DLL注入的一个问题

bffeey 2010-06-19 06:21:10

// DLL
#include <windows.h>

BOOL APIENTRY DllMain( HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
{
switch (dwReason)
{
case DLL_PROCESS_ATTACH:
{
MessageBox(NULL,"成功！",NULL,0);break;
}
case DLL_PROCESS_DETACH:break;
case DLL_THREAD_ATTACH:break;
case DLL_THREAD_DETACH:break;
}
return TRUE;
}

// exe

#include<stdio.h>
#include<windows.h>
#include<tlhelp32.h>
#include <string>
#include <iostream>

void ToLower(std::string& rkStr)
{
for(int i = 0;i < (int)rkStr.size();++i)
{
rkStr[i] = tolower(rkStr[i]);
}
}

DWORD idProcess = 0;;
HANDLE hProcessHandle = 0;

//枚举进程，反回指定进程名的pid
DWORD GetPid(const std::string& rkProcess)
{
PROCESSENTRY32 kPe32={ sizeof(PROCESSENTRY32) };
HANDLE hProcessShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if(hProcessShot==INVALID_HANDLE_VALUE)
{
return 0;
}
if(Process32First(hProcessShot,&kPe32))
{
std::string kExeFile;
do
{
kExeFile = kPe32.szExeFile;
ToLower(kExeFile);
if(kExeFile == rkProcess)
{
return kPe32.th32ProcessID;
}
}while(Process32Next(hProcessShot,&kPe32));
}
return 0;
}

// 远程插入DLL，成功返回1，失败返回0
int insert()
{

TOKEN_PRIVILEGES kTkp;
HANDLE hToken = NULL;

if(OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken))
{
// 修改进程权限
LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&kTkp.Privileges[0].Luid );
kTkp.PrivilegeCount=1;
kTkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

// 通知系统修改进程权限
AdjustTokenPrivileges(hToken,FALSE,&kTkp,sizeof(TOKEN_PRIVILEGES),NULL,NULL);
}

//将要注入的DLL
std::string kDllPath = "setdll.dll";
int iDllPathSize = kDllPath.size() + 1;

// 我老家的一个游戏平台呵呵
std::string kExeFile = "ZSWLGame.exe";
ToLower(kExeFile);

//要注入的exe文件
idProcess = GetPid(kExeFile);
if(!idProcess)
{
std::cout<<"Can not find process!"<<std::endl;
return 0;
}

// 打开进程
hProcessHandle = OpenProcess(PROCESS_ALL_ACCESS,FALSE,idProcess);
if(hProcessHandle==NULL)
{
std::cout<<"OpenProcess error!"<<std::endl<<"ProcessID:"<<idProcess<<std::endl;
return 0;
}

// 向进程中申请空间
LPVOID pRemoteDllName = VirtualAllocEx(hProcessHandle,NULL,iDllPathSize,MEM_COMMIT,PAGE_READWRITE);
if(pRemoteDllName==NULL)
{
std::cout<<"VirtualAllocEx error!"<<std::endl;
return 0;
}

// 向进程写入DLL的路径
DWORD dwWrittenSize = 0;
if(!WriteProcessMemory(hProcessHandle,pRemoteDllName,(LPVOID)kDllPath.c_str(),(DWORD)kDllPath.size(),&dwWrittenSize))
{
std::cout<<"WriteProcessMemory error!"<<std::endl;
return 0;
}

//远程注入
DWORD dwThreadId = 0;
LPVOID pfFunc = &LoadLibraryA;
HANDLE hRemoteThread = CreateRemoteThread(hProcessHandle,NULL,0,(LPTHREAD_START_ROUTINE)pfFunc,pRemoteDllName,0,&dwThreadId);
if(!hRemoteThread)
{
std::cout<<"CreateRemoteThread error!"<<std::endl;
return 0;
}

//等到远程进程结束
DWORD dwRet = WaitForSingleObject(hRemoteThread,INFINITE);
VirtualFreeEx(hProcessHandle,pRemoteDllName,iDllPathSize,MEM_DECOMMIT);
CloseHandle(hRemoteThread);
CloseHandle(hProcessHandle);

return 1;
}

int main()
{
insert() ? std::cout<<"注入成功"<<std::endl : std::cout<<"注入失败"<<std::endl;
system("pause");
return 0;
}

// 总是显示"注入成功" 但是从来不出现窗口
// 请问是怎么一回事啊

...全文

120 5 打赏收藏转发到动态举报

写回复

用AI写文章

5 条回复

切换为时间正序

请发表友善的回复…

发表回复

bffeey 2010-06-20

打赏
举报

[Quote=引用 4 楼 cnzdgs 的回复:]

把"setdll.dll"改成完整路径~
[/Quote]

正解
3q

cnzdgs 2010-06-20

打赏
举报

把"setdll.dll"改成完整路径~

sunlin7 2010-06-19

打赏
举报

使用本人写的RawPeApi,可以轻松注入dll.

yxwsbobo 2010-06-19

打赏
举报

LPVOID pfFunc = &LoadLibraryA;

改成
PTHREAD_START_ROUTINE pfFunc= (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT("Kernel32")),"LoadLibraryA");

yxwsbobo 2010-06-19