  • Windows下的dll注入(使用CreateRemoteThread)

    话不多说,直接贴代码。

    dll注入方式挺多,个人感觉比较方便的就是这个。效果很明显,编译运行阶段就会被火绒拦截;手动添加信任才能正常运行。这并不意外:OpenProcess + VirtualAllocEx + WriteProcessMemory + CreateRemoteThread(LoadLibrary) 是最经典的注入链,常见杀软/EDR 一般都会对这组调用做行为检测。

    需要注意的就是64位编译出来,远程注入的程序必须是64位,dll也必须是64位的;32位也必须统一。原因是代码直接把本进程 kernel32.dll 里 LoadLibraryA 的地址拿到目标进程里用,这只在两者位数相同时才成立(同一位数的进程里 kernel32 基址相同);而 LoadLibrary 本身也拒绝加载位数不匹配的 dll。

    还有就是注入系统进程基本都会失败,错误码 5 即 ERROR_ACCESS_DENIED:以 PROCESS_ALL_ACCESS 打开其他用户或 SYSTEM 的进程通常需要以管理员运行并启用 SeDebugPrivilege;受保护进程(PPL)即使有该特权也无法注入;另外按微软文档,CreateRemoteThread 对处于其他会话(如 session 0 的服务进程)的目标会直接失败。

    这种方式框架就是这样,都是Win32API,只需要知道基本调用就好了。

    #include <windows.h>
    #include <tlhelp32.h>
    #include <memoryapi.h>
    #include <iostream>
    using namespace std;
    // Target DLL path and process name; filled in by on_inject_clicked().
    std::string dllNamea;
    std::string procNamea;
    // PID resolved by GetProcId(); stays 0 until an injection has been attempted.
    DWORD pid = 0;
    
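    // Converts a NUL-terminated UTF-16 string to a heap-allocated UTF-8 string.
    // The returned buffer is allocated with new[]; the CALLER owns it and must
    // delete[] it. Returns an empty string ("") when the input is null or the
    // conversion fails — never a null pointer.
    // NOTE: currently unused (see the commented-out call in GetProcId); it is
    // what a UNICODE build would need to turn szExeFile/szExePath into char*.
    char* wideCharToMultiByte(const wchar_t* pWCStrKey)
    {
        if (pWCStrKey == NULL)
        {
            char* empty = new char[1];
            empty[0] = '\0';
            return empty;
        }
        const int srcLen = (int)wcslen(pWCStrKey);
        // First call with a NULL output buffer only measures the required size.
        // A return of 0 means failure (GetLastError has the reason) or empty input.
        int pSize = WideCharToMultiByte(CP_UTF8, 0, pWCStrKey, srcLen, NULL, 0, NULL, NULL);
        if (pSize < 0)
        {
            pSize = 0;
        }
        char* pCStrKey = new char[pSize + 1];
        int written = 0;
        if (pSize > 0)
        {
            // Second call performs the conversion into the sized buffer.
            written = WideCharToMultiByte(CP_UTF8, 0, pWCStrKey, srcLen, pCStrKey, pSize, NULL, NULL);
            if (written < 0)
            {
                written = 0;
            }
        }
        // srcLen excluded the terminator, so the output has none; add it after
        // however many bytes were actually written (0 on failure => "").
        pCStrKey[written] = '\0';
        return pCStrKey;
    }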
    
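    // Returns the PID of the first running process whose image name equals
    // procName exactly (case-sensitive byte comparison), or 0 when no such
    // process exists or the snapshot could not be taken.
    // Only the first match is returned; if several instances share the name,
    // callers get whichever one the snapshot lists first.
    // NOTE: the (char*) cast of szExeFile assumes a non-UNICODE build, where
    // PROCESSENTRY32 is the ANSI struct; in a UNICODE build the field is WCHAR[]
    // and would need the wideCharToMultiByte helper above.
    DWORD GetProcId(string procName)
    {
        HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hSnap == INVALID_HANDLE_VALUE)
        {
            // Snapshot failed (e.g. access denied); nothing to search.
            return 0;
        }
        PROCESSENTRY32 pe32 = {};
        pe32.dwSize = sizeof(pe32);   // Process32First rejects the call otherwise
        DWORD found = 0;
        BOOL bRet = Process32First(hSnap, &pe32);
        while (bRet)
        {
            const char* exeName = (const char*)pe32.szExeFile;
            cout << "array = " << exeName << endl;
            if (procName == exeName)
            {
                cout << "找到了" << endl;
                found = pe32.th32ProcessID;
                break;
            }
            bRet = Process32Next(hSnap, &pe32);
        }
        // The original leaked the snapshot handle on every return path.
        CloseHandle(hSnap);
        return found;
    }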
    
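    // Loads dllName into process pid: allocates the path string in the target,
    // writes it there, then runs LoadLibraryA(path) on a remote thread.
    // dllName must be an absolute path that the TARGET process can read (it is
    // resolved in the target's security context, not ours), and the DLL's
    // bitness must match the target's.
    // The LoadLibraryA address is taken from our own kernel32.dll and reused in
    // the target; that only holds when injector and target have the same bitness
    // (kernel32 shares one base address per bitness within a boot session).
    // Failures are reported on stdout with GetLastError(); the function returns
    // silently when pid is 0 or dllName is empty.
    void InjectDll(DWORD pid,string dllName)
    {
        if(pid==0||dllName.length()==0)
        {
            return;
        }
        const char* pFunName = "LoadLibraryA";
        // Least privilege: request only what VirtualAllocEx / WriteProcessMemory /
        // CreateRemoteThread document as required, instead of PROCESS_ALL_ACCESS.
        const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                             PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
        HANDLE hProcess = OpenProcess(access, FALSE, pid);
        if(hProcess==NULL)
        {
            cout<<"OpenProcess failed, error "<<GetLastError()<<endl;
            return;
        }
        // +1 for the terminator: LoadLibraryA expects a NUL-terminated string. The
        // original allocated and wrote exactly dllLen bytes and only worked because
        // the fresh page happened to be zero-filled past the end.
        const SIZE_T bufLen = dllName.length() + 1;
        LPVOID pDllAddr = VirtualAllocEx(hProcess, NULL, bufLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if(pDllAddr ==NULL)
        {
            cout<<"VirtualAllocEx failed, error "<<GetLastError()<<endl;
            CloseHandle(hProcess);
            return;
        }
        // SIZE_T, not DWORD: on x64 WriteProcessMemory stores 8 bytes through this
        // pointer, so the original's (SIZE_T*)&writeNum overflowed a 4-byte DWORD.
        SIZE_T writeNum = 0;
        BOOL ok = WriteProcessMemory(hProcess, pDllAddr, dllName.c_str(), bufLen, &writeNum);
        if(!ok || writeNum != bufLen)
        {
            cout<<"WriteProcessMemory failed, error "<<GetLastError()<<endl;
            VirtualFreeEx(hProcess, pDllAddr, 0, MEM_RELEASE);
            CloseHandle(hProcess);
            return;
        }
        FARPROC pFunAddr = GetProcAddress(GetModuleHandleA("kernel32.dll"),pFunName);
        if(pFunAddr==NULL)
        {
            cout<<"GetProcAddress failed, error "<<GetLastError()<<endl;
            VirtualFreeEx(hProcess, pDllAddr, 0, MEM_RELEASE);
            CloseHandle(hProcess);
            return;
        }
        cout<<pDllAddr<<endl;
        cout<<pFunAddr<<endl;
        HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)pFunAddr,pDllAddr,0,NULL);
        cout<<"hthread = "<<hThread<<endl;
        if(hThread)
        {
            WaitForSingleObject(hThread,INFINITE);
            // LoadLibraryA's return value (the HMODULE, truncated to 32 bits) comes
            // back as the thread exit code; 0 means the DLL failed to load in the
            // target even though the remote thread itself ran. The original printed
            // "注入成功" right after VirtualAllocEx, before anything was injected.
            DWORD exitCode = 0;
            if(GetExitCodeThread(hThread,&exitCode) && exitCode != 0)
            {
                cout<<"注入成功"<<endl;
            }
            else
            {
                cout<<"LoadLibraryA returned NULL in target; DLL not loaded"<<endl;
            }
            CloseHandle(hThread);
        }
        else
        {
            // Error 5 (ERROR_ACCESS_DENIED) here usually means a protected/system
            // target or, per the CreateRemoteThread docs, a target in another session.
            cout<<GetLastError()<<endl;
        }
        // The path string is no longer needed once LoadLibraryA has returned.
        VirtualFreeEx(hProcess, pDllAddr, 0, MEM_RELEASE);
        CloseHandle(hProcess);
    }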
    
    // Injects the DLL at the hard-coded path into the process named test.exe.
    // Stores the resolved PID in the global pid so on_detatch_clicked() can
    // unload the same DLL later. Both values are local to the author's machine;
    // adjust them before building.
    void on_inject_clicked()
    {
        // Earlier targets the author tried (kept for reference):
        //   C:\Users\17724\Desktop\dll4\dllTest.dll
        //   C:\Users\17724\Desktop\dll2\dllTesta.dll   into   Everything.exe
        dllNamea.assign("C:\\Users\\17724\\Desktop\\dllTest\\myTest.dll");
        procNamea.assign("test.exe");

        const DWORD targetPid = GetProcId(procNamea);
        pid = targetPid;
        cout<<"pid = "<<targetPid<<endl;
        InjectDll(targetPid, dllNamea);
    }
    
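    // Unloads dllName from process pid: finds the module whose full path matches
    // dllName in the target's module list, then runs FreeLibrary(hModule) on a
    // remote thread. Does nothing (after a message) when the module is not found.
    // The original fell through in that case and called FreeLibrary on whatever
    // MODULEENTRY32 happened to hold (the last module enumerated, or garbage if
    // the loop never ran), which can unload an unrelated DLL and crash the target.
    // FreeLibrary only decrements the load count, so a DLL the target had loaded
    // itself stays mapped. Same bitness caveat as InjectDll: the FreeLibrary
    // address is taken from our own kernel32.dll.
    void UninjectDll(DWORD pid, string dllName)
    {
        if(pid==0||dllName.length()==0)
        {
            return;
        }
        HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,pid);
        if(hSnap==INVALID_HANDLE_VALUE)
        {
            // Fails with ERROR_ACCESS_DENIED, or ERROR_BAD_LENGTH while the
            // target's module list is changing (a retry loop would cover that).
            cout<<"CreateToolhelp32Snapshot failed, error "<<GetLastError()<<endl;
            return;
        }
        MODULEENTRY32 me32 = {};
        me32.dwSize = sizeof(me32);
        HMODULE hTarget = NULL;
        // Module32First, not Module32Next, starts the walk; the original called
        // Next straight away and skipped the first entry.
        BOOL bRet = Module32First(hSnap,&me32);
        while(bRet)
        {
            // (char*) cast assumes a non-UNICODE build, as in GetProcId.
            // lstrcmpiA: NTFS paths are case-insensitive, and the path the loader
            // reports may differ in case from the one passed to InjectDll.
            if(lstrcmpiA((const char*)me32.szExePath, dllName.c_str())==0)
            {
                cout<<"也找到了"<<endl;
                hTarget = me32.hModule;
                break;
            }
            bRet = Module32Next(hSnap,&me32);
        }
        CloseHandle(hSnap);
        if(hTarget==NULL)
        {
            cout<<"module not found in target; nothing to unload"<<endl;
            return;
        }
        const char* pFunName = "FreeLibrary";
        // Least privilege: the rights CreateRemoteThread documents as required.
        const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                             PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
        HANDLE hProcess = OpenProcess(access,FALSE,pid);
        if(hProcess==NULL)
        {
            cout<<"OpenProcess failed, error "<<GetLastError()<<endl;
            return;
        }
        FARPROC pFunAddr = GetProcAddress(GetModuleHandleA("kernel32.dll"),pFunName);
        if(pFunAddr==NULL)
        {
            cout<<"GetProcAddress failed, error "<<GetLastError()<<endl;
            CloseHandle(hProcess);
            return;
        }
        // hModule is the DLL's base address inside the target, which is exactly
        // the HMODULE that FreeLibrary expects there.
        HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)pFunAddr,(LPVOID)hTarget,0,NULL);
        if(hThread)
        {
            WaitForSingleObject(hThread,INFINITE);
            CloseHandle(hThread);
        }
        else
        {
            // The original waited on a NULL handle here without checking.
            cout<<"CreateRemoteThread failed, error "<<GetLastError()<<endl;
        }
        CloseHandle(hProcess);
    }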
    
    // Unloads the DLL recorded by on_inject_clicked() from the same process
    // (both values come from the globals pid / dllNamea). A no-op when nothing
    // was injected, since UninjectDll ignores pid == 0.
    void on_detatch_clicked()
    {
        const DWORD targetPid = pid;
        const string& path = dllNamea;
        UninjectDll(targetPid, path);
    }
    
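    // Entry point: injects immediately, then reads integers from stdin; entering
    // 5 unloads the DLL again. Other values are ignored.
    // Stops on EOF or non-numeric input: the original re-ran `cin >> num` on a
    // stream stuck in the fail state, spinning at 100% CPU forever (and tested an
    // uninitialized num on the first failed read).
    int main()
    {
        on_inject_clicked();
        int num = 0;
        while(cin>>num)
        {
            if(num == 5)
            {
                on_detatch_clicked();
            }
        }
        return 0;
    }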
  • 原文地址:https://www.cnblogs.com/dayq/p/15809067.html