dll遠程注入

/****************************************************************
* 函數名稱: InjectDll
* 功能描述: 遠程注入Dll
* 參數列表: sProcName  --- 進程名稱
            strDll     --- Dll路徑名稱
* 返回結果: 0:失敗
****************************************************************/
BOOL CRemoteDll::InjectDll(char *sProcName, char *sDllName)
{
 char *strProcess = sProcName;
 char *strDll = sDllName;

 m_dwSize = lstrlenA(strDll) + 1;
    DWORD lv_dwProcessID = GetTargetProcId(strProcess);
 if (lv_dwProcessID == 0)
 {
  MessageBox(NULL, "找不到該進程", "信息", MB_OK);
        return FALSE;
 }

 m_hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION
  | PROCESS_VM_WRITE, FALSE, lv_dwProcessID);//打開目標進程

 LPVOID lv_lpBuf = (PWSTR)VirtualAllocEx(m_hProcess, NULL, m_dwSize, MEM_COMMIT, PAGE_READWRITE);//在目標進程中開闢空間
 if(NULL == lv_lpBuf)
 {
  CloseHandle(m_hProcess);
        return FALSE;
 }

 DWORD lv_dwWritten;
 if (WriteProcessMemory(m_hProcess, lv_lpBuf, (LPVOID)strDll, m_dwSize, &lv_dwWritten))
 {
  if (lv_dwWritten != m_dwSize)
  {
   VirtualFreeEx(m_hProcess, lv_lpBuf, m_dwSize, MEM_DECOMMIT);

   CloseHandle(m_hProcess);
            return FALSE;
  }
 }
 else
 {
  CloseHandle(m_hProcess);
  return FALSE;
 }

 PTHREAD_START_ROUTINE pfnEndAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");

 // 使目標進程調用LoadLibrary，加載DLL
 DWORD dwID;
 HANDLE hThread = CreateRemoteThread( m_hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pfnEndAddr, lv_lpBuf, 0, &dwID );
 
 // 等待LoadLibrary加載完畢
 WaitForSingleObject( hThread, INFINITE );
 
 // 釋放目標進程中申請的空間
 VirtualFreeEx( m_hProcess, lv_lpBuf, m_dwSize, MEM_DECOMMIT );
 CloseHandle( hThread );
 CloseHandle( m_hProcess );

 return FALSE;
}

/****************************************************************
* 函數名稱: GetTarget
* 功能描述: 查找進程
* 參數列表: sProcName  --- 進程名稱
* 返回結果: 返回進程ID
****************************************************************/
DWORD CRemoteDll::GetTargetProcId(char *sProcName)
{
    DWORD dwRet = 0;
 
    HANDLE hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0);//進程快照
 
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof( PROCESSENTRY32 );
 
    BOOL lv_return = Process32First( hSnapshot, &pe32 );
    while(lv_return)
    {
        if (0 == strcmp(pe32.szExeFile, sProcName))
        {
            dwRet = pe32.th32ProcessID;
            break;
        }
  
  lv_return = Process32Next(hSnapshot, &pe32);
    }
 
    CloseHandle(hSnapshot);

 return dwRet;
}

 

此代碼僅作技術交流，請勿用於非法傳播。