远程DLL注入、卸载
2016-01-04 16:15
Dll注入
Dll卸载
得到进程ID
Dll注入按钮
Dll卸载按钮
// Loads szDllName into the process identified by dwPid.
//
// Mechanism as written: the DLL path is copied into a block allocated in the
// target (VirtualAllocEx + WriteProcessMemory), then a remote thread is started
// whose entry point is LoadLibraryA and whose argument is that path, so the
// target's own loader maps the DLL.
//
// dwPid      - target process id; 0 is rejected.
// szDllName  - path of the DLL to load in the target; empty is rejected.
// Returns nothing. Only the VirtualAllocEx failure is reported (message box);
// an OpenProcess failure returns silently.
//
// NOTE(review): this call chain — PROCESS_ALL_ACCESS handle, VirtualAllocEx,
// WriteProcessMemory, CreateRemoteThread on LoadLibraryA — is the textbook
// remote-thread injection sequence that endpoint monitoring is built to flag.
void CDllManageDlg::InjectDll(DWORD dwPid, CString szDllName)
{
    // strlen on a CString relies on its implicit LPCTSTR conversion (MBCS build).
    if(dwPid == 0 || strlen(szDllName) == 0)
        return;
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    if(hProcess == NULL)
        return;
    // Convert the CString to a char*.
    // NOTE(review): DllName is used after ReleaseBuffer(); MFC only guarantees the
    // pointer while the buffer is checked out — works in practice but verify.
    char *DllName = szDllName.GetBuffer(szDllName.GetLength());
    szDllName.ReleaseBuffer();
    int nDllLen = strlen(DllName) + sizeof(char);   // + terminating NUL
    // Allocate memory in the target; returns the base address of the block there.
    LPVOID pDllAddr = VirtualAllocEx(hProcess, NULL, nDllLen, MEM_COMMIT, PAGE_READWRITE);
    if(pDllAddr == NULL)
    {
        CloseHandle(hProcess);
        AfxMessageBox("注入失败!");
        return;
    }
    // Copy the DLL path into the target. Neither the return value nor dwWriteNum
    // is checked, so a failed or short write goes unnoticed.
    DWORD dwWriteNum = 0;
    WriteProcessMemory(hProcess, pDllAddr, DllName, nDllLen, &dwWriteNum);
    // Address of LoadLibraryA in *this* process. Using it in the target assumes
    // kernel32 is mapped at the same base in both processes — an assumption the
    // code does not verify.
    LPVOID pFunAddr = LoadLibraryA;
    // Start a thread in the target that runs LoadLibraryA(pDllAddr).
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunAddr, pDllAddr, 0, NULL);
    // Wait until LoadLibrary returns.
    // NOTE(review): hThread is not checked for NULL before the wait / CloseHandle.
    WaitForSingleObject(hThread, INFINITE);
    // Intended to release the block allocated in the target.
    // NOTE(review): passes NULL rather than pDllAddr as the address, so this does
    // not free that block (looks like a leak in the target) — verify.
    VirtualFreeEx( hProcess, NULL, nDllLen, MEM_DECOMMIT );
    CloseHandle(hThread);
    CloseHandle(hProcess);
}
Dll卸载
// Unloads szDllName from the process identified by dwPid, by having the target
// call GetModuleHandleA and then FreeLibrary on the resulting handle.
//
// dwPid      - target process id.
//              NOTE(review): &dwPid is passed as the lpThreadId out-parameter of
//              both CreateRemoteThread calls, so the parameter is overwritten with
//              the first remote thread's id as soon as that call returns.
// szDllName  - name of the DLL to unload; only its length is used below.
// Returns nothing. No call is checked for failure: a NULL hProcess or hThread
// is used as if valid.
void CDllManageDlg::UnInjectDll(DWORD dwPid, char *szDllName)
{
    // Have the target call GetModuleHandle to obtain the DLL's handle there.
    DWORD dwHandle;
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    LPVOID pFunc = GetModuleHandleA;
    // NOTE(review): lpBuf is an uninitialised local array in *this* process;
    // szDllName is never copied into it and it is never written to the target, yet
    // its address is handed to the remote thread as the module-name argument. As
    // written the remote GetModuleHandleA does not receive the DLL name — verify.
    char lpBuf[MAXBYTE];
    HANDLE hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunc, lpBuf, 0, &dwPid );
    // Wait for GetModuleHandle to finish.
    WaitForSingleObject( hThread, INFINITE );
    // The remote thread's exit code is GetModuleHandle's return value.
    // NOTE(review): exit codes are DWORD, so a 64-bit HMODULE would be truncated.
    GetExitCodeThread( hThread, &dwHandle );
    // Intended to release the name buffer in the target.
    // NOTE(review): lpBuf is a stack address in this process, not a block
    // allocated in the target, so this call cannot free anything meaningful.
    int dwSize = strlen(szDllName) + sizeof(char);
    VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT );
    CloseHandle( hThread );
    // Have the target call FreeLibrary on the handle to unload the DLL.
    pFunc = FreeLibrary;
    hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunc, (LPVOID)dwHandle, 0, &dwPid );
    // Wait for FreeLibrary to finish.
    WaitForSingleObject( hThread, INFINITE );
    CloseHandle( hThread );
    CloseHandle( hProcess );
}
得到进程ID
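// Looks up the id of the first running process whose executable name matches
// PName (case-insensitive, Toolhelp snapshot order).
//
// PName  - executable name to look for, e.g. "notepad.exe".
// Returns the process id, or 0 when no process matches or the snapshot
// could not be taken.
//
// Fixes over the original: the snapshot handle is now closed on every path
// (it was leaked), an INVALID_HANDLE_VALUE snapshot is no longer passed to
// Process32First, and the unused nProcessTerminate local is gone.
DWORD CDllManageDlg::GetSelectPid(CString PName)
{
    // Snapshot of all processes currently on the system.
    HANDLE snapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if(snapShot == INVALID_HANDLE_VALUE)
        return 0;

    PROCESSENTRY32 processInfo;
    // dwSize must be set before Process32First, otherwise no entries are returned.
    processInfo.dwSize = sizeof( PROCESSENTRY32 );

    DWORD nProcessID = 0;
    BOOL status = Process32First( snapShot, &processInfo );
    while( status )
    {
        CString strProcessName = processInfo.szExeFile;
        // Case-insensitive match against the requested name; first hit wins.
        if( strProcessName.CompareNoCase( PName ) == 0 )
        {
            nProcessID = processInfo.th32ProcessID;
            break;
        }
        status = Process32Next( snapShot, &processInfo );
    }

    CloseHandle( snapShot );
    return nProcessID;
}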
Dll注入按钮
// Handler for the "inject" button: reads the dialog fields, resolves the
// entered process name to a pid, and loads the entered DLL into that process.
void CDllManageDlg::OnButtonInject()
{
    // Pull the edit-control contents into m_PName / m_DLL.
    UpdateData(TRUE);

    const CString wantedProcess = m_PName;
    const DWORD foundPid = GetSelectPid(wantedProcess);   // 0 when no such process

    // Remember the inputs in the dialog's members; the uninject button reuses them.
    ProcessName = wantedProcess;
    dwPid = foundPid;
    szDllName = m_DLL;

    InjectDll(foundPid, m_DLL);
}
Dll卸载按钮
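// Handler for the "uninject" button: unloads the DLL recorded by the inject
// button (szDllName) from the process recorded there (dwPid).
//
// Fixes over the original: the CString buffer is released only after
// UnInjectDll has used the pointer (it was released first, leaving a pointer
// MFC no longer guarantees), and the call is skipped when nothing has been
// injected yet — the same guard InjectDll applies to its own inputs.
void CDllManageDlg::OnButtonUninject()
{
    if(dwPid == 0 || szDllName.IsEmpty())
        return;

    // Writable char* view of szDllName; valid only until ReleaseBuffer().
    char *DllName = szDllName.GetBuffer(szDllName.GetLength());
    UnInjectDll(dwPid, DllName);
    szDllName.ReleaseBuffer();
}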