// Inject the target process: load INJDLL.dll into process dwProcessId by
// writing the DLL path into the target's address space and starting a remote
// thread on kernel32!LoadLibraryA with that buffer as its argument (the classic
// CreateRemoteThread/LoadLibrary pattern). From the defender's side this exact
// sequence -- OpenProcess(PROCESS_ALL_ACCESS) + VirtualAllocEx +
// WriteProcessMemory + CreateRemoteThread -- is what endpoint monitoring keys
// on when it reports cross-process injection.
//
// @param dwProcessId  PID of the target process.
// @return TRUE only after the remote thread has finished; FALSE on any failed
//         Win32 call. The remote thread's exit code (LoadLibraryA's result) is
//         never read, so TRUE does not prove the DLL was actually loaded.
//
// NOTE(review): resource hygiene -- m_hDesProcess is opened here and not closed
// in this function; the remote buffer lpAddr is leaked on every early
// `return FALSE` after VirtualAllocEx; and the VirtualFree call at the end does
// not act on the target process at all (see the comment there).
BOOL CMoveCursorDlg::InjectDesProcess(DWORD dwProcessId)
{
    BOOL bRet = FALSE;
    DWORD dwCurrProcessId = ::GetCurrentProcessId();
    // Raise this process's privileges first. AdjustProcessPrivilege is defined
    // elsewhere (which privilege it enables is not visible here -- confirm in its
    // definition); its result gates the whole injection below.
    bRet = AdjustProcessPrivilege(dwCurrProcessId);
    // Open a handle to the target process. PROCESS_ALL_ACCESS is broader than the
    // calls made here need; a least-privilege mask would be the rights documented
    // for VirtualAllocEx/WriteProcessMemory/CreateRemoteThread.
    m_hDesProcess = ::OpenProcess(PROCESS_ALL_ACCESS,
                                  FALSE , dwProcessId);
    if(m_hDesProcess != NULL && bRet)
    {
        // Locate LoadLibraryA in kernel32.dll. The address is taken from this
        // process's own kernel32 and reused in the target.
        HMODULE hModule = ::GetModuleHandle(_T("kernel32"));
        if(hModule == NULL)
            return FALSE;
        // NOTE(review): the result is not checked for NULL before being handed to
        // CreateRemoteThread below.
        PTHREAD_START_ROUTINE pfnLoadLibraryA = (PTHREAD_START_ROUTINE)::GetProcAddress(hModule,LPCSTR("LoadLibraryA"));
        // Allocate space in the target for LoadLibraryA's argument (the DLL path).
        // NOTE(review): szDllPath is filled here but never used -- the
        // WriteProcessMemory call below copies a separate narrow literal instead.
        TCHAR szDllPath[MAX_PATH] ={0};
        _tcscpy_s(szDllPath,MAX_PATH,_T("G:\\proj\\MoveCursor\\debug\\INJDLL.dll")); // DLL path (hard-coded)
        LPVOID lpAddr = ::VirtualAllocEx(m_hDesProcess , NULL, sizeof(TCHAR) * MAX_PATH, MEM_COMMIT, PAGE_READWRITE);
        if(lpAddr == NULL)
            return FALSE;
        // Copy the path into the target's address space.
        // NOTE(review): dwSize is sizeof(szDllPath) (MAX_PATH * sizeof(TCHAR)), but
        // the source is the 36-byte narrow literal, so WriteProcessMemory reads far
        // past the end of that literal. The narrow literal itself does match the
        // ANSI argument LoadLibraryA expects.
        DWORD dwNumBytesOfWritten = 0;
        DWORD dwSize = sizeof(szDllPath);
        bRet = ::WriteProcessMemory(m_hDesProcess, lpAddr, "G:\\proj\\MoveCursor\\debug\\INJDLL.dll",dwSize, &dwNumBytesOfWritten);
        if(!bRet)
            return FALSE; // lpAddr stays allocated in the target on this path
        // Start the remote thread: LoadLibraryA(lpAddr) runs inside the target.
        DWORD dwThreadId = 0;
        HANDLE hRemoteThread = ::CreateRemoteThread(m_hDesProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pfnLoadLibraryA, lpAddr, 0, &dwThreadId);
        if(hRemoteThread == NULL)
            return FALSE; // lpAddr stays allocated in the target on this path
        // Block until LoadLibraryA returns. Its HMODULE result (the thread exit
        // code) is not read, so a failed load inside the target is invisible here.
        ::WaitForSingleObject(hRemoteThread,INFINITE);
        // NOTE(review): VirtualFree acts on the *calling* process, and MEM_RELEASE
        // requires a size of 0, so this call does not release the buffer that
        // VirtualAllocEx created in the target; it fails and the result is unchecked.
        ::VirtualFree(lpAddr, sizeof(TCHAR) * MAX_PATH, MEM_RELEASE);
        ::CloseHandle(hRemoteThread);
        return TRUE; }
    else
    {
        return FALSE;
    }
}
我调试发现上面的每一行代码都显示的是正确的返回值!
我的注入DLL部分代码如下:
#include "stdafx.h"
#include "MyFunc.h"
#include <fstream>
using namespace std;
// Global log stream, opened when the DLL's CRT runs static initializers -- that
// is, inside the host process, before DllMain is called. The path is hard-coded
// and an open failure is silent (the stream is never checked).
// NOTE(review): a static object owning a file handle in a DLL is generally
// discouraged; its lifetime is tied to DLL load/unload rather than to any caller.
fstream fs("G:\\proj\\MoveCursor\\debug\\dd.txt", ios::out);
#ifdef _MANAGED
#pragma managed(push, off)
#endif
/// DLL entry point of the injected module. Every call, whatever the reason code,
/// first appends "DLL_ATTACH" to the global stream `fs` and shows a message box;
/// the switch then logs per reason code and, on process attach, calls
/// GetProcessMainWindow()/MoveCursor() (declared elsewhere, presumably in
/// MyFunc.h -- confirm).
///
/// NOTE(review): this body runs under the loader lock. Calling MessageBox
/// (user32) and using a global fstream that the CRT constructed during DLL
/// initialization are both outside what DllMain is documented to allow, and a
/// hang or silent failure here would be consistent with the symptoms described
/// in the post. "DLL_ATTACH" is written twice on DLL_PROCESS_ATTACH (once before
/// the switch, once inside it). hModule and lpReserved are unused. The matching
/// `#pragma managed(pop)` is not visible in this excerpt.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    fs<<"DLL_ATTACH"<<endl;   // logged for every reason code, not only attach
    ::MessageBox(NULL,TEXT("注入"),TEXT("提示"),MB_OK);
    switch(ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        fs<<"DLL_ATTACH"<<endl;   // second "DLL_ATTACH" line for this reason code
        if(GetProcessMainWindow())
        {
            MoveCursor();
            ::MessageBox(NULL,TEXT("注入"),TEXT("提示"),MB_OK);
        } break;
    case DLL_PROCESS_DETACH:
        fs<<"DLL_DETACH"<<endl;
        break;
    case DLL_THREAD_ATTACH:
        fs<<"Thread_Attach"<<endl;
        break;
    case DLL_THREAD_DETACH:
        fs<<"Thread_Detach"<<endl;
        break;
    default:
        break;
    }
    return TRUE;
}
但是注入过后,根本就没有反应,按理来说,他应该在注入后显示一个MessageBox对话框,在且会在指定目录下面创建一个文件!但是,注入后的结果是什么都没有!!!
调试了很久,一点进展没有!!望高手指点一二!!!!!
感谢!
// Inject the target process: load INJDLL.dll into process dwProcessId by
// writing the DLL path into the target's address space and starting a remote
// thread on kernel32!LoadLibraryA with that buffer as its argument (the classic
// CreateRemoteThread/LoadLibrary pattern). From the defender's side this exact
// sequence -- OpenProcess(PROCESS_ALL_ACCESS) + VirtualAllocEx +
// WriteProcessMemory + CreateRemoteThread -- is what endpoint monitoring keys
// on when it reports cross-process injection.
//
// @param dwProcessId  PID of the target process.
// @return TRUE only after the remote thread has finished; FALSE on any failed
//         Win32 call. The remote thread's exit code (LoadLibraryA's result) is
//         never read, so TRUE does not prove the DLL was actually loaded.
//
// NOTE(review): resource hygiene -- m_hDesProcess is opened here and not closed
// in this function; the remote buffer lpAddr is leaked on every early
// `return FALSE` after VirtualAllocEx; and the VirtualFree call at the end does
// not act on the target process at all (see the comment there).
BOOL CMoveCursorDlg::InjectDesProcess(DWORD dwProcessId)
{
    BOOL bRet = FALSE;
    DWORD dwCurrProcessId = ::GetCurrentProcessId();
    // Raise this process's privileges first. AdjustProcessPrivilege is defined
    // elsewhere (which privilege it enables is not visible here -- confirm in its
    // definition); its result gates the whole injection below.
    bRet = AdjustProcessPrivilege(dwCurrProcessId);
    // Open a handle to the target process. PROCESS_ALL_ACCESS is broader than the
    // calls made here need; a least-privilege mask would be the rights documented
    // for VirtualAllocEx/WriteProcessMemory/CreateRemoteThread.
    m_hDesProcess = ::OpenProcess(PROCESS_ALL_ACCESS,
                                  FALSE , dwProcessId);
    if(m_hDesProcess != NULL && bRet)
    {
        // Locate LoadLibraryA in kernel32.dll. The address is taken from this
        // process's own kernel32 and reused in the target.
        HMODULE hModule = ::GetModuleHandle(_T("kernel32"));
        if(hModule == NULL)
            return FALSE;
        // NOTE(review): the result is not checked for NULL before being handed to
        // CreateRemoteThread below.
        PTHREAD_START_ROUTINE pfnLoadLibraryA = (PTHREAD_START_ROUTINE)::GetProcAddress(hModule,LPCSTR("LoadLibraryA"));
        // Allocate space in the target for LoadLibraryA's argument (the DLL path).
        // NOTE(review): szDllPath is filled here but never used -- the
        // WriteProcessMemory call below copies a separate narrow literal instead.
        TCHAR szDllPath[MAX_PATH] ={0};
        _tcscpy_s(szDllPath,MAX_PATH,_T("G:\\proj\\MoveCursor\\debug\\INJDLL.dll")); // DLL path (hard-coded)
        LPVOID lpAddr = ::VirtualAllocEx(m_hDesProcess , NULL, sizeof(TCHAR) * MAX_PATH, MEM_COMMIT, PAGE_READWRITE);
        if(lpAddr == NULL)
            return FALSE;
        // Copy the path into the target's address space.
        // NOTE(review): dwSize is sizeof(szDllPath) (MAX_PATH * sizeof(TCHAR)), but
        // the source is the 36-byte narrow literal, so WriteProcessMemory reads far
        // past the end of that literal. The narrow literal itself does match the
        // ANSI argument LoadLibraryA expects.
        DWORD dwNumBytesOfWritten = 0;
        DWORD dwSize = sizeof(szDllPath);
        bRet = ::WriteProcessMemory(m_hDesProcess, lpAddr, "G:\\proj\\MoveCursor\\debug\\INJDLL.dll",dwSize, &dwNumBytesOfWritten);
        if(!bRet)
            return FALSE; // lpAddr stays allocated in the target on this path
        // Start the remote thread: LoadLibraryA(lpAddr) runs inside the target.
        DWORD dwThreadId = 0;
        HANDLE hRemoteThread = ::CreateRemoteThread(m_hDesProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pfnLoadLibraryA, lpAddr, 0, &dwThreadId);
        if(hRemoteThread == NULL)
            return FALSE; // lpAddr stays allocated in the target on this path
        // Block until LoadLibraryA returns. Its HMODULE result (the thread exit
        // code) is not read, so a failed load inside the target is invisible here.
        ::WaitForSingleObject(hRemoteThread,INFINITE);
        // NOTE(review): VirtualFree acts on the *calling* process, and MEM_RELEASE
        // requires a size of 0, so this call does not release the buffer that
        // VirtualAllocEx created in the target; it fails and the result is unchecked.
        ::VirtualFree(lpAddr, sizeof(TCHAR) * MAX_PATH, MEM_RELEASE);
        ::CloseHandle(hRemoteThread);
        return TRUE; }
    else
    {
        return FALSE;
    }
}
我调试发现上面的每一行代码都显示的是正确的返回值!
我的注入DLL部分代码如下:
#include "stdafx.h"
#include "MyFunc.h"
#include <fstream>
using namespace std;
// Global log stream, opened when the DLL's CRT runs static initializers -- that
// is, inside the host process, before DllMain is called. The path is hard-coded
// and an open failure is silent (the stream is never checked).
// NOTE(review): a static object owning a file handle in a DLL is generally
// discouraged; its lifetime is tied to DLL load/unload rather than to any caller.
fstream fs("G:\\proj\\MoveCursor\\debug\\dd.txt", ios::out);
#ifdef _MANAGED
#pragma managed(push, off)
#endif
/// DLL entry point of the injected module. Every call, whatever the reason code,
/// first appends "DLL_ATTACH" to the global stream `fs` and shows a message box;
/// the switch then logs per reason code and, on process attach, calls
/// GetProcessMainWindow()/MoveCursor() (declared elsewhere, presumably in
/// MyFunc.h -- confirm).
///
/// NOTE(review): this body runs under the loader lock. Calling MessageBox
/// (user32) and using a global fstream that the CRT constructed during DLL
/// initialization are both outside what DllMain is documented to allow, and a
/// hang or silent failure here would be consistent with the symptoms described
/// in the post. "DLL_ATTACH" is written twice on DLL_PROCESS_ATTACH (once before
/// the switch, once inside it). hModule and lpReserved are unused. The matching
/// `#pragma managed(pop)` is not visible in this excerpt.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    fs<<"DLL_ATTACH"<<endl;   // logged for every reason code, not only attach
    ::MessageBox(NULL,TEXT("注入"),TEXT("提示"),MB_OK);
    switch(ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        fs<<"DLL_ATTACH"<<endl;   // second "DLL_ATTACH" line for this reason code
        if(GetProcessMainWindow())
        {
            MoveCursor();
            ::MessageBox(NULL,TEXT("注入"),TEXT("提示"),MB_OK);
        } break;
    case DLL_PROCESS_DETACH:
        fs<<"DLL_DETACH"<<endl;
        break;
    case DLL_THREAD_ATTACH:
        fs<<"Thread_Attach"<<endl;
        break;
    case DLL_THREAD_DETACH:
        fs<<"Thread_Detach"<<endl;
        break;
    default:
        break;
    }
    return TRUE;
}
但是注入过后,根本就没有反应,按理来说,他应该在注入后显示一个MessageBox对话框,在且会在指定目录下面创建一个文件!但是,注入后的结果是什么都没有!!!
调试了很久,一点进展没有!!望高手指点一二!!!!!
感谢!
不清楚会不会牵扯到缓冲的问题。你也可以用 OutputDebugString 输出调试语句,另外用 Process Explorer 确认 DLL 有没有被加载到目标进程中。
不知道为什么!!!!!!!!!!!
// Inject the target process: load INJDLL.dll into process dwProcessId by
// writing the DLL path into the target's address space and starting a remote
// thread on kernel32!LoadLibraryW with that buffer as its argument (the classic
// CreateRemoteThread/LoadLibrary pattern). From the defender's side this exact
// sequence -- OpenProcess(PROCESS_ALL_ACCESS) + VirtualAllocEx +
// WriteProcessMemory + CreateRemoteThread -- is what endpoint monitoring keys
// on when it reports cross-process injection.
//
// @param dwProcessId  PID of the target process.
// @return TRUE only after the remote thread has finished; FALSE on any failed
//         Win32 call. The remote thread's exit code (LoadLibraryW's result) is
//         never read, so TRUE does not prove the DLL was actually loaded.
//
// NOTE(review): the path buffer is TCHAR (width follows UNICODE) while the
// export name is hard-coded to the W variant, so the two only agree when the
// project is built with UNICODE defined. Resource hygiene: m_hDesProcess is
// opened here and not closed in this function; lpAddr is leaked in the target
// on every early `return FALSE` after VirtualAllocEx; the VirtualFree call at
// the end does not act on the target process at all (see the comment there).
BOOL CMoveCursorDlg::InjectDesProcess(DWORD dwProcessId)
{
    BOOL bRet = FALSE;
    DWORD dwCurrProcessId = ::GetCurrentProcessId();
    // Raise this process's privileges first. AdjustProcessPrivilege is defined
    // elsewhere (which privilege it enables is not visible here -- confirm in its
    // definition); its result gates the whole injection below.
    bRet = AdjustProcessPrivilege(dwCurrProcessId);
    // Open a handle to the target process. PROCESS_ALL_ACCESS is broader than the
    // calls made here need; a least-privilege mask would be the rights documented
    // for VirtualAllocEx/WriteProcessMemory/CreateRemoteThread.
    m_hDesProcess = ::OpenProcess(PROCESS_ALL_ACCESS,
                                  FALSE , dwProcessId);
    if(m_hDesProcess != NULL && bRet)
    {
        // Locate LoadLibraryW in kernel32.dll. The address is taken from this
        // process's own kernel32 and reused in the target.
        HMODULE hModule = ::GetModuleHandle(_T("Kernel32"));
        if(hModule == NULL)
            return FALSE;
        // NOTE(review): the result is not checked for NULL before being handed to
        // CreateRemoteThread below.
        PTHREAD_START_ROUTINE pfnLoadLibraryW = (PTHREAD_START_ROUTINE)::GetProcAddress(hModule,LPCSTR("LoadLibraryW"));
        // Build LoadLibraryW's argument (the DLL path) locally, then size the
        // remote buffer from its actual length including the terminator.
        TCHAR szDllPath[MAX_PATH] ={0};
        _tcscpy_s(szDllPath,MAX_PATH, _T("G:\\proj\\MoveCursor\\debug\\INJDLL.dll")); // DLL path (hard-coded)
        size_t size;
        // NOTE(review): 260 is MAX_PATH spelled out; the HRESULT is not checked,
        // so `size` is read below even if the call failed.
        StringCchLength(szDllPath,260,&size);
        DWORD dwSize = (size + 1) * sizeof(TCHAR);   // bytes, terminator included
        TCHAR* lpAddr = (TCHAR*)::VirtualAllocEx(m_hDesProcess , NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
        if(lpAddr == NULL)
            return FALSE;
        // Copy the path into the target's address space (dwSize bytes of szDllPath).
        DWORD dwNumBytesOfWritten = 0;
        bRet = ::WriteProcessMemory(m_hDesProcess, lpAddr, szDllPath ,dwSize, &dwNumBytesOfWritten);
        if(!bRet)
            return FALSE; // lpAddr stays allocated in the target on this path
        // Start the remote thread: LoadLibraryW(lpAddr) runs inside the target.
        DWORD dwThreadId = 0;
        HANDLE hRemoteThread = ::CreateRemoteThread(m_hDesProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pfnLoadLibraryW, lpAddr, 0, &dwThreadId);
        if(hRemoteThread == NULL)
            return FALSE; // lpAddr stays allocated in the target on this path
        // Block until LoadLibraryW returns. Its HMODULE result (the thread exit
        // code) is not read, so a failed load inside the target is invisible here.
        ::WaitForSingleObject(hRemoteThread,INFINITE);
        // NOTE(review): VirtualFree acts on the *calling* process, MEM_RELEASE
        // requires a size of 0, and the size given here is not even the dwSize
        // that was allocated; this call does not release the buffer VirtualAllocEx
        // created in the target -- it fails and the result is unchecked.
        ::VirtualFree(lpAddr, sizeof(TCHAR) * MAX_PATH, MEM_RELEASE);
        ::CloseHandle(hRemoteThread);
        return TRUE; }
    else
    {
        return FALSE;
    }
}
OutputDebugString 是把字符串输出到哪里?调试的输出窗口吗?
不清楚会不会牵扯到缓冲的问题?什么意思?不懂!
你可以在VirtualAllocEx和WriteProcessMemory的时候长度给sizeof(szDllPath),以免长度计算有误。
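// Inject the target process: load INJDLL.dll into process dwProcessId by
// writing the DLL path into the target's address space and starting a remote
// thread on kernel32!LoadLibraryW with that buffer as its argument (the classic
// CreateRemoteThread/LoadLibrary pattern). From the defender's side this exact
// sequence -- OpenProcess(PROCESS_ALL_ACCESS) + VirtualAllocEx +
// WriteProcessMemory + CreateRemoteThread -- is what endpoint monitoring keys
// on when it reports cross-process injection.
//
// @param dwProcessId  PID of the target process.
// @return TRUE only after the remote thread has finished; FALSE on any failed
//         Win32 call. The remote thread's exit code (LoadLibraryW's result) is
//         never read, so TRUE does not prove the DLL was actually loaded.
//
// NOTE(review): in the pasted source the `DWORD dwSize = sizeof(szDllPath);`
// declaration had been folded into the trailing comment of the _tcscpy_s line,
// leaving dwSize undeclared; it is restored to its own line below. The path
// buffer is TCHAR (width follows UNICODE) while the export name is hard-coded
// to the W variant, so the two only agree when the project is built with
// UNICODE defined. Resource hygiene: m_hDesProcess is opened here and not
// closed in this function; lpAddr is leaked in the target on every early
// `return FALSE` after VirtualAllocEx; the VirtualFree call at the end does
// not act on the target process at all (see the comment there).
BOOL CMoveCursorDlg::InjectDesProcess(DWORD dwProcessId)
{
    BOOL bRet = FALSE;
    DWORD dwCurrProcessId = ::GetCurrentProcessId();
    // Raise this process's privileges first. AdjustProcessPrivilege is defined
    // elsewhere (which privilege it enables is not visible here -- confirm in its
    // definition); its result gates the whole injection below.
    bRet = AdjustProcessPrivilege(dwCurrProcessId);
    // Open a handle to the target process. PROCESS_ALL_ACCESS is broader than the
    // calls made here need; a least-privilege mask would be the rights documented
    // for VirtualAllocEx/WriteProcessMemory/CreateRemoteThread.
    m_hDesProcess = ::OpenProcess(PROCESS_ALL_ACCESS,
                                  FALSE , dwProcessId);
    if(m_hDesProcess != NULL && bRet)
    {
        // Locate LoadLibraryW in kernel32.dll. The address is taken from this
        // process's own kernel32 and reused in the target.
        HMODULE hModule = ::GetModuleHandle(_T("Kernel32"));
        if(hModule == NULL)
            return FALSE;
        // NOTE(review): the result is not checked for NULL before being handed to
        // CreateRemoteThread below.
        PTHREAD_START_ROUTINE pfnLoadLibraryW = (PTHREAD_START_ROUTINE)::GetProcAddress(hModule,LPCSTR("LoadLibraryW"));
        // Build LoadLibraryW's argument (the DLL path) locally; the whole
        // MAX_PATH buffer is copied, which also covers the terminator.
        TCHAR szDllPath[MAX_PATH] ={0};
        _tcscpy_s(szDllPath,MAX_PATH, _T("G:\\proj\\MoveCursor\\debug\\INJDLL.dll")); // DLL path (hard-coded)
        DWORD dwSize = sizeof(szDllPath);   // MAX_PATH * sizeof(TCHAR) bytes
        TCHAR* lpAddr = (TCHAR*)::VirtualAllocEx(m_hDesProcess , NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
        if(lpAddr == NULL)
            return FALSE;
        // Copy the path into the target's address space (dwSize bytes of szDllPath;
        // source and length now refer to the same buffer).
        DWORD dwNumBytesOfWritten = 0;
        bRet = ::WriteProcessMemory(m_hDesProcess, lpAddr, szDllPath ,dwSize, &dwNumBytesOfWritten);
        if(!bRet)
            return FALSE; // lpAddr stays allocated in the target on this path
        // Start the remote thread: LoadLibraryW(lpAddr) runs inside the target.
        DWORD dwThreadId = 0;
        HANDLE hRemoteThread = ::CreateRemoteThread(m_hDesProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pfnLoadLibraryW, lpAddr, 0, &dwThreadId);
        if(hRemoteThread == NULL)
            return FALSE; // lpAddr stays allocated in the target on this path
        // Block until LoadLibraryW returns. Its HMODULE result (the thread exit
        // code) is not read, so a failed load inside the target is invisible here.
        ::WaitForSingleObject(hRemoteThread,INFINITE);
        // NOTE(review): VirtualFree acts on the *calling* process, and MEM_RELEASE
        // requires a size of 0, so this call does not release the buffer that
        // VirtualAllocEx created in the target; it fails and the result is unchecked.
        ::VirtualFree(lpAddr, sizeof(TCHAR) * MAX_PATH, MEM_RELEASE);
        ::CloseHandle(hRemoteThread);
        return TRUE; }
    else
    {
        return FALSE;
    }
}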
代码是这个样子,还是时而能够注入,时而不能注入!郁闷!
(通过查看是否创建了 dd.txt 文件来判断!!!!!)
高手救命呀!
郁闷死了!!
DLL中最好不要用静态对象。
可能是你的DLL又调用了其它DLL,在当前路径下找不到。
你可以先用自己的程序LoadLibrary加载自己的DLL来测试,确认没问题后再试注入。