const DWORD THREADSIZE=1024*4;
HANDLE pRemoteThread,hRemoteProcess;
PTHREAD_START_ROUTINE pfnAddr;
DWORD pId;
void *pFileRemote;
HWND hWinPro=::FindWindow("ProgMan",NULL);
if(!hWinPro)
MessageBox("Exploere not found!");
else
{
::GetWindowThreadProcessId(hWinPro,&pId); //获得explorer ID
hRemoteProcess=::OpenProcess(PROCESS_ALL_ACCESS,false,pId);
pFileRemote=::VirtualAllocEx(hRemoteProcess,0,THREADSIZE,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
if(!::WriteProcessMemory(hRemoteProcess,pFileRemote,"C:\\My.dll",THREADSIZE,NULL))
return;
pfnAddr=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")),"LoadLibraryA");
pRemoteThread=::CreateRemoteThread(hRemoteProcess,NULL,0,pfnAddr,pFileRemote,0,NULL);if(pRemoteThread==NULL)
return;
else
MessageBox("success!");
}上面这段代码,是我从网上看到的,能运行,只是我加载的哪个My.dll 好像没有发挥作用,但这个DLL是被加载了的(判断方法是:运行程序时试删这个DLL,系统会报错,说是没办删除)不知是什么原因呢?
HANDLE pRemoteThread,hRemoteProcess;
PTHREAD_START_ROUTINE pfnAddr;
DWORD pId;
void *pFileRemote;
HWND hWinPro=::FindWindow("ProgMan",NULL);
if(!hWinPro)
MessageBox("Exploere not found!");
else
{
::GetWindowThreadProcessId(hWinPro,&pId); //获得explorer ID
hRemoteProcess=::OpenProcess(PROCESS_ALL_ACCESS,false,pId);
pFileRemote=::VirtualAllocEx(hRemoteProcess,0,THREADSIZE,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
if(!::WriteProcessMemory(hRemoteProcess,pFileRemote,"C:\\My.dll",THREADSIZE,NULL))
return;
pfnAddr=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")),"LoadLibraryA");
pRemoteThread=::CreateRemoteThread(hRemoteProcess,NULL,0,pfnAddr,pFileRemote,0,NULL);if(pRemoteThread==NULL)
return;
else
MessageBox("success!");
}上面这段代码,是我从网上看到的,能运行,只是我加载的哪个My.dll 好像没有发挥作用,但这个DLL是被加载了的(判断方法是:运行程序时试删这个DLL,系统会报错,说是没办删除)不知是什么原因呢?
我试了,DLL也加载了,但DLL却好像没有发挥作用,是我DLL的问题还是....?
请教!
我在网上找到一个例子,是注入到EXPLORER进程中,并显示一个DONE的消息.
我运行后是成功的,但却导致EXPLORER 死掉,不知原因,大家试试?(已编译通过)
----------------------------------------------------------------
#pragma once#include <windows.h>
#include <TlHelp32.h>
#include <iostream>//线程参数结构体定义
// Argument block that main() writes into the target process and hands to
// threadProc through CreateRemoteThread.
typedef struct _RemoteParam {
char szMsg[12]; // text shown by MessageBox (threadProc also uses it as the caption)
DWORD dwMessageBox;// address of MessageBoxA, resolved by the injecting process;
                   // a 32-bit slot, so only pointer-sized on 32-bit builds
} RemoteParam, * PRemoteParam;// function-pointer type matching MessageBox's signature
typedef int (__stdcall * PFN_MESSAGEBOX)(HWND, LPCTSTR, LPCTSTR, DWORD);
//线程函数定义
// Body of the thread that main() copies into the target process (see the
// WriteProcessMemory call on &threadProc there) and starts with
// CreateRemoteThread. lParam points at the RemoteParam block main() wrote
// into the target: the message text and the MessageBoxA address.
DWORD __stdcall threadProc(LPVOID lParam)
{
RemoteParam* pRP = (RemoteParam*)lParam;
PFN_MESSAGEBOX pfnMessageBox;
// MessageBoxA is reached through the address carried in the block, not by name.
pfnMessageBox = (PFN_MESSAGEBOX)pRP->dwMessageBox;
// szMsg serves as both body text and caption; the return value is ignored.
pfnMessageBox(NULL, pRP->szMsg, pRP->szMsg, 0); return 0;
}
// Remote-thread injection demo aimed at explorer.exe: find the shell process
// through its "ProgMan" window, allocate RWX memory inside it, copy threadProc's
// machine code plus a RemoteParam block across, and start a thread on the copy.
// The OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(PAGE_EXECUTE_READWRITE)
// -> WriteProcessMemory -> CreateRemoteThread sequence is the textbook pattern
// that endpoint monitoring and EDR products alert on.
// Returns -1 when the target is not found, 0 on every other failure and on success.
// NOTE(review): hTargetProcess and hUser32 are released on no path; only
// hRemoteThread is closed.
int main(int argc, char* argv[])
{
// Number of bytes copied as the "thread body".
const DWORD dwThreadSize = 4096;
// Receives the remote thread id from CreateRemoteThread; despite the name it is
// not used for a byte count anywhere.
