c语言怎么编程dll,【C语言】编写的DLL注入工具
/*
 * Parameter block that InjectDll fills in locally and copies verbatim into
 * the target process with WriteProcessMemory; InjectThreadProc then reads it
 * there. Because it is copied as raw bytes it holds only function pointers
 * and inline character arrays - nothing that points back into this process.
 *
 * The pFunc entries are resolved from this process's kernel32.dll and reused
 * unchanged in the target; that presumably only works while kernel32 is
 * mapped at the same base in both processes, which is why InjectDll refuses
 * a 32/64-bit mismatch.
 */
typedef struct _INJECTTHREAD_PARAM
{
    /* [0] LoadLibraryA, [1] GetProcAddress, [2] CreateThread (filled by InjectDll) */
    FARPROC pFunc[3];
    /* [0] DLL path, [1] exported function name; 128 bytes each including the
     * terminator. NOTE(review): InjectDll's strcpy_s calls size the copy by
     * the source length, not by this 128-byte bound, so the limit is not
     * actually enforced there. */
    char szBuf[2][128];
} INJECTTHREAD_PARAM, *PINJECTTHREAD_PARAM;
// 此函數(shù)以代碼形式注入目標(biāo)進(jìn)程
/*
 * Thread routine executed inside the target process.
 *
 * InjectDll copies this function's machine code byte-for-byte into the
 * target (it measures the size as InjectDll - InjectThreadProc, so it relies
 * on the linker placing InjectDll directly after this function). For a raw
 * copy to run at a different address the body must contain no calls into
 * this module, no string literals, no relocations and no stack-protector
 * checks; nothing on this page enforces that, so confirm the build settings.
 * Every API it needs therefore arrives as a function pointer in param.
 * PFLOADLIBRARYA, PFGETPROCADDRESS and PFCREATETHREAD are typedefs defined
 * elsewhere in the project.
 *
 * param: PINJECTTHREAD_PARAM in the target's address space (pRemoteBuf[0]
 *        in InjectDll).
 * Returns 0 on success, 1 if the DLL could not be loaded or the export was
 * not found. The CreateThread result is not checked.
 */
DWORD WINAPI InjectThreadProc(LPVOID param)
{
    PINJECTTHREAD_PARAM pParam = (PINJECTTHREAD_PARAM)param;
    HMODULE hModule;
    FARPROC pFunc;
    HANDLE hThread;
    /* API functions cannot be called directly from the injected copy; go
     * through the pointers carried in pParam instead. */
    /* LoadLibraryA(szDllPath) */
    hModule = ((PFLOADLIBRARYA)pParam->pFunc[0])(pParam->szBuf[0]);
    if (!hModule)
    {
        return 1;
    }
    /* GetProcAddress(hModule, szFunc) */
    pFunc = ((PFGETPROCADDRESS)pParam->pFunc[1])(hModule, pParam->szBuf[1]);
    if (!pFunc)
    {
        return 1;
    }
    /* CreateThread() runs the exported function on its own thread; the
     * original author was unsure whether this is the right approach.
     * NOTE(review): a NULL return is not detected, and the handle is never
     * closed (no CloseHandle pointer is passed in), so it leaks in the
     * target. */
    hThread = ((PFCREATETHREAD)pParam->pFunc[2])(NULL, 0, (LPTHREAD_START_ROUTINE)pFunc, NULL, 0, NULL);
    return 0;
}
/*
 * Load szDllPath into process dwPID and run its export szFunc there.
 *
 * Sequence: resolve LoadLibraryA/GetProcAddress/CreateThread from this
 * process's kernel32, marshal them plus the two strings into an
 * INJECTTHREAD_PARAM, open the target, copy the struct and the code of
 * InjectThreadProc into it, start a remote thread at the copied code, wait
 * for it to finish, then release both remote buffers.
 *
 * dwPID:     target process id.
 * szDllPath: path handed to LoadLibraryA in the target.
 * szFunc:    name of the export to run after loading.
 * Returns TRUE when the remote thread ran to completion, FALSE on any
 * failure; the remote thread's own exit code is never read.
 *
 * Review notes, in order of appearance:
 *  - strcpy_s is given strlen(src)+1 as the destination size rather than
 *    the 128-byte size of param.szBuf[n], so inputs longer than 127 bytes
 *    overrun the field instead of being rejected.
