不依赖dllmain触发的CE注入代码
以下代码演示将test.dll注入电话进程并触发test.dll里的导出函数HelloWorld
首先是注入的exe:
1 //取得CProg.exe进程句柄的OpenProcess就不贴了,大家都知道@@
2
3 //卸载钩子函数
bool UninstallHook(HANDLE hProcessDest,HINSTANCE hInst){
    // Asks the target process (hProcessDest) to unload module hInst by running
    // FreeLibrary inside that process through PerformCallBack4.
    // hInst is the HINSTANCE that InstallHook obtained from its LoadLibraryW callback.
    // Returns true when the callback's DWORD result is non-zero.
    CALLBACKINFO ci;
    ci.hProcess = hProcessDest;
    // Resolve FreeLibrary in the current process, then hand the pointer to
    // MapPtrToProcess for the target; presumably this yields an address the
    // target can call — confirm against the CE docs for MapPtrToProcess.
    // NOTE(review): neither the GetProcAddress result nor the mapped pointer is
    // checked for NULL before the cross-process call is issued.
    ci.pFunction = (FARPROC)MapPtrToProcess(GetProcAddress(GetModuleHandle(L"COREDLL"), L"FreeLibrary"), hProcessDest);
    ci.pvArg0 = hInst; //HINSTANCE returned by LoadLibrary
    DWORD dw = PerformCallBack4(&ci, 0,0,0); //returns 1 if correctly unloaded
    return (bool)dw;
}
12
13 //安装钩子
bool InstallHook( HANDLE hProcessDest )
{
    // Loads test.dll into the target process and then calls its exported
    // HelloWorld there, using two PerformCallBack4 round trips. No DllMain
    // trigger is involved: the export is invoked directly by address.
    // Returns the DWORD result of the second callback as a bool, or false when
    // the first callback reported an error.
    //
    // NOTE(review): the two calls below switch this thread to kernel mode and
    // widen its process-permission mask to every process. They are the
    // privilege step that makes the cross-process call possible; on a hardened
    // CE image this is exactly the pair of calls a monitor or policy should
    // deny or alert on, and the mask is restored only on the paths below that
    // reach SetKMode(bMode)/SetProcPermissions(dwPerm).
    BOOL bMode = SetKMode(TRUE);
    DWORD dwPerm = SetProcPermissions(0xFFFFFFFF);

    CALLBACKINFO ci;

    ci.hProcess = hProcessDest;
    // First callback: LoadLibraryW executed inside the target, with the DLL
    // name string mapped from this process so the target can read it.
    ci.pFunction = (FARPROC)GetProcAddress(GetModuleHandle( _T("coredll.dll") ),_T("LoadLibraryW") );
    ci.pvArg0 = MapPtrToProcess(_T("test.dll"),GetCurrentProcess()); // step 1: load the DLL into the target

    HINSTANCE hInst = (HINSTANCE) PerformCallBack4(&ci,0,0,0);
    // NOTE(review): success is judged from GetLastError() alone. The last-error
    // value is never cleared before the callback, so a stale error from the
    // GetProcAddress/MapPtrToProcess calls above misclassifies a good load, and
    // a NULL hInst with a clean last-error falls into the success branch.
    if ( 0 == GetLastError())
    {
        //MessageBox(NULL,TEXT("Success inje"),TEXT("success"),MB_OK);// (NULL,TEXT("PerformCallBack4() run successful\n",TEXT("test"),MB_OK));
        //get the proc address
        // Key step: resolve the injected DLL's export by name. GetProcAddress is
        // called here, in the injecting process, on a handle that came from the
        // target's LoadLibraryW — looks like this relies on the module having the
        // same base in both processes; confirm for the CE loader in use.
        FARPROC pHook = GetProcAddress(hInst, (LPCTSTR)L"HelloWorld"); // the key step: get the address of the exported function in the injected DLL
        ci.hProcess = hProcessDest;
        // NOTE(review): pHook is not NULL-checked; a failed lookup would make
        // the target process jump to a mapped NULL and crash it.
        ci.pFunction = (FARPROC)MapPtrToProcess(pHook, hProcessDest);
        ci.pvArg0 = NULL;
        DWORD dw = PerformCallBack4(&ci, 0, 0, 0); // second callback, this time with the function address; the export then runs inside the target
        //UninstallHook(hProcessDest,hInst);
        SetKMode(bMode);
        SetProcPermissions(dwPerm);
        return (bool)dw;
    }else{
        // NOTE(review): tt is an uninitialized pointer, so wsprintf writes
        // through an indeterminate address — undefined behaviour on the error
        // path. A fixed-size local TCHAR array would be the expected form.
        LPWSTR tt;
        wsprintf(tt,TEXT("GetLastError:%d"),GetLastError());
        MessageBox(NULL,tt,TEXT("fail"),MB_OK);
    }
    // Restore the caller's mode and permission mask before reporting failure.
    SetKMode(bMode);
    SetProcPermissions(dwPerm);
    return false;
}
DLL的导出代码:
extern "C" __declspec(dllexport) bool WINAPI HelloWorld()
{
    // Export that the injecting exe resolves by name and runs inside the target
    // process. It only shows a message box and reports success; nothing here
    // depends on DllMain having run, which is the point of this sample.
    // Returns true unconditionally.
    MessageBox(NULL,TEXT("Hello World by 小金"),TEXT("success"),MB_OK);
    return true;
}