// myexe.cpp : Defines the entry point for the console application.
//#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <TLHELP32.H>HANDLE FindHandle,CretHandle;
DWORD thedid; // process id recorded by GetProcessByName; read by main() as the injection target
//函数查找进程名字和进程id
// Enumerates the processes in a TH32CS_SNAPPROCESS snapshot. For every entry
// whose executable name starts with the same character as pExeName it prints
// the name and process id and stores that id in the global `thedid`.
// Returns FALSE if the snapshot cannot be created or Process32First fails;
// TRUE otherwise, even when nothing matched (thedid is then left unchanged).
// NOTE(review): only one character is compared (`*szExeFile == *pExeName`),
// so any process whose name begins with that character counts as a match and
// thedid ends up holding whichever match was enumerated last.
// NOTE(review): as rendered on this page the `do` keyword sits inside the
// comment on the line before the loop body, so the body runs once and the
// trailing `while (...)` spins with an empty statement — presumably a
// line-join artifact of the page rather than the author's source.
BOOL GetProcessByName (char* pExeName)
{
HANDLE hProcessSnap = NULL;
BOOL bRet = FALSE;
PROCESSENTRY32 pe32 = {0};
hProcessSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if (hProcessSnap == INVALID_HANDLE_VALUE)
return (FALSE);
pe32.dwSize = sizeof(PROCESSENTRY32); // must be set before Process32First
if (::Process32First (hProcessSnap, &pe32))
{
//DWORD dwPriorityClass;
BOOL bGotModule = FALSE; // never read
//MODULEENTRY32 me32 = {0}; do
{
if(*((char * )pe32.szExeFile)==*pExeName)
{
// "%ls" reads szExeFile as a wide string, which only matches the field's
// type in a UNICODE build — presumably the project is built that way; confirm.
printf("进程名称:%ls\n",pe32.szExeFile);
printf("进程ID:%u\n\n",pe32.th32ProcessID);
thedid=pe32.th32ProcessID;
}
}
while (Process32Next(hProcessSnap, &pe32));
bRet = TRUE;
}
else
bRet = FALSE;
CloseHandle (hProcessSnap); return (bRet);
}// Modify the process security token
// Enables (bEnable != FALSE) or disables SE_DEBUG_NAME on the current
// process's access token so that other processes can be opened.
// Returns TRUE only when AdjustTokenPrivileges leaves GetLastError() at
// ERROR_SUCCESS; FALSE if the token cannot be opened or the privilege was
// not assigned. The token handle is closed on every path that opened it.
// NOTE(review): AdjustTokenPrivileges returns TRUE even when the privilege
// is not held and reports ERROR_NOT_ALL_ASSIGNED through GetLastError(),
// which is why the code checks GetLastError() rather than the return value.
// The privilege must already be present (disabled) in the token, i.e. the
// caller is expected to run with administrative rights.
// NOTE(review): the LookupPrivilegeValue return value is not checked; on
// failure uID is used uninitialised.
BOOL EnableDebugPrivilege(BOOL bEnable)
{
// Grant this process the privilege so it can access system processes
BOOL bOk = FALSE;
HANDLE hToken;
// Open the current process's access token
if(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
{
// Look up the LUID of the privilege named SE_DEBUG_NAME ("SeDebugPrivilege")
LUID uID;
::LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &uID); // adjust the privilege level
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = uID;
tp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;
::AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
bOk = (::GetLastError() == ERROR_SUCCESS); // close the access token handle
::CloseHandle(hToken);
}
return bOk;
}
//注入函数
// Loads "mydll.dll" into process dwProcessId by creating a remote thread whose
// start routine is kernel32!LoadLibraryA and whose argument is a copy of the
// DLL name written into the target's address space.
// Returns FALSE when dwProcessId is this process, when the module appears to
// be loaded already, or when OpenProcess / CreateRemoteThread fails; TRUE
// once the remote thread has finished (LoadLibraryA returned).
// NOTE(review): the OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
// CreateRemoteThread(LoadLibraryA) chain is the textbook remote-thread DLL
// injection pattern; it is exactly the sequence that Sysmon's
// CreateRemoteThread event (ID 8) and EDR behavioural telemetry are built to
// surface, so expect it to be logged or blocked on monitored hosts.
