远程DLL注入、卸载


Dll注入

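// Loads the DLL at szDllName into process dwPid: the path string is copied
// into the target's address space and a remote thread runs LoadLibraryA on it.
//
// dwPid      target process id; 0 is rejected
// szDllName  path (or name) of the DLL to load; an empty string is rejected
//
// Caveat: the LoadLibraryA address taken in this process is reused in the
// target. That only holds when kernel32.dll is mapped at the same base in
// both processes, i.e. injector and target have the same bitness; a 32/64-bit
// mismatch makes the remote thread start at a bogus address.
void CDllManageDlg::InjectDll(DWORD dwPid, CString szDllName)
{
    if (dwPid == 0 || szDllName.IsEmpty())
        return;

    // Least privilege: request only the rights this routine actually uses
    // rather than PROCESS_ALL_ACCESS.
    const DWORD dwAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE hProcess = OpenProcess(dwAccess, FALSE, dwPid);
    if (hProcess == NULL)
        return;

    // Bytes of the path including the terminating NUL, exactly what LoadLibraryA reads.
    const char *DllName = (LPCTSTR)szDllName;
    const SIZE_T nDllLen = strlen(DllName) + sizeof(char);

    // Buffer in the target that will hold the path string.
    LPVOID pDllAddr = VirtualAllocEx(hProcess, NULL, nDllLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pDllAddr == NULL)
    {
        CloseHandle(hProcess);
        AfxMessageBox("注入失败!");
        return;
    }

    // A short or failed write would make LoadLibraryA read garbage; treat it as failure.
    SIZE_T dwWriteNum = 0;
    if (!WriteProcessMemory(hProcess, pDllAddr, DllName, nDllLen, &dwWriteNum) || dwWriteNum != nDllLen)
    {
        VirtualFreeEx(hProcess, pDllAddr, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        AfxMessageBox("注入失败!");
        return;
    }

    // LoadLibraryA(LPCSTR) has the shape of a thread start routine, so the
    // remote thread's single argument is the path buffer written above.
    LPVOID pFunAddr = (LPVOID)LoadLibraryA;
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunAddr,
                                        pDllAddr, 0, NULL);
    if (hThread == NULL)
    {
        VirtualFreeEx(hProcess, pDllAddr, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        AfxMessageBox("注入失败!");
        return;
    }

    // The path buffer must stay alive until LoadLibraryA has returned.
    WaitForSingleObject(hThread, INFINITE);

    // The original freed address NULL with MEM_DECOMMIT, which released
    // nothing; MEM_RELEASE with size 0 frees the whole allocation made above.
    VirtualFreeEx(hProcess, pDllAddr, 0, MEM_RELEASE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
}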

Dll卸载

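// Unloads the DLL szDllName from process dwPid: a remote GetModuleHandleA
// resolves the module base, then a remote FreeLibrary drops the reference
// that InjectDll's LoadLibraryA added.
//
// dwPid      target process id; 0 is rejected
// szDllName  NUL-terminated module name/path as given to InjectDll; NULL or
//            empty is rejected
//
// Caveats: as in InjectDll, the GetModuleHandleA/FreeLibrary addresses of
// this process are reused in the target (same-bitness assumption). The module
// handle travels back through the thread exit code, a 32-bit DWORD, so the
// round trip is only faithful for a 32-bit target where HMODULE fits.
void CDllManageDlg::UnInjectDll(DWORD dwPid, char *szDllName)
{
    if (dwPid == 0 || szDllName == NULL || szDllName[0] == '\0')
        return;

    const DWORD dwAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE hProcess = OpenProcess(dwAccess, FALSE, dwPid);
    if (hProcess == NULL)
        return;

    // The module name has to live in the target's address space. The original
    // passed GetModuleHandleA a pointer to an uninitialised local stack buffer,
    // which is meaningless (and unreadable) in the other process, and never
    // copied szDllName anywhere.
    const SIZE_T dwSize = strlen(szDllName) + sizeof(char);
    LPVOID pRemoteName = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pRemoteName == NULL)
    {
        CloseHandle(hProcess);
        return;
    }
    SIZE_T dwWritten = 0;
    if (!WriteProcessMemory(hProcess, pRemoteName, szDllName, dwSize, &dwWritten) || dwWritten != dwSize)
    {
        VirtualFreeEx(hProcess, pRemoteName, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return;
    }

    // Remote GetModuleHandleA(name); the HMODULE comes back as the thread's
    // exit code. The thread-id out-parameter is NULL: the original passed
    // &dwPid there, overwriting the pid with the new thread's id.
    DWORD dwHandle = 0;
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
        (LPTHREAD_START_ROUTINE)GetModuleHandleA, pRemoteName, 0, NULL);
    if (hThread != NULL)
    {
        WaitForSingleObject(hThread, INFINITE);
        GetExitCodeThread(hThread, &dwHandle);
        CloseHandle(hThread);
    }
    VirtualFreeEx(hProcess, pRemoteName, 0, MEM_RELEASE);

    // Module not mapped in the target (or the lookup failed): nothing to free.
    if (dwHandle == 0)
    {
        CloseHandle(hProcess);
        return;
    }

    // Remote FreeLibrary(hModule) releases the reference LoadLibraryA took.
    hThread = CreateRemoteThread(hProcess, NULL, 0,
        (LPTHREAD_START_ROUTINE)FreeLibrary, (LPVOID)(ULONG_PTR)dwHandle, 0, NULL);
    if (hThread != NULL)
    {
        WaitForSingleObject(hThread, INFINITE);
        CloseHandle(hThread);
    }
    CloseHandle(hProcess);
}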

得到进程ID

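// Returns the id of the first running process whose executable name equals
// PName (case-insensitive), or 0 when nothing matches or the snapshot cannot
// be taken. Several processes may share a name; the first one enumerated wins.
DWORD CDllManageDlg::GetSelectPid(CString PName)
{
    HANDLE snapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapShot == INVALID_HANDLE_VALUE)
        return 0;

    DWORD nProcessID = 0;
    PROCESSENTRY32 processInfo;
    // Process32First rejects the entry unless dwSize is filled in first.
    processInfo.dwSize = sizeof(PROCESSENTRY32);

    for (BOOL status = Process32First(snapShot, &processInfo);
         status;
         status = Process32Next(snapShot, &processInfo))
    {
        if (PName.CompareNoCase(processInfo.szExeFile) == 0)
        {
            nProcessID = processInfo.th32ProcessID;
            break;
        }
    }

    // The original never closed the snapshot, leaking a handle per call.
    CloseHandle(snapShot);
    return nProcessID;
}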

Dll注入按钮

// Handler for the Inject button: reads the dialog fields, resolves the
// process name to a pid and injects the chosen DLL into that process.
void CDllManageDlg::OnButtonInject()
{
    // Pull the current edit-control text into m_PName / m_DLL.
    UpdateData(TRUE);

    // Keep both inputs in members so the Uninject button can reuse them later.
    ProcessName = m_PName;
    szDllName = m_DLL;
    dwPid = GetSelectPid(ProcessName);

    InjectDll(dwPid, szDllName);
}

Dll卸载按钮

// Handler for the Uninject button: unloads the DLL remembered by the last
// Inject click (szDllName) from the process remembered at that time (dwPid).
void CDllManageDlg::OnButtonUninject()
{
    // UnInjectDll takes a writable char*, so hand it the CString's own
    // buffer; the pointer stays valid because szDllName is not modified here.
    LPCTSTR pszDll = szDllName;
    UnInjectDll(dwPid, const_cast<char *>(pszDll));
}

