gives no indication of failure.
 */
int main(int argc, char* argv[])
{
    InjectDll("DLL注入测试.dll",GetProcID("notepad.exe"));
    return 0;
}
一个注入dll到进程中的工程