// InjectDemo.cpp: entry point of the console injector (loads DemoDll.dll into a target process by PID).
//
#include "stdafx.h"
#include<Windows.h>
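int main(int argc, char* argv[])
{
    // Injects DemoDll.dll (expected next to the current directory) into another
    // process: allocate a buffer in the target, write the DLL's absolute path into
    // it, and start a remote thread at kernel32!LoadLibraryA with that buffer as its
    // argument. The target PID is taken from argv[1] when present, else from stdin.
    // Returns 0 on success and 1 on any failure.
    //
    // Limitations a reader should know before pointing this at anything real:
    //  - Injector, target and DLL must share bitness. The LoadLibraryA address is
    //    resolved in *this* process and assumed valid in the target, which only
    //    holds when both map the same kernel32 at the same base.
    //  - Opening a process owned by another user, or an elevated/protected one,
    //    needs matching integrity/privileges (typically SeDebugPrivilege); nothing
    //    here tries to enable any.
    DWORD dwPID = 0;
    const bool bHavePid = (argc > 1) ? (sscanf(argv[1], "%u", &dwPID) == 1)   // DWORD is unsigned: %u, not %d
                                     : (scanf("%u", &dwPID) == 1);
    if (!bHavePid || dwPID == 0)
    {
        printf("Usage: %s [pid]  (or enter the target PID on stdin)\n", argc > 0 ? argv[0] : "InjectDemo");
        return 1;
    }

    int nExit = 1;
    DWORD dwErr = 0;
    // OpenProcess yields NULL (not INVALID_HANDLE_VALUE) on failure, so NULL is the
    // sentinel for every handle below.
    HANDLE hProcess = nullptr;
    HANDLE hThread = nullptr;
    LPVOID pRemotePath = nullptr;

    do
    {
        // Least privilege: this is the documented right set needed by
        // VirtualAllocEx + WriteProcessMemory + CreateRemoteThread; PROCESS_ALL_ACCESS
        // is more than the job needs and is refused more often.
        const DWORD dwAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                               PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
        hProcess = OpenProcess(dwAccess, FALSE, dwPID);
        if (hProcess == nullptr)
        {
            dwErr = GetLastError();   // e.g. ERROR_ACCESS_DENIED, or ERROR_INVALID_PARAMETER for a dead PID
            break;
        }

        // Build an absolute path: the target's LoadLibraryA would resolve a bare
        // file name against the *target's* search path, not ours.
        static const char kDllName[] = "\\DemoDll.dll";
        char szDllPath[MAX_PATH] = { 0 };
        const DWORD dwDirLen = GetCurrentDirectoryA(MAX_PATH, szDllPath);
        if (dwDirLen == 0)
        {
            dwErr = GetLastError();
            break;
        }
        // When the buffer is too small GetCurrentDirectoryA returns the size it
        // needs without setting a last error; the second test keeps the strcat
        // below inside szDllPath (sizeof(kDllName) counts the terminating NUL).
        if (dwDirLen >= MAX_PATH || dwDirLen + sizeof(kDllName) > MAX_PATH)
        {
            dwErr = ERROR_INSUFFICIENT_BUFFER;
            break;
        }
        strcat(szDllPath, kDllName);
        const SIZE_T cbPath = strlen(szDllPath) + 1;   // LoadLibraryA needs the terminator too

        pRemotePath = VirtualAllocEx(hProcess, nullptr, cbPath, MEM_COMMIT, PAGE_READWRITE);
        if (pRemotePath == nullptr)
        {
            dwErr = GetLastError();
            break;
        }

        SIZE_T cbWritten = 0;
        if (!WriteProcessMemory(hProcess, pRemotePath, szDllPath, cbPath, &cbWritten) || cbWritten != cbPath)
        {
            dwErr = GetLastError();
            break;
        }

        // LoadLibraryA(LPCSTR) has exactly the shape of a thread start routine, so
        // the remote thread's argument is the path buffer and its exit code is the
        // HMODULE LoadLibraryA returned.
        const HMODULE hKernel32 = GetModuleHandleA("Kernel32");
        const LPTHREAD_START_ROUTINE pfnLoadLibrary = hKernel32
            ? reinterpret_cast<LPTHREAD_START_ROUTINE>(GetProcAddress(hKernel32, "LoadLibraryA"))
            : nullptr;
        if (pfnLoadLibrary == nullptr)
        {
            dwErr = GetLastError();
            break;
        }

        hThread = CreateRemoteThread(hProcess, nullptr, 0, pfnLoadLibrary, pRemotePath, 0, nullptr);
        if (hThread == nullptr)
        {
            dwErr = GetLastError();
            break;
        }

        if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0)
        {
            dwErr = GetLastError();
            break;
        }
        DWORD dwExitCode = 0;
        if (!GetExitCodeThread(hThread, &dwExitCode))
        {
            dwErr = GetLastError();
            break;
        }
        // A NULL HMODULE means the load failed inside the target (missing DLL,
        // bitness mismatch, DllMain returned FALSE). Only the low 32 bits of the
        // HMODULE survive as a thread exit code, so on 64-bit targets this is a
        // strong hint rather than a proof of success.
        if (dwExitCode == 0)
        {
            printf("LoadLibraryA failed inside PID %u (DLL missing, wrong bitness, or DllMain returned FALSE)\n", dwPID);
            break;
        }

        printf("Injected %s into PID %u\n", szDllPath, dwPID);
        nExit = 0;
    } while (false);

    if (dwErr != 0)
    {
        printf("Error Code:%u\n", dwErr);
    }

    // Release in reverse order. The remote buffer is only freed after the thread
    // has finished, so LoadLibraryA never reads freed memory.
    if (hThread != nullptr)
    {
        CloseHandle(hThread);
    }
    if (pRemotePath != nullptr)
    {
        VirtualFreeEx(hProcess, pRemotePath, 0, MEM_RELEASE);
    }
    if (hProcess != nullptr)
    {
        CloseHandle(hProcess);
    }
    return nExit;
}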
DLL (DemoDll.dll, the module the injector above loads into the target):
// dllmain.cpp : entry point of the DLL; installs an inline hook on user32!GetMessageW at process attach.
#include "stdafx.h"
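class MyHookClass {
public:
    // Size of the patch: one E9 opcode followed by a 32-bit relative displacement.
    static constexpr SIZE_T kPatchSize = 5;

    MyHookClass()
    {
        m_pfnOld = nullptr;
        ZeroMemory(m_bNewBytes, kPatchSize);
        ZeroMemory(m_bOldBytes, kPatchSize);
    }

    // The object owns a live code patch; two copies would both try to restore it.
    MyHookClass(const MyHookClass&) = delete;
    MyHookClass& operator=(const MyHookClass&) = delete;

    ~MyHookClass()
    {
        UnHook();
    }

    /*
     * Install an inline hook: overwrite the first 5 bytes of an exported function
     * with `jmp rel32` to pHookFunc.
     *
     * @param szModuleName  module that exports the target (must already be loaded;
     *                      GetModuleHandleA does not load it)
     * @param szFuncName    name of the exported function to redirect
     * @param pHookFunc     replacement; must use the target's calling convention and
     *                      signature, and must call UnHook() before calling the
     *                      original because no trampoline is generated
     * @return TRUE when the patch was written, FALSE otherwise (unknown module or
     *         export, null hook, target out of rel32 range, read/write failure, or
     *         an already-installed hook). On FALSE nothing was modified.
     *
     * Caveats: a 5-byte relative jmp assumes x86-style code; on 64-bit builds the
     * displacement must fit in +/-2 GiB and the call is refused otherwise. Patching
     * is not synchronised against other threads that may be executing the target.
     */
    BOOL Hook(const char* szModuleName, const char* szFuncName, PROC pHookFunc)
    {
        // A second Hook() would capture the jmp as the "original" bytes and make
        // UnHook() unable to restore the function, so refuse it.
        if (m_pfnOld != nullptr || pHookFunc == nullptr)
        {
            return FALSE;
        }

        const HMODULE hModule = GetModuleHandleA(szModuleName);
        if (hModule == nullptr)
        {
            return FALSE;
        }
        const PROC pfnTarget = GetProcAddress(hModule, szFuncName);
        if (pfnTarget == nullptr)
        {
            return FALSE;
        }

        // rel32 is measured from the end of the 5-byte instruction. Unsigned
        // arithmetic gives the same wrapped value the original (DWORD) formula did
        // on 32-bit builds; the round-trip through LONG rejects targets that are
        // unreachable on 64-bit builds instead of silently truncating.
        const LONG_PTR disp = static_cast<LONG_PTR>(
            reinterpret_cast<ULONG_PTR>(pHookFunc) -
            (reinterpret_cast<ULONG_PTR>(pfnTarget) + kPatchSize));
        if (static_cast<LONG_PTR>(static_cast<LONG>(disp)) != disp)
        {
            return FALSE;
        }

        // Save the original bytes first; without them UnHook() would write zeros.
        BYTE bOld[kPatchSize];
        SIZE_T cb = 0;
        if (!ReadProcessMemory(GetCurrentProcess(), pfnTarget, bOld, kPatchSize, &cb) || cb != kPatchSize)
        {
            return FALSE;
        }

        BYTE bNew[kPatchSize];
        bNew[0] = 0xE9;
        const LONG rel32 = static_cast<LONG>(disp);
        memcpy(bNew + 1, &rel32, sizeof(rel32));   // unaligned store done portably

        if (!WriteProcessMemory(GetCurrentProcess(), pfnTarget, bNew, kPatchSize, &cb) || cb != kPatchSize)
        {
            return FALSE;
        }

        // Commit state only after the patch is in place.
        m_pfnOld = pfnTarget;
        memcpy(m_bOldBytes, bOld, kPatchSize);
        memcpy(m_bNewBytes, bNew, kPatchSize);
        return TRUE;
    }

    // Restore the original bytes but keep the target remembered so ReHook() can
    // re-apply the patch (used by the hook function to call the real routine).
    void UnHook()
    {
        if (m_pfnOld == nullptr)
        {
            return;
        }
        SIZE_T cb = 0;
        WriteProcessMemory(GetCurrentProcess(), m_pfnOld, m_bOldBytes, kPatchSize, &cb);
    }

    // Re-apply a previously installed patch after UnHook().
    // @return true only if the jmp was actually written back.
    bool ReHook()
    {
        if (m_pfnOld == nullptr)
        {
            return false;
        }
        SIZE_T cb = 0;
        const BOOL bOk = WriteProcessMemory(GetCurrentProcess(), m_pfnOld, m_bNewBytes, kPatchSize, &cb);
        return bOk != FALSE && cb == kPatchSize;
    }

private:
    PROC m_pfnOld;               // patched function, nullptr until Hook() succeeds
    BYTE m_bOldBytes[kPatchSize]; // bytes that were at m_pfnOld before patching
    BYTE m_bNewBytes[kPatchSize]; // the jmp rel32 written over them
};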
// Single process-wide hook instance; its destructor removes the patch when the DLL unloads.
MyHookClass g_Hook{};
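BOOL WINAPI MyGetMessageW(_Out_ LPMSG lpMsg, _In_opt_ HWND hWnd, _In_ UINT wMsgFilterMin, _In_ UINT wMsgFilterMax)
{
    // Replacement for user32!GetMessageW installed by g_Hook.
    //
    // The previous version showed a MessageBox and returned TRUE without touching
    // *lpMsg, which handed the caller an uninitialised MSG and, worse, re-entered
    // itself: MessageBoxW runs a modal message loop that calls GetMessageW, so with
    // the patch still in place this function recursed until the stack overflowed.
    //
    // Now: lift the patch, show the demo box once, forward to the real GetMessageW
    // so the return value (TRUE, 0 for WM_QUIT, -1 on error) and *lpMsg are genuine,
    // then re-apply the patch.
    //
    // Not thread-safe: while the patch is lifted other threads reach the real
    // function, and s_bAnnounced is unsynchronised. Fine for a demo, not beyond it.
    static bool s_bAnnounced = false;

    g_Hook.UnHook();
    if (!s_bAnnounced)
    {
        s_bAnnounced = true;
        MessageBoxW(hWnd, L"Hook Success", L"Hook", MB_OK);
    }
    const BOOL bResult = GetMessageW(lpMsg, hWnd, wMsgFilterMin, wMsgFilterMax);
    g_Hook.ReHook();
    return bResult;
}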
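BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    // Installs the GetMessageW hook when the DLL is mapped into a process and
    // lets the global g_Hook's destructor remove it on unload.
    //
    // This runs under the loader lock; the only calls made are kernel32 exports
    // (GetModuleHandleA/GetProcAddress/Read-/WriteProcessMemory) which are
    // generally tolerated here, but nothing that loads a library may be added.
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        // No per-thread state, so skip the DLL_THREAD_ATTACH/DETACH notifications.
        DisableThreadLibraryCalls(hModule);

        // Hook() takes non-const char*, hence the writable buffers.
        char szUser32[MAXBYTE] = "User32.dll";
        char szGetMessageFunc[MAXBYTE] = "GetMessageW";

        // Only processes that already have user32.dll loaded can be hooked this way
        // (GetModuleHandleA does not load it). Failing the attach makes the
        // injector's LoadLibraryA return NULL instead of leaving an inert DLL behind.
        if (!g_Hook.Hook(szUser32, szGetMessageFunc, (PROC)MyGetMessageW))
        {
            return FALSE;
        }
    }
    break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        // Unhooking is done by g_Hook's destructor during CRT teardown.
        break;
    }
    return TRUE;
}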