// RemoteThread.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <Windows.h>
#include <string.h>
#include <stdio.h>
#include <iostream>
using namespace std;
#define DEF_BUF_SIZE 1024
//存储注入模块Dll的路径全名
char szDllPath[DEF_BUF_SIZE]={0};
//使用远程线程向指定ID的进程注入模块
BOOL InjectModuleToProcessByID(DWORD dwProcessID)
{
if(dwProcessID==0)
return FALSE;
//打开目标进程
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessID);
if(hProcess==NULL)
return FALSE;
//申请存放文件名的空间
UINT nLen=(UINT)strlen(szDllPath)+1;
LPVOID lpRemoteDllName=VirtualAllocEx(hProcess,NULL,nLen,MEM_COMMIT,PAGE_READWRITE);//在目标进程中分配内存空间
if(lpRemoteDllName==NULL)
{
printf("[ERROR]VirtualAllocEx(%d)\n",GetLastError());
return FALSE;
}
//把dll文件名写入申请空间
if(WriteProcessMemory(hProcess,lpRemoteDllName,szDllPath,nLen,NULL) == FALSE)
{
printf( "[ERROR]WriteProcessMemory(%d)\n", GetLastError() );
return FALSE;
}
//获取系统的动态链接库函数地址
HMODULE hModule = GetModuleHandle( L"kernel32" );//获取模块句柄
LPTHREAD_START_ROUTINE fnStartAddr = ( LPTHREAD_START_ROUTINE )GetProcAddress(hModule,"LoadLibraryA");//获取模块中函数的地址
if( (DWORD)fnStartAddr == 0 )
{
printf( "[ERROR]GetProcAddress(%d)\n",GetLastError() );
return FALSE;
}
//创建远程线程
HANDLE hRemoteThread = CreateRemoteThread( hProcess,NULL,0,fnStartAddr,lpRemoteDllName,0,NULL );//
if( hRemoteThread == NULL )
{
printf( "[ERROR]CreateRemoteThread(%d)\n",GetLastError() );
return FALSE;
}
CloseHandle( hRemoteThread );
CloseHandle( hModule );//???
书上的例子,为什么关闭时总是报错?
CloseHandle( hProcess );
return TRUE;
}
int _tmain(int argc, _TCHAR* argv[])
{
//取得当前工作目录路径
GetCurrentDirectoryA( DEF_BUF_SIZE,szDllPath );
//生成注入模块DLL的路径全名
strcat(szDllPath,"\\DLLSample.dll");
DWORD dwProcessID=0;
cout<<"请输入目标进程ID:"<<endl;
cin>>dwProcessID;
while ( dwProcessID > 0 )
{
BOOL bRet = InjectModuleToProcessByID( dwProcessID );
printf( bRet ? "注入成功!\n":"注入失败!\n" );
}
return 0;
}
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!