Janlex 2007-11-26 15:35
#include "stdafx.h"
#include "tlhelp32.h"

// Target image name and the path of the DLL to load into it. Both are
// compile-time constants; the process is matched on its exe file name only.
#define PROCESSNAME "NOTEPAD.EXE"
#define DLLPATH "D:\\dustbin.dll"

// Address of the buffer allocated inside the target process by
// WriteStringToProcess(). It is read again by WinMain() for
// CreateRemoteThread() and VirtualFreeEx(); the address is shared through
// this global rather than through a return value.
LPVOID pathAddress;

// Find a process ID by process name.
// Walks a Toolhelp snapshot of all processes and returns th32ProcessID of the
// first entry whose szExeFile compares equal to `str` with strcmp (char-based,
// so presumably this only builds in a non-Unicode TCHAR configuration).
// Returns 0 when no entry matches.
// NOTE(review): the result of CreateToolhelp32Snapshot() is never checked and
// hProcessSnap is never closed, so the snapshot handle leaks on every call.
DWORD FindProcess(LPCTSTR str)
{
    DWORD id = 0;
    PROCESSENTRY32 processEntry;
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    // dwSize has to be filled in before Process32First() or the call fails.
    processEntry.dwSize = sizeof(PROCESSENTRY32);
    BOOL bRet = Process32First(hProcessSnap, &processEntry);
    while (bRet) {
        if ( !strcmp(processEntry.szExeFile, str) ) {
            id = processEntry.th32ProcessID;
            break;
        }
        bRet = Process32Next(hProcessSnap, &processEntry);
    }
    return id;
}

// Write a NUL-terminated string into another process's address space.
// Opens process `id` with the access rights the rest of the program needs
// (thread creation, memory allocation, memory write), commits a
// PAGE_READWRITE buffer of strlen(pathStr)+1 bytes in it and copies the
// string there. On success returns the process handle (owned by the caller)
// and leaves the remote buffer address in the global pathAddress; returns
// NULL on any failure.
// `size` is overwritten on entry and is passed by value, so the caller never
// learns the number of bytes that was actually allocated.
// NOTE(review): when OpenProcess() fails, CloseHandle(NULL) is called — a
// no-op that only sets a last-error code. When WriteProcessMemory() fails,
// the buffer already committed in the target is not released.
// Defender note: OpenProcess with PROCESS_VM_WRITE | PROCESS_CREATE_THREAD on
// a foreign process followed by VirtualAllocEx + WriteProcessMemory is the
// canonical remote-injection preamble; Sysmon Event ID 10 (ProcessAccess)
// and EDR API telemetry key on exactly this access mask and call sequence.
HANDLE WriteStringToProcess(LPCTSTR pathStr, DWORD id, DWORD size)
{
    size = strlen(pathStr) + 1;
    HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, id);
    if (NULL == hProcess) {
        CloseHandle(hProcess);
        return NULL;
    }
    pathAddress = VirtualAllocEx(hProcess, NULL, size, MEM_COMMIT, PAGE_READWRITE);
    if (NULL == pathAddress) {
        CloseHandle(hProcess);
        return NULL;
    }
    // dwJudge receives the number of bytes actually written; a zero count is
    // treated as failure alongside a FALSE return.
    DWORD dwJudge = NULL;
    BOOL iYON = WriteProcessMemory(hProcess, pathAddress, (LPVOID)pathStr, size, &dwJudge);
    if (0 == iYON || 0 == dwJudge) {
        CloseHandle(hProcess);
        return NULL;
    }
    return hProcess;
}

// Entry point: locate the target process by name, stage the DLL path inside
// it, then start a remote thread whose start routine is LoadLibraryA and whose
// argument is the staged path, so that the target process loads the DLL.
// Waits for that thread to finish, decommits the staged buffer and closes
// both handles. Returns 1 (after a message box) when the process is not found
// or the write fails, 0 otherwise.
// NOTE(review): dwSize stays 0 here because WriteStringToProcess() takes it by
// value, so VirtualFreeEx() runs with size 0; with MEM_DECOMMIT that
// decommits the whole region starting at pathAddress.
// NOTE(review): the handle returned by CreateRemoteThread() is not checked
// before WaitForSingleObject()/CloseHandle(); a NULL result is silently
// ignored.
// Defender note: a thread whose start address is kernel32!LoadLibraryA and
// whose creating process differs from the owning process is the classic
// DLL-injection signature (Sysmon Event ID 8, CreateRemoteThread). A process
// signature policy that refuses unsigned images, or an EDR hook on
// CreateRemoteThread/NtCreateThreadEx, stops or surfaces this technique.
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    DWORD dwProcessID = FindProcess(PROCESSNAME);
    if (!dwProcessID) {
        MessageBox(0, "error with find process!", "fail", MB_OK);
        return 1;
    }
    DWORD dwSize = 0;
    HANDLE hProcess = WriteStringToProcess(DLLPATH, dwProcessID, dwSize);
    if (!hProcess) {
        MessageBox(0, "error with writing!", "fail", MB_OK);
        return 1;
    }
    // LoadLibraryA has the same calling convention and argument shape as a
    // thread start routine, which is why it can be passed directly here.
    HANDLE tRemoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, pathAddress, 0, 0);
    WaitForSingleObject(tRemoteThread, INFINITE);
    VirtualFreeEx(hProcess, pathAddress, dwSize, MEM_DECOMMIT);
    CloseHandle(tRemoteThread);
    CloseHandle(hProcess);
    return 0;
}
下面的代码就可以实现 DLL 的注入:
// Usage of the CDllInjector helper class (its definition is not on this
// page). From the method names this appears to wrap the same
// open / allocate / stage-path / remote-thread / free sequence as the
// listing above; the exact semantics of each call are not visible here.
CDllInjector m_diDllInjector;
// Open the target by PID (or by executable name, per the trailing comment);
// the second argument presumably mirrors OpenProcess's bInheritHandle.
m_diDllInjector.OpenProcess(dwProcessId, FALSE) ; // or m_diDllInjector.OpenProcess(szExecName, FALSE)
m_diDllInjector.RemoteVirtualAlloc();      // allocate a buffer in the target — presumably VirtualAllocEx
m_diDllInjector.SetInjectDll(strDllName);  // record the DLL path to stage in that buffer
m_diDllInjector.SyncInject();              // perform the injection and wait for it to finish ("Sync")
m_diDllInjector.RemoteVirtualFree();       // release the remote buffer — presumably VirtualFreeEx
感兴趣的可以看一看
由于现在论坛的附件大小限制得实在太厉害(20.48k!!??), 没办法传截图了。为了减小附件大小传上来, 项目里面也少了一个资源文件 DllInjector.ico, 自己添加一个就可以编译了。