修改 EIP 注入 DLL 的一个示例（仅适用于 32 位 x86 目标进程）

// NOTE(review): this is a fragment of a larger 32-bit MFC function: `pDllPath` and the
// two-argument MessageBox come from the enclosing scope, and the bare `return;`
// statements imply a void-returning member function. Everything below assumes an x86
// target (CONTEXT.Eip, pushad/popad, DWORD-sized pointers); it cannot work against a
// 64-bit process and the pointer-to-DWORD casts would truncate if built as x64.
//
// --- Step 1: locate the target by window title and resolve its thread/process ids ---
HWND hWnd=::FindWindow(NULL,L"窗口标题");
if(hWnd==NULL)
{
MessageBox(L"未获取窗口句柄!",L"失败",MB_OK);
return;
}
DWORD pid,tid;
// Returns the id of the thread that created the window and stores the owning pid.
tid=GetWindowThreadProcessId(hWnd,&pid);
// DWORD is unsigned, so `<= 0` is simply a zero check (zero is the failure value).
if(tid<=0)
{
MessageBox(L"未获取线程ID",L"失败");
return;
}
if(pid<=0)
{
MessageBox(L"未获取进程ID",L"失败");
return;
}
// --- Step 2: open the target process and the window's thread ---
// NOTE(review): PROCESS_ALL_ACCESS is far more than this code uses; VirtualAllocEx and
// WriteProcessMemory below need only PROCESS_VM_OPERATION | PROCESS_VM_WRITE. Asking for
// the minimum is least-privilege and more likely to succeed against protected targets.
HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid);
// OpenProcess returns NULL on failure; this relational compare is effectively a NULL check.
if(hProcess <= 0)
{
MessageBox(L"未获取进程句柄",L"失败");
return;
}
// NOTE(review): likewise only THREAD_SUSPEND_RESUME | THREAD_GET_CONTEXT |
// THREAD_SET_CONTEXT are exercised below, not THREAD_ALL_ACCESS.
HANDLE hThread=OpenThread(THREAD_ALL_ACCESS,FALSE,tid);
if(hThread <= 0)
{
// NOTE(review): this text duplicates the thread-id failure message above although the
// failing step here is OpenThread; also hProcess is leaked on this return path (no
// CloseHandle before `return;`).
MessageBox(L"未获取线程ID",L"失败");
return;
}
// --- Step 3: freeze the thread and capture its current instruction pointer ---
// The return value (previous suspend count, or -1 on failure) is not checked.
SuspendThread(hThread);
CONTEXT ct={0};
// CONTEXT_CONTROL selects the control registers (Eip, EFlags, Esp, ...), which is all
// that is read and rewritten here.
ct.ContextFlags = CONTEXT_CONTROL;
// NOTE(review): unchecked; if this fails ct.Eip stays 0 and the final jmp targets address 0.
GetThreadContext(hThread,&ct);
// --- Step 4: allocate one 2048-byte region in the target: shellcode at offset 0,
// DLL path at offset 0x100 (no overlap: the shellcode buffer is 32 bytes) ---
DWORD dwSize = sizeof(WCHAR)*1024;
// NOTE(review): PAGE_EXECUTE_READWRITE is the classic RWX-injection pattern commonly
// flagged by endpoint security; the path only needs to be readable and the code could
// be re-protected to RX after writing. The result is also unchecked: a NULL return
// turns every pointer computation below into writes near address 0.
BYTE *pProcessMem = (BYTE *)::VirtualAllocEx(hProcess,NULL,dwSize,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
DWORD dwWrited = 0;
// Copy the NUL-terminated wide path (pDllPath comes from the enclosing scope) to +0x100.
// NOTE(review): the length is not bounded against the dwSize-0x100 bytes that remain
// (896 WCHARs including the terminator); a longer path overruns the allocation.
::WriteProcessMemory(hProcess, (pProcessMem + 0x100), pDllPath, (wcslen(pDllPath) + 1) * sizeof(WCHAR), &dwWrited);

// --- Step 5: assemble the x86 stub that calls LoadLibraryW and returns to the
// original Eip ---
// Resolve LoadLibraryW in *this* process and reuse the address in the target.
// NOTE(review): this presumably relies on kernel32.dll being mapped at the same base in
// both processes (same bitness, same boot session); confirm for the intended target.
FARPROC pLoadLibraryW = (FARPROC)::GetProcAddress(::GetModuleHandle(L"Kernel32"), "LoadLibraryW");
// 19 bytes of code are written into a 32-byte buffer; the zeroed tail is never reached
// because of the final jmp. Layout:
//   +0       60            pushad
//   +1       9C            pushfd
//   +2..+6   68 imm32      push  <absolute address of DLL path>
//   +7..+11  E8 rel32      call  LoadLibraryW
//   +12      9D            popfd
//   +13      61            popad
//   +14..+18 E9 rel32      jmp   <original Eip>
BYTE ShellCode[32] = { 0 };
DWORD *pdwAddr = NULL;

ShellCode[0] = 0x60; // pushad - preserve the hijacked thread's general registers
ShellCode[1] = 0x9c; // pushfd - preserve EFLAGS
ShellCode[2] = 0x68; // push imm32
pdwAddr = (DWORD *)&ShellCode[3]; // ShellCode[3/4/5/6]
// Sole argument for LoadLibraryW: the remote address of the path written at +0x100.
*pdwAddr = (DWORD)(pProcessMem + 0x100);
ShellCode[7] = 0xe8;//call rel32
pdwAddr = (DWORD *)&ShellCode[8]; // ShellCode[8/9/10/11]
// rel32 = target - (address of the call instruction + 5); the call starts at +7.
// LoadLibraryW is __stdcall on x86, so the callee pops its own argument and no
// `add esp,4` is needed before popfd/popad.
*pdwAddr = (DWORD)pLoadLibraryW - (DWORD)(pProcessMem + 7) - 5;
ShellCode[12] = 0x9d; // popfd
ShellCode[13] = 0x61; // popad
ShellCode[14] = 0xe9; // jmp rel32

pdwAddr = (DWORD *)&ShellCode[15]; // ShellCode[15/16/17/18]
// Resume the thread's original instruction stream; the jmp starts at +14.
*pdwAddr = ct.Eip - (DWORD)(pProcessMem + 14) - 5;
// NOTE(review): unchecked; if this write fails but SetThreadContext succeeds, the
// target resumes into unwritten memory and crashes.
::WriteProcessMemory(hProcess, pProcessMem, ShellCode, sizeof(ShellCode), &dwWrited);
// --- Step 6: redirect the suspended thread to the stub; it runs on resume ---
ct.Eip = (DWORD)pProcessMem;
::SetThreadContext(hThread, &ct);

// NOTE(review): the hijacked thread was interrupted at an arbitrary point - possibly
// inside the loader or while holding locks - so calling LoadLibraryW from there can
// deadlock or corrupt state. This is the known trade-off of EIP hijacking compared with
// CreateRemoteThread, and callers should expect it to be unreliable on some targets.
::ResumeThread(hThread);
// The remote region is never freed. It cannot safely be released here anyway: the thread
// may still be executing inside it, and nothing signals when it has jumped back.
::CloseHandle(hProcess);
::CloseHandle(hThread);