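BOOL WINAPI CInjectDlg::InjectLib(DWORD dwProcessId, PCSTR pLibFile)
{
    // Loads pLibFile into process dwProcessId: the path string is copied into
    // the target's address space and a remote thread is started at
    // LoadLibraryA with that string as its argument. Returns TRUE once the
    // remote thread has finished; FALSE (after a MessageBox) when any step
    // fails.
    //
    // Every step is observable from the host: a cross-process OpenProcess
    // requesting PROCESS_VM_WRITE, WriteProcessMemory into another process,
    // and CreateRemoteThread whose start address resolves to LoadLibraryA.
    // That sequence is the textbook indicator endpoint monitoring keys on.
    //
    // Fixes relative to the earlier version: the process handle and the
    // remote buffer are released on every failure path (they leaked before);
    // GetLastError is read before MessageBox can clobber it; and FormatMessage
    // follows the FORMAT_MESSAGE_ALLOCATE_BUFFER contract (pass the address
    // of the receiving pointer, free it with LocalFree) instead of passing a
    // NULL buffer pointer by value.
    if (pLibFile == NULL || *pLibFile == '\0')
        return FALSE;

    BOOL bResult = FALSE;
    PSTR pLibFileRemote = NULL;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;

    hProcess = OpenProcess(PROCESS_CREATE_PROCESS |
                           PROCESS_VM_OPERATION |
                           PROCESS_VM_WRITE, NULL, dwProcessId);
    if (hProcess == NULL)
    {
        MessageBox("获取目标进程句柄失败!");
        return FALSE;
    }

    // Single-exit section: any failure breaks out to the common cleanup below.
    do
    {
        // Byte count including the terminating NUL; both VirtualAllocEx and
        // WriteProcessMemory take sizes in bytes.
        SIZE_T len = strlen(pLibFile) + 1;
        pLibFileRemote = (PSTR)VirtualAllocEx(hProcess, NULL, len,
                                              MEM_COMMIT, PAGE_READWRITE);
        if (pLibFileRemote == NULL)
        {
            MessageBox("在远程进程申请路径字符串内存空间失败!");
            break;
        }

        if (!WriteProcessMemory(hProcess, pLibFileRemote, (PVOID)pLibFile, len, NULL))
        {
            MessageBox("向远程进程写字符串失败!");
            break;
        }

        // LoadLibraryA lives at the same address in every process that maps
        // this Kernel32, which is why a local GetProcAddress is usable here.
        LPTHREAD_START_ROUTINE pfnThreadRtn = (LPTHREAD_START_ROUTINE)GetProcAddress(
            GetModuleHandle("Kernel32"), "LoadLibraryA");
        if (pfnThreadRtn == NULL)
        {
            MessageBox("获取LoadLibrary地址失败!");
            break;
        }

        hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn,
                                     pLibFileRemote, 0, NULL);
        if (hThread == NULL)
        {
            // Capture the error before MessageBox, which may overwrite it.
            DWORD dwError = GetLastError();
            MessageBox("创建远程执行线程失败!");
            LPSTR str = NULL;
            // With FORMAT_MESSAGE_ALLOCATE_BUFFER, lpBuffer is the address of
            // the pointer that receives the system-allocated message text.
            BOOL rtn = ::FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM |
                                       FORMAT_MESSAGE_ALLOCATE_BUFFER, NULL, dwError, 0,
                                       (LPSTR)&str, 0, NULL);
            if (rtn && str != NULL)
            {
                MessageBox(str);
                LocalFree(str);
            }
            break;
        }

        // Block until the remote LoadLibraryA call has returned.
        WaitForSingleObject(hThread, INFINITE);
        bResult = TRUE;
    } while (0);

    // Common cleanup for both the success and the failure paths.
    if (pLibFileRemote != NULL)
        VirtualFreeEx(hProcess, pLibFileRemote, 0, MEM_RELEASE);
    if (hThread != NULL)
        CloseHandle(hThread);
    CloseHandle(hProcess);
    return bResult;
}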
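BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,
    DWORD fdwReason,
    LPVOID lpvReserved
    )
{
    // On DLL_PROCESS_ATTACH: walk the host process's address space with
    // VirtualQuery and, for every region that is the start of an allocation
    // other than this DLL's own image, append "<base>-<module path>" to cBuf;
    // finally show the accumulated list in a message box. Always returns TRUE.
    //
    // The earlier version sprintf'd straight into cBuf with no bound check, so
    // a process with enough modules could overrun the buffer. Each line is now
    // formatted into a bounded scratch buffer and appended only if it fits.
    // NOTE(review): MessageBox from DllMain executes UI code under the loader
    // lock, which the DllMain contract disallows; kept because this is demo
    // code, but not something to copy into production.
    if (fdwReason == DLL_PROCESS_ATTACH)
    {
        HWND hWnd = GetForegroundWindow();
        // cBuf collects every line that will be displayed.
        char cBuf[MAX_PATH * 100] = {0};
        size_t used = 0;            // bytes of cBuf in use, excluding the NUL
        LPBYTE pv = NULL;           // scan cursor, advanced region by region
        MEMORY_BASIC_INFORMATION mbi;
        while (sizeof(mbi) == VirtualQuery(pv, &mbi, sizeof(mbi)))
        {
            char cModName[MAX_PATH];
            DWORD nLen = 0;
            // Free pages carry no AllocationBase; treat the region start as one.
            if (mbi.State == MEM_FREE)
                mbi.AllocationBase = mbi.BaseAddress;
            // Skip: this DLL's own image, regions that are not the first
            // block of their allocation, and the NULL region.
            if (mbi.AllocationBase != hinstDLL &&
                mbi.AllocationBase == mbi.BaseAddress &&
                mbi.AllocationBase != NULL)
            {
                nLen = GetModuleFileName((HMODULE)mbi.AllocationBase, cModName, MAX_PATH);
                // Older Windows versions do not NUL-terminate a truncated name.
                cModName[MAX_PATH - 1] = '\0';
            }
            if (nLen > 0)
            {
                // "\n" + %p (at most 18 chars) + "-" + path (< MAX_PATH) + NUL
                // always fits in MAX_PATH + 32.
                char line[MAX_PATH + 32];
                sprintf(line, "\n%p-%s", mbi.AllocationBase, cModName);
                size_t lineLen = strlen(line);
                if (used + lineLen >= sizeof(cBuf))
                    break;          // out of room: show what was collected
                memcpy(cBuf + used, line, lineLen + 1);
                used += lineLen;
            }
            pv += mbi.RegionSize;
        }
        MessageBox(hWnd, cBuf, NULL, NULL);
    }
    return TRUE;
}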
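void CInjectDlg::OnBtnInject()
{
    // Button handler: read the target PID from the IDC_EDIT_ProId edit box
    // (0 means this process), build the path of MyDll.dll next to the running
    // executable, inject it, then eject it again. Failures are reported with
    // a MessageBox and the handler returns early.
    DWORD dwProcessId = ::GetDlgItemInt(m_hWnd, IDC_EDIT_ProId, NULL, FALSE);
    if (dwProcessId == 0)
    {
        // lpTranslated is NULL, so unparsable input also yields 0 and lands
        // here: the DLL is then loaded into our own process.
        dwProcessId = GetCurrentProcessId();
    }

    // The earlier version assumed GetModuleFileName succeeds, that the path
    // contains a backslash, and that "MyDll.dll" fits after the directory
    // part; each of those is now checked before strcpy writes into pLibFile.
    char pLibFile[MAX_PATH] = {0};
    DWORD nLen = GetModuleFileName(NULL, pLibFile, sizeof(pLibFile));
    if (nLen == 0 || nLen >= sizeof(pLibFile))
    {
        MessageBox("注入dll失败!");
        return;
    }
    // strrchr, not strchr: the last separator marks the file-name component.
    const char kDllName[] = "MyDll.dll";
    char* pSlash = strrchr(pLibFile, '\\');
    if (pSlash == NULL ||
        (size_t)(pSlash + 1 - pLibFile) + sizeof(kDllName) > sizeof(pLibFile))
    {
        MessageBox("注入dll失败!");
        return;
    }
    strcpy(pSlash + 1, kDllName);

    if (!InjectLib(dwProcessId, pLibFile))
    {
        MessageBox("注入dll失败!");
        return;
    }
    if (!EjectLib(dwProcessId, pLibFile))
    {
        MessageBox("清理资源失败!");
        return;
    }
}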