// CPicture::InjectDll - loads the DLL at pDllName into the process identified by nPid.
// Flow (all visible below): open the process, allocate one 4 KiB remote buffer, write the
// DLL path at its start, write a LoadLibrary64 stub at +800 bytes, run the stub on a remote
// thread, then read the module handle the stub leaves at +2048 bytes back into m_hModule
// and report it via Printf.
//
// Parameters:
//   pDllName - NUL-terminated wide path of the DLL; copied into the remote buffer as-is.
//   nPid     - target process id, opened with PROCESS_ALL_ACCESS.
// Returns TRUE only when every step succeeded and the remote thread did not exit with -1;
// FALSE otherwise (each failure path prints a message before breaking out of the do/while).
//
// NOTE(review): the path is written at offset 0 with no length check, while the stub sits at
// +800 bytes, so a path longer than 399 WCHARs overwrites the stub region. The layout also
// assumes sizeof(LoadLibrary64) fits in the 1248 bytes between +800 and +2048 - confirm against
// the LoadLibrary64 definition. For defenders: this is the classic OpenProcess ->
// VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory -> CreateRemoteThread sequence.
BOOL CPicture::InjectDll(WCHAR *pDllName, DWORD nPid)
{
BOOL bRet = FALSE;
// Privilege adjustment via project helper (original comment labels it "elevate privileges");
// bail out early if it fails.
if (!AdJustPr()) return bRet;
// Open the target process
HANDLE hProcess = nullptr, hThread = nullptr;
// pAddress: base of the remote buffer; pStartAddress: where the stub is written and executed;
// pSaveAddress: slot the stub writes the module handle to; pLoadAddress: local LoadLibraryW.
PVOID pAddress = nullptr, pStartAddress = nullptr, pSaveAddress = nullptr, pLoadAddress = nullptr;
CString strCode;
CHAR cBuf[64] = { 0 };
// do { ... } while (false) is used as a single-exit error ladder; cleanup happens after it.
do
{
hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, false, nPid);
if (!hProcess)
{
Printf("打开进程失败,请确认是否是管理员权限运行!!!");
break;
}
// One 4096-byte RWX region in the target; both the path and the stub live here.
pAddress = ::VirtualAllocEx(hProcess, NULL, 1024 * 4, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (!pAddress)
{
Printf("远程申请内存失败!");
break;
}
// Execution address: 200 DWORDs = +800 bytes into the buffer
pStartAddress = (DWORD *)pAddress + 200;
// Result slot: 512 DWORDs = +2048 bytes into the buffer
pSaveAddress = (DWORD*)pAddress + 512;
// Write the DLL path (including its terminating NUL) at the start of the buffer.
// NOTE(review): no check that sizeof(WCHAR) * (wcslen + 1) <= 800, see header comment.
if (!WriteProcessMemory(hProcess, pAddress, pDllName, sizeof(WCHAR)* (wcslen(pDllName) + 1), 0))
{
Printf("写入内存失败!!!!");
break;
}
// Resolve LoadLibraryW locally; the value is passed to the stub unchanged.
// NOTE(review): GetProcAddress's result is not checked for NULL before use.
pLoadAddress = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"Kernel32"), "LoadLibraryW");
// Build the stub image with the remote addresses baked in (LoadLibrary64 is a project type).
LoadLibrary64 Code(pStartAddress, pAddress, pLoadAddress,pSaveAddress);
// Copy the stub bytes to the execution address
if (!WriteProcessMemory(hProcess, pStartAddress, &Code, sizeof(LoadLibrary64), NULL))
{
Printf("写入内存失败!!!!");
break;
}
hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pStartAddress, NULL, 0, NULL);
if (!hThread)
{
Printf("执行失败!!!!");
break;
}
// Block until the stub finishes; no timeout.
WaitForSingleObject(hThread, INFINITE);
DWORD dwCode;
// NOTE(review): return value unchecked - dwCode stays uninitialized if this call fails.
GetExitCodeThread(hThread, &dwCode);
// Read the module handle the stub stored in the result slot.
// NOTE(review): reads sizeof(INT64) bytes into m_hModule - assumes m_hModule is an 8-byte field; confirm.
if (!ReadProcessMemory(hProcess, pSaveAddress, &m_hModule, sizeof(INT64), NULL))
{
Printf("读取模块句柄失败");
break;
}
// The stub signals failure with an exit code of -1 (compared as 0xFFFFFFFF since dwCode is DWORD).
if (dwCode == -1)
{
Printf("注入失败......");
break;
}
// Format the handle as hex for the success message.
_i64toa_s(m_hModule, cBuf, 64, 16);
strCode=L"注入成功:模块句柄为:";
strCode += cBuf;
Printf(strCode);
bRet = TRUE;
} while (false);
// Cleanup. NOTE(review): VirtualFreeEx with MEM_RELEASE requires dwSize == 0; passing 1024 * 4
// makes the call fail, so the remote allocation is left in place.
if (pAddress)
::VirtualFreeEx(hProcess, pAddress, 1024 * 4, MEM_RELEASE);
if (hProcess)
CloseHandle(hProcess);
if (hThread)
CloseHandle(hThread);
return bRet;
}