#include <stdio.h>
#include <windows.h>
#include <conio.h>
int main()
{
char *way_dll = (char*)"D:/Visual studio/源文件储存处/外挂研究/目标/目标/Debug/目标.dll";
SIZE_T byteNum = (SIZE_T)(sizeof(way_dll) + 1);
/* 获取进程句柄,存储在 handle_process */
HANDLE handle_process = OpenProcess(PROCESS_ALL_ACCESS,false,69464); //可以补全
/* 获取 loadlibrary() 的 dll文件的句柄,存储在 handle_dll_LoadLibraryA */
HMODULE handle_dll_LoadLibraryA = LoadLibraryA("Kernel32.dll"); //可以补全
/* 获取函数的地址,存储在 p_loadlibraryA */
FARPROC p_loadlibraryA = GetProcAddress(/*dll文件的句柄*/handle_dll_LoadLibraryA, "LoadLibraryA"); //可以补全
/* 申请内存,并储存 dll文件地址字符串,内存的地址储存在 p_spaceNewlyCreate */
LPVOID p_spaceNewlyCreate = VirtualAllocEx(handle_process,NULL, byteNum, MEM_COMMIT, PAGE_EXECUTE_READWRITE); //可以补全
/* 将dll文件的路径字符串写入刚才申请的内存中,结果储存在 flag_ifSuccess */
BOOL flag_ifSuccess = WriteProcessMemory(handle_process, /*基址指针*/p_spaceNewlyCreate, /*缓冲区指针*/(LPCVOID)way_dll, byteNum, NULL);
/* 创建线程,并执行LoadLibraryA函数,以加载我们的Dll */
CreateRemoteThread(handle_process,NULL,0, (LPTHREAD_START_ROUTINE)p_loadlibraryA, p_spaceNewlyCreate,0,NULL);
printf("进程的句柄为%x\n load函数的dll文件的句柄为%x\n ", (int)handle_process, (int)handle_dll_LoadLibraryA);
printf("函数的地址为%x\n 创建的内存的地址为%x\n 写入函数是否成功为%d",(int)p_loadlibraryA, (int)p_spaceNewlyCreate, (int)flag_ifSuccess);
while (1)
{
Sleep(300);
if (_kbhit())
{
break;
}
}
return 0;
}
然而,运行过后,根据工具显示,目标程序依旧没有加载我的DLL文件
