求一静态注入DLL的示例代码呀!!
求一静态注入DLL的示例代码呀!!谢谢,好像这种注入方式蛮复杂的?在网上没有找到示例,晕了。哪位朋友有示例的话发到邮箱一下:[email protected],谢谢了……能贴出来共享那当然最好不过啦。
没这种说法,给你个注入的例子,不用尝试对反病毒软件和游戏的注入了,肯定不行的。
/************************************************************************//* 通过CreateRemoteThread注入进程/* 参数:进程ID,dll路径/************************************************************************/BOOL InjectModuleToProcessByRT(DWORD dwProcessId, LPWSTR lpDllPath) { BOOL bRet = FALSE; HANDLE hProcess = NULL, hThread = NULL; LPWSTR lpRemoteDllName = NULL; WCHAR szBuf[MAX_PATH] = {0}; DWORD dwSmss = GetProcessIdByName(L"smss.exe"); DWORD dwCsrss = GetProcessIdByName(L"csrss.exe"); if( (dwProcessId == 0)||(dwProcessId == 4)||(dwProcessId == dwSmss)||(dwProcessId == dwCsrss)) { return bRet; } __try { //获取目标进程句柄 hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId); if (hProcess == NULL) { wsprintf(szBuf,L"[error]OpenProcess(%d)",GetLastError()); OutputDebugString(szBuf); __leave; } // 计算dll路径所需要的字节数 int cch = 1 + lstrlenW(lpDllPath); int cb = cch * sizeof(wchar_t); // 为远程线程的路径分配空间 lpRemoteDllName = (LPWSTR) VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE); if (lpRemoteDllName == NULL) { wsprintf(szBuf,L"[error]VirtualAllocEx(%d)",GetLastError()); OutputDebugString(szBuf); __leave; } //将dll路径写入远程线程空间 if (!WriteProcessMemory(hProcess, lpRemoteDllName, (PVOID) lpDllPath, cb, NULL)) { wsprintf(szBuf,L"[error]WriteProcessMemory(%d)",GetLastError()); OutputDebugString(szBuf); __leave; } // 获取LoadLibraryW在Kernel32.dll中的地址 PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE) GetProcAddress(GetModuleHandle(L"Kernel32"), "LoadLibraryW"); if (pfnThreadRtn == NULL) { OutputDebugString(L"[error]Get LoadLibraryW Address Fail"); __leave; } // 创建远程线程 hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, lpRemoteDllName, 0, NULL); if (hThread == NULL) { wsprintf(szBuf,L"[error]CreateRemoteThread(%d)",GetLastError()); OutputDebugString(szBuf); 
__leave; } // 等待远程线程结束 WaitForSingleObject(hThread, INFINITE); bRet = TRUE; } __finally { if (lpRemoteDllName != NULL) VirtualFreeEx(hProcess, lpRemoteDllName, 0, MEM_RELEASE); if (hThread != NULL) CloseHandle(hThread); if (hProcess != NULL) CloseHandle(hProcess); } return bRet;}
使用LordPe或者Stud_PE,打开目标PE(exe/dll/ax/sys...)文件,在导入表部分,使用“添加导入模块”功能,添加一个指向自己dll的入口就可以了。网上有教程的,楼主试试。(注意:这种做法改的是磁盘上的文件本身,文件哈希会变,原有的数字签名也会失效。)
/************************************************************************/
/* Load a DLL into another process by starting a remote thread at
 * LoadLibraryW (CreateRemoteThread technique).
 *
 * Parameters:
 *   dwProcessId - ID of the target process.
 *   lpDllPath   - wide-character path of the DLL; it is copied into the
 *                 target's address space and handed to LoadLibraryW there.
 *
 * Returns TRUE once the remote thread has been created and has finished,
 * FALSE if any step failed or the target is one of the refused PIDs.
 * TRUE does not mean the module was loaded: the thread's exit code
 * (LoadLibraryW's result) is never read.
 *
 * Failures are reported through OutputDebugString only.
