// 这几天没日没夜的做一个项目,涉及到消息钩子、线程注入还有数据加密,
// 经过不断地学习,消息钩子和线程注入模块均已实现,将核心代码贡献出来,
// 希望能与大家共同进步,如哪位大虾有更好的方法,请多多指点,呵呵。
// 不要用在病毒上面哦,VC6.0测试通过
#include <winsock2.h>
#include <stdio.h>
#include <tlhelp32.h>
#pragma comment (lib,"Advapi32.lib")
// Entry point. Two steps: (1) walk a Toolhelp process snapshot to find a
// process whose image name is "notepad.exe"; (2) copy the path of
// NoProcessDll.dll (taken from the current directory) into that process and
// start a remote thread at LoadLibraryW so the target loads the DLL.
//
// Defender's view: the access mask requested in OpenProcess below
// (PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD on a
// foreign process) followed by VirtualAllocEx / WriteProcessMemory /
// CreateRemoteThread with a start address inside Kernel32 is the classic
// remote-thread DLL-load sequence; each of those calls is an auditable
// event on the host.
//
// Return value: always 0 — failures are reported via MessageBox (or not at
// all; see the NOTE(review) comments on unchecked calls).
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
// Find the pid of the notepad.exe process //
// NOTE(review): pid is only assigned inside the match branch below; if no
// notepad.exe exists it is used uninitialised in OpenProcess.
DWORD pid;
HANDLE hSnapshot = NULL;
// NOTE(review): CreateToolhelp32Snapshot returns INVALID_HANDLE_VALUE on
// failure; the result is not checked before Process32First.
hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
PROCESSENTRY32 pe;
pe.dwSize = sizeof(PROCESSENTRY32); // Toolhelp requires dwSize to be set before the first call
Process32First(hSnapshot,&pe); // NOTE(review): return value not checked; the do/while reads pe regardless
do
{
// Case-insensitive compare against the image name of the process to inject into
if(stricmp(pe.szExeFile,"notepad.exe")==0) //name of the target process
{
pid = pe.th32ProcessID;
break; // first match wins; other notepad.exe instances are ignored
}
}
while(Process32Next(hSnapshot,&pe)==TRUE);
CloseHandle (hSnapshot);
// Inject the DLL into the notepad.exe process //
PWSTR pszLibFileRemote = NULL; // address of the path string inside the target process
HANDLE hRemoteProcess = NULL,hRemoteThread = NULL;
// The four rights are the minimum the steps below need; any process
// requesting them on another process is a strong detection signal.
hRemoteProcess = OpenProcess(
PROCESS_QUERY_INFORMATION | // Required by Alpha
PROCESS_CREATE_THREAD | // For CreateRemoteThread
PROCESS_VM_OPERATION | // For VirtualAllocEx/VirtualFreeEx
PROCESS_VM_WRITE, // For WriteProcessMemory
FALSE, pid);
if(hRemoteProcess==NULL)
{
::MessageBox(NULL,"无法打开该进程!",NULL,MB_OK); // "cannot open the process"
return 0;
}
else
::MessageBox(NULL,"已打开该进程!",NULL,MB_OK); // "process opened"
// Build "<current dir>//NoProcessDll.dll" as an ANSI path.
// NOTE(review): GetCurrentDirectory may fill up to 255 chars and its return
// value (required size when the buffer is too small) is ignored, so the
// unchecked strcat can overrun the 256-byte CurPath.
// NOTE(review): "//" looks like it was meant to be "\\" (one backslash in the
// path); Win32 usually tolerates forward slashes, but confirm the doubled
// separator resolves on the target.
char CurPath[256];
GetCurrentDirectory(256,CurPath);
strcat(CurPath,"//NoProcessDll.dll");
// Byte length of the UTF-16 copy, including the terminating NUL.
int len = (strlen(CurPath)+1)*2;
WCHAR wCurPath[256];
// -1: convert the whole NUL-terminated string; return value is not checked.
MultiByteToWideChar(CP_ACP,0,CurPath,-1,wCurPath,256);
// Reserve a buffer in the target for the wide path. NOTE(review): a NULL
// result (allocation failure) is not checked before WriteProcessMemory.
pszLibFileRemote = (PWSTR)
VirtualAllocEx(hRemoteProcess, NULL, len, MEM_COMMIT, PAGE_READWRITE);
// Copy the path into the target; return value not checked.
WriteProcessMemory(hRemoteProcess, pszLibFileRemote,
(PVOID) wCurPath, len, NULL);
// Resolve LoadLibraryW in this process and reuse the address as the remote
// thread's start routine — this assumes Kernel32 is mapped at the same
// address in the target process.
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
// The remote thread runs LoadLibraryW(pszLibFileRemote) inside the target.
// NOTE(review): the thread handle is not checked or waited on, and neither
// hRemoteThread nor hRemoteProcess is closed; the remote allocation is never
// freed with VirtualFreeEx.
hRemoteThread = CreateRemoteThread(hRemoteProcess, NULL, 0,
pfnThreadRtn, pszLibFileRemote, 0, NULL);
return 0;
}