windows目标进程注入dll

Posted a-s-m

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了windows目标进程注入dll相关的知识,希望对你有一定的参考价值。

在别的程序注入dll

步骤:
1,获取目标进程ID,CreateToolhelp32Snapshot()函数;
2,获取目标进程句柄,OpenProcess()函数;
3,目标进程要一块内存,VirtualAllocEx()函数,不是VirtualAlloc()函数;
4,往要来的目标内存写入要注入的dll文件名,WriteProcessMemory;
5,拿到kernel32模块句柄,GetModuleHandle()函数;
6,拿到kernel32模块里LoadLibraryA()函数地址,GetProcAddress()函数;
7,把dll注入目标进程,CreateRemoteThread()函数

获取进程ID的方法:

DWORD GetPid(const TCHAR* pDest)
{
    HANDLE hProcessHandle;
    PROCESSENTRY32 pe32 = {0};

    hProcessHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    if (hProcessHandle == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }
    pe32.dwSize = sizeof(PROCESSENTRY32);

    while (Process32Next(hProcessHandle,&pe32))
    {
        //printf("%s
", pe32.szExeFile);
        if (wcscmp(pe32.szExeFile,pDest)==0)
        {    
            CloseHandle(hProcessHandle);
            return pe32.th32ProcessID;
            wcout << pe32.szExeFile << ":" << pe32.th32ProcessID << endl;
        }
        
    }
    return 0;

}

注入过程,封装个方法:

BOOL LoadDll(DWORD pID,const TCHAR* pName)
{
    HANDLE hDestProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);

    DWORD pLEN = wcslen(pName)+1;
    LPVOID lpStart =  VirtualAllocEx(hDestProcess, NULL, pLEN, MEM_COMMIT, PAGE_READWRITE);
    BOOL bRET = WriteProcessMemory(hDestProcess, lpStart, pName, pLEN, NULL);
    if (!bRET)
    {
        cout << "writeprocessmemory failed error : %d" << GetLastError() << endl;
        CloseHandle(hDestProcess);
        return FALSE;
    }
    HMODULE hModule = GetModuleHandle(TEXT("Kernel32.dll"));
    if (!hModule)
    {
        cout << "get kernel32 failed error :" << GetLastError() << endl;
        CloseHandle(hDestProcess);
        return FALSE;
    }
    DWORD f = (DWORD)GetProcAddress(hModule, "LoadLibraryA");
    if (!f)
    {
        cout << "get loadLibraryA failed error :" << GetLastError() << endl;
        CloseHandle(hDestProcess);
        CloseHandle(hModule);
        return FALSE;
    }
    CreateRemoteThread(hDestProcess,NULL,0, (LPTHREAD_START_ROUTINE)f,lpStart,NULL,NULL);
    CloseHandle(hDestProcess);
    CloseHandle(hModule);
    return TRUE;
}

 

以上是关于windows目标进程注入dll的主要内容,如果未能解决你的问题,请参考以下文章

在调用导入之前将挂钩 DLL 注入进程?

通过修改EIP寄存器实现32位程序的DLL注入

如何实现静态dll注入

Windows Dll InjectionProcess InjectionAPI Hook

vc 无dll的代码注入

实现远程代码注入