InjectDll

// Function: injects a DLL file into a running process. Arguments: target process id, path of the DLL to inject.
//InjectDll.cpp
#include "windows.h"
#include "tchar.h"

/*
 * InjectDll - load the DLL at szDllPath into the process identified by dwPID
 * by writing the path into the target's address space and starting a remote
 * thread at LoadLibraryW.
 *
 * This is the textbook remote-thread injection sequence
 * (OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread);
 * it is exactly the API chain host-based monitoring (EDR hooks, Sysmon event 8
 * "CreateRemoteThread") is built to flag, and it only works if the caller
 * already holds the right to open the target process.
 *
 * Parameters: dwPID - target process id; szDllPath - NUL-terminated TCHAR path.
 * Returns: TRUE on success, FALSE only if the process could not be opened; no
 * other failure is detected (see notes below).
 *
 * NOTE(review): LPTHREAD_START_ROUTIME is not a Win32 type (the second listing
 * on this page spells it correctly), and the OpenProcess condition below is
 * missing one closing parenthesis, so this listing does not compile as pasted.
 */
BOOL InjectDll(DWORD dwPID, LPCTSTR szDllPath)
{
    HANDLE hProcess = NULL, hThread = NULL;
    HMODULE hMod = NULL;
    LPVOID pRemoteBuf = NULL;
    // Byte size of the path including its terminator (TCHAR units).
    DWORD dwBufSize = (DWORD)(_tcslen(szDllPath)+1) * sizeof(TCHAR);
    LPTHREAD_START_ROUTIME pThreadProc;
    // #1. Obtain a handle to the target process (notepad.exe) from dwPID
    // NOTE(review): %d is used for a DWORD (%lu would match).
    if(!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)){
        _tprintf(L"OpenProcess(%d) failed!!! [%d]\n",dwPID,GetLastError());
        return FALSE;
    }
    // #2. Allocate szDllName-sized memory in the target process (notepad.exe)
    // NOTE(review): return value not checked - a NULL pRemoteBuf is passed on
    // to WriteProcessMemory and to the remote thread below.
    pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT,PAGE_READWRITE);
    // #3. Write the myhack.dll path into the allocated memory
    // NOTE(review): return value not checked; a failed or short write goes unnoticed.
    WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllPath, dwBufSize, NULL);
    // #4. Get the address of the LoadLibraryW() API
    // Assumes kernel32.dll is mapped at the same base in the target process,
    // so the local address is valid there too.
    // NOTE(review): neither hMod nor pThreadProc is checked for NULL.
    hMod = GetModuleHandle(L"kernel32.dll");
    pThreadProc = (LPTHREAD_START_ROUTIME)GetProcAddress(hMod,"LoadLibraryW");
    // #5. Run a thread in the notepad.exe process
    // The remote thread calls LoadLibraryW(pRemoteBuf) with the path written above.
    hThread = CreateRemoteThread(hProcess,//hProcess
                                 NULL,//lpThreadAttributes
                                 0,//dwStackSize
                                 pThreadProc,//lpStartAddress
                                 pRemoteBuf,//lpParameter
                                 0,//dwCreationFlags
                                 NULL);//lpThreadId
    // Blocks until LoadLibraryW returns in the target.
    // NOTE(review): hThread is not checked; on failure this waits on and
    // closes a NULL handle and still reports success.
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
    // NOTE(review): pRemoteBuf is never released with VirtualFreeEx (the
    // second listing on this page does release it).
    return TRUE;
}

/*
 * _tmain - command-line entry point: "<program> pid dll_path".
 * Returns 1 on bad usage, otherwise 0 regardless of whether injection
 * succeeded (the outcome is only printed).
 *
 * NOTE(review): _tstol yields 0 for non-numeric input, so a bad pid is only
 * caught when OpenProcess(0) fails; the L"..." literals handed to _tprintf
 * assume a _UNICODE build.
 */
int _tmain(int argc, TCHAR *argv[])
{
    if(argc != 3){
        _tprintf(L"USAGE: %s pid dll_path\n",argv[0]);
        return 1;
    }
    //inject dll
    if(InjectDll((DWORD)_tstol(argv[1]),argv[2]))
        _tprintf(L"InjectDll(\"%s\") success!!!\n",argv[2]);
    else
        _tprintf(L"InjectDll(\"%s\") failed!!!\n",argv[2]);
    return 0;
}



// The original version does not work on kernel version 6 and above: on kernel 6
// the API creates the remote thread in suspended mode internally, and if the
// remote process belongs to session 0 it is never "resumed"
// and an error is returned instead.

/*
 * PFNTCREATETHREADEX - signature of the undocumented ntdll!NtCreateThreadEx,
 * resolved at run time in MyCreateRemoteThread. Parameter names are the
 * author's; the trailing dw1/dw2/Unknown arguments are not explained on this
 * page.
 *
 * NOTE(review): the parameter list is written with braces { } instead of
 * parentheses ( ), so this typedef does not compile as pasted.
 */
typedef DWORD (WINAPI *PFNTCREATETHREADEX){PHANDLE ThreadHandle,
                                           ACCESS_MASK DesireAccess,
                                           LPVOID ObjectAttributes,
                                           HANDLE ProcessHandle,
                                           LPTHREAD_START_ROUTINE lpStartAddress,
                                           LPVOID lpParameter,
                                           BOOL CreateSuspended,
                                           DWORD dwStackSize,
                                           DWORD dw1,
                                           DWORD dw2,
                                           LPVOID Unknown};

