windows 注入dll

// dllmain.cpp : 定义 DLL 应用程序的入口点。#include "stdafx.h"#include "windows.h"#include "tchar.h"#include "Urlmon.h"#pragma comment(lib, "urlmon.lib")#define DEF_URL "http://biancheng.dnbcw.info/c/158628.html"#define DEF_FILE_NAME "index.html"HMODULE g_hMod= NULL;DWORD WINAPI ThreadProc(LPVOID lParam){char szPath[MAX_PATH] = {0};if (!GetModuleFileName(g_hMod, szPath, MAX_PATH)){return FALSE;}OutputDebugString(szPath);char *p = strrchr(szPath, '\\');if (!p){return FALSE;}strcpy_s(p+1, MAX_PATH, DEF_FILE_NAME);OutputDebugString(szPath);URLDownloadToFile(NULL, DEF_URL, szPath, 0, NULL);return 0;}BOOL APIENTRY DllMain( HMODULE hModule,                       DWORD  ul_reason_for_call,                       LPVOID lpReserved ){HANDLE hThread = NULL;g_hMod = hModule;switch (ul_reason_for_call){case DLL_PROCESS_ATTACH:{OutputDebugString("注入成功,开始下载Url!");hThread = CreateThread(NULL, 0, ThreadProc, NULL, 0, NULL);CloseHandle(hThread);}break;case DLL_THREAD_ATTACH:case DLL_THREAD_DETACH:case DLL_PROCESS_DETACH:break;}return TRUE;}
// remotethread.cpp : 定义控制台应用程序的入口点。//#include "stdafx.h"#include "windows.h"#include "tchar.h"BOOL InjrctDll(DWORD dwPid, LPCTSTR szDllPath){HANDLE hProcess = NULL, hThread = NULL;HMODULE hMod = NULL;LPVOID pRemoteBuf = NULL;DWORD dwBufSize = strlen(szDllPath) +1;LPTHREAD_START_ROUTINE pThreadProc;//#1 使用进程ID获取进程句柄if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid))){printf("open process %d failed!!! [%d]\n", dwPid, GetLastError());return FALSE;}//#2 在目标进程分配dll大小的内存pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE);if (!pRemoteBuf){printf("pRemoteBuf\n");return FALSE;}//#3 将dll路径写入分配的内存if (!WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllPath, dwBufSize, NULL)){printf("WriteProcessMemory\n");return FALSE;}//#4 获取loadlibrary API的地址hMod = GetModuleHandle("kernel32.dll");if (!hMod){printf("hMod\n");return FALSE;}pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hMod, "LoadLibraryA");if (!pThreadProc){printf("pThreadProc\n");return 0;}hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, pRemoteBuf, 0, NULL);if(!hThread){printf("hThread\n");return 0;}WaitForSingleObject(hThread, INFINITE);CloseHandle(hThread);CloseHandle(hProcess);return TRUE;}int _tmain(int argc, _TCHAR* argv[]){if (InjrctDll(42448, "E:\\qt_test\\creatremotethread\\remotethread\\Debug\\dll.dll")){printf("succeed!!!\n");}else{printf("error!!!\n");}while(1);return 0;}