 *  - hProcess is leaked on every FALSE return after OpenProcess, and the
 *    remote buffers are leaked on the failures after their allocation.
 *  - (DWORD)InjectDll - (DWORD)InjectThreadProc truncates pointers to 32
 *    bits and assumes the linker placed InjectDll directly after
 *    InjectThreadProc; the value is only a code size under that layout.
 *  - "?m" on the memset and WriteProcessMemory lines looks like an
 *    extraction artifact of "&param" (the "&para" HTML entity was decoded);
 *    the intent is the address of the local struct.
 *  - The MessageBox text says the DLL file could not be opened, but the
 *    branch showing it is the 32/64-bit mismatch check.
 *  - From a monitoring standpoint this is the textbook
 *    OpenProcess -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
 *    WriteProcessMemory -> CreateRemoteThread chain that EDR and ETW
 *    detection rules key on.
 * Is64BitProcess is defined elsewhere in the project.
 */
BOOL InjectDll(DWORD dwPID, LPCSTR szDllPath, LPCSTR szFunc)
{
    HMODULE hModule;
    INJECTTHREAD_PARAM param;
    HANDLE hProcess;
    HANDLE hThread;
    LPVOID pRemoteBuf[2];
    DWORD dwSize;
    /* kernel32 is already loaded in every process; the NULL case is not checked. */
    hModule = GetModuleHandleW(L"kernel32.dll");
    memset(?m, 0, sizeof(INJECTTHREAD_PARAM));
    /* For code injection every argument must first be written into the
     * target process, so gather them in param. */
    param.pFunc[0] = GetProcAddress(hModule, "LoadLibraryA");
    param.pFunc[1] = GetProcAddress(hModule, "GetProcAddress");
    param.pFunc[2] = GetProcAddress(hModule, "CreateThread");
    /* NOTE(review): the size argument should be the destination bound
     * (sizeof param.szBuf[n]); strlen(src)+1 defeats the check. */
    strcpy_s(param.szBuf[0], strlen(szDllPath) + 1, szDllPath);
    strcpy_s(param.szBuf[1], strlen(szFunc) + 1, szFunc);
    if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)))
    {
        return FALSE;
    }
    /* Refuse a bitness mismatch: the function pointers and the copied code
     * are only meaningful in a process of the same architecture. */
    if (Is64BitProcess(GetCurrentProcess()) != Is64BitProcess(hProcess))
    {
        /* NOTE(review): message text does not match this condition. */
        MessageBox(NULL, TEXT("打開動(dòng)態(tài)鏈接庫文件失敗"), TEXT("提示"), MB_ICONERROR | MB_OK);
        CloseHandle(hProcess);
        return FALSE;
    }
    dwSize = sizeof(INJECTTHREAD_PARAM);
    if (!(pRemoteBuf[0] = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE)))
    {
        return FALSE; /* NOTE(review): hProcess leaks here and on the returns below */
    }
    /* Write all parameters as one struct. */
    if (!WriteProcessMemory(hProcess, pRemoteBuf[0], (LPVOID)?m, dwSize, NULL))
    {
        return FALSE;
    }
    /* Code size by subtracting function addresses: depends on link order and
     * truncates to 32 bits (see header notes). */
    dwSize = (DWORD)InjectDll - (DWORD)InjectThreadProc;
    if (!(pRemoteBuf[1] = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE)))
    {
        return FALSE;
    }
    /* Then write the machine code of InjectThreadProc into the target. */
    if (!WriteProcessMemory(hProcess, pRemoteBuf[1], (LPVOID)InjectThreadProc, dwSize, NULL))
    {
        return FALSE;
    }
    /* pRemoteBuf[1] is the start of InjectThreadProc in the target,
     * pRemoteBuf[0] the address of the written parameters. */
    if (!(hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteBuf[1], pRemoteBuf[0], 0, NULL)))
    {
        return FALSE;
    }
    /* Must complete before the buffers below are freed, since the remote
     * thread is executing out of pRemoteBuf[1]. */
    WaitForSingleObject(hThread, INFINITE);
    VirtualFreeEx(hProcess, pRemoteBuf[0], 0, MEM_RELEASE);
    VirtualFreeEx(hProcess, pRemoteBuf[1], 0, MEM_RELEASE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
    return TRUE;
/* [align=left] : BBCode residue from the page, not part of the source */
}