// NOTE(review): several error paths are missing — hModuleSnap is not checked
// against INVALID_HANDLE_VALUE before Module32First, VirtualAllocEx's result
// is not checked for NULL, and a failed WriteProcessMemory only shows a
// message box before the remote thread is created anyway. The remote buffer
// is never released with VirtualFreeEx.
// NOTE(review): me32.szExePath holds a full path while pszDllName is a bare
// file name, so the "already loaded" comparison via lstrcmpiA presumably
// never matches — confirm what the check was meant to compare.
// NOTE(review): GetModuleHandle is called with a narrow literal; it maps to
// the W variant in a UNICODE build, so this assumes a non-UNICODE build —
// confirm the project's character set.
BOOL InjectModuleInto(DWORD dwProcessId)
{
if(::GetCurrentProcessId() == dwProcessId)
return FALSE; // First check whether the target process already has this module loaded
BOOL bFound = FALSE;
MODULEENTRY32 me32 = { 0 };
HANDLE hModuleSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
me32.dwSize = sizeof(MODULEENTRY32);
char pszDllName[13]="mydll.dll";
if(::Module32First(hModuleSnap, &me32))
{
do
{
if(lstrcmpiA(me32.szExePath,pszDllName) == 0)
{
bFound = TRUE;
break;
}
}
while(::Module32Next(hModuleSnap, &me32));
}
::CloseHandle(hModuleSnap); // If it is already present, do not load it again (a second load is useless: Windows only increments the reference count and does nothing else)
if(bFound)
return FALSE;
// Try to open the target process
HANDLE hProcess = ::OpenProcess(
PROCESS_VM_WRITE|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION, FALSE, dwProcessId);
if(hProcess == NULL)
return FALSE;
// Reserve memory in the target process for the pszDllName string; it becomes the remote thread's argument
int cbSize = (strlen(pszDllName) + 1);
LPVOID lpRemoteDllName = ::VirtualAllocEx(hProcess, NULL, cbSize, MEM_COMMIT, PAGE_READWRITE);
BOOL bwrit = ::WriteProcessMemory(hProcess, lpRemoteDllName, pszDllName, cbSize, NULL);
if (!bwrit) {
// NOTE(review): argument order puts "text" in the body and "写入失败" ("write failed") in the caption
MessageBoxA(NULL,"text","写入失败",MB_OK);
}
// Get the address of LoadLibraryA; it is used as the remote thread's start routine
HMODULE hModule=::GetModuleHandle("kernel32.dll");
LPTHREAD_START_ROUTINE pfnStartRoutine =
(LPTHREAD_START_ROUTINE)::GetProcAddress(hModule, "LoadLibraryA");
// Start the remote thread
HANDLE hRemoteThread = ::CreateRemoteThread(hProcess, NULL, 0, pfnStartRoutine, lpRemoteDllName, 0, NULL);
if(hRemoteThread == NULL)
{
::CloseHandle(hProcess);
return FALSE;
} // Wait for the remote thread to finish, i.e. for LoadLibraryA to return
::WaitForSingleObject(hRemoteThread, INFINITE);
::CloseHandle(hRemoteThread);
::CloseHandle(hProcess);
return TRUE;
}/*
BOOL InjectDllFunc(DWORD threadID)
{ HANDLE hExplorerProcess=OpenProcess(PROCESS_CREATE_THREAD|
PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,threadID); if (hExplorerProcess==INVALID_HANDLE_VALUE)
return (FALSE);
char pszDllName[13]="test_dll.dll";
DWORD nSize=lstrlenA(pszDllName)+1;
LPVOID lpbuf1=VirtualAllocEx(hExplorerProcess,NULL,nSize,MEM_COMMIT,PAGE_READWRITE);
DWORD ActualSize; HMODULE hmodule=::GetModuleHandle("Kernel32.dll");
LPTHREAD_START_ROUTINE pfnStartRoutine=(LPTHREAD_START_ROUTINE)GetProcAddress(hmodule,"LoadLibaryA");
WriteProcessMemory(hExplorerProcess,lpbuf1,(LPVOID)pszDllName,nSize,&ActualSize);
HANDLE hThread=CreateRemoteThread(hExplorerProcess,
NULL,0,(LPTHREAD_START_ROUTINE)pfnStartRoutine,
(LPVOID)pszDllName,0,NULL);
if (hThread == INVALID_HANDLE_VALUE)
return (FALSE);
return true;
} */
// Entry point: enables SeDebugPrivilege, then injects into the process id held
// in the global `thedid`. Command-line arguments are not used.
