远程DLL注入

界面如下:

关键部分代码如下（注意：注入器与目标进程须为同一位数，因为 LoadLibraryA/FreeLibrary 的地址是在本进程中取得后直接用于目标进程；DLL 路径须填写完整路径，否则目标进程会按自身的 DLL 搜索顺序去查找）:

 

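// Converts a UTF-16 path from the dialog into the ANSI (CP_ACP) form that the
// injected LoadLibraryA call expects.
//
// Returns a heap buffer the caller must release with delete[], or NULL when the
// conversion fails or the path contains a character the system code page cannot
// represent. The NULL return matters: the original code allocated a buffer for
// a failed conversion and handed it on uninitialized, so strlen() in InjectDll
// read garbage. WC_NO_BEST_FIT_CHARS plus the used-default-char flag reject
// lossy conversions instead of silently producing a path that names a
// different file.
static char* PathToAnsi(LPCWSTR pszWidePath)
{
    if (NULL == pszWidePath)
    {
        return NULL;
    }

    const DWORD dwFlags = WC_NO_BEST_FIT_CHARS;
    const int iBufSize = WideCharToMultiByte(CP_ACP, dwFlags, pszWidePath, -1, NULL, 0, NULL, NULL);
    if (iBufSize <= 0)
    {
        return NULL;
    }

    char *pszBuffer = new char[iBufSize];
    BOOL bUsedDefaultChar = FALSE;
    const int iWritten = WideCharToMultiByte(CP_ACP, dwFlags, pszWidePath, -1, pszBuffer, iBufSize, NULL, &bUsedDefaultChar);
    if (iWritten <= 0 || bUsedDefaultChar)
    {
        delete []pszBuffer;
        return NULL;
    }
    return pszBuffer;
}

// "Inject" button handler: reads the PID and DLL path from the dialog and loads
// the DLL into the target process (see InjectDll).
void CInjectDllDlg::OnBnClickedButtonInject()
{
    // Copy the control contents into m_dwPid / m_strPathName.
    UpdateData(TRUE);

    char *pszDllPath = PathToAnsi(m_strPathName);
    if (NULL == pszDllPath)
    {
        return;  // conversion failed; nothing sensible to inject
    }
    InjectDll(m_dwPid, pszDllPath);
    delete []pszDllPath;
}

// "Unload" button handler: reads the PID and DLL path from the dialog and
// unloads that DLL from the target process (see UnInjectDll).
void CInjectDllDlg::OnBnClickedButtonUnload()
{
    // Copy the control contents into m_dwPid / m_strPathName.
    UpdateData(TRUE);

    char *pszDllPath = PathToAnsi(m_strPathName);
    if (NULL == pszDllPath)
    {
        return;  // conversion failed; nothing sensible to unload
    }
    UnInjectDll(m_dwPid, pszDllPath);
    delete []pszDllPath;
}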
24 
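// Loads szDllName into process dwPid by creating a remote thread whose start
// routine is kernel32!LoadLibraryA and whose argument is a copy of the path
// written into the target's address space.
//
// dwPid      - target process ID; 0 is rejected.
// szDllName  - ANSI path of the DLL. Pass a full path: the target resolves a
//              bare file name through its own DLL search order, so a relative
//              name can pick up an unrelated (or planted) DLL.
//
// Failures are silent (void return, matching the declaration in the header);
// each Win32 call is checked so a failure earlier in the sequence does not
// reach the later calls with NULL handles, and the remote buffer is released
// afterwards (the original leaked it in the target).
//
// The LoadLibraryA address is looked up in this process and reused in the
// target, which is only valid when both are the same bitness.
void CInjectDllDlg::InjectDll(DWORD dwPid, char* szDllName)
{
    if (dwPid == 0 || NULL == szDllName || szDllName[0] == '\0')
    {
        return;
    }

    // Resolve the target-side entry point first; this needs no process handle.
    // kernel32 is mapped at the same base in every process of the same bitness
    // on a given boot, which is what makes the local address usable remotely.
    const HMODULE hKernel32 = GetModuleHandleA("kernel32.dll");
    const FARPROC pFunAddr = (NULL == hKernel32) ? NULL : GetProcAddress(hKernel32, "LoadLibraryA");
    if (NULL == pFunAddr)
    {
        return;
    }

    // Least privilege: exactly the rights VirtualAllocEx / WriteProcessMemory /
    // CreateRemoteThread / VirtualFreeEx require, instead of PROCESS_ALL_ACCESS.
    const DWORD dwAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE hProcess = OpenProcess(dwAccess, FALSE, dwPid);
    if (NULL == hProcess)
    {
        return;
    }

    // Path buffer in the target, including the terminating NUL. It holds data
    // only, so it is never made executable.
    const SIZE_T cbDllPath = strlen(szDllName) + 1;
    PVOID pDllAddr = VirtualAllocEx(hProcess, NULL, cbDllPath, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (NULL == pDllAddr)
    {
        CloseHandle(hProcess);
        return;
    }

    SIZE_T cbWritten = 0;
    if (WriteProcessMemory(hProcess, pDllAddr, szDllName, cbDllPath, &cbWritten) && cbWritten == cbDllPath)
    {
        HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunAddr, pDllAddr, 0, NULL);
        if (NULL != hThread)
        {
            // Wait for LoadLibraryA to return before freeing the path buffer it
            // is still reading. INFINITE can hang the dialog if the DLL's
            // DllMain blocks; kept as in the original.
            WaitForSingleObject(hThread, INFINITE);
            CloseHandle(hThread);
        }
    }

    // Release the remote path buffer now that the thread is done with it.
    VirtualFreeEx(hProcess, pDllAddr, 0, MEM_RELEASE);
    CloseHandle(hProcess);
}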
56 
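// Unloads szDllName from process dwPid: finds the module whose full path
// matches, then runs kernel32!FreeLibrary(hModule) on a remote thread.
//
// dwPid      - target process ID; 0 is rejected.
// szDllName  - ANSI full path of the DLL, compared case-insensitively against
//              each module's szExePath (Windows paths are case-insensitive; the
//              original strcmp missed e.g. "c:\x.dll" vs "C:\x.dll").
//
// If no module matches, nothing is done. The original fell through with
// whatever MODULEENTRY32 the enumeration left behind (the last module, or a
// zeroed struct) and called FreeLibrary on that handle in the target.
//
// FreeLibrary only drops one reference: a DLL that is also a static import or
// was loaded more than once stays mapped. The module enumeration and the
// FreeLibrary address are only valid when this process and the target are the
// same bitness.
void CInjectDllDlg::UnInjectDll(DWORD dwPid, char* szDllName)
{
    if (dwPid == 0 || NULL == szDllName || szDllName[0] == '\0')
    {
        return;
    }

    // CreateToolhelp32Snapshot reports failure as INVALID_HANDLE_VALUE, not NULL.
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPid);
    if (INVALID_HANDLE_VALUE == hSnap)
    {
        return;
    }

    HMODULE hTarget = NULL;
    MODULEENTRY32 Me32 = {0};
    Me32.dwSize = sizeof(MODULEENTRY32);
    for (BOOL bMore = Module32First(hSnap, &Me32); bMore; bMore = Module32Next(hSnap, &Me32))
    {
        const int iBufSize = WideCharToMultiByte(CP_ACP, 0, Me32.szExePath, -1, NULL, 0, NULL, NULL);
        if (iBufSize <= 0)
        {
            continue;  // unconvertible path cannot be the one we were given
        }
        char *pszModulePath = new char[iBufSize];
        const int iWritten = WideCharToMultiByte(CP_ACP, 0, Me32.szExePath, -1, pszModulePath, iBufSize, NULL, NULL);
        const bool bMatch = (iWritten > 0) && (_stricmp(pszModulePath, szDllName) == 0);
        delete []pszModulePath;
        if (bMatch)
        {
            hTarget = Me32.hModule;
            break;
        }
    }
    CloseHandle(hSnap);

    if (NULL == hTarget)
    {
        return;  // not loaded in the target; nothing to free
    }

    const HMODULE hKernel32 = GetModuleHandleA("kernel32.dll");
    const FARPROC pFunAddr = (NULL == hKernel32) ? NULL : GetProcAddress(hKernel32, "FreeLibrary");
    if (NULL == pFunAddr)
    {
        return;
    }

    // Only the rights CreateRemoteThread needs, instead of PROCESS_ALL_ACCESS.
    const DWORD dwAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE hProcess = OpenProcess(dwAccess, FALSE, dwPid);
    if (NULL == hProcess)
    {
        return;
    }

    // The module handle is passed as the thread parameter, so FreeLibrary
    // receives it directly as its HMODULE argument.
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunAddr, hTarget, 0, NULL);
    if (NULL != hThread)
    {
        WaitForSingleObject(hThread, INFINITE);
        CloseHandle(hThread);
    }
    CloseHandle(hProcess);
}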

下载地址:

http://pan.baidu.com/s/1xk7Jw
