关于dll远程注入的问题
// myexe.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <TLHELP32.H>
// Process-wide state shared by the helpers below (one declaration per line).
HANDLE FindHandle;   // only referenced by the disabled FindWindow path in main()
HANDLE CretHandle;   // only referenced by the disabled FindWindow path in main()
DWORD  thedid;       // PID of the last process GetProcessByName matched; stays 0 when nothing matched
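// Find process(es) by executable name and remember the PID in the global `thedid`.
//
// Walks a Toolhelp process snapshot; every entry whose szExeFile equals
// pExeName (case-insensitive, whole name) is printed and its PID stored in
// `thedid`. If several processes share the name, the LAST one enumerated wins.
//
// pExeName: NUL-terminated executable name such as "notepad.exe".
// Returns TRUE when at least one process matched (and `thedid` is set),
//         FALSE when the snapshot failed or nothing matched.
//         (The original returned TRUE whenever enumeration worked, even with
//         no match, leaving `thedid` at its previous value.)
//
// This file is built without UNICODE (narrow literals go straight to
// GetModuleHandle/FindWindow elsewhere in the file), so szExeFile is char[]:
// it is compared with lstrcmpiA and printed with %s. The original compared
// only the FIRST character of the two names and printed with %ls -- any
// process whose name started with the same byte (e.g. "nvcontainer.exe" for
// "notepad.exe") was a "match", which with SeDebugPrivilege enabled means
// injecting into the wrong, possibly privileged, process.
BOOL GetProcessByName (char* pExeName)
{
    if (pExeName == NULL || *pExeName == '\0')
        return FALSE;

    HANDLE hProcessSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
        return FALSE;

    PROCESSENTRY32 pe32 = {0};
    pe32.dwSize = sizeof(PROCESSENTRY32);

    BOOL bFound = FALSE;
    if (::Process32First(hProcessSnap, &pe32))
    {
        do
        {
            if (::lstrcmpiA(pe32.szExeFile, pExeName) == 0)
            {
                printf("进程名称:%s\n", pe32.szExeFile);
                printf("进程ID:%u\n\n", pe32.th32ProcessID);
                thedid = pe32.th32ProcessID;
                bFound = TRUE;
            }
        }
        while (::Process32Next(hProcessSnap, &pe32));
    }
    ::CloseHandle(hProcessSnap);
    return bFound;
}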
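// Enable (or disable) SeDebugPrivilege in this process' own token.
//
// With SeDebugPrivilege enabled, OpenProcess succeeds on processes of other
// users and on most system processes. The privilege exists only in the token
// of an elevated administrator, so for a standard user AdjustTokenPrivileges
// reports ERROR_NOT_ALL_ASSIGNED and this returns FALSE. It is NOT needed to
// inject into a process owned by the same user, so callers may carry on.
//
// bEnable: TRUE to enable the privilege, FALSE to disable it.
// Returns TRUE only when the privilege was actually adjusted.
//
// Fixes vs. the original: the return values of LookupPrivilegeValue and
// AdjustTokenPrivileges were ignored, so a failed lookup would have adjusted
// an uninitialised LUID; the comment also named the privilege wrongly
// ("SetDebugPrivilege" -- it is SeDebugPrivilege / SE_DEBUG_NAME).
BOOL EnableDebugPrivilege(BOOL bEnable)
{
    HANDLE hToken = NULL;
    // TOKEN_ADJUST_PRIVILEGES suffices because no PreviousState is requested.
    if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return FALSE;

    BOOL bOk = FALSE;
    TOKEN_PRIVILEGES tp = {0};
    if (::LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
    {
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;
        // AdjustTokenPrivileges returns TRUE even when the token does not hold
        // the privilege; only GetLastError() == ERROR_SUCCESS means it was set.
        if (::AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL))
            bOk = (::GetLastError() == ERROR_SUCCESS);
    }
    ::CloseHandle(hToken);
    return bOk;
}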
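// Upper bound on the wait for the remote LoadLibraryA to return.
static const DWORD kInjectTimeoutMs = 10000;

// TRUE when a module whose base name equals pszModuleName (case-insensitive)
// is already mapped in process dwProcessId. Returns FALSE when the module
// snapshot cannot be taken, so the caller simply proceeds with the injection.
// NOTE(review): a 64-bit injector inspecting a 32-bit (WOW64) target also needs
// TH32CS_SNAPMODULE32 to see that target's modules -- confirm if cross-bitness
// targets are ever passed in (the injection itself only works same-bitness).
static BOOL IsModuleLoaded(DWORD dwProcessId, const char* pszModuleName)
{
    HANDLE hModuleSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
    if (hModuleSnap == INVALID_HANDLE_VALUE)
        return FALSE;

    BOOL bFound = FALSE;
    MODULEENTRY32 me32 = {0};
    me32.dwSize = sizeof(MODULEENTRY32);
    if (::Module32First(hModuleSnap, &me32))
    {
        do
        {
            // szModule is the base name. The original compared the full
            // szExePath against the bare file name, so it never matched and
            // the "already loaded" guard was dead code.
            if (::lstrcmpiA(me32.szModule, pszModuleName) == 0)
            {
                bFound = TRUE;
                break;
            }
        }
        while (::Module32Next(hModuleSnap, &me32));
    }
    ::CloseHandle(hModuleSnap);
    return bFound;
}

// Load "mydll.dll" into process dwProcessId by running LoadLibraryA on a
// remote thread whose argument is the DLL path written into the target.
//
// What a user of this function must know:
//  * The DLL is resolved against THIS injector's current directory and the
//    target receives an absolute path. The original handed over the bare
//    name, which LoadLibraryA in the TARGET resolved against the target's own
//    search order (its exe directory, System32, its cwd, PATH) -- so a
//    different DLL, or none, could be loaded.
//  * Injector and target must have the same bitness: our LoadLibraryA address
//    is valid in the target only because kernel32 is mapped at the same base
//    in every process of one bitness.
//  * The wait is bounded by kInjectTimeoutMs so a DllMain that deadlocks on
//    the loader lock does not hang the injector; on timeout the remote buffer
//    is deliberately leaked because the remote thread may still read it.
//  * Opening a process of another user or a system process needs
//    SeDebugPrivilege (see EnableDebugPrivilege).
//
// dwProcessId: target PID; 0 (what `thedid` holds when GetProcessByName found
//              nothing) and our own PID are rejected.
// Returns TRUE only when the remote LoadLibraryA returned a non-NULL module;
//         FALSE when the module is already loaded, the DLL file is missing,
//         the target cannot be opened, or any step fails.
BOOL InjectModuleInto(DWORD dwProcessId)
{
    if (dwProcessId == 0 || ::GetCurrentProcessId() == dwProcessId)
        return FALSE;

    static const char kDllName[] = "mydll.dll";
    char szDllPath[MAX_PATH] = {0};
    DWORD cchPath = ::GetFullPathNameA(kDllName, MAX_PATH, szDllPath, NULL);
    if (cchPath == 0 || cchPath >= MAX_PATH)
        return FALSE;
    // Fail here with a clear cause instead of letting LoadLibraryA fail
    // silently inside the target.
    if (::GetFileAttributesA(szDllPath) == INVALID_FILE_ATTRIBUTES)
        return FALSE;

    // Loading a module twice only bumps its reference count.
    if (IsModuleLoaded(dwProcessId, kDllName))
        return FALSE;

    // The access rights CreateRemoteThread is documented to require, plus the
    // VM rights for VirtualAllocEx/WriteProcessMemory.
    HANDLE hProcess = ::OpenProcess(
        PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
        PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
        FALSE, dwProcessId);
    if (hProcess == NULL)
        return FALSE;

    BOOL   bOk           = FALSE;
    BOOL   bRemoteDone   = FALSE;   // remote thread finished -> buffer may be freed
    HANDLE hRemoteThread = NULL;
    const SIZE_T cbSize  = strlen(szDllPath) + 1;

    LPVOID lpRemoteDllName = ::VirtualAllocEx(hProcess, NULL, cbSize, MEM_COMMIT, PAGE_READWRITE);
    if (lpRemoteDllName != NULL)
    {
        SIZE_T cbWritten = 0;
        if (::WriteProcessMemory(hProcess, lpRemoteDllName, szDllPath, cbSize, &cbWritten) &&
            cbWritten == cbSize)
        {
            HMODULE hKernel32 = ::GetModuleHandleA("kernel32.dll");
            LPTHREAD_START_ROUTINE pfnStartRoutine = (hKernel32 != NULL)
                ? (LPTHREAD_START_ROUTINE)::GetProcAddress(hKernel32, "LoadLibraryA")
                : NULL;
            if (pfnStartRoutine != NULL)
                hRemoteThread = ::CreateRemoteThread(hProcess, NULL, 0, pfnStartRoutine,
                                                     lpRemoteDllName, 0, NULL);
        }
        else
        {
            // The original passed "text" as the message and "写入失败" as the
            // caption (arguments swapped); the failure is now also fatal
            // instead of falling through to CreateRemoteThread.
            ::MessageBoxA(NULL, "写入失败", NULL, MB_OK | MB_ICONERROR);
        }
    }

    if (hRemoteThread != NULL)
    {
        DWORD dwWait = ::WaitForSingleObject(hRemoteThread, kInjectTimeoutMs);
        if (dwWait == WAIT_OBJECT_0)
        {
            bRemoteDone = TRUE;
            // The thread's exit code is LoadLibraryA's return value (its low
            // 32 bits on x64); 0 means the target failed to load the DLL.
            DWORD dwExitCode = 0;
            bOk = ::GetExitCodeThread(hRemoteThread, &dwExitCode) && dwExitCode != 0;
        }
        ::CloseHandle(hRemoteThread);
    }

    // Release the remote buffer unless a thread may still be using it.
    if (lpRemoteDllName != NULL && (hRemoteThread == NULL || bRemoteDone))
        ::VirtualFreeEx(hProcess, lpRemoteDllName, 0, MEM_RELEASE);
    ::CloseHandle(hProcess);
    return bOk;
}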
/*
NOTE (review): earlier draft kept for reference only -- it cannot work as
written: GetProcAddress is asked for "LoadLibaryA" (typo) and returns NULL;
CreateRemoteThread is given the injector-local pszDllName instead of the
remote buffer lpbuf1; and OpenProcess/CreateRemoteThread report failure with
NULL, not INVALID_HANDLE_VALUE. Superseded by InjectModuleInto above.
BOOL InjectDllFunc(DWORD threadID)
{
HANDLE hExplorerProcess=OpenProcess(PROCESS_CREATE_THREAD|
PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,threadID);
if (hExplorerProcess==INVALID_HANDLE_VALUE)
return (FALSE);
char pszDllName[13]="test_dll.dll";
DWORD nSize=lstrlenA(pszDllName)+1;
LPVOID lpbuf1=VirtualAllocEx(hExplorerProcess,NULL,nSize,MEM_COMMIT,PAGE_READWRITE);
DWORD ActualSize;
HMODULE hmodule=::GetModuleHandle("Kernel32.dll");
LPTHREAD_START_ROUTINE pfnStartRoutine=(LPTHREAD_START_ROUTINE)GetProcAddress(hmodule,"LoadLibaryA");
WriteProcessMemory(hExplorerProcess,lpbuf1,(LPVOID)pszDllName,nSize,&ActualSize);
HANDLE hThread=CreateRemoteThread(hExplorerProcess,
NULL,0,(LPTHREAD_START_ROUTINE)pfnStartRoutine,
(LPVOID)pszDllName,0,NULL);
if (hThread == INVALID_HANDLE_VALUE)
return (FALSE);
return true;
}
*/
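// Entry point: locate notepad.exe, try to enable SeDebugPrivilege, and inject
// mydll.dll into the PID that GetProcessByName left in `thedid`.
//
// Returns 0 on successful injection, 1 when no target was found or the
// injection failed. Command-line arguments are not used.
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    // Target is fixed to notepad.exe. (The commented-out byte array was an
    // attempt to hide the string from static scanners; kept for reference.)
    char name[] = "notepad.exe";
    //char name[30]={0x6e,0x6f,0x74,0x65,0x70,0x61,0x64,0x2e,0x65,0x78,0x65,0x00};

    // `thedid` is only written on a match, so 0 afterwards means "not found";
    // the original injected into PID 0 in that case.
    thedid = 0;
    GetProcessByName(name);
    if (thedid == 0)
    {
        printf("未找到进程 %s\n", name);
        return 1;
    }

    // SeDebugPrivilege is only needed for other users' / system processes;
    // a standard user can still inject into its own notepad, so keep going.
    if (!EnableDebugPrivilege(TRUE))
        printf("警告: 无法启用 SeDebugPrivilege (未以管理员身份运行?)\n");

    if (!InjectModuleInto(thedid))
    {
        printf("注入进程 %u 失败\n", thedid);
        return 1;
    }
    printf("注入进程 %u 成功\n", thedid);

    // The earlier FindWindow-based attempt (see the globals FindHandle /
    // CretHandle) was dropped: it passed an HWND where CreateRemoteThread
    // needs a process handle, and never finished the OpenProcess call.
    return 0;
}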
[解决办法]
这是我以前写的第一个 DLL 注入程序，你看看吧。我承认 DllInster 这个名字写错了，当时想取名 DllInsert，写完才发现，不过不影响程序运行。注意：下面的代码把 DLL 路径硬编码为 c:\DllInster.dll，目标固定为 notepad.exe，并且按 ANSI（非 UNICODE）方式构建。
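// Button handler: find the first notepad.exe and inject c:\DllInster.dll into
// it with CreateRemoteThread(LoadLibraryA).
//
// Assumes a non-UNICODE build (szExeFile is compared with stricmp and an ANSI
// path is handed to LoadLibraryA) and that this tool and the target have the
// same bitness (kernel32 shares its base address only within one bitness).
//
// Fixes vs. the original:
//  * a failed WriteProcessMemory fell through to CreateRemoteThread with an
//    unwritten buffer -- it is now an error;
//  * `(LPTHREAD_START_ROUTINE)LoadLibrary` resolves to LoadLibraryW in a
//    UNICODE build and may be a local import thunk; the address is now taken
//    from kernel32 with GetProcAddress("LoadLibraryA");
//  * "DLL注入成功" was reported even when LoadLibrary returned NULL in the
//    target (e.g. no file at c:\DllInster.dll) -- the thread exit code is
//    checked now;
//  * WriteProcessMemory's out-parameter is SIZE_T*, not DWORD* (x64 build);
//  * CloseHandle(NULL) after a failed OpenProcess, the unchecked snapshot,
//    the leaked thread handle and the INFINITE wait on the UI thread are gone;
//    remote memory is released with MEM_RELEASE / size 0.
void CDllInjectToolDlg::OnBtnLoaddll()
{
    // TODO: Add your control notification handler code here
    static const char kDllPath[] = "c:\\DllInster.dll";
    const SIZE_T cbPath = strlen(kDllPath) + 1;

    // --- locate the first notepad.exe ---------------------------------
    HANDLE hSnpshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnpshot == INVALID_HANDLE_VALUE)
    {
        MessageBox("创建进程快照失败!...", "提示");
        return;
    }
    DWORD dwNotepad = 0;
    PROCESSENTRY32 pe32 = {0};
    pe32.dwSize = sizeof(PROCESSENTRY32);
    for (BOOL bMore = Process32First(hSnpshot, &pe32); bMore; bMore = Process32Next(hSnpshot, &pe32))
    {
        if (0 == stricmp("notepad.exe", pe32.szExeFile))
        {
            dwNotepad = pe32.th32ProcessID;   // first match only, as before
            break;
        }
    }
    CloseHandle(hSnpshot);
    if (dwNotepad == 0)
    {
        MessageBox("没有发现记事本程序进程", "提示");
        return;
    }

    // --- open it with the rights CreateRemoteThread is documented to need --
    HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                                  PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                                  FALSE, dwNotepad);
    if (!hProcess)
    {
        MessageBox("打开进程失败!...", "提示");
        return;
    }

    // --- write the DLL path into the target -----------------------------
    LPVOID lpBaseAddr = VirtualAllocEx(hProcess, NULL, cbPath, MEM_COMMIT, PAGE_READWRITE);
    if (NULL == lpBaseAddr)
    {
        MessageBox("申请内存空间失败!...", "提示");
        CloseHandle(hProcess);
        return;
    }
    SIZE_T cbWritten = 0;
    if (!WriteProcessMemory(hProcess, lpBaseAddr, kDllPath, cbPath, &cbWritten) || cbWritten != cbPath)
    {
        MessageBox("写入内存失败!...", "提示");
        VirtualFreeEx(hProcess, lpBaseAddr, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return;
    }

    // --- run LoadLibraryA(path) on a remote thread -----------------------
    HMODULE hKernel32 = GetModuleHandleA("kernel32.dll");
    LPTHREAD_START_ROUTINE pfnLoadLibraryA = (hKernel32 != NULL)
        ? (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryA")
        : NULL;
    HANDLE hThread = (pfnLoadLibraryA != NULL)
        ? CreateRemoteThread(hProcess, NULL, 0, pfnLoadLibraryA, lpBaseAddr, 0, NULL)
        : NULL;
    if (NULL == hThread)
    {
        MessageBox("创建远程线程失败!...", "提示");
        VirtualFreeEx(hProcess, lpBaseAddr, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return;
    }

    // Bounded wait: a DllMain blocking on the loader lock would otherwise
    // freeze this UI thread forever. On timeout the remote thread may still
    // read the buffer, so it is deliberately not freed in that case.
    DWORD dwWait = WaitForSingleObject(hThread, 10000);
    BOOL bLoaded = FALSE;
    if (dwWait == WAIT_OBJECT_0)
    {
        // Exit code = LoadLibraryA's return (low 32 bits on x64); 0 = failed.
        DWORD dwExitCode = 0;
        bLoaded = GetExitCodeThread(hThread, &dwExitCode) && dwExitCode != 0;
        VirtualFreeEx(hProcess, lpBaseAddr, 0, MEM_RELEASE);
    }
    CloseHandle(hThread);
    CloseHandle(hProcess);

    if (bLoaded)
        MessageBox("DLL注入成功!....", "提示");
    else if (dwWait == WAIT_OBJECT_0)
        MessageBox("目标进程中 LoadLibrary 失败 (DLL 不存在或加载出错)!...", "提示");
    else
        MessageBox("等待远程线程超时!...", "提示");
}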