windows dll inject

windows 下，把 dll 注入某個進程，直接代碼。

 

my_dll.h

#ifndef __my_dll_h__ #define __my_dll_h__ #include <Windows.h> #ifdef DLL_EXPORT #define DLLAPI __declspec(dllexport) #else #define DLLAPI __declspec(dllimport) #endif #ifdef __cplusplus extern "C" { #endif void DLLAPI set_hook (); void DLLAPI remove_hook (); #ifdef __cplusplus } #endif #endif // __my_dll_h__

 

my_dll.c

#define DLL_EXPORT #include "my_dll.h" #include <process.h> #include <stdio.h> HANDLE g_hThrd = NULL; unsigned int __stdcall thrdproc( void *param ); int APIENTRY DllMain( HINSTANCE hInst, DWORD dwReason, LPVOID lpReserved ) { switch( dwReason ) { case DLL_PROCESS_ATTACH: set_hook(); break; case DLL_PROCESS_DETACH: remove_hook(); break; } return TRUE; } void DLLAPI set_hook() { static int time = 3000; if( NULL != g_hThrd ) return; g_hThrd = (HANDLE)_beginthreadex( NULL, 0, thrdproc, (void*)&time, 0, NULL ); if( NULL == g_hThrd ) MessageBox( NULL, "set_hook() failed", "dll", MB_OK ); } void DLLAPI remove_hook() { if( NULL == g_hThrd ) return; WaitForSingleObject( g_hThrd, INFINITE ); CloseHandle( g_hThrd ); g_hThrd = NULL; } unsigned int __stdcall thrdproc( void *param ) { int time = *(int*)param; int i = 0; char title[4] = { 0 }; while( i++ < 10 ) { memset( title, 0, sizeof(char) * 4 ); sprintf( title, "%d", i ); MessageBox( NULL, "thread output", title, MB_OK ); Sleep( time ); } _endthreadex( 0 ); return 0; }

 

測試代碼：

#include <stdio.h> #include <string.h> #include <Windows.h> #include <TlHelp32.h> void ImprovePermission() { HANDLE hToken = NULL; LUID luid = { 0 }; TOKEN_PRIVILEGES tp = { 0 }; if( !OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken) ) return; if( !LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid) ) { CloseHandle( hToken ); return; } tp.PrivilegeCount = 1; tp.Privileges[0].Luid = luid; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL); CloseHandle( hToken ); } HANDLE GetProcessHandleByName( char *lpszName ) { HANDLE hSnap = NULL; PROCESSENTRY32 pe = { sizeof(PROCESSENTRY32) }; if( NULL == lpszName ) return NULL; ImprovePermission(); hSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ); if( INVALID_HANDLE_VALUE == hSnap ) return NULL; if( !Process32First(hSnap, &pe) ) { CloseHandle( hSnap ); return NULL; } do { if( 0 == _stricmp(lpszName, pe.szExeFile) ) { CloseHandle( hSnap ); return OpenProcess( PROCESS_ALL_ACCESS, FALSE, pe.th32ProcessID ); } } while( Process32Next(hSnap, &pe) ); CloseHandle( hSnap ); return NULL; } int main( void ) { HANDLE hProcess = NULL; HANDLE hRemoteThread = NULL; int sz = 0; char *pszRemoteName = NULL; PTHREAD_START_ROUTINE pfnStartAddr = NULL; #if 0 char szDll[] = "C://bin//api_hook.dll"; char szExe[] = "explorer.exe"; #else char szDll[MAX_PATH] = { 0 }; char szExe[MAX_PATH] = { 0 }; printf( "input the dll path: " ); /*這裏必須是 dll 的全路徑*/ gets( szDll ); printf( "input the exe file: " ); /*這裏是一個運行中的進程名*/ gets( szExe ); #endif ImprovePermission(); hProcess = GetProcessHandleByName( szExe ); if( NULL == hProcess ) { printf( "GetProcessHandleByName failed !/n" ); return 1; } sz = (strlen(szDll) + 1) * sizeof(char); pszRemoteName = (char*)VirtualAllocEx( hProcess, 0, sz, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE ); if( NULL == pszRemoteName ) { printf( "VirtualAllocEx failed !/n" ); return 2; } if( !WriteProcessMemory(hProcess, pszRemoteName, (LPVOID)szDll, sz, NULL) ) { printf( "WriteProcessMemory failed !/n" ); return 3; } pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress( GetModuleHandleA("kernel32.dll"), "LoadLibraryA" ); hRemoteThread = CreateRemoteThread( hProcess, NULL, 0, pfnStartAddr, pszRemoteName, 0, NULL ); WaitForSingleObject( hRemoteThread, INFINITE ); VirtualFreeEx( hProcess, pszRemoteName, sz, 0 ); if( hRemoteThread ) CloseHandle( hRemoteThread ); return 0; }

 

測試效果：