// NOTE(review): as rendered on this page the call `GetProcessByName(name);`
// sits at the end of the `//char name[30]=...` comment line, so it is never
// executed and `thedid` keeps its zero-initialised value — presumably a
// line-join artifact of the page rather than the author's source.
// NOTE(review): the return values of EnableDebugPrivilege and
// InjectModuleInto are ignored, so every failure is silent.
int main(int argc, char* argv[])
{ char * name="notepad.exe"; // string literal bound to a non-const char* (accepted by older MSVC)
//char name[30]={0x6e,0x6f,0x74,0x65,0x70,0x61,0x64,0x2e,0x65,0x78,0x65,0x00}; GetProcessByName(name);
EnableDebugPrivilege(TRUE);
InjectModuleInto(thedid); /* FindHandle =FindWindow(NULL, "无标题 - 记事本" ); if (FindHandle!=NULL) {
HANDLE hprocess =OpenProcess(PROCESS_ALL_ACCESS,FALSE,)
CretHandle =CreateRemoteThread(
FindHandle, // handle to process to create thread in
NULL, // pointer to security attributes
NULL, // initial thread stack size, in bytes
ThreadProc, // pointer to thread function
NULL, // argument for new thread
NULL, // creation flags
NULL // pointer to returned thread identifier
);
}
*/
return 0;
}
//#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <TLHELP32.H>HANDLE FindHandle,CretHandle;
DWORD thedid; // process id recorded by GetProcessByName; read by main() as the injection target
//函数查找进程名字和进程id
// Enumerates the processes in a TH32CS_SNAPPROCESS snapshot. For every entry
// whose executable name starts with the same character as pExeName it prints
// the name and process id and stores that id in the global `thedid`.
// Returns FALSE if the snapshot cannot be created or Process32First fails;
// TRUE otherwise, even when nothing matched (thedid is then left unchanged).
// NOTE(review): only one character is compared (`*szExeFile == *pExeName`),
// so any process whose name begins with that character counts as a match and
// thedid ends up holding whichever match was enumerated last.
// NOTE(review): as rendered on this page the `do` keyword sits inside the
// comment on the line before the loop body, so the body runs once and the
// trailing `while (...)` spins with an empty statement — presumably a
// line-join artifact of the page rather than the author's source.
BOOL GetProcessByName (char* pExeName)
{
HANDLE hProcessSnap = NULL;
BOOL bRet = FALSE;
PROCESSENTRY32 pe32 = {0};
hProcessSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if (hProcessSnap == INVALID_HANDLE_VALUE)
return (FALSE);
pe32.dwSize = sizeof(PROCESSENTRY32); // must be set before Process32First
if (::Process32First (hProcessSnap, &pe32))
{
//DWORD dwPriorityClass;
BOOL bGotModule = FALSE; // never read
//MODULEENTRY32 me32 = {0}; do
{
if(*((char * )pe32.szExeFile)==*pExeName)
{
// "%ls" reads szExeFile as a wide string, which only matches the field's
// type in a UNICODE build — presumably the project is built that way; confirm.
printf("进程名称:%ls\n",pe32.szExeFile);
printf("进程ID:%u\n\n",pe32.th32ProcessID);
thedid=pe32.th32ProcessID;
}
}
while (Process32Next(hProcessSnap, &pe32));
bRet = TRUE;
}
else
bRet = FALSE;
CloseHandle (hProcessSnap); return (bRet);
}// Modify the process security token
// Enables (bEnable != FALSE) or disables SE_DEBUG_NAME on the current
// process's access token so that other processes can be opened.
// Returns TRUE only when AdjustTokenPrivileges leaves GetLastError() at
// ERROR_SUCCESS; FALSE if the token cannot be opened or the privilege was
// not assigned. The token handle is closed on every path that opened it.
