c – DLL注入记事本
我想在记事本中出现一个消息框,所以我找到了一个简单的dll注入示例.注入器本身不是我的,似乎工作正常(获取进程的id,创建一个远程线程,获取dll文件的绝对路径).我认为,问题在于dll的实现.这些项目在没有任何警告的情况下编译,但未达到预期的结果.你能看看并帮助我理解这个问题吗? (我已将dll的发布版本放在注入器项目文件夹中)
dllmain.cpp:
// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
#include "dll.h"
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

// Exported test hook: pops a modal message box in whichever process has
// loaded this DLL (the caption is hard-coded to "From Notepad").
DLLEXPORT void mess()
{
    MessageBoxA(NULL,"HELLO THERE","From Notepad",NULL);
}

// DLL entry point. Every notification reason calls mess(), so once the DLL
// is loaded the host also gets a box for each thread it starts or ends
// (DLL_THREAD_ATTACH / DLL_THREAD_DETACH), not only on load/unload.
// NOTE(review): DllMain runs while the loader lock is held, and Microsoft's
// DllMain guidance restricts what may safely be called from it; a modal
// MessageBoxA is well outside that, which is a plausible reason the box is
// never seen even when the load itself succeeds. Returning TRUE keeps the
// DLL mapped.
BOOL APIENTRY DllMain( HMODULE hModule,DWORD ul_reason_for_call,LPVOID lpReserved )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        mess();
        break;
    case DLL_THREAD_ATTACH:
        mess();
        break;
    case DLL_THREAD_DETACH:
        mess();
        break;
    case DLL_PROCESS_DETACH:
        mess();
        break;
    }
    return TRUE;
}
dll.h:
// Include guard _DLL_H_ (leading underscore + capital) is a reserved
// identifier in C/C++. DLLIMPORT is defined but unused in the files shown.
#ifndef _DLL_H_
#define _DLL_H_
# define DLLEXPORT __declspec (dllexport)
# define DLLIMPORT __declspec (dllimport)
DLLEXPORT void mess(void);
#endif
和inject.cpp作为参考,它包含一个找到所需进程id的函数,一个创建远程线程的函数和一个main:
#include "stdafx.h"
#include <windows.h>
#include <tlhelp32.h>
#include <shlwapi.h>
#include <conio.h>
#include <stdio.h>
#include <iostream>
using namespace std;
// WIN32_LEAN_AND_MEAN only trims <windows.h> when defined *before* that
// include; placed after it, as here, it has no effect.
#define WIN32_LEAN_AND_MEAN
// Access mask for allocating/writing memory and starting a thread in another
// process. Defined but never used: OpenProcess below repeats the flags inline.
#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)

// Looks up a process id by executable name through a Toolhelp snapshot.
// Returns 0 when nothing matches (or the snapshot fails), the pid of the
// single match, or 0xFFFFFFFF when more than one process has that name.
// NOTE(review): callers only test for 0, so the 0xFFFFFFFF "ambiguous"
// sentinel is passed on to OpenProcess as though it were a pid. Matching is
// an exact, case-sensitive strcmp against szExeFile. The function name is
// also that of the Win32 GetProcessId(HANDLE) from <windows.h>; it compiles
// as a C++ overload but is easy to confuse with the API.
DWORD GetProcessId(IN PCHAR szExeName)
{
    DWORD dwRet = 0;
    DWORD dwCount = 0;
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    if (hSnapshot != INVALID_HANDLE_VALUE)
    {
        PROCESSENTRY32 pe = { 0 };
        pe.dwSize = sizeof(PROCESSENTRY32);
        BOOL bRet = Process32First(hSnapshot,&pe);
        while (bRet)
        {
            if (!strcmp( szExeName,pe.szExeFile))
            {
                dwCount++;
                dwRet = pe.th32ProcessID;
            }
            bRet = Process32Next(hSnapshot,&pe);
        }
        if (dwCount > 1) dwRet = 0xFFFFFFFF;
        CloseHandle(hSnapshot);
    }
    return dwRet;
}

// Loads `dll` into process `ID` by writing the path into the target and
// starting a remote thread at kernel32!LoadLibraryA. This OpenProcess ->
// VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread sequence is the
// textbook remote-thread injection pattern that endpoint telemetry (e.g.
// Sysmon event 8, CreateRemoteThread) is built to flag.
// NOTE(review): the OpenProcess result is never checked, so a failed open
// (wrong bitness, insufficient rights) still reaches the later calls with an
// invalid handle, and the function returns true regardless of whether any
// call succeeded. VirtualFreeEx is issued after CloseHandle(Process), i.e.
// through a handle that is already closed.
// NOTE(review): as printed, WriteProcessMemory (4 args), CreateRemoteThread
// (3 args) and VirtualFreeEx (2 args) do not match the Win32 arities, so this
// listing is probably truncated relative to what was actually compiled (the
// question says it builds without warnings).
// `LPVOID LoadLibrary;` declares a local whose name is also a <windows.h>
// macro (LoadLibrary -> LoadLibraryA/W); it compiles but shadows the API name.
BOOL CreateRemoteThreadInject(DWORD ID,const char * dll)
{
    HANDLE Process;
    LPVOID Memory;
    LPVOID LoadLibrary;
    if (!ID) return false;
    Process = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION,FALSE,ID);
    LoadLibrary = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
    Memory = (LPVOID)VirtualAllocEx(Process,NULL,strlen(dll) + 1,MEM_RESERVE | MEM_COMMIT,PAGE_READWRITE);
    WriteProcessMemory(Process,(LPVOID)Memory,dll,NULL);
    CreateRemoteThread(Process,(LPTHREAD_START_ROUTINE)LoadLibrary,NULL);
    CloseHandle(Process);
    VirtualFreeEx(Process,MEM_RELEASE);
    return true;
}

// Resolves testdll.dll to a full path, looks up notepad.exe, injects, and
// prints "failure" or "success" (the latter only reflects a non-zero pid,
// see CreateRemoteThreadInject).
// NOTE(review): `dll` is declared but does not appear in the GetFullPathName
// call as printed, so it is handed to CreateRemoteThreadInject uninitialised;
// again this suggests the listing is truncated. Passing a string literal to
// the non-const PCHAR parameter of GetProcessId relies on an MSVC extension
// rather than standard C++.
int main()
{
    char dll[MAX_PATH] ;
    GetFullPathName("testdll.dll",MAX_PATH,NULL);
    DWORD ID = GetProcessId("notepad.exe");
    if (!CreateRemoteThreadInject(ID,dll)) cout<<"failure";
    else cout << "success";
    return 0;
}
谢谢. 解决方法
小心 x64 与 x86 二进制文件
在 Windows 7/8/10 上,notepad.exe 是一个 64 位进程,而 64 位进程无法加载 32 位 DLL,所以你的 DLL 和注入器都需要编译为 x64 (编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |