源地址文章来源:https://www.toymoban.com/news/detail-819805.html
- 注入程序
#include <Windows.h>
#include <iostream>
#include <Tlhelp32.h>
#include <stdio.h>
#include <tchar.h>
#include <iostream>
using namespace std;
BOOL getProcess32Info(PROCESSENTRY32 *info, const TCHAR processName[])
{
HANDLE handle;
handle = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
info->dwSize = sizeof(PROCESSENTRY32);
Process32First(handle, info);
while (Process32Next(handle, info) != FALSE)
{
if (wcscmp(processName, info->szExeFile) == 0)
{
return TRUE;
}
}
}
int InjectDll(const wchar_t *DllFullPath, const DWORD pid)
{
HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
if (hProc == 0)
{
return -1;
}
int pathSize = (wcslen(DllFullPath) + 1) * sizeof(wchar_t);
LPVOID buffer = VirtualAllocEx(hProc, 0, pathSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (buffer == 0)
{
return -2;
}
if (!WriteProcessMemory(hProc, buffer, DllFullPath, pathSize, NULL))
{
return -3;
}
LPVOID pFunc = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "LoadLibraryW");
CreateRemoteThread(hProc, 0, 0, (LPTHREAD_START_ROUTINE)pFunc, buffer, 0, 0);
}
int main()
{
system("start %windir%\\system32\\notepad.exe");
PROCESSENTRY32 info;
if (getProcess32Info(&info, L"notepad.exe"))
{
InjectDll(L"E:\\GlobalHook_Test.dll", info.th32ProcessID);
}
else
{
cout << "查找失败" << endl;
}
return 0;
std::cout << "Hello World!\n";
}
- 钩子
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include "stdlib.h"
#include <iostream>
using namespace std;
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
HWND hwnd = GetActiveWindow();
MessageBox(hwnd, L"DLL已进入目标进程。", L"信息", MB_ICONINFORMATION);
break;
}
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
原地址文章来源地址https://www.toymoban.com/news/detail-819805.html
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include "stdlib.h"
#include <iostream>
#include <TlHelp32.h>
#include <Windows.h>
#include <tchar.h>
using namespace std;
//指定全局变量
HHOOK global_Hook;
//判断是否是需要注入的进程
BOOL GetFirstModuleName(DWORD Pid, LPCTSTR ExeName)
{
MODULEENTRY32 me32 = { 0 };
me32.dwSize = sizeof(MODULEENTRY32);
HANDLE hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, Pid);
if (INVALID_HANDLE_VALUE != hModuleSnap)
{
//先拿到自身进程名称
BOOL bRet = Module32First(hModuleSnap, &me32);
//对比如果是需要注入进程, 则返回真
if (!_tcsicmp(ExeName, (LPCTSTR)me32.szModule))
{
CloseHandle(hModuleSnap);
return TRUE;
}
CloseHandle(hModuleSnap);
return FALSE;
}
CloseHandle(hModuleSnap);
return FALSE;
}
//获取自身DLL名程
char* GetMyDllName()
{
char szFileFullPath[MAX_PATH], szProcessName[MAX_PATH];
//获取文件路径
GetModuleFileNameA(NULL, szFileFullPath, MAX_PATH);
int length = strlen(szFileFullPath);
for (int i = length - 1; i >= 0; i--)
{
//找到第一个\就可以马上获取进程名称了
if (szFileFullPath == "\\")
{
i++;
//结束符\0不能少 即i=length
for (int j = 0; i <= length; j++)
{
szProcessName[j] = szFileFullPath[i++];
}
break;
}
}
return szProcessName;
}
//设置全局消息回调函数
LRESULT CALLBACK MyProc(int nCode, WPARAM wParam, LPARAM lParam)
{
MessageBoxA(0, "wa haha", 0, 0);
return CallNextHookEx(global_Hook, nCode, wParam, lParam);
}
//安装全局钩子 此处的GetMyDllName()函数 可以是外部其它DLL, 可将任意DLL进行注入
extern "C" _declspec(dllexport) void SetHook()
{
global_Hook = SetWindowsHookEx(WH_CBT, MyProc, GetModuleHandleA(GetMyDllName()), 0);
}
//卸载全局钩子
extern "C" __declspec(dllexport) void UnHook()
{
if (global_Hook)
{
UnhookWindowsHookEx(global_Hook);
}
}
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
//当Dll被加载时触发, 判断自身当前父进程是否为
BOOL flag = GetFirstModuleName(GetCurrentProcessId(), TEXT("InjectDll.exe"));
if (flag == TRUE)
{
MessageBoxA(0, "InjectDll", 0, 0);
}
break;
}
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
#include <Windows.h>
#include <iostream>
#include <Tlhelp32.h>
#include <stdio.h>
#include <tchar.h>
#include <iostream>
using namespace std;
BOOL getProcess32Info(PROCESSENTRY32 *info, const TCHAR processName[])
{
HANDLE handle;
handle = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
info->dwSize = sizeof(PROCESSENTRY32);
Process32First(handle, info);
while (Process32Next(handle, info) != FALSE)
{
if (wcscmp(processName, info->szExeFile) == 0)
{
return TRUE;
}
}
}
int InjectDll(const wchar_t *DllFullPath, const DWORD pid)
{
HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
if (hProc == 0)
{
return -1;
}
int pathSize = (wcslen(DllFullPath) + 1) * sizeof(wchar_t);
LPVOID buffer = VirtualAllocEx(hProc, 0, pathSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (buffer == 0)
{
return -2;
}
if (!WriteProcessMemory(hProc, buffer, DllFullPath, pathSize, NULL))
{
return -3;
}
LPVOID pFunc = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "LoadLibraryW");
CreateRemoteThread(hProc, 0, 0, (LPTHREAD_START_ROUTINE)pFunc, buffer, 0, 0);
}
int main()
{
/*
system("start %windir%\\system32\\notepad.exe");
PROCESSENTRY32 info;
if (getProcess32Info(&info, L"notepad.exe"))
{
InjectDll(L"E:\\GlobalHook_Test.dll", info.th32ProcessID);
}
else
{
cout << "查找失败" << endl;
}
return 0;
*/
HMODULE hMod = LoadLibrary(TEXT("E:\\GlobalHook_Test.dll"));
//挂钩
typedef void(*pSetHook)(void);
pSetHook SetHook = (pSetHook)GetProcAddress(hMod, "SetHook");
SetHook();
while (1)
{
Sleep(1000);
}
//卸载钩子
typedef BOOL(*pUnSetHook)(HHOOK);
pUnSetHook UnsetHook = (pUnSetHook)GetProcAddress(hMod, "UnHook");
pUnSetHook();
FreeLibrary(hMod);
return 0;
}
到了这里,关于DLL注入技术的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!
![[技术杂谈]如何查看DLL文件或者pyd文件依赖的DLL](https://imgs.yssmx.com/Uploads/2024/02/469585-1.png)
