标签:
// Injection64bit.cpp : 定义控制台应用程序的入口点。 // #include "stdafx.h" #include <windows.h> #include <Strsafe.h> BOOL InjectDll(TCHAR szPath[MAX_PATH], DWORD dwPid); int _tmain(int argc, _TCHAR* argv[]) { if (argc < 3) exit(0); // 第2个命令行参数为DLL路径, // 第3个命令行参数为要注入的程序PID DWORD dwPid = _wtoi(argv[2]); InjectDll(argv[1], dwPid); return 0; } BOOL InjectDll(TCHAR szPath[MAX_PATH], DWORD dwPid) { // szPath:DLL路径 // dwPid: 要注入的进程PID //1.打开要注入DLL的进程 HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid); if (!hProcess) { MessageBox(NULL, L"打开进程失败!", NULL, MB_OK); return FALSE; } //2.将Dll路径写进远进程内存 //2.1.计算注入的DLL路径所占空间 DWORD dwLength = 0; HRESULT hret = NULL; hret = StringCchLength(szPath, MAX_PATH, (size_t*)&dwLength); if (STRSAFE_E_INVALID_PARAMETER == hret) { CloseHandle(hProcess); MessageBox(NULL, L"DLL路径错误!", NULL, MB_OK); return FALSE; } DWORD dwSize = (dwLength + 1)* sizeof(TCHAR); //2.2.在要注入的进程内开辟空间用于存放DLL路径 LPVOID lpVirAddr = NULL; lpVirAddr = VirtualAllocEx(hProcess,//进程句柄 NULL, //申请的内存地址 dwSize, //申请的内存的大小 MEM_COMMIT, //申请的内存属性 PAGE_READWRITE);//申请的内存分页类型 if (NULL == lpVirAddr) { CloseHandle(hProcess); MessageBox(NULL, L"内存申请失败!", NULL, MB_OK); return FALSE; } //2.3将DLL路径写入申请的内存 if (!WriteProcessMemory( hProcess,//进程句柄 lpVirAddr,//要写入的内存地址 szPath,//要写入的数据地址 dwSize,//写入大小 NULL))//返回成功写入的数据的大小 { if (lpVirAddr) VirtualFreeEx(hProcess, (PVOID)lpVirAddr, 0, MEM_RELEASE); if (hProcess) CloseHandle(hProcess); MessageBox(NULL, L"写入内存失败!", NULL, MB_OK); return FALSE; } //3.获取Loadlibrary地址 PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress( GetModuleHandle(L"Kernel32"), "LoadLibraryW"); if (!pfnThreadRtn) { if (lpVirAddr) VirtualFreeEx(hProcess, (PVOID)lpVirAddr, 0, MEM_RELEASE); if (hProcess) CloseHandle(hProcess); MessageBox(NULL, L"LoadLibraryW地址获取失败!", NULL, MB_OK); return FALSE; } //4.创建远线程加载DLL HANDLE hThread = CreateRemoteThread( hProcess, //进程句柄 NULL, //安全类型 0, //栈大小 pfnThreadRtn, //线程回调函数地址 (PVOID)lpVirAddr, //线程回调函数参数 0, //创建标志,创建立刻执行 NULL); //传出值,线程ID if (NULL == hThread) { if (lpVirAddr) VirtualFreeEx(hProcess, (PVOID)lpVirAddr, 0, MEM_RELEASE); if (hProcess) CloseHandle(hProcess); return FALSE; } //5.等待远线程结束 WaitForSingleObject(hThread, INFINITE); //6.释放相关资源并关闭句柄 if (lpVirAddr) VirtualFreeEx(hProcess, (PVOID)lpVirAddr, 0, MEM_RELEASE); if (hThread) CloseHandle(hThread); if (hProcess) CloseHandle(hProcess); return TRUE; }
标签:
原文地址:http://www.cnblogs.com/Alyoyojie/p/5369826.html