向远程进程注入 DLL

//注入DLL 至窗口进程中 //HWND hwnd : 远程窗口进程 HWND //LPCSTR dllName : 要注入的DLL Name BOOL InjectDllToProcess(HWND hwnd , LPCSTR dllName){ DWORD processId; GetWindowThreadProcessId(hwnd,&processId); //打开进程，并设置完全访问权 HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,processId); if(hProcess == NULL){ return FALSE; } //将当前程序执行路径 附为 dll 路径 char dll[500]; GetCurrentDirectoryA(sizeof(dll),dll); strcat_s(dll,"//"); strcat_s(dll,dllName); //计算 dll 名称字符串长度 size_t size = strlen(dll) + 1; //远程中分配 LPVOID parmAddr = VirtualAllocEx(hProcess,NULL,size,MEM_COMMIT,PAGE_READWRITE); //将 dll 名称写入 远程进程 DWORD d; if(!WriteProcessMemory(hProcess,parmAddr,dll,size,&d)){ return FALSE; } //读取 LoadLibraryA 地址 PROC funAddr = GetProcAddress(GetModuleHandleA("kernel32") , "LoadLibraryA"); if(NULL == funAddr){ return FALSE; } //建立远程 线程 加载 DLL. HANDLE thread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)funAddr,parmAddr,0,NULL); if(NULL == thread){ return FALSE; } //等待远程线程结束 WaitForSingleObject(thread,INFINITE); CloseHandle(thread); CloseHandle(hProcess); return TRUE; } //注入DLL 至窗口进程中 //HWND hwnd : 远程窗口进程 HWND //LPCSTR dllName : 要注入的DLL Name BOOL InjectDllToProcess(HWND hwnd , LPCSTR dllName){ DWORD processId; GetWindowThreadProcessId(hwnd,&processId); //打开进程，并设置完全访问权 HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,processId); if(hProcess == NULL){ return FALSE; } //将当前程序执行路径 附为 dll 路径 char dll[500]; GetCurrentDirectoryA(sizeof(dll),dll); strcat_s(dll,"//"); strcat_s(dll,dllName); //计算 dll 名称字符串长度 size_t size = strlen(dll) + 1; //远程中分配 LPVOID parmAddr = VirtualAllocEx(hProcess,NULL,size,MEM_COMMIT,PAGE_READWRITE); //将 dll 名称写入 远程进程 DWORD d; if(!WriteProcessMemory(hProcess,parmAddr,dll,size,&d)){ return FALSE; } //读取 LoadLibraryA 地址 PROC funAddr = GetProcAddress(GetModuleHandleA("kernel32") , "LoadLibraryA"); if(NULL == funAddr){ return FALSE; } //建立远程 线程 加载 DLL. HANDLE thread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)funAddr,parmAddr,0,NULL); if(NULL == thread){ return FALSE; } //等待远程线程结束 WaitForSingleObject(thread,INFINITE); CloseHandle(thread); CloseHandle(hProcess); return TRUE; }