STARTUPINFOW si = { 0 };
 PROCESS_INFORMATION pi = { 0 };
 si.cb = sizeof(STARTUPINFOW);
 
::CreateProcessW(pProcessPath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
 CONTEXT ct = { 0 };
 ct.ContextFlags = CONTEXT_ALL;
 GetThreadContext(pi.hThread, &ct);
 DWORD dwSize = sizeof(WCHAR) * 1024;
 BYTE *pProcessMem = (BYTE *)::VirtualAllocEx(pi.hProcess, NULL, dwSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 
 DWORD dwWrited = 0;
 ::WriteProcessMemory(pi.hProcess, (pProcessMem + 0x100), pDllPath, (wcslen(pDllPath) + 1) * sizeof(WCHAR), &dwWrited);
 
 FARPROC pLoadLibraryW = (FARPROC)::GetProcAddress(::GetModuleHandle(L"Kernel32"), "LoadLibraryW");

 BYTE ShellCode[32] = { 0 };
 DWORD *pdwAddr = NULL;
 
 ShellCode[0] = 0x60; // pushad
 ShellCode[1] = 0x9c; // pushfd
 ShellCode[2] = 0x68; // push
 pdwAddr = (DWORD *)&ShellCode[3]; // ShellCode[3/4/5/6]
 *pdwAddr = (DWORD)(pProcessMem + 0x100);
 ShellCode[7] = 0xe8;
 pdwAddr = (DWORD *)&ShellCode[8]; // ShellCode[8/9/10/11]
 *pdwAddr = (DWORD)pLoadLibraryW - (DWORD)(pProcessMem + 7) - 5;
 ShellCode[12] = 0x9d; // popfd
 ShellCode[13] = 0x61; // popad
 ShellCode[14] = 0xe9; // jmp
 
 pdwAddr = (DWORD *)&ShellCode[15]; // ShellCode[15/16/17/18]
 *pdwAddr = ct.Eip - (DWORD)(pProcessMem + 14) - 5;
 ::WriteProcessMemory(pi.hProcess, pProcessMem, ShellCode, sizeof(ShellCode), &dwWrited);
 ct.Eip = (DWORD)pProcessMem;
 ::SetThreadContext(pi.hThread, &ct);
 
 ::ResumeThread(pi.hThread);
 ::CloseHandle(pi.hProcess);
 ::CloseHandle(pi.hThread);    

用OD调试 shellcode已经写进去了 但是好像没有执行 (就在shellcode下断 没有断下来 被注入的程序就直接跑起来了)

前段时间还好用 奇怪 哪位大侠指点下 谢谢                  

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课