自分のdllを他のプロセスに注入して実行


次は、簡単なmydll.dllをQQ.exeプロセスに注入して実行する例である（注入側のプログラム）:
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <string.h>

/* File-scope state shared by dll_inject() and dll_free().
   NOTE(review): plain globals, so the two functions must not run concurrently. */
DWORD dwProcessID=0;        /* PID of the target, as returned by GetProcessIdByName() */
HANDLE hProcessHandle=NULL; /* handle from OpenProcess() on the target */
LPVOID pAddrStart=NULL;     /* remote buffer from VirtualAllocEx() that holds the DLL name */
HANDLE hThreadHandle=NULL;  /* remote thread from CreateRemoteThread() */
HANDLE hDllHandle=NULL;     /* module handle of the injected DLL, recovered from a remote thread's
                               32-bit exit code (see dll_free) -- declared HANDLE but filled via GetExitCodeThread */


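/*****************************
* Name:    GetProcessIdByName
* Purpose: Find the PID of a running process from its image file name.
* Params:  ProcessName - image name such as "QQ.exe". The comparison is
*          strcmp(), i.e. case-sensitive; Windows image names are not, so
*          "qq.exe" would not match -- use _stricmp() if that matters.
* Returns: PID of the first matching process, or (DWORD)-1 when no process
*          matches, the snapshot cannot be taken, or ProcessName is NULL.
*****************************/
DWORD GetProcessIdByName(const char *ProcessName)
{
    DWORD dwFoundPid = (DWORD)-1;
    PROCESSENTRY32 stProcess;
    HANDLE hProcessShot;                /* a toolhelp snapshot is a HANDLE, not an HWND */

    if (ProcessName == NULL)
        return (DWORD)-1;

    stProcess.dwSize = sizeof(PROCESSENTRY32);
    hProcessShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    /* Failure is signalled with INVALID_HANDLE_VALUE, not NULL. */
    if (hProcessShot == INVALID_HANDLE_VALUE)
        return (DWORD)-1;

    /* Process32First() can fail; checking it avoids comparing an unfilled entry. */
    if (Process32First(hProcessShot, &stProcess))
    {
        do
        {
            if (strcmp(ProcessName, stProcess.szExeFile) == 0)
            {
                dwFoundPid = stProcess.th32ProcessID;
                break;                  /* original returned here and leaked the snapshot handle */
            }
        } while (Process32Next(hProcessShot, &stProcess));
    }

    CloseHandle(hProcessShot);
    return dwFoundPid;
}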

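/* Minimum rights the steps below need on the target; PROCESS_ALL_ACCESS is
   far more than required and fails on more targets. */
#define INJECT_PROCESS_ACCESS \
    (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | \
     PROCESS_VM_READ | PROCESS_VM_WRITE)

/* Resolves pProcessName to a PID (stored in dwProcessID) and opens it
   (stored in hProcessHandle). Returns the process handle, or NULL after
   printing the reason. */
static HANDLE open_target_process(const char *pProcessName)
{
    dwProcessID = GetProcessIdByName(pProcessName);
    if (dwProcessID == (DWORD)-1)
    {
        printf("%s: process not found\n", pProcessName);
        return NULL;
    }
    printf("%s: process ID %lu\n", pProcessName, (unsigned long)dwProcessID);

    hProcessHandle = OpenProcess(INJECT_PROCESS_ACCESS, FALSE, dwProcessID);
    if (hProcessHandle == NULL)
        printf("OpenProcess failed (error %lu)\n", (unsigned long)GetLastError());
    return hProcessHandle;
}

/* Copies the NUL-terminated string `str` into newly committed, read/write
   memory of hProcess. Returns the remote address, or NULL on failure with
   nothing left allocated in the target. */
static LPVOID write_remote_string(HANDLE hProcess, const char *str)
{
    /* The original wrote a fixed 1024 bytes starting at a short string
       literal, i.e. an out-of-bounds read of the injector's own memory. */
    size_t len = strlen(str) + 1;
    /* The buffer only ever holds a string, so it needs no EXECUTE right. */
    LPVOID remote = VirtualAllocEx(hProcess, NULL, len, MEM_COMMIT, PAGE_READWRITE);
    if (remote == NULL)
    {
        printf("VirtualAllocEx failed (error %lu)\n", (unsigned long)GetLastError());
        return NULL;
    }
    printf("remote buffer at %p\n", remote);

    if (!WriteProcessMemory(hProcess, remote, str, len, NULL))
    {
        printf("WriteProcessMemory failed (error %lu)\n", (unsigned long)GetLastError());
        VirtualFreeEx(hProcess, remote, 0, MEM_RELEASE);
        return NULL;
    }
    return remote;
}

/* Runs the kernel32 export `api` inside hProcess on a new thread, passing
   `arg` as its only parameter, waits for it and stores the thread's exit code
   (the API's return value) in *pExitCode. Returns the still-open thread
   handle, or NULL on failure.
   Assumes kernel32.dll is mapped at the same base in the target as here,
   which holds for processes of the same bitness; a 32-bit injector cannot
   target a 64-bit process this way. The exit code is a DWORD, so only the
   low 32 bits of a 64-bit return value (e.g. an HMODULE) are visible. */
static HANDLE call_remote_kernel32(HANDLE hProcess, const char *api, LPVOID arg, DWORD *pExitCode)
{
    FARPROC fn = GetProcAddress(GetModuleHandleA("kernel32.dll"), api);
    HANDLE hThread;

    if (fn == NULL)
    {
        printf("GetProcAddress(%s) failed\n", api);
        return NULL;
    }
    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)fn, arg, 0, NULL);
    if (hThread == NULL)
    {
        printf("CreateRemoteThread(%s) failed (error %lu)\n", api, (unsigned long)GetLastError());
        return NULL;
    }
    if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0 ||
        !GetExitCodeThread(hThread, pExitCode))
    {
        printf("waiting for remote %s failed (error %lu)\n", api, (unsigned long)GetLastError());
        CloseHandle(hThread);
        return NULL;
    }
    return hThread;
}

/*****************************
* Name:    dll_inject
* Purpose: Load a DLL into another process by writing the DLL name into the
*          target and calling LoadLibraryA there on a remote thread
*          (the classic CreateRemoteThread + LoadLibrary technique).
* Params:  pProcessName - image name of the target, e.g. "QQ.exe"
*          pDllName     - DLL to load. LoadLibraryA resolves it in the TARGET
*                         process's DLL search order, so a bare name such as
*                         "mydll.dll" can be satisfied by a same-named DLL
*                         earlier in that order (search-order hijacking);
*                         pass an absolute path where possible.
* Returns: 0 on success, -1 on failure (process not found, OpenProcess denied,
*          remote alloc/write/thread failure, or LoadLibraryA returning NULL --
*          the original reported success without checking that).
* Notes:   Requires rights on the target (same user/integrity level, or
*          SeDebugPrivilege for others); endpoint security products commonly
*          flag this pattern. Use only on processes you are authorised to
*          instrument. Updates the globals dwProcessID/hProcessHandle/
*          pAddrStart/hThreadHandle as before; all handles and the remote
*          buffer are released before returning on every path.
*****************************/
int dll_inject(const char *pProcessName, const char *pDllName)
{
    int rc = -1;
    DWORD dwLoadResult = 0;

    if (pProcessName == NULL || pDllName == NULL)
        return -1;

    pAddrStart = NULL;
    hThreadHandle = NULL;
    if (open_target_process(pProcessName) == NULL)
        return -1;

    pAddrStart = write_remote_string(hProcessHandle, pDllName);
    if (pAddrStart == NULL)
        goto out;

    hThreadHandle = call_remote_kernel32(hProcessHandle, "LoadLibraryA", pAddrStart, &dwLoadResult);
    if (hThreadHandle == NULL)
    {
        printf("could not run LoadLibraryA(%s) in %s\n", pDllName, pProcessName);
        goto out;
    }
    /* LoadLibraryA returns NULL when the DLL was not found or its DllMain
       refused the load; only the low 32 bits of the HMODULE reach us. */
    if (dwLoadResult == 0)
    {
        printf("LoadLibraryA(%s) returned NULL in %s\n", pDllName, pProcessName);
        goto out;
    }
    printf("%s loaded into %s\n", pDllName, pProcessName);
    rc = 0;

out:
    /* LoadLibraryA has already consumed the name, so the buffer can go. */
    if (pAddrStart != NULL)
        VirtualFreeEx(hProcessHandle, pAddrStart, 0, MEM_RELEASE);
    if (hThreadHandle != NULL)
        CloseHandle(hThreadHandle);
    CloseHandle(hProcessHandle);
    return rc;
}

/*****************************
* Name:    dll_free
* Purpose: Unload a DLL previously injected into pProcessName: look up its
*          module handle with GetModuleHandleA on a remote thread, then call
*          FreeLibrary on it the same way.
* Params:  pProcessName - image name of the target, e.g. "QQ.exe"
*          pDllName     - name of the loaded module (as given to dll_inject)
* Returns: 0 on success, -1 on failure (including "module not loaded" and a
*          FreeLibrary that returns FALSE, which the original ignored).
* Notes:   The module handle comes back through a 32-bit thread exit code.
*          On a 64-bit target the module may be mapped above 4 GiB, in which
*          case the truncated handle is wrong and FreeLibrary fails; this
*          path is only reliable for 32-bit targets. The original also
*          dereferenced a NULL thread handle if the first CreateRemoteThread
*          failed, overwrote that handle without closing it, and passed a
*          HANDLE* where GetExitCodeThread expects a DWORD*.
*****************************/
int dll_free(const char *pProcessName, const char *pDllName)
{
    int rc = -1;
    DWORD dwModule = 0;
    DWORD dwFreed = 0;
    HANDLE hLookupThread = NULL;

    if (pProcessName == NULL || pDllName == NULL)
        return -1;

    pAddrStart = NULL;
    hThreadHandle = NULL;
    hDllHandle = NULL;
    if (open_target_process(pProcessName) == NULL)
        return -1;

    pAddrStart = write_remote_string(hProcessHandle, pDllName);
    if (pAddrStart == NULL)
        goto out;

    /* Step 1: ask the target for the module handle of pDllName. */
    hLookupThread = call_remote_kernel32(hProcessHandle, "GetModuleHandleA", pAddrStart, &dwModule);
    if (hLookupThread == NULL)
        goto out;
    CloseHandle(hLookupThread);
    if (dwModule == 0)
    {
        printf("%s is not loaded in %s\n", pDllName, pProcessName);
        goto out;
    }
    hDllHandle = (HANDLE)(ULONG_PTR)dwModule;

    /* Step 2: FreeLibrary on that handle, again on a remote thread. */
    hThreadHandle = call_remote_kernel32(hProcessHandle, "FreeLibrary", hDllHandle, &dwFreed);
    if (hThreadHandle == NULL)
        goto out;
    if (dwFreed == 0)
    {
        printf("FreeLibrary(%s) returned FALSE in %s\n", pDllName, pProcessName);
        goto out;
    }
    printf("%s unloaded from %s\n", pDllName, pProcessName);
    rc = 0;

out:
    if (pAddrStart != NULL)
        VirtualFreeEx(hProcessHandle, pAddrStart, 0, MEM_RELEASE);
    if (hThreadHandle != NULL)
        CloseHandle(hThreadHandle);
    CloseHandle(hProcessHandle);
    return rc;
}

/* Demo driver: inject mydll.dll into QQ.exe, then unload it again.
   Exit status is non-zero if either step fails. */
int main(void)
{
    int status = 0;

    /* NOTE(review): a bare "mydll.dll" is resolved by the target's own DLL
       search order (the page places the file in system32 for that reason);
       an absolute path avoids search-order surprises. */
    if (dll_inject("QQ.exe", "mydll.dll") != 0)
        status = 1;
    else if (dll_free("QQ.exe", "mydll.dll") != 0)
        status = 1;

    printf("Hello world!\n");
    return status;
}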

上記で注入側（インジェクタ）の処理は完了である。以下は注入されるDLLの実装で、実際にはごく普通のDLLである。
#include "main.h"

// Exported helper: shows `sometext` in an informational message box.
// Can be resolved with GetProcAddress() once the DLL is loaded.
void DLL_EXPORT SomeFunction(const LPCSTR sometext)
{
    const UINT boxStyle = MB_OK | MB_ICONINFORMATION;
    MessageBoxA(NULL, sometext, "DLL Message", boxStyle);
}

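// DLL entry point. On DLL_PROCESS_ATTACH it pops up a message box so that a
// successful injection is visible; the other notifications do nothing.
//
// NOTE(review): DllMain runs while the loader lock is held. A modal
// MessageBoxA here (it pumps window messages and may cause further DLL loads)
// is acceptable for this demo but can deadlock or hang a real target; do the
// actual work on a thread started from here, or in an exported function that
// the injector calls afterwards.
//
// Params:  hinstDLL   - this module's instance handle
//          fdwReason  - DLL_PROCESS_ATTACH / DLL_PROCESS_DETACH / DLL_THREAD_*
//          lpvReserved - unused here
// Returns: TRUE to keep the DLL loaded; returning FALSE from
//          DLL_PROCESS_ATTACH would make the injector's LoadLibraryA fail.
extern "C" DLL_EXPORT BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    (void)lpvReserved;

    switch (fdwReason)
    {
        case DLL_PROCESS_ATTACH:
            // The thread attach/detach cases below are empty, so opt out of
            // those notifications (standard, behaviour-neutral optimisation).
            DisableThreadLibraryCalls(hinstDLL);
            MessageBoxA(0, "I am a dll!", "DLL Message", MB_OK | MB_ICONINFORMATION);
            break;

        case DLL_PROCESS_DETACH:
            // Nothing to release.
            break;

        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
            // Not delivered once DisableThreadLibraryCalls() has run; kept for clarity.
            break;

        default:
            break;
    }
    return TRUE;   // successful
}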

DLLのエントリ関数DllMainのcase DLL_PROCESS_ATTACH分岐、すなわちDLLがロードされた時に実行される箇所に独自のコードを追加する。ここではダイアログボックスをポップアップしている。生成されたmydll.dllはsystem32の下に置く。これは、注入側が渡した相対名「mydll.dll」をLoadLibraryAが対象プロセス側のDLL検索順序で解決するためである。検索順序の途中に同名のDLLが置かれれば別物が読み込まれる（DLL検索順序ハイジャック）ので、実用時は絶対パスを渡すのが安全である。なお、DllMainはローダーロック保持中に呼ばれるため、ここで重い処理やMessageBoxのようなUIを行うのはデモに限るべきである。
上のdll注入プログラムを実行し、ダイアログボックスをポップアップし、dll注入に成功したことを示します.
もちろん、DLLを注入した後に、エントリ関数以外のエクスポート関数（上のSomeFunctionなど）のアドレスをGetProcAddressで取得して呼び出し、自分が実行したい機能を実行させることもできる。