#include "stdafx.h"
#include <windows.h>
#include<tlhelp32.h>
#define szProcessName TEXT("BeInjectProcess.exe")
/* Function-pointer type with LoadLibraryA's signature (stdcall, one LPCSTR
 * argument, HMODULE result); the GetProcAddress result is cast to it. */
typedef HMODULE (_stdcall *PLPADLIBARY)(LPCSTR lpLibFileName);
/*
 * Program entry point.
 *
 * Walks the process snapshot for szProcessName, opens that process, allocates
 * a block inside it, writes the string "Dll.dll" there and starts a remote
 * thread whose start routine is this process's address of LoadLibraryA with
 * the written string as its argument. Returns 0 on the success path and -1
 * when one of the early checks fails.
 *
 * NOTE(review): the OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
 * CreateRemoteThread sequence below is the textbook remote-thread injection
 * chain; endpoint monitoring commonly alerts on exactly this API sequence
 * when the remote thread's start address resolves to LoadLibraryA/W.
 * Several return values are unchecked and no handle is ever closed -- see
 * the inline notes.
 */
int _tmain(int argc, _TCHAR* argv[])
{
// Create a remote thread inside the process to be injected.
HANDLE hProcessSnapShot= CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
// NOTE(review): CreateToolhelp32Snapshot reports failure with
// INVALID_HANDLE_VALUE, not NULL, so this test does not catch a failed snapshot.
if (!hProcessSnapShot)
{
printf("进程快照失败");
// Presumably keeps the console readable before exit -- not documented here.
Sleep(2000);
return -1;
}
// dwSize must be set before Process32First; the remaining fields start zeroed.
PROCESSENTRY32 ProcessEntry={sizeof(PROCESSENTRY32)};
// NOTE(review): return value unchecked; on failure the loop below compares a
// zeroed szExeFile.
Process32First(hProcessSnapShot,&ProcessEntry);
do
{
// wcscmp on szExeFile implies a UNICODE build (TCHAR == wchar_t).
if (!wcscmp(ProcessEntry.szExeFile,szProcessName))
{
break;
}
} while (Process32Next(hProcessSnapShot,&ProcessEntry));
// NOTE(review): if no entry matched, ProcessEntry still holds the last
// enumerated process and that PID is opened below. The snapshot handle is
// never closed (no CloseHandle on any path).
// PROCESS_ALL_ACCESS is broader than the rights the calls below require.
HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,0,ProcessEntry.th32ProcessID);
if (!hProcess)
{
printf("进程打开失败");
Sleep(2000);
return -1;
}
// The thread start routine is the address of LoadLibrary(A).
// NOTE(review): the address is resolved in this process and used in the
// target; presumably relies on Kernel32.dll being mapped at the same base in
// both (same bitness) -- nothing here verifies that.
HMODULE hModule=LoadLibrary(TEXT("Kernel32.dll"));
if (!hModule)
{
printf("模块句柄获取失败");
Sleep(2000);
return -1;
}
PLPADLIBARY LoadLibaryAddr;
LoadLibaryAddr=(PLPADLIBARY)GetProcAddress(hModule,"LoadLibraryA");
// dwErr is captured but never read.
DWORD dwErr=GetLastError();
if (!LoadLibaryAddr)
{
printf("LoadLibrary函数地址查找失败");
Sleep(2000);
return -1;
}
// Reserve a block in the target process to hold the DLL name.
// NOTE(review): 20 bytes with PAGE_EXECUTE_READWRITE for an 8-byte string
// that is only read; the result (NULL on failure) is not checked, so a
// failed allocation passes NULL on to WriteProcessMemory and the thread.
PVOID pAllocAddr= VirtualAllocEx(hProcess,0,20,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
// "Dll.dll" is 7 characters plus NUL: exactly fills the 8-byte array. It is
// a relative name, so the target's loader search order decides what is loaded.
char szModuleName[8]="Dll.dll";
// NOTE(review): return value unchecked; a short or failed write is not detected.
WriteProcessMemory(hProcess,pAllocAddr,szModuleName,8,0);
// The thread parameter is the remote address of the module-name string.
// NOTE(review): hThread is not checked for NULL before being waited on.
HANDLE hThread= CreateRemoteThread(hProcess,0,0,(LPTHREAD_START_ROUTINE)LoadLibaryAddr,pAllocAddr,0,0);
WaitForSingleObject(hThread,INFINITE);
DWORD dwThread=0;
// The exit code is LoadLibraryA's return value inside the target, truncated
// to 32 bits (an issue for a 64-bit target).
GetExitCodeThread(hThread,&dwThread);
// NOTE(review): this FreeLibrary runs in the injector's own process with a
// module handle that is only meaningful inside the target. It does not
// unload anything there, and if the value happens to equal a module base in
// this process it would decrement that unrelated module's reference count.
// bRet is never examined.
BOOL bRet= FreeLibrary((HMODULE)dwThread);
// hThread, hProcess and hProcessSnapShot are all leaked; pAllocAddr is never
// released in the target.
return 0;
}
远程创建线程实现DLL注入
转载自blog.csdn.net/qq_41490873/article/details/88565048