c语言怎么编程dll,【C语言】编写的DLL注入工具
/*
 * Parameter block handed to the injected thread routine (InjectThreadProc).
 * InjectDll copies this struct verbatim into the target process with
 * WriteProcessMemory and the injected code reads it there, so the field
 * order and sizes are part of the contract and must stay exactly as declared.
 *   pFunc[0..2]  addresses of LoadLibraryA, GetProcAddress and CreateThread,
 *                resolved from kernel32.dll by InjectDll
 *   szBuf[0]     NUL-terminated DLL path (at most 127 characters)
 *   szBuf[1]     NUL-terminated name of the export to run after loading
 * NOTE(review): identifiers starting with "_" + uppercase (_INJECTTHREAD_PARAM)
 * are reserved for the implementation in C.
 */
typedef struct _INJECTTHREAD_PARAM
{
FARPROC pFunc[3];
char szBuf[2][128];
} INJECTTHREAD_PARAM, *PINJECTTHREAD_PARAM;
// This function is injected into the target process as raw code: InjectDll
// copies its bytes with WriteProcessMemory and starts them with
// CreateRemoteThread.  Because only the bytes move, nothing in here may call
// an API directly, touch a global, or use a string literal; every address and
// string must arrive through *param, an INJECTTHREAD_PARAM that InjectDll has
// already placed in the target.
//   param   remote address of the INJECTTHREAD_PARAM
// Returns 1 if LoadLibraryA or GetProcAddress fails, 0 otherwise.
// The PFLOADLIBRARYA / PFGETPROCADDRESS / PFCREATETHREAD typedefs are not
// shown on this page; presumably function-pointer types matching the
// corresponding kernel32 exports — confirm against the full source.
DWORD WINAPI InjectThreadProc(LPVOID param)
{
PINJECTTHREAD_PARAM pParam = (PINJECTTHREAD_PARAM)param;
HMODULE hModule;
FARPROC pFunc;
HANDLE hThread;
// Injected code cannot call API functions directly, hence the pointers.
// LoadLibraryA(szDllPath)
hModule = ((PFLOADLIBRARYA)pParam->pFunc[0])(pParam->szBuf[0]);
if (!hModule)
{
return 1;
}
// GetProcAddress(hModule, szFunc)
pFunc = ((PFGETPROCADDRESS)pParam->pFunc[1])(hModule, pParam->szBuf[1]);
if (!pFunc)
{
return 1;
}
// CreateThread() runs the export that should execute after loading; the
// original author noted being unsure whether this approach is appropriate.
// NOTE(review): the export is started as a thread routine with a NULL
// argument, so it must have that signature; hThread is never closed and the
// CreateThread result is not checked, so a failure here is still reported
// to the caller as success (0).
hThread = ((PFCREATETHREAD)pParam->pFunc[2])(NULL, 0, (LPTHREAD_START_ROUTINE)pFunc, NULL, 0, NULL);
return 0;
}
/*
 * Loads the DLL at szDllPath into process dwPID and has it call the export
 * named szFunc.  As written below: build an INJECTTHREAD_PARAM in this
 * process, copy it into the target, copy the machine code of InjectThreadProc
 * into the target, then start that code there with CreateRemoteThread and
 * wait for it.
 *
 *   dwPID      target process id
 *   szDllPath  ANSI path of the DLL to load (copied into a 128-byte field)
 *   szFunc     name of the export to run after loading (128-byte field)
 * Returns TRUE once the remote thread was created and has exited, FALSE on
 * any API failure.  The remote thread's exit code (InjectThreadProc returns
 * 1 on failure) is never read, so TRUE does not prove the DLL was loaded.
 *
 * Not shown on this page: Is64BitProcess and the PF* function-pointer
 * typedefs used by InjectThreadProc.
 *
 * From a monitoring standpoint this is the textbook remote-thread injection
 * sequence (OpenProcess with PROCESS_ALL_ACCESS, VirtualAllocEx of an RWX
 * region, WriteProcessMemory, CreateRemoteThread into a foreign process);
 * it is precisely the behaviour pattern endpoint-protection products and
 * process-access / remote-thread telemetry are built to surface.
