C++ 实现DLL注入(一)实现
直接上代码了。
//FMethod.h
#pragma once
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
/* Launch the program named by c_str, look its process up in a toolhelp
   snapshot and hand the id to LoadDll so it loads "helloword.dll".
   Defined in FMethod.cpp. */
int FMethod(char * c_str);
/* Make process dwProcessId load lpszDllName: the path is written into the
   target's address space and a remote thread is started at LoadLibraryA
   with that buffer as argument.  Returns TRUE on success. */
BOOL LoadDll(DWORD dwProcessId,LPTSTR lpszDllName);//FMethod.cpp
#include "FMethod.h"
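/*
 * FMethod - launch the executable named by c_str, find its process id in a
 * toolhelp snapshot and ask LoadDll to make that process load
 * "helloword.dll".
 *
 * c_str - executable name exactly as it appears in PROCESSENTRY32.szExeFile
 *         (e.g. "calc.exe"); the comparison is a case-sensitive strcmp.
 *
 * Returns 0 when LoadDll reported success, -1 when c_str is NULL, the
 * snapshot could not be taken, no matching process was found, or LoadDll
 * failed.  (The original always returned 0 and never closed the snapshot
 * handle.)
 */
int FMethod(char * c_str)
{
    int rc = -1;

    /* strcmp on NULL is undefined behaviour. */
    if (c_str == NULL)
        return rc;

    /* Start the target program so that a process of that name exists. */
    ShellExecute(NULL, "open", c_str, NULL, NULL, SW_NORMAL);
    /* NOTE(review): ShellExecute does not wait, so the snapshot taken below
       can predate the new process; in that case no entry matches and -1 is
       returned. */

    /* DLL the target is asked to load; it must already exist on disk.  TEXT()
       expands to a plain char literal only in a non-UNICODE build, which this
       char[] initialisation presumes -- TODO confirm project character set. */
    char lpDllName[MAX_PATH] = TEXT("helloword.dll");

    PROCESSENTRY32 ProcessEntry = { 0 };
    ProcessEntry.dwSize = sizeof(PROCESSENTRY32);

    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    /* Failure is reported as INVALID_HANDLE_VALUE, not NULL. */
    if (hProcessSnap == INVALID_HANDLE_VALUE)
        return rc;

    /* Walk the snapshot until the first entry whose image name matches. */
    for (BOOL bRet = Process32First(hProcessSnap, &ProcessEntry);
         bRet;
         bRet = Process32Next(hProcessSnap, &ProcessEntry)) {
        if (strcmp(c_str, ProcessEntry.szExeFile) == 0) {
            rc = LoadDll(ProcessEntry.th32ProcessID, lpDllName) ? 0 : -1;
            break;
        }
    }

    /* The snapshot is a kernel handle and must be released. */
    CloseHandle(hProcessSnap);
    return rc;
}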
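/*
 * LoadDll - make the process with id dwProcessId load the DLL named by
 * lpszDllName.
 *
 * Sequence: OpenProcess -> VirtualAllocEx (buffer for the DLL path) ->
 * WriteProcessMemory (copy the path) -> CreateRemoteThread starting at
 * LoadLibraryA with that buffer as its argument -> WaitForSingleObject.
 *
 * dwProcessId - target process id.
 * lpszDllName - NUL-terminated DLL name or path.  It is handed to
 *               LoadLibraryA as a char string, so this presumes a
 *               non-UNICODE build where LPTSTR is char * -- TODO confirm
 *               project character set.
 *
 * Returns TRUE when the remote thread was created and has finished, FALSE on
 * any failure.  Every path now releases the process and thread handles and
 * the remote allocation (the original leaked all three on its error
 * returns).  The thread's exit code, i.e. LoadLibraryA's result, is not
 * examined, so TRUE does not by itself prove the DLL actually loaded.
 */
BOOL LoadDll(DWORD dwProcessId, LPTSTR lpszDllName)
{
    BOOL                  ok           = FALSE;
    HANDLE                hProcess     = NULL;
    HANDLE                hThread      = NULL;
    PSTR                  pszDllFile   = NULL;
    PTHREAD_START_ROUTINE pfnThreadRtn = NULL;
    SIZE_T                cch          = 0;

    /* strlen on NULL is undefined behaviour. */
    if (lpszDllName == NULL)
        return FALSE;

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
    if (hProcess == NULL) {
        /* DWORD is unsigned long, so %lu rather than the original %d. */
        printf("打开进程 %lu 失败!\n\n", dwProcessId);
        return FALSE;
    }
    printf("打开进程 %lu 成功!\n\n", dwProcessId);

    /* Bytes to place in the target: the path plus its terminating NUL. */
    cch = strlen(lpszDllName) + 1;
    pszDllFile = (PSTR)VirtualAllocEx(hProcess, NULL, cch, MEM_COMMIT, PAGE_READWRITE);
    if (pszDllFile == NULL)
        goto cleanup;
    printf("分配远程空间成功!\n\n");

    if (!WriteProcessMemory(hProcess, (PVOID)pszDllFile, (PVOID)lpszDllName, cch, NULL))
        goto cleanup;
    printf("写远程内存成功!\n\n");

    /* The local address of LoadLibraryA is reused inside the target; the
       original notes it is the same on one system.  That holds only while
       kernel32 is mapped at the same base in both processes (same bitness)
       -- TODO confirm for the intended target. */
    pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32"), "LoadLibraryA");
    if (pfnThreadRtn == NULL)
        goto cleanup;
    printf("获取LoadLibrary函数地址成功!\n\n");

    hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, (PVOID)pszDllFile, 0, NULL);
    if (hThread == NULL)
        goto cleanup;
    printf("创建远程线程成功!\n\n");

    /* Wait before the cleanup below frees the buffer the thread reads. */
    WaitForSingleObject(hThread, INFINITE);
    ok = TRUE;

cleanup:
    if (hThread != NULL)
        CloseHandle(hThread);
    if (pszDllFile != NULL)
        VirtualFreeEx(hProcess, (PVOID)pszDllFile, 0, MEM_RELEASE);
    CloseHandle(hProcess);
    return ok;
}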
//main.cpp
#include <stdio.h>
#include "FMethod.h"
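/*
 * Entry point: run FMethod against "calc.exe", then wait for Enter so the
 * console output stays visible.
 *
 * The original paused with system("pause"), which spawns cmd.exe through a
 * PATH search (CERT ENV33-C); a plain getchar() is used instead.
 * Returns 0 when FMethod reported success, 1 otherwise.
 */
int main()
{
    int rc = FMethod("calc.exe");
    if (rc != 0)
        printf("FMethod failed (rc=%d)\n", rc);

    printf("Press Enter to exit...\n");
    getchar();
    return rc == 0 ? 0 : 1;
}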
#pragma once
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
/* Launch the program named by c_str, look its process up in a toolhelp
   snapshot and hand the id to LoadDll so it loads "helloword.dll".
   Defined in FMethod.cpp. */
int FMethod(char * c_str);
/* Make process dwProcessId load lpszDllName: the path is written into the
   target's address space and a remote thread is started at LoadLibraryA
   with that buffer as argument.  Returns TRUE on success. */
BOOL LoadDll(DWORD dwProcessId,LPTSTR lpszDllName);//FMethod.cpp
#include "FMethod.h"
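/*
 * FMethod - launch the executable named by c_str, find its process id in a
 * toolhelp snapshot and ask LoadDll to make that process load
 * "helloword.dll".
 *
 * c_str - executable name exactly as it appears in PROCESSENTRY32.szExeFile
 *         (e.g. "calc.exe"); the comparison is a case-sensitive strcmp.
 *
 * Returns 0 when LoadDll reported success, -1 when c_str is NULL, the
 * snapshot could not be taken, no matching process was found, or LoadDll
 * failed.  (The original always returned 0 and never closed the snapshot
 * handle.)
 */
int FMethod(char * c_str)
{
    int rc = -1;

    /* strcmp on NULL is undefined behaviour. */
    if (c_str == NULL)
        return rc;

    /* Start the target program so that a process of that name exists. */
    ShellExecute(NULL, "open", c_str, NULL, NULL, SW_NORMAL);
    /* NOTE(review): ShellExecute does not wait, so the snapshot taken below
       can predate the new process; in that case no entry matches and -1 is
       returned. */

    /* DLL the target is asked to load; it must already exist on disk.  TEXT()
       expands to a plain char literal only in a non-UNICODE build, which this
       char[] initialisation presumes -- TODO confirm project character set. */
    char lpDllName[MAX_PATH] = TEXT("helloword.dll");

    PROCESSENTRY32 ProcessEntry = { 0 };
    ProcessEntry.dwSize = sizeof(PROCESSENTRY32);

    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    /* Failure is reported as INVALID_HANDLE_VALUE, not NULL. */
    if (hProcessSnap == INVALID_HANDLE_VALUE)
        return rc;

    /* Walk the snapshot until the first entry whose image name matches. */
    for (BOOL bRet = Process32First(hProcessSnap, &ProcessEntry);
         bRet;
         bRet = Process32Next(hProcessSnap, &ProcessEntry)) {
        if (strcmp(c_str, ProcessEntry.szExeFile) == 0) {
            rc = LoadDll(ProcessEntry.th32ProcessID, lpDllName) ? 0 : -1;
            break;
        }
    }

    /* The snapshot is a kernel handle and must be released. */
    CloseHandle(hProcessSnap);
    return rc;
}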
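/*
 * LoadDll - make the process with id dwProcessId load the DLL named by
 * lpszDllName.
 *
 * Sequence: OpenProcess -> VirtualAllocEx (buffer for the DLL path) ->
 * WriteProcessMemory (copy the path) -> CreateRemoteThread starting at
 * LoadLibraryA with that buffer as its argument -> WaitForSingleObject.
 *
 * dwProcessId - target process id.
 * lpszDllName - NUL-terminated DLL name or path.  It is handed to
 *               LoadLibraryA as a char string, so this presumes a
 *               non-UNICODE build where LPTSTR is char * -- TODO confirm
 *               project character set.
 *
 * Returns TRUE when the remote thread was created and has finished, FALSE on
 * any failure.  Every path now releases the process and thread handles and
 * the remote allocation (the original leaked all three on its error
 * returns).  The thread's exit code, i.e. LoadLibraryA's result, is not
 * examined, so TRUE does not by itself prove the DLL actually loaded.
 */
BOOL LoadDll(DWORD dwProcessId, LPTSTR lpszDllName)
{
    BOOL                  ok           = FALSE;
    HANDLE                hProcess     = NULL;
    HANDLE                hThread      = NULL;
    PSTR                  pszDllFile   = NULL;
    PTHREAD_START_ROUTINE pfnThreadRtn = NULL;
    SIZE_T                cch          = 0;

    /* strlen on NULL is undefined behaviour. */
    if (lpszDllName == NULL)
        return FALSE;

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
    if (hProcess == NULL) {
        /* DWORD is unsigned long, so %lu rather than the original %d. */
        printf("打开进程 %lu 失败!\n\n", dwProcessId);
        return FALSE;
    }
    printf("打开进程 %lu 成功!\n\n", dwProcessId);

    /* Bytes to place in the target: the path plus its terminating NUL. */
    cch = strlen(lpszDllName) + 1;
    pszDllFile = (PSTR)VirtualAllocEx(hProcess, NULL, cch, MEM_COMMIT, PAGE_READWRITE);
    if (pszDllFile == NULL)
        goto cleanup;
    printf("分配远程空间成功!\n\n");

    if (!WriteProcessMemory(hProcess, (PVOID)pszDllFile, (PVOID)lpszDllName, cch, NULL))
        goto cleanup;
    printf("写远程内存成功!\n\n");

    /* The local address of LoadLibraryA is reused inside the target; the
       original notes it is the same on one system.  That holds only while
       kernel32 is mapped at the same base in both processes (same bitness)
       -- TODO confirm for the intended target. */
    pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32"), "LoadLibraryA");
    if (pfnThreadRtn == NULL)
        goto cleanup;
    printf("获取LoadLibrary函数地址成功!\n\n");

    hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, (PVOID)pszDllFile, 0, NULL);
    if (hThread == NULL)
        goto cleanup;
    printf("创建远程线程成功!\n\n");

    /* Wait before the cleanup below frees the buffer the thread reads. */
    WaitForSingleObject(hThread, INFINITE);
    ok = TRUE;

cleanup:
    if (hThread != NULL)
        CloseHandle(hThread);
    if (pszDllFile != NULL)
        VirtualFreeEx(hProcess, (PVOID)pszDllFile, 0, MEM_RELEASE);
    CloseHandle(hProcess);
    return ok;
}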
//main.cpp
#include <stdio.h>
#include "FMethod.h"
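/*
 * Entry point: run FMethod against "calc.exe", then wait for Enter so the
 * console output stays visible.
 *
 * The original paused with system("pause"), which spawns cmd.exe through a
 * PATH search (CERT ENV33-C); a plain getchar() is used instead.
 * Returns 0 when FMethod reported success, 1 otherwise.
 */
int main()
{
    int rc = FMethod("calc.exe");
    if (rc != 0)
        printf("FMethod failed (rc=%d)\n", rc);

    printf("Press Enter to exit...\n");
    getchar();
    return rc == 0 ? 0 : 1;
}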