
简单的dll注入

#include <Windows.h>
#include <tchar.h>




/*
 * InjectDll: makes the process identified by dwPiD load the DLL at
 * szDllPath, by copying the path into the target's memory and starting a
 * remote thread whose start routine is kernel32!LoadLibraryW and whose
 * argument is that remote copy.
 *
 * dwPiD     - process id of the target process
 * szDllPath - NUL-terminated path of the DLL to load (TCHAR string)
 *
 * Returns FALSE only when OpenProcess fails; every other Win32 call below
 * is unchecked, so the function returns TRUE even when allocation, the
 * write, the export lookup or the thread creation did not succeed.
 */
BOOL InjectDll(DWORD dwPiD, LPCTSTR szDllPath) {
	HANDLE hProcess = NULL, hThread = NULL;
	HMODULE hMod = NULL;
	LPVOID pRemoteBuf = NULL;
	/* Byte length of the path including its terminator (TCHAR units). */
	DWORD dwBufSize = (DWORD)(_tcslen(szDllPath) + 1) * sizeof(TCHAR);
	/* Address the remote thread will start on (resolved below). */
	LPTHREAD_START_ROUTINE pThreadProc;

	/* PROCESS_ALL_ACCESS requests every right on the target, far broader
	 * than the handful of operations performed below actually use. */
	if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPiD))) {
		/* NOTE(review): the L"" literal only matches _tprintf/TCHAR in a
		 * Unicode (_UNICODE) build, and %d is paired with DWORD (unsigned
		 * long) arguments where %lu would match; message text kept as is. */
		_tprintf(L"OpenPtocess(%d) failed!!![%d]\n", dwPiD, GetLastError());
		return FALSE;
	}

	/* Commit a dwBufSize-byte read/write region in the target; the return
	 * value is its base address in the target's address space.
	 * NOTE(review): not checked for NULL before use. */
	pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE);

	/* Copy the DLL path into that region. The (LPVOID) cast is unneeded
	 * (the parameter is LPCVOID) and drops const. NOTE(review): the BOOL
	 * result and bytes-written count are ignored, so a failed or short
	 * write is not detected. */
	WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllPath, dwBufSize, NULL);

	/* Resolve LoadLibraryW in this process's own kernel32 image and reuse
	 * that address in the target; nothing here verifies the target maps
	 * kernel32 at the same base. NOTE(review): hMod and pThreadProc are
	 * not checked, so a NULL start address can reach CreateRemoteThread. */
	hMod = GetModuleHandle(L"kernel32.dll");
	pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hMod, "LoadLibraryW");

	/* Start a thread in the target at pThreadProc (LoadLibraryW) with
	 * pRemoteBuf (the copied path) as its single parameter.
	 * NOTE(review): hThread is not checked; on failure WaitForSingleObject
	 * and CloseHandle below are called with NULL. */
	hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, pRemoteBuf, 0, NULL);
	/* Block until the remote thread (the LoadLibraryW call) returns. */
	WaitForSingleObject(hThread, INFINITE);

	/* NOTE(review): pRemoteBuf is never released (no VirtualFreeEx), so the
	 * committed page stays in the target after the call completes. */
	CloseHandle(hThread);
	CloseHandle(hProcess);
	return TRUE;
}

/*
 * Entry point: "<exe> pid dll_path". Parses argv[1] with _tstol, hands
 * argv[2] to InjectDll and prints the outcome.
 *
 * NOTE(review): there is no return statement after the if/else, so the
 * exit status on that path is whatever the toolchain supplies for _tmain.
 */
int _tmain(int argc, TCHAR* argv[]) {
	if (argc != 3) {
		_tprintf(L"USAGE : %s pid dll_path\n", argv[0]);
		return 1;
	}
	/* _tstol yields a signed long; the cast to DWORD does not reject
	 * negative or non-numeric input (0 is passed on for unparsable text). */
	if (InjectDll((DWORD)_tstol(argv[1]), argv[2])) {
		_tprintf(L"InjectDll (\"%s\") success!!!\n", argv[2]);
	} else {
		_tprintf(L"InjectDll (\"%s\") failed!!!\n", argv[2]);
	}
}

  

简单的dll注入

原文:https://www.cnblogs.com/yakoazz/p/12287479.html
