本文介绍: 【代码】DLL注入技术 —— 一是 CreateRemoteThread + LoadLibraryW 的远程线程注入, 二是 SetWindowsHookEx 全局钩子注入。注意: 这两种手法同样是恶意软件的常见行为, 多数杀软/EDR 会拦截或告警 (RWX 内存、远程线程、跨进程写内存都是典型特征), 仅应在自己拥有的测试环境中使用; 注入程序与目标进程的位数 (x86/x64) 必须一致, 且对目标进程需有足够的访问权限 (受保护进程无法注入)。
- 注入程序
#include <Windows.h>
#include <iostream>
#include <Tlhelp32.h>
#include <stdio.h>
#include <tchar.h>
#include <iostream>
using namespace std;
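// Find a running process by executable name and copy its snapshot entry into
// *info.  The comparison is case-insensitive (Win32 image names are), which is
// also what the hook DLL's GetFirstModuleName does.
// Returns TRUE on a match; FALSE when no such process exists or the snapshot
// could not be taken.  On FALSE the contents of *info are unspecified.
BOOL getProcess32Info(PROCESSENTRY32 *info, const TCHAR processName[])
{
    HANDLE hSnapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }
    info->dwSize = sizeof(PROCESSENTRY32);

    BOOL found = FALSE;
    // Walk every entry including the first one: the original called
    // Process32First and then only looked at Process32Next results, so
    // entry #0 was never compared.
    for (BOOL ok = Process32First(hSnapshot, info); ok; ok = Process32Next(hSnapshot, info))
    {
        if (_tcsicmp(processName, info->szExeFile) == 0)
        {
            found = TRUE;
            break;
        }
    }
    // The snapshot is a kernel handle; it leaked on every path before.  The
    // original also fell off the end without a return value when nothing
    // matched, which is undefined behaviour.
    CloseHandle(hSnapshot);
    return found;
}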
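// Run kernel32!LoadLibraryW(remotePath) on a new thread inside hProc and wait
// for it to finish.  Returns 0 on success or one of the negative codes listed
// on InjectDll.
static int runRemoteLoadLibrary(HANDLE hProc, LPVOID remotePath)
{
    // This address is only valid in the target if kernel32.dll is mapped at
    // the same base there, i.e. same bitness (ASLR randomises system DLLs
    // once per boot, not per process) — TODO confirm for your target.
    FARPROC pLoadLibraryW = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "LoadLibraryW");
    if (pLoadLibraryW == NULL)
    {
        return -4;
    }
    HANDLE hThread = CreateRemoteThread(hProc, NULL, 0,
                                        reinterpret_cast<LPTHREAD_START_ROUTINE>(pLoadLibraryW),
                                        remotePath, 0, NULL);
    if (hThread == NULL)
    {
        return -5;
    }
    // Wait so the path buffer can be released safely afterwards and so the
    // load result can be reported.  The exit code is the low 32 bits of the
    // HMODULE LoadLibraryW returned; zero (almost always) means it failed.
    WaitForSingleObject(hThread, INFINITE);
    DWORD exitCode = 0;
    const BOOL loaded = GetExitCodeThread(hThread, &exitCode) && exitCode != 0;
    CloseHandle(hThread);
    return loaded ? 0 : -6;
}

// Inject the DLL at DllFullPath into process `pid`: write the path into the
// target's address space and start a remote thread at LoadLibraryW with it.
// Returns 0 on success, or a negative code on failure:
//   -1 OpenProcess failed (insufficient rights, protected process, ...)
//   -2 VirtualAllocEx failed
//   -3 WriteProcessMemory failed
//   -4 LoadLibraryW could not be resolved
//   -5 CreateRemoteThread failed
//   -6 LoadLibraryW returned NULL in the target (DLL not found, wrong
//      bitness, or its DllMain returned FALSE)
// DllFullPath should be absolute; it is resolved by the target process.
int InjectDll(const wchar_t *DllFullPath, const DWORD pid)
{
    // Least privilege: these are the only rights the steps below need.
    // PROCESS_ALL_ACCESS is refused by more targets and buys nothing here.
    const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                         PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE hProc = OpenProcess(access, FALSE, pid);
    if (hProc == NULL)
    {
        return -1;
    }

    int result;
    const SIZE_T pathSize = (wcslen(DllFullPath) + 1) * sizeof(wchar_t);
    // The buffer only ever holds a string that LoadLibraryW reads, so it does
    // not need execute permission; an RWX allocation in a foreign process is
    // also one of the loudest EDR signals there is.
    LPVOID remotePath = VirtualAllocEx(hProc, NULL, pathSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (remotePath == NULL)
    {
        result = -2;
    }
    else
    {
        result = WriteProcessMemory(hProc, remotePath, DllFullPath, pathSize, NULL)
                     ? runRemoteLoadLibrary(hProc, remotePath)
                     : -3;
        // Release the remote buffer on every path; it leaked before.
        VirtualFreeEx(hProc, remotePath, 0, MEM_RELEASE);
    }
    // The process handle also leaked on every path before.
    CloseHandle(hProc);
    return result;
}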
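// Demo driver: launch a fresh notepad.exe, find it by name and inject the DLL.
// Exit code 0 on success, 1 if notepad.exe was not found, 2 if the injection
// itself failed.
int main()
{
    // Path literals need "\\": the original rendered single backslashes,
    // which are invalid C++ escapes ("\s" is dropped, "\n" becomes a newline).
    system("start %windir%\\system32\\notepad.exe");

    // `start` returns before notepad exists, so a single snapshot races with
    // process creation; poll for a short while.  If another notepad.exe is
    // already running the first match wins — TODO confirm that is acceptable,
    // otherwise use CreateProcess and take the PID from PROCESS_INFORMATION.
    PROCESSENTRY32 info = {};
    BOOL found = FALSE;
    for (int attempt = 0; attempt < 50 && !found; ++attempt)
    {
        found = getProcess32Info(&info, L"notepad.exe");
        if (!found)
        {
            Sleep(100);
        }
    }
    if (!found)
    {
        cout << "查找失败" << endl;
        return 1;
    }

    // Negative codes are InjectDll's failure codes; report instead of ignoring.
    const int rc = InjectDll(L"E:\\GlobalHook_Test.dll", info.th32ProcessID);
    if (rc < 0)
    {
        cout << "注入失败, 错误码: " << rc << endl;
        return 2;
    }
    return 0;
}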
- 钩子
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include "stdlib.h"
#include <iostream>
using namespace std;
// DLL entry point.  The only thing this demo DLL does is announce itself the
// first time it is mapped into a process (DLL_PROCESS_ATTACH); thread
// attach/detach and process detach are ignored.  Always reports success.
// NOTE(review): MessageBox from DllMain runs under the loader lock; it works
// for a demo, but the documented guidance is to do such work from a thread
// started after attach, since a message box pumps messages and can trigger
// further DLL loads.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        HWND hOwner = GetActiveWindow();
        MessageBox(hOwner, L"DLL已进入目标进程。", L"信息", MB_ICONINFORMATION);
    }
    return TRUE;
}
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include <Windows.h>
#include <TlHelp32.h>
#include <tchar.h>
#include "stdlib.h"
#include <string.h>
#include <iostream>
using namespace std;
// Handle of the WH_CBT hook installed by SetHook; NULL (globals are
// zero-initialised) while no hook is installed.  DLL globals are per-process,
// so only the process that called SetHook ever holds a non-NULL value here;
// the copies mapped into hooked processes stay NULL.
HHOOK global_Hook;
//判断是否是需要注入的进程
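// Return TRUE if the first module of process Pid — its main executable, which
// Module32First lists first — is named ExeName (case-insensitive).  FALSE on
// any failure.  Note that this identifies the *host* process the DLL was
// mapped into, not that process's parent.
BOOL GetFirstModuleName(DWORD Pid, LPCTSTR ExeName)
{
    // TH32CS_SNAPMODULE is documented to fail transiently with
    // ERROR_BAD_LENGTH and should simply be retried.
    HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
    for (int attempt = 0; attempt < 5; ++attempt)
    {
        hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, Pid);
        if (hModuleSnap != INVALID_HANDLE_VALUE || GetLastError() != ERROR_BAD_LENGTH)
        {
            break;
        }
    }
    if (hModuleSnap == INVALID_HANDLE_VALUE)
    {
        // Nothing to close here: the original called CloseHandle on
        // INVALID_HANDLE_VALUE, which is an error (and traps under a debugger).
        return FALSE;
    }

    MODULEENTRY32 me32 = { 0 };
    me32.dwSize = sizeof(MODULEENTRY32);
    // Check Module32First's result instead of comparing against whatever is
    // left in szModule when it fails.
    const BOOL match = Module32First(hModuleSnap, &me32) &&
                       _tcsicmp(ExeName, me32.szModule) == 0;
    CloseHandle(hModuleSnap);
    return match;
}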
//获取自身DLL名称 (注意: 是这个 DLL 自己的文件名, 而不是宿主 EXE 的名称)
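// Return the file name (no directory) of the DLL this code lives in, e.g.
// "GlobalHook_Test.dll", or "" if the module path cannot be resolved.
// The result points into a function-local static buffer: it is overwritten by
// the next call and is not thread-safe, but it no longer dangles.  The
// original returned a pointer to a stack array, asked for the host .exe's
// path instead of the DLL's, and compared an array pointer with a string
// literal, so it never produced a usable name.
char* GetMyDllName()
{
    static char szDllName[MAX_PATH];
    szDllName[0] = '\0';

    // GetModuleFileNameA(NULL, ...) names the host executable; resolve the
    // module that contains this very function instead.
    HMODULE hSelf = NULL;
    if (!GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS | GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
                            reinterpret_cast<LPCSTR>(&GetMyDllName), &hSelf))
    {
        return szDllName;
    }

    char szFullPath[MAX_PATH];
    const DWORD len = GetModuleFileNameA(hSelf, szFullPath, MAX_PATH);
    if (len == 0 || len >= MAX_PATH)    // 0: failure; MAX_PATH: truncated
    {
        return szDllName;
    }

    // Keep everything after the last path separator.
    const char* pBase = strrchr(szFullPath, '\\');
    pBase = (pBase != NULL) ? pBase + 1 : szFullPath;
    const size_t nameLen = strlen(pBase);   // < MAX_PATH, so it fits with its NUL
    memcpy(szDllName, pBase, nameLen + 1);
    return szDllName;
}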
//设置全局消息回调函数
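// WH_CBT hook procedure.  It runs on the thread that generated the CBT event,
// inside whichever process that thread belongs to, which is how the DLL ends
// up mapped everywhere.  Always forwards to the next hook in the chain.
LRESULT CALLBACK MyProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    // SetWindowsHookEx contract: a negative code must be passed on untouched.
    if (nCode < 0)
    {
        return CallNextHookEx(global_Hook, nCode, wParam, lParam);
    }

    // MessageBox creates and activates a window, which raises CBT events on
    // this same thread and re-enters this procedure; without a guard the demo
    // keeps spawning nested message boxes.
    static thread_local bool inMessageBox = false;
    if (!inMessageBox)
    {
        inMessageBox = true;
        MessageBoxA(0, "wa haha", 0, 0);
        inMessageBox = false;
    }
    return CallNextHookEx(global_Hook, nCode, wParam, lParam);
}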
//安装全局钩子。注意: SetWindowsHookEx 的 hMod 参数必须是包含钩子过程 (MyProc) 的那个模块, dwThreadId 为 0 时系统正是靠它把该 DLL 映射到其它进程; 因此这里不能换成其它 DLL 的句柄来"注入任意 DLL"
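// Install a system-wide WH_CBT hook whose procedure is MyProc.  Every GUI
// thread on the desktop then maps this DLL, which is the injection.
// hMod must be the module that *contains* MyProc (required for hooks with
// dwThreadId == 0), so it is resolved from MyProc's own address rather than
// by file name.  A second call while a hook is installed is a no-op.
// Failure is reported to the debugger output; the hook is not installed.
extern "C" __declspec(dllexport) void SetHook()
{
    if (global_Hook != NULL)
    {
        return;     // already installed; do not orphan the first hook handle
    }

    HMODULE hSelf = NULL;
    if (!GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS | GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
                            reinterpret_cast<LPCSTR>(&MyProc), &hSelf))
    {
        OutputDebugStringA("SetHook: GetModuleHandleExA failed\n");
        return;
    }

    global_Hook = SetWindowsHookEx(WH_CBT, MyProc, hSelf, 0);
    if (global_Hook == NULL)
    {
        // The return value was ignored before, so a failed install (typically
        // a 32/64-bit mismatch or missing rights) went unnoticed.
        const DWORD err = GetLastError();
        char msg[96];
        wsprintfA(msg, "SetHook: SetWindowsHookEx failed, error %lu\n", err);
        OutputDebugStringA(msg);
    }
}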
//卸载全局钩子
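// Remove the global hook installed by SetHook.  Safe to call when no hook is
// installed.  The handle is cleared even if UnhookWindowsHookEx fails, so a
// stale value is never reused; the original left it set, which made the
// hook look installed forever.
extern "C" __declspec(dllexport) void UnHook()
{
    if (global_Hook == NULL)
    {
        return;
    }
    if (!UnhookWindowsHookEx(global_Hook))
    {
        OutputDebugStringA("UnHook: UnhookWindowsHookEx failed\n");
    }
    global_Hook = NULL;
}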
// DLL entry point for the hook DLL.  On the first load into a process it
// checks whether the *host* executable (the first module of the current
// process) is InjectDll.exe and, if so, says so; every other notification is
// ignored.  Always reports success.
// NOTE(review): MessageBox under the loader lock is unsafe outside a demo.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    if (ul_reason_for_call != DLL_PROCESS_ATTACH)
    {
        return TRUE;
    }
    // This is the process the DLL was mapped into, not its parent process.
    if (GetFirstModuleName(GetCurrentProcessId(), TEXT("InjectDll.exe")))
    {
        MessageBoxA(0, "InjectDll", 0, 0);
    }
    return TRUE;
}
#include <Windows.h>
#include <iostream>
#include <Tlhelp32.h>
#include <stdio.h>
#include <tchar.h>
#include <iostream>
using namespace std;
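// Find a running process by executable name and copy its snapshot entry into
// *info.  The comparison is case-insensitive (Win32 image names are), which is
// also what the hook DLL's GetFirstModuleName does.
// Returns TRUE on a match; FALSE when no such process exists or the snapshot
// could not be taken.  On FALSE the contents of *info are unspecified.
BOOL getProcess32Info(PROCESSENTRY32 *info, const TCHAR processName[])
{
    HANDLE hSnapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }
    info->dwSize = sizeof(PROCESSENTRY32);

    BOOL found = FALSE;
    // Walk every entry including the first one: the original called
    // Process32First and then only looked at Process32Next results, so
    // entry #0 was never compared.
    for (BOOL ok = Process32First(hSnapshot, info); ok; ok = Process32Next(hSnapshot, info))
    {
        if (_tcsicmp(processName, info->szExeFile) == 0)
        {
            found = TRUE;
            break;
        }
    }
    // The snapshot is a kernel handle; it leaked on every path before.  The
    // original also fell off the end without a return value when nothing
    // matched, which is undefined behaviour.
    CloseHandle(hSnapshot);
    return found;
}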
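// Run kernel32!LoadLibraryW(remotePath) on a new thread inside hProc and wait
// for it to finish.  Returns 0 on success or one of the negative codes listed
// on InjectDll.
static int runRemoteLoadLibrary(HANDLE hProc, LPVOID remotePath)
{
    // This address is only valid in the target if kernel32.dll is mapped at
    // the same base there, i.e. same bitness (ASLR randomises system DLLs
    // once per boot, not per process) — TODO confirm for your target.
    FARPROC pLoadLibraryW = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "LoadLibraryW");
    if (pLoadLibraryW == NULL)
    {
        return -4;
    }
    HANDLE hThread = CreateRemoteThread(hProc, NULL, 0,
                                        reinterpret_cast<LPTHREAD_START_ROUTINE>(pLoadLibraryW),
                                        remotePath, 0, NULL);
    if (hThread == NULL)
    {
        return -5;
    }
    // Wait so the path buffer can be released safely afterwards and so the
    // load result can be reported.  The exit code is the low 32 bits of the
    // HMODULE LoadLibraryW returned; zero (almost always) means it failed.
    WaitForSingleObject(hThread, INFINITE);
    DWORD exitCode = 0;
    const BOOL loaded = GetExitCodeThread(hThread, &exitCode) && exitCode != 0;
    CloseHandle(hThread);
    return loaded ? 0 : -6;
}

// Inject the DLL at DllFullPath into process `pid`: write the path into the
// target's address space and start a remote thread at LoadLibraryW with it.
// Returns 0 on success, or a negative code on failure:
//   -1 OpenProcess failed (insufficient rights, protected process, ...)
//   -2 VirtualAllocEx failed
//   -3 WriteProcessMemory failed
//   -4 LoadLibraryW could not be resolved
//   -5 CreateRemoteThread failed
//   -6 LoadLibraryW returned NULL in the target (DLL not found, wrong
//      bitness, or its DllMain returned FALSE)
// DllFullPath should be absolute; it is resolved by the target process.
int InjectDll(const wchar_t *DllFullPath, const DWORD pid)
{
    // Least privilege: these are the only rights the steps below need.
    // PROCESS_ALL_ACCESS is refused by more targets and buys nothing here.
    const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                         PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE hProc = OpenProcess(access, FALSE, pid);
    if (hProc == NULL)
    {
        return -1;
    }

    int result;
    const SIZE_T pathSize = (wcslen(DllFullPath) + 1) * sizeof(wchar_t);
    // The buffer only ever holds a string that LoadLibraryW reads, so it does
    // not need execute permission; an RWX allocation in a foreign process is
    // also one of the loudest EDR signals there is.
    LPVOID remotePath = VirtualAllocEx(hProc, NULL, pathSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (remotePath == NULL)
    {
        result = -2;
    }
    else
    {
        result = WriteProcessMemory(hProc, remotePath, DllFullPath, pathSize, NULL)
                     ? runRemoteLoadLibrary(hProc, remotePath)
                     : -3;
        // Release the remote buffer on every path; it leaked before.
        VirtualFreeEx(hProc, remotePath, 0, MEM_RELEASE);
    }
    // The process handle also leaked on every path before.
    CloseHandle(hProc);
    return result;
}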
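// Demo driver for the global-hook variant: load the hook DLL into this
// process, install the hook, keep running until Enter is pressed, then remove
// the hook and unload the DLL.  Exit code 0 on success, 1 on failure.
// (The CreateRemoteThread/LoadLibrary variant is in the earlier listing; the
// hook itself maps the DLL into every GUI process, so it is not needed here.)
int main()
{
    // Path literal needs "\\": the original rendered a single backslash,
    // which is an invalid escape.  LoadLibrary's result was never checked.
    HMODULE hMod = LoadLibrary(TEXT("E:\\GlobalHook_Test.dll"));
    if (hMod == NULL)
    {
        cout << "加载DLL失败, 错误码: " << GetLastError() << endl;
        return 1;
    }

    // Both exports are `extern "C" void f()`.  The original declared UnHook as
    // BOOL(*)(HHOOK), which does not match the exported signature, and never
    // checked either GetProcAddress result before calling through it.
    typedef void (*pHookFunc)(void);
    pHookFunc SetHook = reinterpret_cast<pHookFunc>(GetProcAddress(hMod, "SetHook"));
    pHookFunc UnsetHook = reinterpret_cast<pHookFunc>(GetProcAddress(hMod, "UnHook"));
    if (SetHook == NULL || UnsetHook == NULL)
    {
        cout << "获取导出函数失败, 错误码: " << GetLastError() << endl;
        FreeLibrary(hMod);
        return 1;
    }

    SetHook();
    // The hook only stays installed while this process lives.  The original
    // looped forever on Sleep(1000), so the unhook code below never ran.
    cout << "钩子已安装, 按回车卸载并退出。" << endl;
    cin.get();

    // The original wrote `pUnSetHook();`, which value-initialises a null
    // function pointer temporary rather than calling UnHook.
    UnsetHook();
    FreeLibrary(hMod);
    return 0;
}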
原文地址:https://blog.csdn.net/qq_20189555/article/details/135740986