 */
BOOL InjectDll(DWORD dwPID, LPCSTR szDllPath, LPCSTR szFunc)
{
HMODULE hModule;
INJECTTHREAD_PARAM param;
HANDLE hProcess;
HANDLE hThread;
LPVOID pRemoteBuf[2];   // [0] remote copy of param, [1] remote copy of InjectThreadProc's code
DWORD dwSize;
// Resolve the three kernel32 exports in *this* process.  The injected code
// later calls these addresses inside the target, which only works if
// kernel32.dll is mapped at the same base in both processes — TODO confirm
// that assumption for the intended platform.
hModule = GetModuleHandleW(L"kernel32.dll");
// NOTE(review): "?m" here and in the WriteProcessMemory call below looks like
// extraction-garbled "&param"; read it as the address of the local struct.
memset(?m, 0, sizeof(INJECTTHREAD_PARAM));
// Code injection requires every argument to be written into the target first.
param.pFunc[0] = GetProcAddress(hModule, "LoadLibraryA");
param.pFunc[1] = GetProcAddress(hModule, "GetProcAddress");
param.pFunc[2] = GetProcAddress(hModule, "CreateThread");
// NOTE(review): the size argument to strcpy_s is the *source* length rather
// than sizeof param.szBuf[n] (128), so the bounds check cannot reject a path
// or name longer than 127 characters and the struct would be overrun.
strcpy_s(param.szBuf[0], strlen(szDllPath) + 1, szDllPath);
strcpy_s(param.szBuf[1], strlen(szFunc) + 1, szFunc);
// Returns FALSE when the target cannot be opened with full access.
if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)))
{
return FALSE;
}
// Environment check: injector and target must have the same bitness.
if (Is64BitProcess(GetCurrentProcess()) != Is64BitProcess(hProcess))
{
// NOTE(review): the message text says the DLL file could not be opened,
// but the condition actually being reported is a 32/64-bit mismatch.
MessageBox(NULL, TEXT("打開動態鏈接庫文件失敗"), TEXT("提示"), MB_ICONERROR | MB_OK);
CloseHandle(hProcess);
return FALSE;
}
dwSize = sizeof(INJECTTHREAD_PARAM);
// NOTE(review): from here on every early return leaks hProcess, and the
// later ones also leave the remote allocations in place.
if (!(pRemoteBuf[0] = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE)))
{
return FALSE;
}
// Write the whole parameter struct into the target in one go.
if (!WriteProcessMemory(hProcess, pRemoteBuf[0], (LPVOID)?m, dwSize, NULL))
{
return FALSE;
}
// The size of InjectThreadProc is taken as the distance to the next function.
// NOTE(review): this assumes the linker placed InjectDll immediately after
// InjectThreadProc, which is not guaranteed, and the (DWORD) casts truncate
// pointers on 64-bit builds.
dwSize = (DWORD)InjectDll - (DWORD)InjectThreadProc;
// An RWX region allocated in a foreign process is one of the clearest
// injection indicators available to memory scanners and EDR hooks.
if (!(pRemoteBuf[1] = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE)))
{
return FALSE;
}
// Then copy the machine code of InjectThreadProc into the target.
if (!WriteProcessMemory(hProcess, pRemoteBuf[1], (LPVOID)InjectThreadProc, dwSize, NULL))
{
return FALSE;
}
// pRemoteBuf[1] is InjectThreadProc's start address inside the target (already
// written); pRemoteBuf[0] is the address of the parameter copy passed to it.
if (!(hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteBuf[1], pRemoteBuf[0], 0, NULL)))
{
return FALSE;
}
// Block until the remote thread finishes.  Its exit code is not retrieved,
// so a LoadLibraryA / GetProcAddress failure inside the target goes unnoticed.
WaitForSingleObject(hThread, INFINITE);
VirtualFreeEx(hProcess, pRemoteBuf[0], 0, MEM_RELEASE);
VirtualFreeEx(hProcess, pRemoteBuf[1], 0, MEM_RELEASE);
CloseHandle(hThread);
CloseHandle(hProcess);
return TRUE;
// Forum markup residue from the original page, not C; delete when copying.
[align=left]
}
總結