/****************************************************************
前提:准备注入的dll存放在临时目录里面,命名为inject.dll
步骤一 去临时目录查看要注入的dll
步骤二 查找要注入的进程
步骤三 注入dll
***************************************************************/
#define _CRT_SECURE_NO_DEPRECATE
#include<windows.h>
#include <Tlhelp32.h>
#include <comdef.h>
#include <io.h>
#define DllPathSize 1024
int GetDllPath(char* DllPath);            /* fills DllPath (DllPathSize bytes) with <temp dir>inject.dll; 1 if that file exists, else 0 */
int FindTargetPid(const char* FileName);  /* sets the global targetid to the PID whose image name equals FileName; 1 if found, else 0 */
int InjectDll(int targetid,const char * DllPath); /* loads DllPath into process targetid via a remote LoadLibraryA thread; 1 on success, 0 on failure (parameter shadows the global below) */
int targetid = 0;                         /* PID found by FindTargetPid(); 0 means none yet / snapshot failed */
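/*
 * Entry point: resolve <temp dir>inject.dll, find the process named
 * "XXXX.exe" and load the DLL into it.
 *
 * Returns 0 only when all three steps succeeded and 1 otherwise, so a shell
 * or script can tell the outcome apart; InjectDll's result is no longer
 * ignored.
 */
int main()
{
    char DllPath[DllPathSize] = { 0 };

    // Step 1: the DLL to inject must exist as inject.dll in the temp directory.
    if (!GetDllPath(DllPath)) {
        return 1;
    }
    // Step 2: locate the target; FindTargetPid stores the PID in the global targetid.
    if (!FindTargetPid("XXXX.exe")) {
        return 1;
    }
    // Step 3: inject; InjectDll reports failure with 0.
    return InjectDll(targetid, DllPath) ? 0 : 1;
}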
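/*
 * Build the full path of the DLL to inject: <temp dir>inject.dll.
 *
 * DllPath must point to at least DllPathSize bytes; on success it holds the
 * NUL-terminated path. Returns 1 when the file exists, 0 when the temp
 * directory could not be resolved, the combined path would not fit, or the
 * file is missing. Failures are reported on stdout like the rest of the file.
 */
int GetDllPath(char *DllPath)
{
    // GetTempPathA returns 0 on failure, or the required size (terminator
    // included) when the buffer is too small; a successful copy is always
    // shorter than the buffer length passed in.
    DWORD tmpLen = GetTempPathA(DllPathSize - 1, DllPath);
    if (tmpLen == 0 || tmpLen >= (DWORD)(DllPathSize - 1)) {
        printf("GetTempPathA error\n");
        return 0;
    }

    // Bounded append instead of strcat: the temp path plus the file name,
    // terminator included, must still fit in the caller's DllPathSize buffer.
    static const char DllName[] = "inject.dll";
    if (tmpLen + sizeof DllName > DllPathSize) {
        printf("DllPath too long\n");
        return 0;
    }
    memcpy(DllPath + tmpLen, DllName, sizeof DllName);

    if (_access(DllPath, 0) == 0) {
        printf("DllPath: %s\n", DllPath);
        return 1;
    }
    printf("File do not exist\n");
    return 0;
}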
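/*
 * Look up the PID of the first running process whose image name equals
 * FileName (exact, case-sensitive comparison against the Toolhelp szExeFile).
 *
 * On a match stores the PID in the global targetid and returns 1. Returns 0
 * when the snapshot could not be taken (targetid is reset to 0) or when no
 * process matched (targetid is left untouched). The snapshot handle is
 * released on every path, including the not-found path.
 */
int FindTargetPid(const char *FileName)
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        printf("can not reateToolhelp32Snapshot \n");
        targetid = 0;
        return 0;
    }

    int found = 0;
    PROCESSENTRY32 pi = { 0 };
    pi.dwSize = sizeof pi;   // Toolhelp refuses the entry unless dwSize is set

    for (BOOL more = Process32First(hSnapshot, &pi); more; more = Process32Next(hSnapshot, &pi)) {
        // _bstr_t yields a char* view of szExeFile regardless of the TCHAR width
        _bstr_t ExeFile(pi.szExeFile);
        if (strcmp(ExeFile, FileName) == 0) {
            targetid = pi.th32ProcessID;
            printf("targetid: %d\n", targetid);
            found = 1;
            break;
        }
    }

    if (!found) {
        printf("don not find target pid\n");
    }
    CloseHandle(hSnapshot);   // one close for every path, no leak when not found
    return found;
}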
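/*
 * Load the DLL at DllPath into process targetid by writing the path into the
 * target's address space and starting a remote thread at kernel32!LoadLibraryA.
 *
 * This is the textbook OpenProcess / VirtualAllocEx / WriteProcessMemory /
 * CreateRemoteThread sequence; it is also exactly the call chain that
 * process-injection telemetry and EDR hooks record, so expect it to be logged
 * on any monitored host. It relies on kernel32.dll sharing its base address
 * with the target (same session and bitness) so the local LoadLibraryA
 * address is valid remotely.
 *
 * The targetid parameter shadows the file-level global of the same name.
 * Returns 1 once the remote thread has been created (the DLL's own load
 * result is not observed), 0 on any failure. Both handles are closed on every
 * path; the remote buffer is released on failure and intentionally left
 * mapped on success because LoadLibraryA in the target reads it.
 */
int InjectDll(int targetid, const char *DllPath)
{
    int rc = 0;
    LPVOID pRemoteBuf = NULL;
    HMODULE hMod = NULL;
    LPTHREAD_START_ROUTINE pThreadProc = NULL;
    HANDLE hThread = NULL;
    size_t pathBytes = 0;

    if (DllPath == NULL) {
        printf("DllPath error\n");
        return 0;
    }
    // Copy only the string plus its terminator: writing DllPathSize bytes
    // would read past the end of any argument shorter than that.
    pathBytes = strlen(DllPath) + 1;
    if (pathBytes > DllPathSize) {
        printf("DllPath too long\n");
        return 0;
    }

    HANDLE hDesProcess = OpenProcess(PROCESS_ALL_ACCESS, false, targetid);
    if (!hDesProcess) {
        printf("OpenProcess error\n");
        return 0;
    }

    pRemoteBuf = VirtualAllocEx(hDesProcess, NULL, DllPathSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (pRemoteBuf == NULL) {
        printf("VirtualAllocEx error\n");
        goto out_process;
    }
    if (!WriteProcessMemory(hDesProcess, pRemoteBuf, DllPath, pathBytes, NULL)) {
        printf("WriteProcessMemory error\n");
        goto out_buffer;
    }

    hMod = GetModuleHandleA("kernel32.dll");
    pThreadProc = hMod ? (LPTHREAD_START_ROUTINE)GetProcAddress(hMod, "LoadLibraryA") : NULL;
    if (pThreadProc == NULL) {
        printf("pThreadProc error\n");
        goto out_buffer;
    }

    hThread = CreateRemoteThread(hDesProcess, NULL, 0, pThreadProc, pRemoteBuf, 0, NULL);
    if (hThread == NULL) {
        printf("CreateRemoteThread error\n");
        goto out_buffer;
    }
    CloseHandle(hThread);   // drop our handle only; the remote thread keeps running
    rc = 1;
    goto out_process;       // buffer stays mapped: the remote thread reads it

out_buffer:
    VirtualFreeEx(hDesProcess, pRemoteBuf, 0, MEM_RELEASE);
out_process:
    CloseHandle(hDesProcess);
    return rc;
}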