windows目标进程注入dll

在别的程序注入dll

步骤：
1，获取目标进程ID，CreateToolhelp32Snapshot()函数;
2，获取目标进程句柄，OpenProcess()函数;
3，目标进程要一块内存，VirtualAllocEx()函数，不是VirtualAlloc()函数；
4，往要来的目标内存写入要注入的dll文件名，WriteProcessMemory;
5，拿到kernel32模块句柄，GetModuleHandle()函数;
6，拿到kernel32模块里LoadLibraryA()函数地址，GetProcAddress()函数;
7，把dll注入目标进程，CreateRemoteThread()函数

获取进程ID的方法：

DWORD GetPid(const TCHAR* pDest)
{
    HANDLE hProcessHandle;
    PROCESSENTRY32 pe32 = {0};

    hProcessHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    if (hProcessHandle == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }
    pe32.dwSize = sizeof(PROCESSENTRY32);

    while (Process32Next(hProcessHandle,&pe32))
    {
        //printf("%s
", pe32.szExeFile);
        if (wcscmp(pe32.szExeFile,pDest)==0)
        {    
            CloseHandle(hProcessHandle);
            return pe32.th32ProcessID;
            wcout << pe32.szExeFile << ":" << pe32.th32ProcessID << endl;
        }
        
    }
    return 0;

}

注入过程，封装个方法：

BOOL LoadDll(DWORD pID,const TCHAR* pName)
{
    HANDLE hDestProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);

    DWORD pLEN = wcslen(pName)+1;
    LPVOID lpStart =  VirtualAllocEx(hDestProcess, NULL, pLEN, MEM_COMMIT, PAGE_READWRITE);
    BOOL bRET = WriteProcessMemory(hDestProcess, lpStart, pName, pLEN, NULL);
    if (!bRET)
    {
        cout << "writeprocessmemory failed error : %d" << GetLastError() << endl;
        CloseHandle(hDestProcess);
        return FALSE;
    }
    HMODULE hModule = GetModuleHandle(TEXT("Kernel32.dll"));
    if (!hModule)
    {
        cout << "get kernel32 failed error :" << GetLastError() << endl;
        CloseHandle(hDestProcess);
        return FALSE;
    }
    DWORD f = (DWORD)GetProcAddress(hModule, "LoadLibraryA");
    if (!f)
    {
        cout << "get loadLibraryA failed error :" << GetLastError() << endl;
        CloseHandle(hDestProcess);
        CloseHandle(hModule);
        return FALSE;
    }
    CreateRemoteThread(hDestProcess,NULL,0, (LPTHREAD_START_ROUTINE)f,lpStart,NULL,NULL);
    CloseHandle(hDestProcess);
    CloseHandle(hModule);
    return TRUE;
}