// InjectDll.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <windows.h>
#include <string>
#include "stdio.h"
#include <iostream>
using namespace std;
#define DEF_BUF_SIZE 1024
//用于存储注入模块DLL的路径全名
char szDllPath[DEF_BUF_SIZE] ={0};
//使用远程线程向指定ID的进程注入模块
BOOL InjectModuleToProcessById(DWORD dwProcessId){
if(dwProcessId == 0)
{
return FALSE;
}
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE ,dwProcessId);
if(hProcess == NULL){
return FALSE;
}
//申请存放文件名的空间
UINT nLen = (UINT)strlen(szDllPath)+1;
LPVOID lpRemoteDllName = VirtualAllocEx(hProcess ,NULL ,nLen,MEM_COMMIT,PAGE_READWRITE);
if (lpRemoteDllName == NULL)
{
printf("[ERROR]VirtualAllocEx(%d)/n", GetLastError() );
return FALSE;
}
//把dll文件名写入申请的空间
if (WriteProcessMemory(hProcess,lpRemoteDllName,szDllPath,nLen,NULL) ==FALSE)
{
printf ( "[ERROR]WriteProcessMemory(%d)/n", GetLastError() );
return FALSE ;
}
//获取动态库函数地址
HMODULE hModule = GetModuleHandle(L"kernel32.dll");
LPTHREAD_START_ROUTINE fnStartAddr = (LPTHREAD_START_ROUTINE)GetProcAddress(hModule ,"LoadLibraryA");
if ((DWORD)fnStartAddr ==0)
{
printf ( "[ERROR]GetProcAddress(%d)/n", GetLastError() );
return FALSE ;
}
//创建远程线程
HANDLE hRemoteThread = CreateRemoteThread(hProcess ,NULL ,0,fnStartAddr ,lpRemoteDllName ,0,NULL);
if(hRemoteThread == NULL){
printf ( "[ERROR]CreateRemoteThread(%d)/n", GetLastError() );
return FALSE ;
}
//等待远程线程结束
if(WaitForSingleObject(hRemoteThread,INFINITE)!= WAIT_OBJECT_0 ){
printf ( "[ERROR]WaitForSingleObject(%d)/n", GetLastError() );
return FALSE ;
}
CloseHandle(hRemoteThread);
CloseHandle(hModule);
CloseHandle(hProcess);
return TRUE;
}
int _tmain(int argc, _TCHAR* argv[])
{
GetCurrentDirectoryA(DEF_BUF_SIZE ,szDllPath);
strcat(szDllPath ,"dll");
DWORD dwProcessId = 0;
while (printf("请输入目标进程ID")&& cin>> dwProcessId && dwProcessId>0)
{
BOOL bRet = InjectModuleToProcessById(dwProcessId);
printf (bRet ? "注入成功!/n":"注入失败!/n") ;
}
return 0;
}
原文:http://www.cnblogs.com/sz-xxc-1234/p/4044508.html