DLL劫持注入
#include <Windows.h>
// Review note: a DLL that sits beside an application, loads another library
// (here "hijack.dll", presumably the renamed original) and passes lookups
// through to it is the proxy pattern behind DLL search-order hijacking.
// Applications reduce their exposure by loading dependencies from fully
// qualified paths, restricting the search path (e.g. SetDefaultDllDirectories)
// and verifying module signatures.
//
// File name of the library that Load() opens from the host EXE's directory.
// The macro is spelled HIJCAKDLLNAME in this file and Load() uses that spelling.
#define HIJCAKDLLNAME "hijack.dll"
HMODULE g_hModule = NULL;  // handle of the original module; NULL until Load() stores a LoadLibrary result
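// Write the directory that contains the current process's executable into
// pExePath, without a trailing backslash. Despite the function name, the file
// name of the EXE is cut off and only the folder remains.
//
// pExePath: caller-supplied buffer with room for at least MAX_PATH chars.
//
// On failure (NULL buffer, GetModuleFileName returning 0, a result truncated to
// the buffer size, or a path without any backslash) the buffer is set to the
// empty string instead of being scanned past its start.
void GetExePath(char* pExePath)
{
	int pathlen;

	if (pExePath == NULL)
		return;

	pathlen = GetModuleFileName(NULL, pExePath, MAX_PATH);

	// 0 means the call failed; a value equal to the buffer size means the
	// path was truncated and cannot be trusted.
	if (pathlen <= 0 || pathlen >= MAX_PATH)
	{
		pExePath[0] = 0;
		return;
	}

	// Walk back from the terminator to the last backslash. The index is
	// bounded at 0 so a path with no separator cannot drive it negative.
	while (pathlen > 0 && pExePath[pathlen] != '\\')
		pathlen--;

	if (pExePath[pathlen] != '\\')
	{
		pExePath[0] = 0;
		return;
	}

	// Cut the string at the separator, leaving only the directory.
	pExePath[pathlen] = 0;
}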
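 // Load the original module: build "<EXE directory>\" HIJCAKDLLNAME and store
 // the LoadLibrary result in g_hModule (NULL when loading fails).
 //
 // The library is opened by an explicit path under the host EXE's directory,
 // not by bare name. The combined length is checked before concatenating, so
 // a long install path cannot overrun the MAX_PATH buffer; if the path does
 // not fit, or the directory could not be determined, nothing is loaded and
 // g_hModule is set to NULL.
 //
 // NOTE(review): every successful call goes through LoadLibrary again, which
 // adds a reference to the module; Free() releases only one.
void Load()
{
	CHAR tmpPath[MAX_PATH] = {0};
	size_t dirLen;

	GetExePath(tmpPath);
	dirLen = strlen(tmpPath);

	// sizeof(HIJCAKDLLNAME) already counts the terminating NUL; the extra 1
	// is the backslash separator. An empty directory is rejected so the
	// library is never looked up relative to a drive root by accident.
	if (dirLen == 0 || dirLen + 1 + sizeof(HIJCAKDLLNAME) > sizeof(tmpPath))
	{
		g_hModule = NULL;
		return;
	}

	strcat(tmpPath,"\\");
	strcat(tmpPath,HIJCAKDLLNAME);
	g_hModule = LoadLibrary(tmpPath);
}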
 
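// Release the original module, if one is loaded, and clear the stored handle.
//
// Clearing g_hModule after FreeLibrary keeps a later GetProcAddress or a
// second Free() from operating on a handle that has already been released.
void Free()
{
	if (g_hModule)
	{
		FreeLibrary(g_hModule);
		g_hModule = NULL;
	}
}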
 
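// Look up the address of an exported function in the original module.
//
// pszProcName: name of the export to resolve.
// Returns the address reported by GetProcAddress, or NULL when the name is
// NULL, the original module could not be loaded, or the export is not found.
//
// NOTE(review): Load() is called on every lookup, as in the original listing,
// so each lookup goes through LoadLibrary again.
FARPROC GetAddress(PCSTR pszProcName)
{
	if (pszProcName == NULL)
		return NULL;

	Load();

	// Do not hand a NULL module handle to GetProcAddress when loading failed.
	if (g_hModule == NULL)
		return NULL;

	return GetProcAddress(g_hModule, pszProcName);
}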
// DLL entry point. Shows a message box when the library is attached to a
// process and again when it is detached; thread attach/detach notifications
// are ignored. Always returns TRUE.
//
// hModule and lpReserved are not used.
//
// NOTE(review): Microsoft's DllMain guidance advises against calling User32
// functions such as MessageBox from here, because the call runs while the
// loader lock is held and blocks until the box is dismissed.
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
	if (ul_reason_for_call == DLL_PROCESS_ATTACH)
	{
		// Visible marker that the library has been loaded.
		MessageBox(NULL,"DLL_PROCESS_ATTACH","RemoteThread inject",MB_OK);
	}
	else if (ul_reason_for_call == DLL_PROCESS_DETACH)
	{
		// The Free() call is left disabled here, as in the original listing.
		MessageBox(NULL,"DLL_PROCESS_DETACH","RemoteThread inject",MB_OK);
	}
	// DLL_THREAD_ATTACH and DLL_THREAD_DETACH: no action (their message
	// boxes are disabled in the original listing).

	return TRUE;
}
// 导出函数,转发方式
//#pragma comment(linker, "/EXPORT:add=hijack.add,@1")
// 直接调用方式
// #pragma comment(linker, "/EXPORT:add=_myadd,@1")
// typedef int (__cdecl *lpFun)(int, int);
// int __cdecl myadd(int x, int y)
// {
// 	// 获取了原函数的地址
// 	lpFun myFun = (lpFun)GetAddress("add");
// 	return myFun(x,y);
// }
 
                    
                     
                    
                 
                    
                
 
 
                
            
         