 *
 * Detection note: the sequence used here -- OpenProcess with
 * PROCESS_ALL_ACCESS, VirtualAllocEx, WriteProcessMemory, then
 * CreateRemoteThread with LoadLibraryW as start address -- is the classic
 * pattern tracked as MITRE ATT&CK T1055.001. With Sysmon it surfaces as
 * Event ID 10 (ProcessAccess), Event ID 8 (CreateRemoteThread) and
 * Event ID 7 (ImageLoad) in the target process.
 */
/************************************************************************/
BOOL InjectModuleToProcessByRT(DWORD dwProcessId, LPWSTR lpDllPath)
{
BOOL bRet = FALSE;
HANDLE hProcess = NULL, hThread = NULL;
LPWSTR lpRemoteDllName = NULL;
WCHAR szBuf[MAX_PATH] = {0};
// GetProcessIdByName is defined elsewhere in the project.
// NOTE(review): its return value when the name is not found is not visible here -- confirm.
DWORD dwSmss = GetProcessIdByName(L"smss.exe");
DWORD dwCsrss = GetProcessIdByName(L"csrss.exe");
// Refuse PID 0, PID 4 and whatever PIDs were resolved for smss.exe and csrss.exe.
if( (dwProcessId == 0)||(dwProcessId == 4)||(dwProcessId == dwSmss)||(dwProcessId == dwCsrss))
{
return bRet;
}
__try
{
// Open a handle to the target process. PROCESS_ALL_ACCESS requests every access
// right, which is more than the calls below use.
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
if (hProcess == NULL)
{
// NOTE(review): GetLastError() returns a DWORD but is formatted with %d (signed).
wsprintf(szBuf,L"[error]OpenProcess(%d)",GetLastError());
OutputDebugString(szBuf);
__leave;
}
// Size of the DLL path in bytes, including the terminating null character.
// NOTE(review): lpDllPath is not validated before this point, and the size_t product
// is narrowed to int.
int cch = 1 + lstrlenW(lpDllPath);
int cb = cch * sizeof(wchar_t);
// Reserve read/write memory in the target process to hold the path.
lpRemoteDllName = (LPWSTR) VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
if (lpRemoteDllName == NULL)
{
wsprintf(szBuf,L"[error]VirtualAllocEx(%d)",GetLastError());
OutputDebugString(szBuf);
__leave;
}
// Copy the DLL path into the memory just allocated in the target process.
if (!WriteProcessMemory(hProcess, lpRemoteDllName, (PVOID) lpDllPath, cb, NULL))
{
wsprintf(szBuf,L"[error]WriteProcessMemory(%d)",GetLastError());
OutputDebugString(szBuf);
__leave;
}
// Look up LoadLibraryW in the Kernel32 module of the *calling* process.
// The address is then used inside the target, which assumes it is valid there too --
// nothing here verifies that.
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(L"Kernel32"), "LoadLibraryW");
if (pfnThreadRtn == NULL)
{
OutputDebugString(L"[error]Get LoadLibraryW Address Fail");
__leave;
}
// Start a thread in the target whose entry point is LoadLibraryW and whose single
// argument is the remote copy of the path.
hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, lpRemoteDllName, 0, NULL);
if (hThread == NULL)
{
wsprintf(szBuf,L"[error]CreateRemoteThread(%d)",GetLastError());
OutputDebugString(szBuf);
__leave;
}
// Wait for the remote thread to end. INFINITE means the caller blocks with no timeout.
// bRet is set without checking the wait result or the thread's exit code.
WaitForSingleObject(hThread, INFINITE); bRet = TRUE;
}
__finally
{
// Runs on every exit from the __try block, including each __leave above:
// free the remote path buffer, then close the thread and process handles.
if (lpRemoteDllName != NULL)
VirtualFreeEx(hProcess, lpRemoteDllName, 0, MEM_RELEASE); if (hThread != NULL)
CloseHandle(hThread); if (hProcess != NULL)
CloseHandle(hProcess);
} return bRet;
}