//计算DLL路径名所需的字节数
DWORD dwSize = (lstrlenW(pszLibFile) + 1) * sizeof(wchar_t);
// 获取传递进程ID的进程句柄
HANDLE hProcess = OpenProcess(
PROCESS_QUERY_INFORMATION |
PROCESS_CREATE_THREAD |
PROCESS_VM_OPERATION |
PROCESS_VM_WRITE,//目标进程的四个权限
FALSE, dwProcessId);
// 在远程进程中为路径名分配空间
LPVOID pszLibFileRemote = (PWSTR)VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
// 将DLL的路径名复制到远程进程地址空间
//pszLibFile:要注入的dll的路径 pathname
DWORD n = WriteProcessMemory(hProcess, pszLibFileRemote, (PVOID)pszLibFile, dwSize, NULL);
//在Kernel32.dll中获取LoadLibraryW的实际地址
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
//创建一个调用LoadLibraryW(DLLPathname)的远程线程
// CreateRemoteThread(目标进程句柄,NULL,0,线程函数指针,线程函数参数,0,NULL)
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, pszLibFileRemote, 0, NULL);
// 等待远程线程终止
WaitForSingleObject(hThread, INFINITE);
// 释放包含DLL路径名的远程内存并关闭句柄
if (pszLibFileRemote != NULL) //开辟的内存已经注入进数据
VirtualFreeEx(hProcess, pszLibFileRemote, 0, MEM_RELEASE);
//关闭线程和进程函数句柄
if (hThread != NULL)
CloseHandle(hThread);
if (hProcess != NULL)
CloseHandle(hProcess);
return(0);
}
浙公网安备 33010602011771号