
远程DLL注入、卸载

Dll注入

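// dwPid      PID of the target process (0 is rejected)
// szDllName  full path of the DLL to load into the target
//
// Classic CreateRemoteThread + LoadLibraryA injection: the DLL path is copied
// into the target's address space and a remote thread is started at
// LoadLibraryA with that buffer as its single argument. Failure is reported
// only through AfxMessageBox; there is no return value.
//
// Caveats a practitioner should know before relying on this:
//  - The LoadLibraryA address is taken from THIS process and reused in the
//    target. That is only valid while kernel32.dll is mapped at the same base
//    in both processes, i.e. injector and target must be the same bitness
//    (no 32-bit injector into a 64-bit target or vice versa).
//  - OpenProcess fails (and we bail out) for processes we lack rights to,
//    e.g. another user's or protected processes without SeDebugPrivilege.
//  - WaitForSingleObject(INFINITE) blocks the UI thread for as long as the
//    DLL's DllMain takes; a DLL whose DllMain hangs hangs this dialog.
void CDllManageDlg::InjectDll(DWORD dwPid, CString szDllName)
{
    if (dwPid == 0 || szDllName.IsEmpty())
        return;

    // Request only the rights the injection needs instead of PROCESS_ALL_ACCESS
    // (least privilege; it also succeeds against targets that deny ALL_ACCESS).
    const DWORD dwAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE hProcess = OpenProcess(dwAccess, FALSE, dwPid);
    if (hProcess == NULL)
    {
        AfxMessageBox("注入失败!");
        return;
    }

    // Read-only access to the ANSI path; GetBuffer/ReleaseBuffer is not needed.
    const char *DllName = szDllName;
    const SIZE_T nDllLen = strlen(DllName) + sizeof(char);   // include the NUL

    // Commit a buffer in the target to hold the path string.
    LPVOID pDllAddr = VirtualAllocEx(hProcess, NULL, nDllLen, MEM_COMMIT, PAGE_READWRITE);
    if (pDllAddr == NULL)
    {
        CloseHandle(hProcess);
        AfxMessageBox("注入失败!");
        return;
    }

    BOOL bOk = FALSE;
    // SIZE_T, not DWORD: WriteProcessMemory writes a SIZE_T here, which is
    // 8 bytes on x64 and would overrun a 4-byte local.
    SIZE_T dwWriteNum = 0;
    // A short write would hand LoadLibraryA a truncated, unterminated path.
    if (WriteProcessMemory(hProcess, pDllAddr, DllName, nDllLen, &dwWriteNum) && dwWriteNum == nDllLen)
    {
        // kernel32 shares its base across same-bitness processes, so the local
        // LoadLibraryA address is also valid inside the target.
        LPTHREAD_START_ROUTINE pFunAddr = (LPTHREAD_START_ROUTINE)LoadLibraryA;

        HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, pFunAddr, pDllAddr, 0, NULL);
        if (hThread != NULL)
        {
            // Block until LoadLibraryA returns. Its HMODULE becomes the thread
            // exit code; 0 means the load failed (bad path, DllMain returned
            // FALSE, ...). On x64 only the low 32 bits survive, but a non-zero
            // test is still a usable success indicator.
            WaitForSingleObject(hThread, INFINITE);
            DWORD dwExit = 0;
            if (GetExitCodeThread(hThread, &dwExit) && dwExit != 0)
                bOk = TRUE;
            CloseHandle(hThread);
        }
    }

    // Release the whole allocation: MEM_RELEASE needs the base address returned
    // by VirtualAllocEx and a size of 0. The original passed NULL as the
    // address, which frees nothing and leaked the buffer in the target.
    VirtualFreeEx(hProcess, pDllAddr, 0, MEM_RELEASE);
    CloseHandle(hProcess);

    if (!bOk)
        AfxMessageBox("注入失败!");
}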


Dll卸载

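// Unload a DLL previously injected into process dwPid.
// szDllName must be the same name/path that was passed to LoadLibrary, since
// GetModuleHandleA is evaluated in the target with exactly that string.
//
// Mechanism: a first remote thread runs GetModuleHandleA(name) and returns the
// HMODULE as its exit code; a second remote thread runs FreeLibrary(hModule).
//
// Caveats:
//  - A thread exit code is a DWORD, so the HMODULE only survives intact in a
//    32-bit target. In a 64-bit target the upper half is lost and FreeLibrary
//    would receive a corrupt handle. Same-bitness injector/target is also
//    required for the GetModuleHandleA/FreeLibrary addresses to be valid.
//  - FreeLibrary only decrements the module's reference count; a DLL the target
//    loaded on its own, or one injected more than once, stays mapped.
void CDllManageDlg::UnInjectDll(DWORD dwPid, char *szDllName)
{
    if (dwPid == 0 || szDllName == NULL || szDllName[0] == '\0')
        return;

    // Least-privilege access mask instead of PROCESS_ALL_ACCESS.
    const DWORD dwAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE hProcess = OpenProcess(dwAccess, FALSE, dwPid);
    if (hProcess == NULL)
        return;

    // The module name must live in the TARGET's address space. The original
    // passed the address of an uninitialised local stack buffer
    // (char lpBuf[MAXBYTE]) that was never written and means nothing in another
    // process, so GetModuleHandleA in the target read garbage (or faulted).
    const SIZE_T dwSize = strlen(szDllName) + sizeof(char);
    LPVOID pRemoteName = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
    if (pRemoteName == NULL)
    {
        CloseHandle(hProcess);
        return;
    }

    DWORD dwHandle = 0;
    SIZE_T dwWritten = 0;
    if (WriteProcessMemory(hProcess, pRemoteName, szDllName, dwSize, &dwWritten) && dwWritten == dwSize)
    {
        // Step 1: GetModuleHandleA(name) in the target. lpThreadId is NULL --
        // the original passed &dwPid, which overwrote the PID with the new
        // thread's ID.
        HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
            (LPTHREAD_START_ROUTINE)GetModuleHandleA, pRemoteName, 0, NULL);
        if (hThread != NULL)
        {
            WaitForSingleObject(hThread, INFINITE);
            if (!GetExitCodeThread(hThread, &dwHandle))
                dwHandle = 0;
            CloseHandle(hThread);
        }
    }

    // The name buffer is only needed for the lookup: release it with its base
    // address and MEM_RELEASE (size must be 0) before unloading.
    VirtualFreeEx(hProcess, pRemoteName, 0, MEM_RELEASE);

    // Step 2: FreeLibrary(hModule) in the target. Skipped when the lookup
    // failed -- FreeLibrary(NULL) is pointless and a garbage handle is worse.
    if (dwHandle != 0)
    {
        HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
            (LPTHREAD_START_ROUTINE)FreeLibrary, (LPVOID)(ULONG_PTR)dwHandle, 0, NULL);
        if (hThread != NULL)
        {
            WaitForSingleObject(hThread, INFINITE);
            CloseHandle(hThread);
        }
    }

    CloseHandle(hProcess);
}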


得到进程ID

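// Return the PID of the first running process whose image name equals PName
// (case-insensitive), or 0 when no such process exists or the snapshot cannot
// be taken.
//
// Several processes may share an image name; only the first one enumerated is
// returned, and Toolhelp enumeration order carries no meaning. A caller that
// needs a specific instance must identify it by PID rather than by name.
DWORD CDllManageDlg::GetSelectPid(CString PName)
{
    HANDLE snapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    // CreateToolhelp32Snapshot reports failure as INVALID_HANDLE_VALUE, not NULL.
    if (snapShot == INVALID_HANDLE_VALUE)
        return 0;

    PROCESSENTRY32 processInfo;
    // dwSize must be filled in before Process32First, otherwise the call fails.
    processInfo.dwSize = sizeof(PROCESSENTRY32);

    DWORD nProcessID = 0;
    for (BOOL status = Process32First(snapShot, &processInfo); status;
         status = Process32Next(snapShot, &processInfo))
    {
        // szExeFile is the bare image file name (e.g. "notepad.exe"), not a path.
        CString strProcessName = processInfo.szExeFile;
        if (strProcessName.CompareNoCase(PName) == 0)
        {
            nProcessID = processInfo.th32ProcessID;
            break;
        }
    }

    // The snapshot is a kernel object; the original never closed it and so
    // leaked one handle per lookup.
    CloseHandle(snapShot);
    return nProcessID;
}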


Dll注入按钮

// "Inject" button handler: copy the dialog fields into the members, resolve
// the process name to a PID and run the injection.
void CDllManageDlg::OnButtonInject()
{
    // Transfer control contents into m_PName / m_DLL.
    UpdateData(TRUE);

    // Keep the target and DLL path in members so the uninject button can later
    // act on the same process/module.
    ProcessName = m_PName;
    szDllName = m_DLL;
    dwPid = GetSelectPid(ProcessName);

    // InjectDll rejects a PID of 0, so an unknown process name is a silent no-op.
    InjectDll(dwPid, szDllName);
}


Dll卸载按钮

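// "Uninject" button handler: unload the DLL recorded by the last press of the
// inject button. This handler does not call UpdateData, so it acts on the
// members set by OnButtonInject, not on the current contents of the controls.
void CDllManageDlg::OnButtonUninject()
{
    // Nothing has been injected yet, or the process lookup failed. Without this
    // guard UnInjectDll would be invoked with PID 0 and an empty name.
    if (dwPid == 0 || szDllName.IsEmpty())
        return;

    // UnInjectDll takes a non-const char*; borrow CString's buffer for the call.
    char *DllName = szDllName.GetBuffer(szDllName.GetLength());
    szDllName.ReleaseBuffer();
    UnInjectDll(dwPid, DllName);
}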

