直接使用远程线程调用 LoadLibrary 即可：在目标进程中分配一段内存写入 DLL 路径，再以 kernel32!LoadLibrary 为线程入口、以该路径为参数调用 CreateRemoteThread，由目标进程自己完成加载。
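#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

/* How long to wait for the remote LoadLibrary call (i.e. the DLL's DllMain)
 * before giving up. On timeout the remote buffer is deliberately left mapped,
 * because the thread may still be reading it. */
enum { DLLINJECT_WAIT_MS = 10000 };

/*
 * Inject a DLL into another process by creating a remote thread whose start
 * routine is kernel32!LoadLibrary and whose single argument is the DLL path
 * copied into the target's address space.
 *
 * dwProcessID: PID of the target process.
 * lpDllName:   path of the DLL, as the *target* process will resolve it.
 *
 * Returns TRUE only when the remote LoadLibrary call returned a non-NULL
 * module handle; FALSE otherwise, with a one-line reason sent to
 * OutputDebugString. Every handle opened here is closed before returning and
 * the remote buffer is released unless the wait timed out (see above).
 *
 * NOTE(review): the address of LoadLibrary is resolved in *this* process and
 * reused in the target, which assumes both map the same kernel32 image (same
 * bitness, same session). A 32-bit injector cannot target a 64-bit process
 * this way, and protected processes will already fail at OpenProcess.
 */
BOOL DllInject(DWORD dwProcessID, LPCTSTR lpDllName)
{
    BOOL bResult = FALSE;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    LPVOID lpRemotePath = NULL;
    SIZE_T cbPath = 0;
    HMODULE hKernel32 = NULL;
    FARPROC pfnLoadLibrary = NULL;
    DWORD dwWait = 0;
    DWORD dwExitCode = 0;

    if (lpDllName == NULL || lpDllName[0] == TEXT('\0')) {
        OutputDebugString(TEXT("DllInject: empty DLL path"));
        return FALSE;
    }

    /* 1. Open the target with only the rights this routine actually uses
     *    (the documented set for CreateRemoteThread/WriteProcessMemory),
     *    rather than PROCESS_ALL_ACCESS. */
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                           FALSE, dwProcessID);
    if (hProcess == NULL) {
        OutputDebugString(TEXT("OpenProcess Error!"));
        return FALSE;
    }

    /* 2. Allocate room in the target for the path plus its terminator.
     *    lstrlen counts TCHARs, so scale by sizeof(TCHAR) to get bytes.
     *    The buffer only ever holds a string, so it is RW, not RWX. */
    cbPath = ((SIZE_T)lstrlen(lpDllName) + 1) * sizeof(TCHAR);
    lpRemotePath = VirtualAllocEx(hProcess, NULL, cbPath,
                                  MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (lpRemotePath == NULL) {
        OutputDebugString(TEXT("VirtualAllocEx Error!"));
        goto cleanup;
    }

    /* 3. Copy the path into the target. */
    if (!WriteProcessMemory(hProcess, lpRemotePath, (LPCVOID)lpDllName, cbPath, NULL)) {
        OutputDebugString(TEXT("WriteProcessMemory Error!"));
        goto cleanup;
    }

    /* 4. Resolve LoadLibrary locally. The export must match the character
     *    width of lpDllName, otherwise a UNICODE build hands a wide string to
     *    LoadLibraryA. */
    hKernel32 = GetModuleHandle(TEXT("kernel32.dll"));
    if (hKernel32 == NULL) {
        OutputDebugString(TEXT("GetModuleHandle Error!"));
        goto cleanup;
    }
#ifdef UNICODE
    pfnLoadLibrary = GetProcAddress(hKernel32, "LoadLibraryW");
#else
    pfnLoadLibrary = GetProcAddress(hKernel32, "LoadLibraryA");
#endif
    if (pfnLoadLibrary == NULL) {
        OutputDebugString(TEXT("GetProcAddress Error!"));
        goto cleanup;
    }

    /* 5. Run LoadLibrary(lpRemotePath) on a new thread inside the target. */
    hThread = CreateRemoteThread(hProcess, NULL, 0,
                                 (LPTHREAD_START_ROUTINE)pfnLoadLibrary,
                                 lpRemotePath, 0, NULL);
    if (hThread == NULL) {
        OutputDebugString(TEXT("CreateRemoteThread Error!"));
        goto cleanup;
    }

    /* 6. Wait for LoadLibrary to return. This is what makes it safe to free
     *    the remote buffer afterwards, and the thread's exit code is the
     *    HMODULE LoadLibrary returned, truncated to 32 bits on x64 - it is
     *    used here only as a NULL / non-NULL indicator. */
    dwWait = WaitForSingleObject(hThread, DLLINJECT_WAIT_MS);
    if (dwWait == WAIT_TIMEOUT) {
        OutputDebugString(TEXT("Remote LoadLibrary did not return in time!"));
        lpRemotePath = NULL; /* still possibly in use by the remote thread: do not free */
        goto cleanup;
    }
    if (dwWait != WAIT_OBJECT_0 || !GetExitCodeThread(hThread, &dwExitCode)) {
        OutputDebugString(TEXT("WaitForSingleObject/GetExitCodeThread Error!"));
        goto cleanup;
    }
    if (dwExitCode == 0) {
        OutputDebugString(TEXT("Remote LoadLibrary returned NULL!"));
        goto cleanup;
    }
    bResult = TRUE;

cleanup:
    if (hThread != NULL) {
        CloseHandle(hThread);
    }
    if (lpRemotePath != NULL) {
        VirtualFreeEx(hProcess, lpRemotePath, 0, MEM_RELEASE);
    }
    CloseHandle(hProcess);
    return bResult;
}

/*
 * Test harness. Usage: <exe> <pid> <dll path>. Without arguments it falls back
 * to the original hard-coded PID and path so existing invocations still work.
 *
 * Exit status: 0 on successful injection, 1 when DllInject reports failure,
 * 2 on a malformed PID argument.
 *
 * The harness is ANSI-only: argv is char*, so it matches DllInject's LPCTSTR
 * only in a non-UNICODE build, exactly as the original hard-coded literal did.
 */
int main(int argc, char* argv[])
{
    DWORD dwPid = 3300; /* original hard-coded test target */
    const char *szPath = "C:\\Documents and Settings\\Administrator\\桌面\\TestDll.dll";

    if (argc >= 3) {
        char *end = NULL;
        unsigned long ulPid = strtoul(argv[1], &end, 10);
        /* Reject empty, trailing garbage and PID 0 (the idle process). */
        if (end == argv[1] || *end != '\0' || ulPid == 0) {
            fprintf(stderr, "usage: %s <pid> <dll path>\n", argv[0]);
            return 2;
        }
        dwPid = (DWORD)ulPid;
        szPath = argv[2];
    }

    return DllInject(dwPid, szPath) ? 0 : 1;
}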