#define _CRT_SECURE_NO_WARNINGS
#include <Windows.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char dllpath[1024] = { 0 };// Absolute path of the DLL to inject; filled in by main() and read by inject()
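/*
 * Load the DLL named by the file-scope `dllpath` into the process whose ID is
 * `dwprocessid`, using the classic CreateRemoteThread + LoadLibraryA technique:
 * allocate a buffer in the target, write the DLL path into it, then start a
 * remote thread whose start routine is LoadLibraryA and whose argument is that
 * buffer.  A diagnostic is printed and the function returns on any failure.
 *
 * Fixes relative to the original:
 *   - the module name was "kerne132.dll" (digit one), which never resolves;
 *   - `hprocess` and the remote buffer leaked on every early return, and an
 *     HMODULE (not a kernel object handle) was passed to CloseHandle;
 *   - `fnstart` was truncated to DWORD before the NULL test (wrong on x64);
 *   - the process is opened with only the rights the calls below need
 *     instead of PROCESS_ALL_ACCESS (least privilege; also succeeds in more
 *     places than a full-access request);
 *   - the remote thread's exit code is inspected, since a thread that ran to
 *     completion may still report that LoadLibraryA returned NULL.
 *
 * Caveats for the operator:
 *   - The LoadLibraryA address from this process is only meaningful in the
 *     target when both have the same bitness (the technique relies on
 *     kernel32 sharing a base address across processes of one architecture;
 *     a 32-bit injector cannot inject into a 64-bit process).
 *   - The wait is INFINITE: if the DLL's DllMain blocks, so does this call.
 *   - This is a well-known, widely detected injection method; it is meant
 *     for processes the operator owns (testing/tooling), not for evasion.
 */
void inject(DWORD dwprocessid)
{
    HANDLE hprocess = NULL;
    LPVOID lpremotedllname = NULL;
    HANDLE hremoteThread = NULL;
    BOOL thread_finished = FALSE;
    HMODULE hkernel32 = NULL;
    LPTHREAD_START_ROUTINE fnstart = NULL;
    SIZE_T length = 0;
    DWORD exitcode = 0;

    if (dwprocessid == 0) {
        printf("进程编号无效");
        return;
    }

    /* Only the rights needed for VirtualAllocEx / WriteProcessMemory /
     * CreateRemoteThread, not PROCESS_ALL_ACCESS. */
    hprocess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                           FALSE, dwprocessid);
    if (hprocess == NULL) {
        printf("进程打开无效");
        return;
    }

    /* Room in the target's address space for the path plus its NUL. */
    length = strlen(dllpath) + 1;
    lpremotedllname = VirtualAllocEx(hprocess, NULL, length, MEM_COMMIT, PAGE_READWRITE);
    if (lpremotedllname == NULL) {
        printf("进程分配内存失败");
        goto cleanup;
    }

    if (!WriteProcessMemory(hprocess, lpremotedllname, dllpath, length, NULL)) {
        printf("内存写入失败");
        goto cleanup;
    }

    /* Explicit ANSI variant: the rest of the file uses the A-suffixed APIs. */
    hkernel32 = GetModuleHandleA("kernel32.dll");
    if (hkernel32 != NULL) {
        fnstart = (LPTHREAD_START_ROUTINE)GetProcAddress(hkernel32, "LoadLibraryA");
    }
    if (fnstart == NULL) {
        printf("获取地址失败");
        goto cleanup;
    }

    hremoteThread = CreateRemoteThread(hprocess, NULL, 0, fnstart, lpremotedllname, 0, NULL);
    if (hremoteThread == NULL) {
        printf("开启线程失败");
        goto cleanup;
    }

    if (WaitForSingleObject(hremoteThread, INFINITE) != WAIT_OBJECT_0) {
        printf("线程等待失败");
        goto cleanup;
    }
    thread_finished = TRUE;

    /* The remote thread's exit code is LoadLibraryA's return value
     * (truncated to 32 bits); zero means the target could not load the DLL
     * even though the thread itself ran. */
    if (GetExitCodeThread(hremoteThread, &exitcode) && exitcode == 0) {
        printf("远程加载DLL失败");
    }

cleanup:
    if (hremoteThread != NULL) {
        CloseHandle(hremoteThread);
    }
    /* Free the remote path buffer only when no remote thread can still be
     * reading it: either the thread was never created, or we observed it
     * finish.  If the wait failed we prefer a small leak in the target to
     * freeing memory a running thread may still use. */
    if (lpremotedllname != NULL && (hremoteThread == NULL || thread_finished)) {
        VirtualFreeEx(hprocess, lpremotedllname, 0, MEM_RELEASE);
    }
    CloseHandle(hprocess);
}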
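/*
 * Entry point.  Builds the absolute path of new.dll in the current working
 * directory into the file-scope `dllpath`, then injects it into the target
 * process.  The target PID is taken from argv[1] when given (the original
 * comment said the PID was meant to come from the user); otherwise it falls
 * back to the previously hard-coded 6944 so existing invocations still work.
 *
 * Returns 0 on a completed run, 1 when the path cannot be built or the PID
 * argument is not a valid decimal DWORD.  Injection failures are reported by
 * inject() itself and do not change the exit status.
 */
int main(int argc, char **argv)
{
    DWORD dwprocessid = 6944;
    char cwd[1024] = { 0 };
    DWORD cwdlen;
    int written;

    /* GetCurrentDirectoryA returns 0 on error and the required size (>= the
     * buffer size) when the buffer is too small; both mean no usable path. */
    cwdlen = GetCurrentDirectoryA((DWORD)sizeof cwd, cwd);
    if (cwdlen == 0 || cwdlen >= sizeof cwd) {
        printf("获取当前目录失败");
        return 1;
    }

    /* Bounded join instead of strcat: a long working directory would
     * otherwise overflow the 1024-byte dllpath buffer. */
    written = snprintf(dllpath, sizeof dllpath, "%s\\new.dll", cwd);
    if (written < 0 || (size_t)written >= sizeof dllpath) {
        printf("DLL路径过长");
        return 1;
    }

    if (argc > 1) {
        char *end = NULL;
        unsigned long value;

        errno = 0;
        value = strtoul(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || errno == ERANGE ||
            value == 0 || value > 0xFFFFFFFFUL) {
            printf("进程编号无效");
            return 1;
        }
        dwprocessid = (DWORD)value;
    }

    inject(dwprocessid);

    /* Keep the console open without system("pause"): system() launches
     * cmd.exe via the COMSPEC environment variable, an avoidable
     * untrusted-search-path exposure for a tool that already needs
     * elevated rights. */
    printf("按回车键继续...");
    getchar();
    return 0;
}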