- dll文件(自定义函数)
/*
 * autoadd: exported routine that stores the constant 5048 at the
 * hard-coded address 0xdc0c4d0 inside whatever process loaded this DLL.
 * The address is not validated and names no object declared here, so the
 * store is an unchecked write to an arbitrary address: it only means
 * something in the one process the author inspected when choosing it and
 * will fault or corrupt unrelated memory anywhere else.
 */
_declspec(dllexport) void autoadd()
{
    int *p = (int*)0xdc0c4d0;
    *p = 5048;
}
- dll文件DLLMain函数
/*
 * DllMain: entry point invoked by the Windows loader.
 * ul_reason_for_call tells why it was called; only DLL_PROCESS_ATTACH does
 * any work (it calls autoadd()). There is no break after that call, so
 * control falls through the three empty cases to the single break, which
 * changes nothing here but is worth knowing before adding code to them.
 * Always returns TRUE, so the load is never refused.
 */
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        autoadd();
        // runs when the DLL is mapped into the process
        // (no break: falls through the empty cases below)
    case DLL_THREAD_ATTACH:
        // a new thread is starting in the process
    case DLL_THREAD_DETACH:
        // a thread is ending
    case DLL_PROCESS_DETACH:
        // the process is exiting or the DLL is being unloaded
        break;
    }
    return TRUE;
}
自动注射
- 以非独占的方式打开一个进程
// Open the process with full access rights; FALSE makes the returned
// handle non-inheritable. Returns NULL on failure, which must be checked
// by the caller before the handle is used.
HANDLE hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwprocessid);
- 获取路径长度并分配内存
// Bytes to copy: the path plus its NUL terminator. strlen returns size_t;
// storing it in an int narrows the value.
int length = strlen(dllpath) + 1;
// Commit a read/write buffer of that size inside the other process;
// NULL lets the system choose the address. Returns NULL on failure.
LPVOID lpremotedllname = VirtualAllocEx(hprocess, NULL, length, MEM_COMMIT, PAGE_READWRITE);
- 将路径写入到进程
// Copy the path into the remote buffer. The trailing NULL discards the
// bytes-written count, so a short write cannot be told from a full one;
// only the BOOL result is checked. On failure the function returns
// without closing hprocess or releasing the remote buffer.
if (WriteProcessMemory(hprocess, lpremotedllname,dllpath,length,NULL)==FALSE)
{
    printf("内存写入无效");
    return;
}
- 获取系统dll接口,并获取函数的接口
// Base address of kernel32 in the *current* process. This is an HMODULE
// (a module base), not a kernel object handle.
HMODULE hmodule = GetModuleHandleA("kernel32.dll");
// Resolve LoadLibraryA within this process; hmodule is not checked for
// NULL before being passed on.
LPTHREAD_START_ROUTINE fnstart = (LPTHREAD_START_ROUTINE)GetProcAddress(hmodule, "LoadLibraryA");
- 开启一个远程线程
// Create a thread in hprocess that begins at fnstart with dllpath as its
// argument: default security attributes and stack size, no creation
// flags, thread id not requested. Returns NULL on failure. This call is
// the step endpoint sensors typically log (CreateRemoteThread telemetry).
HANDLE hremoteThread = CreateRemoteThread(hprocess, NULL,0, fnstart, dllpath, 0, NULL);
- 关闭句柄,释放内存
CloseHandle(hremoteThread);
// hmodule is a module base address rather than a kernel handle, so this
// call fails (and may raise an invalid-handle exception when a debugger
// is attached). It should not be closed at all.
CloseHandle(hmodule);
CloseHandle(hprocess);
// None of the CloseHandle return values are checked.
main函数
// Current directory into dllpath; the return value (0 on failure, or the
// required length when 1024 is too small) is ignored.
GetCurrentDirectoryA(1024, dllpath);
// Append the file name. strcat is unbounded, so nothing checks that the
// result still fits in the 1024-byte buffer.
strcat(dllpath, "\new.dll");// concatenate

// Hard-coded target process id.
inject(5016);
完整代码
#define _CRT_SECURE_NO_WARNINGS
#include<Windows.h>
#include<string.h>
#include<stdio.h>