/*
 * IsVistaOrLater - returns TRUE when the OS major version reported by
 * GetVersionEx is exactly 6, FALSE otherwise.
 *
 * NOTE(review): despite the name and the comment, `== 6` matches only the
 * Vista/7/8/8.1 family; any higher major version returns FALSE and sends the
 * caller down the CreateRemoteThread path. The GetVersionEx return value is
 * not checked, and on Windows 8.1 and later the version it reports depends on
 * the application's compatibility manifest.
 */
BOOL IsVistaOrLater()
{
    OSVERSIONINFO osvi;
    ZeroMemory(&osvi, sizeof(OSVERSIONINFO));
    osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    GetVersionEx(&osvi);
    // Check whether the kernel version is 6 or above
    if(osvi.dwMajorVersion == 6)
        return TRUE;
    return FALSE;
}

/*
 * MyCreateRemoteThread - start pThreadProc(pRemoteBuf) in hProcess and wait
 * for it to finish. Uses NtCreateThreadEx when IsVistaOrLater() returns TRUE,
 * CreateRemoteThread otherwise.
 *
 * Returns TRUE once the remote thread has run to completion, FALSE on any
 * failure (a message is printed first).
 *
 * NOTE(review): hThread is never closed on any path, so every call leaks a
 * thread handle; the NtCreateThreadEx status code is discarded and
 * GetLastError() is printed instead, which native Nt* calls generally do not
 * set; NULL is passed for the DWORD parameters dwStackSize/dw1/dw2; 0x1FFFFF
 * is an unnamed access mask and should be a named constant.
 */
BOOL MyCreateRemoteThread(HANDLE hProcess, LPTHREAD_START_ROUTINE pThreadProc, LPVOID pRemoteBuf)
{
    HANDLE hThread = NULL;
    FARPROC pFunc = NULL;
    // Check whether the OS is Vista or later
    if(IsVistaOrLater()) //vista,7,8
    {
        pFunc = GetProcAddress(GetModuleHandle(L"ntdll.dll"),"NtCreateThreadEx");
        if(pFunc == NULL)
        {
            printf("GetProcAddress(\"NtCreateThreadEx\") failed!!![%d]\n",GetLastError());
            return FALSE;
        }
        // Call NtCreateThreadEx()
        ((PFNTCREATETHREADEX)pFunc)(&hThread,0x1FFFFF,NULL,hProcess,pThreadProc,pRemoteBuf,FALSE,NULL,NULL,NULL,NULL);
        if(hThread == NULL)
        {
            printf("NtCreateThreadEx() failed!!![%d]\n",GetLastError());
            return FALSE;
        }
    }
    else   //2000,XP,Server2003
    {
        hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, pRemoteBuf, 0, NULL);
        if(hThread == NULL)
        {
            printf("CreateRemoteThread() failed!!![%d]\n",GetLastError());
            return FALSE;
        }
    }
    // Block until the remote thread returns (LoadLibraryA in InjectDll's use).
    if(WAIT_FAILED == WaitForSingleObject(hThread, INFINITE))
    {
        printf("WaitForSingleObject() failed!!![%d]\n",GetLastError());
        return FALSE;
    }
    return TRUE;
}

/*
 * InjectDll - load the DLL at szDllName into process dwPID via a remote
 * thread at LoadLibraryA (ANSI counterpart of the first listing).
 *
 * Same OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> remote-thread
 * chain as above, this time releasing the remote buffer afterwards. It only
 * works if the caller can already open the target process, and this API
 * sequence is what host-based detections watch for.
 *
 * Returns TRUE on success; FALSE if OpenProcess or MyCreateRemoteThread fails.
 *
 * NOTE(review): `GetProcAddress(GetModuleHandle(L"kernel32.dll","LoadLibraryA"))`
 * has its closing parenthesis in the wrong place (GetModuleHandle takes one
 * argument, GetProcAddress two), so this does not compile as pasted. The
 * VirtualAllocEx, WriteProcessMemory and GetProcAddress results are
 * unchecked, and on the MyCreateRemoteThread failure path neither the remote
 * buffer nor hProcess is released. strlen()+1 is silently narrowed to DWORD,
 * and %d is used to print a DWORD.
 */
BOOL InjectDll(DWORD dwPID, char* szDllName)
{
    HANDLE hProcess = NULL;
    LPVOID pRemoteBuf = NULL;
    FARPROC pThreadProc = NULL;
    // Bytes needed for the path plus its NUL terminator.
    DWORD dwBufSize = strlen(szDllName)+1;
    if(!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)))
    {
        printf("OpenProcess(%d) failed!!![%d]\n",dwPID,GetLastError());
        return FALSE;
    }
    pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllName, dwBufSize, NULL);
    pThreadProc = GetProcAddress(GetModuleHandle(L"kernel32.dll","LoadLibraryA"));
    if(!MyCreateRemoteThread(hProcess, (LPTHREAD_START_ROUTINE)pThreadProc, pRemoteBuf))
    {
        printf("MyCreateRemoteThread() failed!!!\n");
        return FALSE;
    }
    // Safe to release here: MyCreateRemoteThread only returns TRUE after the
    // remote thread has finished with the buffer.
    VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);
    CloseHandle(hProcess);
    return TRUE;
}

