  • windows目标进程注入dll

    在别的程序注入dll

    步骤:
    1,获取目标进程ID,CreateToolhelp32Snapshot()函数;
    2,获取目标进程句柄,OpenProcess()函数;
    3,在目标进程中申请一块内存,用VirtualAllocEx()函数,而不是VirtualAlloc()函数;
    4,往要来的目标内存写入要注入的dll文件名,WriteProcessMemory;
    5,拿到kernel32模块句柄,GetModuleHandle()函数;
    6,拿到kernel32模块里LoadLibraryA()函数地址,GetProcAddress()函数;
    7,把dll注入目标进程,CreateRemoteThread()函数

    获取进程ID的方法:

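    // Look up a process ID by executable file name (the value compared against
    // PROCESSENTRY32::szExeFile) using a Toolhelp process snapshot.
    // Returns the PID of the first matching entry, or 0 when no entry matches,
    // pDest is NULL, or the snapshot could not be created. PID 0 is the System
    // Idle Process and cannot be a lookup result, so 0 is a safe "not found".
    // NOTE(review): wcscmp assumes a UNICODE build where TCHAR is wchar_t;
    // an ANSI build would need _tcscmp/strcmp — confirm the project setting.
    DWORD GetPid(const TCHAR* pDest)
    {
        if (pDest == NULL)
        {
            return 0;
        }

        HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hSnapshot == INVALID_HANDLE_VALUE)
        {
            return 0;   // was "return FALSE" from a DWORD function: same value, honest type
        }

        PROCESSENTRY32 pe32 = {0};
        pe32.dwSize = sizeof(PROCESSENTRY32);   // the Toolhelp API requires dwSize to be set

        DWORD pid = 0;
        // The documented iteration pattern is Process32First followed by
        // Process32Next; the original started with Process32Next alone, which is
        // outside the API contract and may skip the first entry.
        for (BOOL bMore = Process32First(hSnapshot, &pe32); bMore; bMore = Process32Next(hSnapshot, &pe32))
        {
            if (wcscmp(pe32.szExeFile, pDest) == 0)
            {
                pid = pe32.th32ProcessID;
                break;
            }
        }

        // Single exit so the snapshot handle is released on every path
        // (the original leaked it when no process matched).
        CloseHandle(hSnapshot);
        return pid;
    }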

    注入过程,封装个方法:

    // Copies the DLL path pName into process pID and starts a remote thread
    // whose entry point is LoadLibraryA with that path as its argument.
    // Returns FALSE only for the failures it checks (WriteProcessMemory,
    // GetModuleHandle, GetProcAddress); the results of OpenProcess,
    // VirtualAllocEx and CreateRemoteThread are never checked (notes below).
    // Detection context: the OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx ->
    // WriteProcessMemory -> CreateRemoteThread sequence is the textbook
    // ATT&CK T1055.001 pattern; Sysmon Event ID 10 (ProcessAccess) and
    // Event ID 8 (CreateRemoteThread) and most EDR behavioural rules key on it.
    BOOL LoadDll(DWORD pID,const TCHAR* pName)
    {
        // NOTE(review): result unchecked. A NULL handle (access denied,
        // protected process, bitness mismatch) flows into every call below.
        HANDLE hDestProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);
    
        // NOTE(review): pLEN is a character count, but VirtualAllocEx and
        // WriteProcessMemory take byte counts; with TCHAR == wchar_t only half
        // of the string is copied. Also an implicit size_t -> DWORD narrowing.
        DWORD pLEN = wcslen(pName)+1;
        // NOTE(review): lpStart may be NULL on failure and is never released
        // with VirtualFreeEx, so the committed page outlives this call.
        LPVOID lpStart =  VirtualAllocEx(hDestProcess, NULL, pLEN, MEM_COMMIT, PAGE_READWRITE);
        BOOL bRET = WriteProcessMemory(hDestProcess, lpStart, pName, pLEN, NULL);
        if (!bRET)
        {
            // "%d" is a printf placeholder; a C++ stream prints it literally.
            cout << "writeprocessmemory failed error : %d" << GetLastError() << endl;
            CloseHandle(hDestProcess);
            return FALSE;
        }
        // GetModuleHandle resolves kernel32 in THIS process; the address is then
        // used in the target, which presumably relies on kernel32 having the same
        // base in both processes — only plausible for matching bitness; confirm.
        HMODULE hModule = GetModuleHandle(TEXT("Kernel32.dll"));
        if (!hModule)
        {
            cout << "get kernel32 failed error :" << GetLastError() << endl;
            CloseHandle(hDestProcess);
            return FALSE;
        }
        // NOTE(review): (DWORD) truncates a 64-bit pointer; FARPROC/uintptr_t
        // keep the full value. pName is TCHAR* (wchar_t in UNICODE builds) while
        // LoadLibraryA expects char* — the string width and the A/W variant must agree.
        DWORD f = (DWORD)GetProcAddress(hModule, "LoadLibraryA");
        if (!f)
        {
            cout << "get loadLibraryA failed error :" << GetLastError() << endl;
            CloseHandle(hDestProcess);
            // NOTE(review): an HMODULE from GetModuleHandle is not a kernel object
            // handle; CloseHandle on it fails (and raises an invalid-handle
            // exception under a debugger). Same issue at the end of the function.
            CloseHandle(hModule);
            return FALSE;
        }
        // NOTE(review): the returned thread HANDLE is discarded (leaked), a NULL
        // result is not checked, and the thread's outcome is never awaited.
        CreateRemoteThread(hDestProcess,NULL,0, (LPTHREAD_START_ROUTINE)f,lpStart,NULL,NULL);
        CloseHandle(hDestProcess);
        CloseHandle(hModule);
        return TRUE;
    }
  • 原文地址:https://www.cnblogs.com/a-s-m/p/12232442.html