// NOTE(review): AdjustTokenPrivileges returns TRUE even when the privilege
// is not held and reports ERROR_NOT_ALL_ASSIGNED through GetLastError(),
// which is why the code checks GetLastError() rather than the return value.
// The privilege must already be present (disabled) in the token, i.e. the
// caller is expected to run with administrative rights.
// NOTE(review): the LookupPrivilegeValue return value is not checked; on
// failure uID is used uninitialised.
BOOL EnableDebugPrivilege(BOOL bEnable)
{
// Grant this process the privilege so it can access system processes
BOOL bOk = FALSE;
HANDLE hToken;
// Open the current process's access token
if(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
{
// Look up the LUID of the privilege named SE_DEBUG_NAME ("SeDebugPrivilege")
LUID uID;
::LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &uID); // adjust the privilege level
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = uID;
tp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;
::AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
bOk = (::GetLastError() == ERROR_SUCCESS); // close the access token handle
::CloseHandle(hToken);
}
return bOk;
}
//注入函数
// Loads "mydll.dll" into process dwProcessId by creating a remote thread whose
// start routine is kernel32!LoadLibraryA and whose argument is a copy of the
// DLL name written into the target's address space.
// Returns FALSE when dwProcessId is this process, when the module appears to
// be loaded already, or when OpenProcess / CreateRemoteThread fails; TRUE
// once the remote thread has finished (LoadLibraryA returned).
// NOTE(review): the OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
// CreateRemoteThread(LoadLibraryA) chain is the textbook remote-thread DLL
// injection pattern; it is exactly the sequence that Sysmon's
// CreateRemoteThread event (ID 8) and EDR behavioural telemetry are built to
// surface, so expect it to be logged or blocked on monitored hosts.
// NOTE(review): several error paths are missing — hModuleSnap is not checked
// against INVALID_HANDLE_VALUE before Module32First, VirtualAllocEx's result
// is not checked for NULL, and a failed WriteProcessMemory only shows a
// message box before the remote thread is created anyway. The remote buffer
// is never released with VirtualFreeEx.
// NOTE(review): me32.szExePath holds a full path while pszDllName is a bare
// file name, so the "already loaded" comparison via lstrcmpiA presumably
// never matches — confirm what the check was meant to compare.
// NOTE(review): GetModuleHandle is called with a narrow literal; it maps to
// the W variant in a UNICODE build, so this assumes a non-UNICODE build —
// confirm the project's character set.
BOOL InjectModuleInto(DWORD dwProcessId)
{
if(::GetCurrentProcessId() == dwProcessId)
return FALSE; // First check whether the target process already has this module loaded
BOOL bFound = FALSE;
MODULEENTRY32 me32 = { 0 };
HANDLE hModuleSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
me32.dwSize = sizeof(MODULEENTRY32);
char pszDllName[13]="mydll.dll";
if(::Module32First(hModuleSnap, &me32))
{
do
{
if(lstrcmpiA(me32.szExePath,pszDllName) == 0)
{
bFound = TRUE;
break;
}
}
while(::Module32Next(hModuleSnap, &me32));
}
::CloseHandle(hModuleSnap); // If it is already present, do not load it again (a second load is useless: Windows only increments the reference count and does nothing else)
if(bFound)
return FALSE;
// Try to open the target process
HANDLE hProcess = ::OpenProcess(
PROCESS_VM_WRITE|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION, FALSE, dwProcessId);
if(hProcess == NULL)
return FALSE;
// Reserve memory in the target process for the pszDllName string; it becomes the remote thread's argument
int cbSize = (strlen(pszDllName) + 1);
LPVOID lpRemoteDllName = ::VirtualAllocEx(hProcess, NULL, cbSize, MEM_COMMIT, PAGE_READWRITE);
