dll注入+进程间通信

接着上篇的文章，这里的进程间通信主要依赖的是 FileMapping（内存映射文件）。


三个代码部分


1: Game.exe

#include "stdafx.h"

/* Placeholder game action: prints the "attack" banner to stdout. */
void Attack(void)
{
	fputs("**********攻击**********\n", stdout);
}

/* Placeholder game action: prints the "meditate" banner to stdout. */
void Relax(void)
{
	fputs("**********打坐**********\n", stdout);
}


/* Placeholder game action: prints the "heal" banner to stdout. */
void Blood(void)
{
	fputs("**********回血**********\n", stdout);
}

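/*
 * Console driver for the three placeholder actions.
 *
 * Reads one character at a time from stdin and dispatches on it:
 *   'A' -> Attack(), 'B' -> Blood(), 'R' -> Relax(), 'E' -> print "退出" and exit.
 * Any other byte (including the newline that follows each key) is ignored.
 *
 * Returns 0 when 'E' is read or when stdin reaches end of file.
 */
int main(int argc, char* argv[])
{
	(void)argc;
	(void)argv;

	for (;;) {
		/* getchar() returns int. The original stored it in a char, which folds
		 * EOF into an ordinary byte value; on a closed stdin the loop would then
		 * spin forever without matching any case. */
		int x = getchar();
		if (x == EOF) {
			return 0;
		}

		switch (x) {
		case 'A':
			Attack();
			break;
		case 'B':
			Blood();
			break;
		case 'R':
			Relax();
			break;
		case 'E':
			printf("退出\n");
			getchar();   /* Consume the trailing newline before exiting. */
			return 0;
		default:
			/* Newlines and unknown keys are ignored. */
			break;
		}
	}
}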


2: dll文件

// TestDll.cpp : Defines the entry point for the DLL application.
//

#include "stdafx.h"
#include "stdio.h"

#define _MAP_ "gyarmy"
#define _ATTACK_ 0x401030
#define _RELAX_ 0x401080
#define _BLOOD_ 0x4010d0

HANDLE g_hModule;   /* Never assigned in this file: DllMain receives hModule but does not store it, so this stays NULL. */
HANDLE g_hMapFile;  /* Named file-mapping object opened in ThreadProc via OpenFileMapping. */
LPTSTR lpBuff;      /* View of the shared section; ThreadProc reads/writes its first 4 bytes as the command word. */
DWORD dwType;       /* Command word most recently copied out of lpBuff by ThreadProc. */

/*
 * Worker thread started from DllMain.
 *
 * Opens the named shared section (_MAP_), maps a view of it, then polls the
 * first 4 bytes every 600 ms as a command word. Commands 1..3 call into the
 * host process at fixed absolute addresses (_ATTACK_/_RELAX_/_BLOOD_);
 * command 4 unloads the DLL and ends the thread.
 *
 * lpParameter: unused.
 * Returns 0 if the section cannot be opened; otherwise the function does not
 * return normally (only FreeLibraryAndExitThread leaves the loop).
 *
 * Review notes:
 *  - lpBuff is checked for NULL before the read below, but not before the
 *    three CopyMemory writes back into it; if MapViewOfFile failed those
 *    writes dereference NULL.
 *  - GetLastError() returns a DWORD; "%d" is the wrong conversion ("%lu").
 *  - The absolute addresses are build-specific constants; presumably they
 *    were taken from one particular Game.exe build and are not validated.
 *  - The view and g_hMapFile are never unmapped/closed on any path.
 *  - g_hModule is never assigned in this file, so the FreeLibraryAndExitThread
 *    call below receives NULL.
 */
DWORD WINAPI ThreadProc(LPVOID lpParameter)
{
	dwType = 0;

	// Open the shared section created by the injector.
	g_hMapFile = OpenFileMapping(FILE_MAP_ALL_ACCESS,FALSE,_MAP_);

	if(g_hMapFile==NULL)
	{
		printf("OpenFileMapping Error: %d\n",GetLastError());
		return 0;
	}

	// Map a view of the section (BUFSIZ bytes; result is not checked here).
	lpBuff = (LPTSTR)MapViewOfFile(g_hMapFile,FILE_MAP_ALL_ACCESS,0,0,BUFSIZ);

	for(;;)
	{
		// Poll the command word; the only NULL guard in the function.
		if(lpBuff!=NULL){
			CopyMemory(&dwType,lpBuff,4);
		}

		// The sequential ifs behave like else-if: each handler resets dwType
		// to 0 and writes it back so the sender can see the command was taken,
		// which also prevents the later branches from firing in this pass.
		if(dwType==1)
		{
			__asm{
				mov eax,_ATTACK_
				call eax
			}
			dwType = 0;
			CopyMemory(lpBuff,&dwType,4);
		}

		if(dwType==2)
		{
			__asm{
				mov eax,_RELAX_
				call eax
			}
			dwType = 0;
			CopyMemory(lpBuff,&dwType,4);
		}

		if(dwType==3)
		{
			__asm{
				mov eax,_BLOOD_
				call eax
			}
			dwType = 0;
			CopyMemory(lpBuff,&dwType,4);
		}

		// Command 4: unload this module and terminate the thread. The command
		// word is not reset first, so the sender never sees an acknowledgement.
		if(dwType==4)
		{
			FreeLibraryAndExitThread((HMODULE)g_hModule,0);
		}

		Sleep(600);
	}
	return 0;  // Unreachable: the loop above never breaks.
}


/*
 * DLL entry point.
 *
 * On DLL_PROCESS_ATTACH starts ThreadProc; the thread-attach/detach cases are
 * empty and there is no DLL_PROCESS_DETACH case. Always returns TRUE.
 *
 * Review notes:
 *  - hModule is not saved into g_hModule, which ThreadProc later passes to
 *    FreeLibraryAndExitThread.
 *  - The HANDLE returned by CreateThread is discarded without CloseHandle.
 *  - Creating a thread from DllMain runs while the loader lock is held; the
 *    new thread cannot start executing until DllMain returns.
 *  - The (LPTHREAD_START_ROUTINE) cast is redundant: ThreadProc already has
 *    that signature.
 */
BOOL APIENTRY DllMain( HANDLE hModule, 
                       DWORD  ul_reason_for_call, 
                       LPVOID lpReserved
					 )
{
	switch(ul_reason_for_call)
	{
		case DLL_PROCESS_ATTACH:
			CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)ThreadProc,NULL,0,NULL);
			break;
		case DLL_THREAD_ATTACH:
			
			break;
		case DLL_THREAD_DETACH:
			
			break;
	}
    return TRUE;
}


3:dll注入与进程通信

// DllInject.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <windows.h>
#include <Tlhelp32.h>

#define _MAP_ "gyarmy"

HANDLE g_hModule;   /* Unused in this file (DllInject uses a local hModule). */
HANDLE g_hMapFile;  /* Section created by InitFileMapping; never closed by main. */
LPTSTR lpBuff;      /* View of the section; main writes the 4-byte command word here. */
DWORD dwType;       /* Unused in this file; main uses a local dwCtrlCode instead. */

/*
 * Load the DLL at lpDllName into the process dwProcessID by writing the path
 * into that process and starting a remote thread on LoadLibraryA.
 *
 * dwProcessID: target process id (0 is not rejected here; see main).
 * lpDllName:   NUL-terminated path of the DLL to load.
 * Returns TRUE once the remote thread has been created, FALSE on any API
 * failure (a message is written with OutputDebugString in each case).
 *
 * Review notes:
 *  - The thread HANDLE from CreateRemoteThread is never closed; only
 *    hProcess is closed on the success path.
 *  - The remote buffer lpStrArr is never freed (no VirtualFreeEx) on the
 *    failure paths after it is allocated, nor after the thread finishes.
 *  - dwWriteRet holds a BOOL (WriteProcessMemory's return type).
 *  - dwAllocSize counts TCHARs, not bytes; this only equals the byte count
 *    in a non-UNICODE build, which the narrow "kernel32.dll" literal below
 *    suggests is the case here -- confirm.
 */
BOOL DllInject(DWORD dwProcessID,LPCTSTR lpDllName)
{
	HANDLE hProcess = 0;

	//1 Open the target process.
	hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcessID);
	if(hProcess == NULL){
		OutputDebugString("OpenProcess Error!");
		return FALSE;
	}

	//2 Allocate a buffer in the target for the DLL path (length + terminator).
	DWORD dwAllocSize = lstrlen(lpDllName)+1;

	LPVOID lpStrArr = VirtualAllocEx(hProcess,NULL,dwAllocSize,MEM_COMMIT,PAGE_EXECUTE_READWRITE);

	if(lpStrArr==NULL){
		OutputDebugString("VirtualAllocEx Error!");
		CloseHandle(hProcess);
		return FALSE;
	}

	//3 Copy the path into the target buffer.
	DWORD dwWriteRet = WriteProcessMemory(hProcess,lpStrArr,(LPVOID)lpDllName,dwAllocSize,NULL);
	if(dwWriteRet == 0){
		OutputDebugString("WriteProcessMemory Error!");
		CloseHandle(hProcess);
		return FALSE;		
	}

	//4 Resolve LoadLibraryA locally (kernel32 is assumed to share its load
	//  address with the target process).
	HMODULE hModule = GetModuleHandle("kernel32.dll");
	if(hModule==NULL){
		OutputDebugString("GetModuleHandle Error!");
		CloseHandle(hProcess);
		return FALSE;
	}
	FARPROC  dwProcAddr = GetProcAddress(hModule,"LoadLibraryA");
	if(dwProcAddr == NULL)
	{
		OutputDebugString("GetProcAddress Error!");
		CloseHandle(hProcess);
		return FALSE;
	}

	//5 Start a remote thread that calls LoadLibraryA(lpStrArr).
	HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)dwProcAddr,lpStrArr,0,NULL);
	if(hThread==NULL)
	{
		OutputDebugString("CreateRemoteThread Error!");
		CloseHandle(hProcess);
		return FALSE;
	}

	//6 Close the process handle (hThread is leaked here).
	CloseHandle(hProcess);
	return TRUE;

}

//获取进程ID
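/*
 * Look up a process id by executable file name.
 *
 * szProcessName: image file name to compare against each snapshot entry's
 *                szExeFile (case-insensitive, via lstrcmpi).
 * Returns the th32ProcessID of the last matching snapshot entry, or 0 when
 * the snapshot could not be taken, could not be enumerated, or nothing matched.
 *
 * The snapshot handle is closed on every path; the original leaked it when
 * Process32First failed. The unused STARTUPINFO/PROCESS_INFORMATION locals
 * have been dropped.
 */
DWORD GetProcessIDByName(LPCTSTR szProcessName)
{
    DWORD dwPID = 0;
    PROCESSENTRY32 ps = {0};
    ps.dwSize = sizeof(ps);   /* Required by Process32First/Process32Next. */

    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        return dwPID;
    }

    if (Process32First(hSnapshot, &ps)) {
        do {
            if (lstrcmpi(ps.szExeFile, szProcessName) == 0) {
                /* Keep scanning so the last match wins, as in the original. */
                dwPID = ps.th32ProcessID;
            }
        } while (Process32Next(hSnapshot, &ps));
    }

    CloseHandle(hSnapshot);
    return dwPID;
}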


//创建FileMapping
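/*
 * Create the named shared section (_MAP_, 0x1000 bytes, backed by the paging
 * file) and map a view of it into lpBuff.
 *
 * Returns TRUE with g_hMapFile and lpBuff set; FALSE after printing a message
 * when either step fails. On a MapViewOfFile failure the section handle is
 * now closed and g_hMapFile reset to NULL (the original leaked it).
 */
BOOL InitFileMapping(void)
{
	g_hMapFile = CreateFileMapping(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0, 0x1000, _MAP_);
	if (g_hMapFile == NULL) {
		printf("CreateFileMapping Error\n");
		return FALSE;
	}

	/* NOTE(review): BUFSIZ is the stdio buffer size and is unrelated to the
	 * 0x1000-byte section above; it is typically smaller so the view fits,
	 * but the two constants are not tied together. Kept as-is because the
	 * DLL side maps the same size. */
	lpBuff = (LPTSTR)MapViewOfFile(g_hMapFile, FILE_MAP_ALL_ACCESS, 0, 0, BUFSIZ);
	if (lpBuff == NULL) {
		printf("MapViewOfFile Error\n");
		CloseHandle(g_hMapFile);
		g_hMapFile = NULL;
		return FALSE;
	}
	return TRUE;
}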


/*
 * Injector entry point: creates the shared section, loads TestDll.dll into
 * Game.exe, then writes a fixed sequence of command words into the section,
 * one every 2 s.
 *
 * Review notes:
 *  - pId is 0 when Game.exe is not found, and DllInject is called with it
 *    anyway; DllInject's return value is also ignored.
 *  - dwOrderList has 11 entries set but the loop sends only the first 10;
 *    entry 9 is command 4 (unload on the DLL side), so entry 10 is never
 *    delivered.
 *  - The DLL path is hard-coded to one user's desktop.
 *  - lpBuff is never unmapped and g_hMapFile never closed before returning.
 */
int main(int argc, char* argv[])
{
	// Locate the target and inject the DLL.
	DWORD pId = GetProcessIDByName("Game.exe");
	DWORD dwOrderList[255]={0};
	if(InitFileMapping()){
		DllInject(pId,"C:\\Documents and Settings\\Administrator\\桌面\\TestDll.dll");

		// Scripted command queue: 1=attack, 2=relax, 3=heal, 4=unload (as
		// interpreted by ThreadProc in the DLL).
		dwOrderList[0] = 1;
		dwOrderList[1] = 2;
		dwOrderList[2] = 3;
		dwOrderList[3] = 3;
		dwOrderList[4] = 2;
		dwOrderList[5] = 1;
		dwOrderList[6] = 1;
		dwOrderList[7] = 2;
		dwOrderList[8] = 3;
		dwOrderList[9] = 4;
		dwOrderList[10] = 1;

		DWORD dwCtrlCode = 0;

		// Publish one command every 2 s; the DLL polls every 600 ms and
		// writes 0 back once it has consumed the word.
		for(int i=0;i<10;i++)
		{
			dwCtrlCode  = dwOrderList[i];
			CopyMemory(lpBuff,&dwCtrlCode,4);
			Sleep(2000);
		}
		
	}

	return 0;
	
}


原文链接: dll注入+进程间通信 版权所有,转载时请注明出处,违者必究。
注明出处格式:流沙团 ( https://gyarmy.com/post-611.html )
