BOOL CGameMainDlg::InjectModuleToProcess(void)
{
//获取DLL路径
char szDllPath[1024] = {0};
GetCurrentDirectory(1024,szDllPath);
strcat(szDllPath,"\\GameDLL.dll");
MessageBox(szDllPath);
//获取窗口句柄
HWND hGame = ::FindWindow(NULL,"计算器");
if (hGame == NULL)
return FALSE;
//获取进程ID
DWORD dwProcessId;
GetWindowThreadProcessId(hGame,&dwProcessId);
if (dwProcessId == 0)
return FALSE;
//打开远程进程
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcessId);
if (hProcess == NULL)
return FALSE;
//申请空间
UINT nLen = (UINT)strlen(szDllPath)+1;
LPVOID lpRemoteDLLName = VirtualAllocEx(hProcess,NULL,nLen,MEM_COMMIT,PAGE_READWRITE);
if (lpRemoteDLLName == NULL)
return FALSE;
//把DLL名写入申请的内存空间
if (WriteProcessMemory(hProcess,lpRemoteDLLName,szDllPath,nLen,NULL) == 0 )
return FALSE;
//获取动态链接库函数地址
HMODULE hModule = GetModuleHandle ( "kernel32.dll" ) ;
LPTHREAD_START_ROUTINE fnStartAddr = ( LPTHREAD_START_ROUTINE )GetProcAddress(hModule,"LoadLibraryA") ;
if ( (DWORD)fnStartAddr == 0 )
return FALSE;
//创建远程线程
HANDLE hRemoteThread = CreateRemoteThread ( hProcess, NULL, 0,fnStartAddr, lpRemoteDLLName, 0, NULL ) ;
if ( hRemoteThread == NULL )
return FALSE;
return TRUE;
}
我看书上的这个,CTRL+F5就能注入,直接执行生成的文件就注入不了,高手指点条明路!
[课程]Linux pwn 探索篇!