注入dll到一个进程里面

下面代码亲测没有问题:
// Injector.cpp : Defines the entry point for the console application.
//
// NOTE(review): this is the textbook CreateRemoteThread + LoadLibraryA DLL
// injection sequence: CreateProcess(CREATE_SUSPENDED) -> VirtualAllocEx ->
// WriteProcessMemory -> CreateRemoteThread.  From a defender's point of view it
// is exactly the API chain that Sysmon Event ID 8 (CreateRemoteThread) and most
// EDR products report; a process exhibiting it should be treated as suspicious.
//
//#include "stdafx.h"
#include <Windows.h>

int _tmain(int argc, _TCHAR* argv[])
{
    // Absolute path of the process to be launched and injected into, and of the
    // DLL to load.  Both are hard-coded; argc/argv are unused.
    char IePath[MAX_PATH] = "c:\\1.exe";
    char DllFullPath[MAX_PATH] = "c:\\tt.dll";
    // Filled in by CreateProcess: process/thread handles and ids.
    PROCESS_INFORMATION pi = {0};
    // Start-up parameters for the new process (zeroed twice: by the
    // initializer and again by ZeroMemory; harmless redundancy).
    STARTUPINFO si = {0};
    ZeroMemory(&si,sizeof(si));
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
    si.wShowWindow = SW_HIDE;
    // A narrow string literal is assigned to an LPTSTR field, and IePath is a
    // char array passed to CreateProcess: presumably this only builds with
    // UNICODE undefined -- confirm the project's character set.
    si.lpDesktop = "WinSta0\\Default";
    // Stray assignment: hProcess is a HANDLE and SW_HIDE an int; CreateProcess
    // overwrites the field below, so this line has no effect.
    pi.hProcess =  SW_HIDE;
    // The process is created suspended and ResumeThread is never called, so its
    // primary thread never runs; only the remote thread created below executes.
    BOOL ret = CreateProcess(NULL,IePath, NULL, NULL, 0, CREATE_SUSPENDED,NULL, NULL, &si, &pi);
    if (!ret)
    {
        int e = GetLastError();   // captured but never used or reported
        return FALSE;
    }
    // Allocate memory in the remote process for the DLL path (length + NUL).
    char *pszLibFileRemote = (char *) VirtualAllocEx( pi.hProcess, NULL, lstrlen(DllFullPath)+1, MEM_COMMIT, PAGE_READWRITE);
    if(pszLibFileRemote == NULL)
        return FALSE;
    // Write the DLL path into the remote allocation.
    if( WriteProcessMemory(pi.hProcess,pszLibFileRemote,(void*)DllFullPath,lstrlen(DllFullPath)+1,NULL) == 0)
        return FALSE;
    // Look up LoadLibraryA in this process's kernel32; it is used as the remote
    // thread's start routine.
    PTHREAD_START_ROUTINE pfnStartAddr=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
    if(pfnStartAddr == NULL)
        return FALSE;
    // Create the remote thread with LoadLibraryA as its start routine and the
    // remote path buffer as its single argument.
    HANDLE hRemoteThread;
    if( (hRemoteThread=CreateRemoteThread(pi.hProcess,NULL,0,pfnStartAddr,pszLibFileRemote,0,NULL)) == NULL)
    {
        return FALSE;
    }
    // Resource note: pi.hProcess, pi.hThread and hRemoteThread are never closed
    // and the remote allocation is never released; every early return above
    // leaks the handles as well.  Return codes mix FALSE and 0, i.e. success
    // and failure are indistinguishable to the caller.
    return 0;
}
拿来做测试的dll:
// dllmain.cpp : Defines the entry point for the DLL application.
//
// Test payload for the injector above: on process attach it loops forever,
// rewriting c:\1.txt with the current UTC date once per second.
#include "stdafx.h"
#include <stdio.h>
#include <Windows.h>

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        {
            // NOTE(review): this loop never exits, so DllMain never returns for
            // DLL_PROCESS_ATTACH.  DllMain executes under the loader lock, and
            // the documented restrictions for it forbid blocking and CRT file
            // I/O here; the loop also makes the `break` below unreachable.
            while (1)
            {
                // "wb+" truncates the file on every iteration.  fopen's result
                // is not checked, so a failed open dereferences NULL in
                // fwrite/fclose.
                FILE *p = fopen("c:\\1.txt","wb+");
                char test[100]={0};
                SYSTEMTIME st;
                GetSystemTime(&st);    // UTC, not local time
                // _snprintf does not NUL-terminate on truncation; the 100-byte
                // buffer is ample for this format and test[] was zeroed above.
                _snprintf(test,100,"%d-%d-%d\r\n",st.wYear,st.wMonth,st.wDay);
                // One record of strlen(test) bytes; the return value is not
                // checked.  strlen relies on <string.h> arriving transitively
                // (presumably via stdafx.h / Windows.h) -- confirm.
                fwrite(test,strlen(test),1,p);
                fclose(p);
                Sleep(1000);
            }
            break;
        }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

