love潇洒小峰 2015-10-29 08:08 采纳率: 75%

关于Win32核心编程中DLL注入后无反应的解决办法

#include
#include
HINSTANCE hProcess;      // NOTE(review): receives the OpenProcess() result in StartInject, which is a HANDLE, not an HINSTANCE
PWSTR pszLibFileRemote;  // buffer allocated in the target process by VirtualAllocEx (StartInject); meant to be released by OverInject
HINSTANCE hThread;       // NOTE(review): receives the CreateRemoteThread() result, which is a HANDLE, not an HINSTANCE
void StartInject(int ProcessID, char * DllName);
void OverInject(char * DllName);
void EnableDebugPrivilege(HANDLE processHandle);
int main(int argc, char* argv[])
{
// Interactive driver: repeatedly reads a target process id from stdin and runs one
// cycle of privilege setup, injection and cleanup. The loop has no exit condition,
// so `return 0;` below is unreachable; the program ends only via exit() in the helpers.
int processid = 0;
char DllName[50] = "Win32DLL.dll";   // narrow (char) string; StartInject measures and passes it as UTF-16 (see the note there).
                                     // A bare file name is resolved by the target process's DLL search path, not this program's directory.
while (1)
{
//ZeroMemory(DllName, sizeof(DllName));
printf("please input the process id:\n");
scanf("%d", &processid);   // return value unchecked: on non-numeric input processid keeps its previous value

    // NOTE(review): OpenProcessToken (called inside EnableDebugPrivilege) expects a process
    // handle, but GetCurrentThread() yields a thread pseudo-handle, so the privilege step is
    // expected to fail and print "OpenProcessToken" — confirm against the console output.
    EnableDebugPrivilege(GetCurrentThread());
    StartInject(processid, DllName);
    OverInject(DllName);   // runs immediately; nothing in this file waits for the remote thread to finish first
}
return 0;

}
void StartInject(int ProcessID, char * DllName)
{
// Allocates a buffer in the target process, copies DllName into it and starts a remote
// thread at LoadLibraryW with that buffer as its argument. Results are stored in the
// file-scope hProcess / pszLibFileRemote / hThread for OverInject to release. Every
// failure path prints a message, waits for a key press and terminates with exit(0).
// The OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread sequence
// is a pattern endpoint-protection products commonly monitor and block (see the answer
// below); a blocked step would surface as one of the failure messages in this function.

// Open the target process requesting full access.
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, ProcessID);

if (hProcess == NULL)
{
    printf("进程不允许访问!");
    getchar();
    exit(0);   // NOTE(review): exit status 0 reports success to the shell even though injection failed
}
// NOTE(review): DllName is a narrow char string (see main), but it is measured here with
// lstrlenW as if it were UTF-16 and later handed to LoadLibraryW, which expects UTF-16.
// cb is therefore not the size of the narrow string, and the target's LoadLibraryW receives
// the narrow bytes reinterpreted as wide characters — a likely reason the DLL never loads.
int cch = 1 + lstrlenW(DllName);
int cb = cch * sizeof(WCHAR);

pszLibFileRemote = (PWSTR)VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);// commit cb bytes for the path in the target's address space
if (pszLibFileRemote == NULL)
{
    printf("在远程线程空间为DllName分配内存失败!");
    getchar();
    exit(0);
}
// Copy cb bytes from the local DllName buffer into the target process.
if (!WriteProcessMemory(hProcess, pszLibFileRemote, (PVOID)DllName, cb, NULL))
{
    printf("在拷贝DllName到远程线程内存地址空间时失败!");
    getchar();
    exit(0);
}
/* Resolve the address of LoadLibraryW in kernel32.dll; the local address is used for the
   remote thread start routine. */
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
    GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
if (pfnThreadRtn == NULL)
{
    printf("在得到函数地址时出现错误:\n函数名:LoadLibraryW(加载动态链接库)");
    getchar();
    exit(0);
}
// The thread handle is kept in the global hThread; this function does not wait on it.
hThread = CreateRemoteThread(hProcess, NULL, 0,pfnThreadRtn, pszLibFileRemote, 0, NULL);
if (hThread == NULL)
{
    // NOTE(review): GetLastError() returns a DWORD (unsigned long); "%d" is the wrong format specifier, use "%lu".
    printf("创建远程线程失败,错误代码:%d",GetLastError());        
    getchar();
    exit(0);
}

}
void OverInject(char * DllName)
{
// Releases the resources StartInject left in the file-scope globals.
// NOTE(review): the pointer passed to VirtualFreeEx is the caller's local DllName buffer
// (an address in this process), not pszLibFileRemote, the buffer actually allocated in
// the target by VirtualAllocEx. The free therefore targets the wrong address, and its
// return value is not checked, so the remote allocation is never released.
if (DllName != NULL)
VirtualFreeEx(hProcess, DllName, 0, MEM_RELEASE);

// Handles opened in StartInject; CloseHandle return values are ignored.
if (hThread != NULL)
    CloseHandle(hThread);

if (hProcess != NULL)
    CloseHandle(hProcess);

}

void EnableDebugPrivilege(HANDLE processHandle)
{
// Enables SE_DEBUG_NAME on the token of processHandle so that OpenProcess can reach
// processes this account does not otherwise own. Each failure prints only the name of
// the failing API (no newline, no error code) and returns; the caller gets no status.
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;

// processHandle must be a process handle; main currently passes GetCurrentThread().
if (!OpenProcessToken(processHandle, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
    printf("OpenProcessToken");
    return;
}
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
{
    printf("LookupPrivilegeValue");
    CloseHandle(hToken);
    return;
}

tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

// NOTE(review): AdjustTokenPrivileges returns nonzero even when the privilege could not
// be enabled (GetLastError() then reports ERROR_NOT_ALL_ASSIGNED), so a TRUE here does
// not prove SeDebugPrivilege is held. hToken is also never closed on the success path.
if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL))
{
    printf("AdjustTokenPrivileges");
    CloseHandle(hToken);
}

}

然后DLL中是这样的:
#include
#include

int WINAPI DllMain(HINSTANCE hInstance, DWORD fdwReason, PVOID pvReserved)
{
// Entry point of the injected DLL: shows a message box when the DLL is mapped into a
// process and ignores the other notifications. Declared as int; the Win32 prototype
// uses BOOL (same underlying type).

switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
//The DLL is being mapped into the process's address space.
// NOTE(review): MessageBoxW takes UTF-16 (LPCWSTR) strings but is given narrow literals
// here, so the text is not rendered as intended. DllMain also runs while the loader lock
// is held, where showing UI is discouraged — confirm this is acceptable for the host process.
MessageBoxW(NULL, "这是一个确定 取消的消息框!", "标题", MB_OKCANCEL);
break;

case DLL_THREAD_ATTACH:
//A thread is being created.
break;

case DLL_THREAD_DETACH:
//A thread is exiting cleanly.
break;

case DLL_PROCESS_DETACH:
//The DLL is being unmapped from the process's address space.
break;
}
/*MessageBoxW(NULL, "这是一个确定 取消的消息框!", "标题", MB_OKCANCEL);*/
return(TRUE);  // Used only for DLL_PROCESS_ATTACH; FALSE would make the load fail


  • oyljerry 2015-10-29 08:28

    用 Process Explorer 等工具查看一下目标进程,dll是否加载进去。是不是有杀毒软件拦截注入