// Path of the DLL to load; written by main() and read by inject().
// Fixed 1024-byte buffer with no separate length tracking.
char dllpath[1024] = { 0 };

/*
 * inject: loads dllpath into the process with id dwprocessid by
 * allocating a buffer there, copying the path into it, and starting a
 * thread in that process at kernel32!LoadLibraryA.
 * The OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
 * CreateRemoteThread sequence is the classic remote-thread DLL-load
 * pattern and is exactly the call chain that endpoint sensors record
 * (e.g. Sysmon event 8 / CreateRemoteThread telemetry).
 * Failures are reported with printf and an early return. None of the
 * early returns after OpenProcess close hprocess, and the remote buffer
 * is never released with VirtualFreeEx, so every error path leaks.
 */
void inject(DWORD dwprocessid)
{
    // PID 0 is never a valid target.
    if (dwprocessid==0)
    {
        printf("进程编号无效");
        return;
    }
    // Open the process with full rights; FALSE = handle not inheritable.
    HANDLE hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwprocessid);
    // NULL means the open failed (no such PID, or insufficient rights).
    if (hprocess==NULL)
    {
        printf("进程打开无效");
        return;
    }
    // Bytes to copy: the path plus its terminator. strlen returns size_t;
    // storing it in an int narrows the value.
    int length = strlen(dllpath) + 1;
    // Commit a read/write buffer of that size inside the target process;
    // NULL lets the system pick the address.
    LPVOID lpremotedllname = VirtualAllocEx(hprocess, NULL, length, MEM_COMMIT, PAGE_READWRITE);
    // Allocation failure: hprocess is leaked on this path.
    if (lpremotedllname==NULL)
    {
        printf("进程分配内存无效");
        return;
    }
    // Copy the path into the remote buffer. The final NULL discards the
    // bytes-written count, so a short write is indistinguishable from a
    // full one; only the BOOL result is checked.
    if (WriteProcessMemory(hprocess, lpremotedllname,dllpath,length,NULL)==FALSE)
    {
        printf("内存写入无效");
        return;
    }
    // Base of kernel32 in *this* process (an HMODULE, not a kernel handle).
    HMODULE hmodule = GetModuleHandleA("kernel32.dll");
    // Address of LoadLibraryA in this process, used below as the start
    // routine of a thread in the other process. hmodule is not checked
    // for NULL first.
    LPTHREAD_START_ROUTINE fnstart = (LPTHREAD_START_ROUTINE)GetProcAddress(hmodule, "LoadLibraryA");
    // Casting a pointer to DWORD truncates it on 64-bit builds, so this
    // test only looks at the low 32 bits of the address.
    if ((DWORD)fnstart==0)
    {
        printf("获取地址失败");
        return;
    }
    // Start a thread in the target at fnstart with dllpath as its argument.
    HANDLE hremoteThread = CreateRemoteThread(hprocess, NULL,0, fnstart, dllpath, 0, NULL);
    if (hremoteThread == NULL)
    {
        printf("开启线程失败");
        return;
    }
    // Block until the remote thread finishes; no timeout.
    if (WaitForSingleObject(hremoteThread,INFINITE)!=WAIT_OBJECT_0)
    {
        printf("线程等待失败");
        return;
    }

    CloseHandle(hremoteThread);
    // hmodule is a module base address, not a handle: this call fails
    // (and may raise an invalid-handle exception under a debugger).
    CloseHandle(hmodule);
    CloseHandle(hprocess);
    // CloseHandle return values are not checked.
}

// Program entry point. 'void main' is non-standard C; int main is the
// portable form.
void main()
{
    // Current directory into dllpath; the return value (0 on failure, or
    // the required size when 1024 is too small) is ignored.
    GetCurrentDirectoryA(1024, dllpath);
    // Append the file name with an unbounded strcat -- nothing checks
    // that the result still fits in the 1024-byte buffer.
    strcat(dllpath, "\new.dll");// concatenate

    // Hard-coded target process id.
    inject(5016);

    // Spawns a command shell solely to wait for a key press.
    system("pause");
}