BOOL bwrit = ::WriteProcessMemory(hProcess, lpRemoteDllName, pszDllName, cbSize, NULL);
if (!bwrit) {
// NOTE(review): argument order puts "text" in the body and "写入失败" ("write failed") in the caption
MessageBoxA(NULL,"text","写入失败",MB_OK);
}
// Get the address of LoadLibraryA; it is used as the remote thread's start routine
HMODULE hModule=::GetModuleHandle("kernel32.dll");
LPTHREAD_START_ROUTINE pfnStartRoutine =
(LPTHREAD_START_ROUTINE)::GetProcAddress(hModule, "LoadLibraryA");
// Start the remote thread
HANDLE hRemoteThread = ::CreateRemoteThread(hProcess, NULL, 0, pfnStartRoutine, lpRemoteDllName, 0, NULL);
if(hRemoteThread == NULL)
{
::CloseHandle(hProcess);
return FALSE;
} // Wait for the remote thread to finish, i.e. for LoadLibraryA to return
::WaitForSingleObject(hRemoteThread, INFINITE);
::CloseHandle(hRemoteThread);
::CloseHandle(hProcess);
return TRUE;
}/*
BOOL InjectDllFunc(DWORD threadID)
{ HANDLE hExplorerProcess=OpenProcess(PROCESS_CREATE_THREAD|
PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,threadID); if (hExplorerProcess==INVALID_HANDLE_VALUE)
return (FALSE);
char pszDllName[13]="test_dll.dll";
DWORD nSize=lstrlenA(pszDllName)+1;
LPVOID lpbuf1=VirtualAllocEx(hExplorerProcess,NULL,nSize,MEM_COMMIT,PAGE_READWRITE);
DWORD ActualSize; HMODULE hmodule=::GetModuleHandle("Kernel32.dll");
LPTHREAD_START_ROUTINE pfnStartRoutine=(LPTHREAD_START_ROUTINE)GetProcAddress(hmodule,"LoadLibaryA");
WriteProcessMemory(hExplorerProcess,lpbuf1,(LPVOID)pszDllName,nSize,&ActualSize);
HANDLE hThread=CreateRemoteThread(hExplorerProcess,
NULL,0,(LPTHREAD_START_ROUTINE)pfnStartRoutine,
(LPVOID)pszDllName,0,NULL);
if (hThread == INVALID_HANDLE_VALUE)
return (FALSE);
return true;
} */
// Entry point: enables SeDebugPrivilege, then injects into the process id held
// in the global `thedid`. Command-line arguments are not used.
// NOTE(review): as rendered on this page the call `GetProcessByName(name);`
// sits at the end of the `//char name[30]=...` comment line, so it is never
// executed and `thedid` keeps its zero-initialised value — presumably a
// line-join artifact of the page rather than the author's source.
// NOTE(review): the return values of EnableDebugPrivilege and
// InjectModuleInto are ignored, so every failure is silent.
int main(int argc, char* argv[])
{ char * name="notepad.exe"; // string literal bound to a non-const char* (accepted by older MSVC)
//char name[30]={0x6e,0x6f,0x74,0x65,0x70,0x61,0x64,0x2e,0x65,0x78,0x65,0x00}; GetProcessByName(name);
EnableDebugPrivilege(TRUE);
InjectModuleInto(thedid); /* FindHandle =FindWindow(NULL, "无标题 - 记事本" ); if (FindHandle!=NULL) {
HANDLE hprocess =OpenProcess(PROCESS_ALL_ACCESS,FALSE,)
CretHandle =CreateRemoteThread(
FindHandle, // handle to process to create thread in
NULL, // pointer to security attributes
NULL, // initial thread stack size, in bytes
ThreadProc, // pointer to thread function
NULL, // argument for new thread
NULL, // creation flags
NULL // pointer to returned thread identifier
);
}
*/
return 0;
}
#define AFX_STDAFX_H__8E3C7F7F_A155_4FFF_B376_18E3630F65FA__INCLUDED_#if _MSC_VER > 1000
#pragma once
#endif // _MSC_VER > 1000#include <windows.h>
#include <stdio.h>
typedef int ( *PFNEXPORTFUNC)();为了方便大家调试,我把那个stdfx.h也贴出来了
LPVOID lpRemoteDllName = ::VirtualAllocEx(hProcess, NULL, cbSize, MEM_COMMIT, PAGE_READWRITE);
可是调用
BOOL bwrit = ::WriteProcessMemory(hProcess, lpRemoteDllName, pszDllName, cbSize, NULL);之后并没有出现异常,但是写入的的地址根本不存在,所以也没有写进去,dll始终没有注入成功,浪费各位大大的时间,不好意思,希望大大们能抽出时间解决我的疑惑
之后如果 lpRemoteDllName == NULL，立即调用 GetLastError()
这个东西
- -!、、还有 为嘛 我的写dll注入 代码还没有你这里的一半多、、
{
// TODO: Add your control notification handler code here
// Body of an MFC notification handler whose signature is not shown on this
// page (the two-argument MessageBox suggests CWnd::MessageBox — confirm).
