本文介绍: 【代码】DLL注入技术。

源地址

  1. 注入程序
#include <Windows.h>
#include <iostream>
#include <Tlhelp32.h>
#include <stdio.h>
#include <tchar.h>
#include <iostream>

using namespace std;

BOOL getProcess32Info(PROCESSENTRY32 *info, const TCHAR processName[])
{
	HANDLE handle;
	handle = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

	info->dwSize = sizeof(PROCESSENTRY32);

	Process32First(handle, info);


	while (Process32Next(handle, info) != FALSE)
	{
		if (wcscmp(processName, info->szExeFile) == 0)
		{
			return TRUE;
		}
	}
	
}

int InjectDll(const wchar_t *DllFullPath, const DWORD pid)
{
	HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
	if (hProc == 0)
	{
		return -1;
	}

	int pathSize = (wcslen(DllFullPath) + 1) * sizeof(wchar_t);
	LPVOID buffer = VirtualAllocEx(hProc, 0, pathSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	if (buffer == 0)
	{
		return -2;
	}

	if (!WriteProcessMemory(hProc, buffer, DllFullPath, pathSize, NULL))
	{
		return -3;
	}

	LPVOID pFunc = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "LoadLibraryW");

	CreateRemoteThread(hProc, 0, 0, (LPTHREAD_START_ROUTINE)pFunc, buffer, 0, 0);
		
}

int main()
{
	system("start %windir%\system32\notepad.exe");

	PROCESSENTRY32 info;

	if (getProcess32Info(&info, L"notepad.exe"))
	{
		InjectDll(L"E:\GlobalHook_Test.dll", info.th32ProcessID);
	}
	else
	{
		cout << "查找失败" << endl;
	}
	return 0;
    std::cout << "Hello World!n";
}


  1. 钩子
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include "stdlib.h"
#include <iostream>

using namespace std;

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
	{
		HWND hwnd = GetActiveWindow();
		MessageBox(hwnd, L"DLL已进入目标进程。", L"信息", MB_ICONINFORMATION);
		break;
	}
		
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}


原地址

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include "stdlib.h"
#include <iostream>
#include <TlHelp32.h>
#include <Windows.h>
#include <tchar.h>


using namespace std;

//指定全局变量
HHOOK global_Hook;


//判断是否是需要注入的进程
BOOL GetFirstModuleName(DWORD Pid, LPCTSTR ExeName)
{
	MODULEENTRY32 me32 = { 0 };
	me32.dwSize = sizeof(MODULEENTRY32);
	HANDLE hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, Pid);

	if (INVALID_HANDLE_VALUE != hModuleSnap)
	{
		//先拿到自身进程名称
		BOOL bRet = Module32First(hModuleSnap, &me32);

		//对比如果是需要注入进程, 则返回真
		if (!_tcsicmp(ExeName, (LPCTSTR)me32.szModule))
		{
			CloseHandle(hModuleSnap);
			return TRUE;
		}
		CloseHandle(hModuleSnap);
		return FALSE;
	}

	CloseHandle(hModuleSnap);
	return FALSE;
}

//获取自身DLL名程
char* GetMyDllName()
{
	char szFileFullPath[MAX_PATH], szProcessName[MAX_PATH];

	//获取文件路径
	GetModuleFileNameA(NULL, szFileFullPath, MAX_PATH);

	int length = strlen(szFileFullPath);

	for (int i = length - 1; i >= 0; i--)
	{
		//找到第一个就可以马上获取进程名称了
		if (szFileFullPath == "\")
		{
			i++;
			//结束符不能少 即i=length
			for (int j = 0; i <= length; j++)
			{
				szProcessName[j] = szFileFullPath[i++];
			}
			break;
		}
	}
	return szProcessName;
}

//设置全局消息回调函数
LRESULT CALLBACK MyProc(int nCode, WPARAM wParam, LPARAM lParam)
{
	MessageBoxA(0, "wa haha", 0, 0);
	return CallNextHookEx(global_Hook, nCode, wParam, lParam);
}

//安装全局钩子 此处的GetMyDllName()函数 可以是外部其它DLL, 可将任意DLL进行注入
extern "C" _declspec(dllexport) void SetHook()
{
	global_Hook = SetWindowsHookEx(WH_CBT, MyProc, GetModuleHandleA(GetMyDllName()), 0);
}

//卸载全局钩子
extern "C" __declspec(dllexport) void UnHook()
{
	if (global_Hook)
	{
		UnhookWindowsHookEx(global_Hook);
	}
}


BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
	{
		//当Dll被加载时触发, 判断自身当前父进程是否为
		BOOL flag = GetFirstModuleName(GetCurrentProcessId(), TEXT("InjectDll.exe"));
		if (flag == TRUE)
		{
			MessageBoxA(0, "InjectDll", 0, 0);
		}
		break;
		
	}
		
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}


#include <Windows.h>
#include <iostream>
#include <Tlhelp32.h>
#include <stdio.h>
#include <tchar.h>
#include <iostream>

using namespace std;

BOOL getProcess32Info(PROCESSENTRY32 *info, const TCHAR processName[])
{
	HANDLE handle;
	handle = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

	info->dwSize = sizeof(PROCESSENTRY32);

	Process32First(handle, info);


	while (Process32Next(handle, info) != FALSE)
	{
		if (wcscmp(processName, info->szExeFile) == 0)
		{
			return TRUE;
		}
	}
	
}

int InjectDll(const wchar_t *DllFullPath, const DWORD pid)
{
	HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
	if (hProc == 0)
	{
		return -1;
	}

	int pathSize = (wcslen(DllFullPath) + 1) * sizeof(wchar_t);
	LPVOID buffer = VirtualAllocEx(hProc, 0, pathSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	if (buffer == 0)
	{
		return -2;
	}

	if (!WriteProcessMemory(hProc, buffer, DllFullPath, pathSize, NULL))
	{
		return -3;
	}

	LPVOID pFunc = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "LoadLibraryW");

	CreateRemoteThread(hProc, 0, 0, (LPTHREAD_START_ROUTINE)pFunc, buffer, 0, 0);
		
}

int main()
{
	/*
	system("start %windir%\system32\notepad.exe");

	PROCESSENTRY32 info;

	if (getProcess32Info(&info, L"notepad.exe"))
	{
		InjectDll(L"E:\GlobalHook_Test.dll", info.th32ProcessID);
	}
	else
	{
		cout << "查找失败" << endl;
	}
	return 0;
	*/
	
	HMODULE hMod = LoadLibrary(TEXT("E:\GlobalHook_Test.dll"));

	//挂钩
	typedef void(*pSetHook)(void);
	pSetHook SetHook = (pSetHook)GetProcAddress(hMod, "SetHook");
	SetHook();

	while (1)
	{
		Sleep(1000);
	}

	//卸载钩子
	typedef BOOL(*pUnSetHook)(HHOOK);
	pUnSetHook UnsetHook = (pUnSetHook)GetProcAddress(hMod, "UnHook");
	pUnSetHook();

	FreeLibrary(hMod);
	return 0;
}


原文地址:https://blog.csdn.net/qq_20189555/article/details/135740986

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。

如若转载,请注明出处:http://www.7code.cn/show_60971.html

如若内容造成侵权/违法违规/事实不符,请联系代码007邮箱:suwngjj01@126.com进行投诉反馈,一经查实,立即删除!

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注