// Finds the first "notepad.exe" entry in a TH32CS_SNAPPROCESS snapshot,
// allocates a buffer in that process, writes the path "c:\DllInster.dll" into
// it and runs a remote thread on LoadLibrary with that buffer as argument;
// every failure shows a message box and releases what was obtained so far.
// NOTE(review): this is the same OpenProcess/VirtualAllocEx/WriteProcessMemory/
// CreateRemoteThread chain as InjectModuleInto above — the pattern that
// Sysmon's CreateRemoteThread event (ID 8) and EDR telemetry exist to surface.
// NOTE(review): hSnpshot is not checked against INVALID_HANDLE_VALUE, and a
// WriteProcessMemory that returns FALSE outright (as opposed to a short write)
// is not handled — control falls through to CreateRemoteThread.
// NOTE(review): `(LPTHREAD_START_ROUTINE)LoadLibrary` resolves to LoadLibraryA
// or LoadLibraryW depending on UNICODE, while the written path is narrow; this
// assumes a non-UNICODE build (stricmp on szExeFile assumes the same).
DWORD dwNotepad;
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(PROCESSENTRY32); // must be set before Process32First
HANDLE hSnpshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
BOOL bMore = Process32First(hSnpshot,&pe32);
while(bMore){
if(0 == stricmp("notepad.exe",pe32.szExeFile)){
dwNotepad = pe32.th32ProcessID;
HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE,FALSE,dwNotepad);
if (!hProcess)
{
MessageBox("打开进程失败!...","提示");
CloseHandle(hProcess); // hProcess is NULL here, so this call is a no-op
CloseHandle(hSnpshot);
return;
}
// strlen(path) + 1 so the terminating NUL is copied as well
LPVOID lpBaseAddr = VirtualAllocEx(hProcess,NULL,strlen("c:\\DllInster.dll") + 1,MEM_COMMIT,PAGE_READWRITE);
if(NULL == lpBaseAddr){
MessageBox("申请内存空间失败!...","提示");
CloseHandle(hProcess);
CloseHandle(hSnpshot);
return;
}
DWORD dwWritten = 0;
if(WriteProcessMemory(hProcess,lpBaseAddr,"c:\\DllInster.dll",strlen("c:\\DllInster.dll") + 1,&dwWritten)){
// only the short-write case is treated as failure
if (strlen("c:\\DllInster.dll") + 1 != dwWritten)
{
MessageBox("写入内存失败!...","提示");
VirtualFreeEx(hProcess,lpBaseAddr,strlen("c:\\dllinster.dll") + 1,MEM_DECOMMIT);
CloseHandle(hProcess);
CloseHandle(hSnpshot);
return;
}
}
HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)LoadLibrary,lpBaseAddr,0,NULL);
if (NULL == hThread)
{
MessageBox("创建远程线程失败!...","提示");
VirtualFreeEx(hProcess,lpBaseAddr,strlen("c:\\dllinster.dll") + 1,MEM_DECOMMIT);
CloseHandle(hProcess);
CloseHandle(hSnpshot);
return;
}
// Wait for LoadLibrary to return, then release the remote buffer and handles
WaitForSingleObject(hThread,INFINITE);
VirtualFreeEx(hProcess,lpBaseAddr,strlen("c:\\dllinster.dll") + 1,MEM_DECOMMIT);
CloseHandle(hProcess);
CloseHandle(hSnpshot);
MessageBox("DLL注入成功!....","提示");
return;
}
bMore = Process32Next(hSnpshot,&pe32);
}
MessageBox("没有发现记事本程序进程","提示");
CloseHandle(hSnpshot);
}