DWORD dwWriteBytes;
// (Original comment: wait for the process name to be typed in, case-sensitive.)
// Stale: the target is now found via the shell window, not by name.
HWND hWinPro=::FindWindow("ProgMan",NULL); // locate explorer's shell window
DWORD dwProcessId;
// Owner process of the window; a NULL hWinPro is not checked before this call.
::GetWindowThreadProcessId(hWinPro,&dwProcessId); // get explorer's process id
// NOTE(review): the line break after the commented-out processNameToId() call
// was lost, so the `if (dwProcessId == 0) {` test sits inside the comment as
// written and the "not found" exit below is unconditional.
//DWORD dwProcessId = processNameToId(szExeName); if (dwProcessId == 0) {
MessageBox(NULL, "The target process have not been found !",
"Notice", MB_ICONINFORMATION | MB_OK);
return -1;
} // open the process from its id
HANDLE hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
if (!hTargetProcess) {
MessageBox(NULL, "Open target process failed !",
"Notice", MB_ICONINFORMATION | MB_OK);
return 0;
}
// Reserve and commit a region in the target process for the thread body.
// Note the MEM_COMMIT | MEM_RESERVE allocation type and the
// PAGE_EXECUTE_READWRITE protection; see the VirtualAllocEx documentation for
// their exact meaning. Writable+executable memory created in another process
// is itself a strong detection signal.
void* pRemoteThread = VirtualAllocEx(hTargetProcess, 0,
dwThreadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (!pRemoteThread) {
MessageBox(NULL, "Alloc memory in target process failed !",
"notice", MB_ICONINFORMATION | MB_OK);
return 0;
}
// Copy the thread body into the target: a fixed dwThreadSize bytes starting at
// threadProc's address; the function's actual length is never measured.
if (!WriteProcessMemory(hTargetProcess,
pRemoteThread, &threadProc, dwThreadSize, 0)) {
MessageBox(NULL, "Write data to target process failed !",
"Notice", MB_ICONINFORMATION | MB_OK);
return 0;
}
// Thread parameter block, zeroed so szMsg starts out as an empty string.
RemoteParam remoteData;
ZeroMemory(&remoteData, sizeof(RemoteParam));
// Fill in the members: MessageBoxA's address from this process's User32 mapping,
// cast into the DWORD field. hUser32 is never passed to FreeLibrary.
HINSTANCE hUser32 = LoadLibrary("User32.dll");
remoteData.dwMessageBox = (DWORD)GetProcAddress(hUser32, "MessageBoxA");
// "Done" fits the 12-byte, already-zeroed buffer; the explicit "\0" is redundant.
strcat(remoteData.szMsg, "Done\0");
// Allocate storage for the parameter block in the target process.
RemoteParam* pRemoteParam = (RemoteParam*)VirtualAllocEx(
hTargetProcess , 0, sizeof(RemoteParam), MEM_COMMIT, PAGE_READWRITE);
if (!pRemoteParam) {
MessageBox(NULL, "Alloc memory failed !",
"Notice", MB_ICONINFORMATION | MB_OK);
return 0;
} // copy the parameter block into the target's address space
if (!WriteProcessMemory(hTargetProcess ,
pRemoteParam, &remoteData, sizeof(remoteData), 0)) {
MessageBox(NULL, "Write data to target process failed !",
"Notice", MB_ICONINFORMATION | MB_OK);
return 0;
}
// Start a thread in the target at the copied code, passing the remote parameter
// block; the new thread's id is stored in dwWriteBytes.
HANDLE hRemoteThread = CreateRemoteThread(
hTargetProcess, NULL, 0, (DWORD (__stdcall *)(void *))pRemoteThread,
pRemoteParam, 0, &dwWriteBytes); if (!hRemoteThread) {
MessageBox(NULL, "Create remote thread failed !", "Notice", MB_ICONINFORMATION | MB_OK);
return 0;
} CloseHandle(hRemoteThread); return 0; // handle closed without waiting on the thread
}
// Loads the DLL at lpszLibName into process dwProcessId: the path string is
// written into the target's address space and a remote thread is started
// directly at kernel32's LoadLibraryA with that path as its argument (the same
// OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
// sequence as main()). Uses MSVC structured exception handling so that every
// __leave on failure still runs the __finally cleanup.
// Assumes an ANSI build: strlen() on an LPTSTR, narrow literals, LoadLibraryA.
// Returns TRUE once the remote thread has terminated; the thread's exit value
// (LoadLibraryA's result) is not examined, so TRUE does not prove the DLL loaded.
BOOL WINAPI LoadLib(DWORD dwProcessId, LPTSTR lpszLibName)
{
BOOL bResult = FALSE;
HANDLE hProcess = NULL;
HANDLE hThread = NULL;
PSTR pszLibFileRemote = NULL; __try
{
// Get a handle to the process the code is to be injected into.
hProcess = OpenProcess(
PROCESS_ALL_ACCESS,
FALSE,
dwProcessId
); if (hProcess == NULL)
__leave;
// Byte count of the DLL path, including its terminating NUL.
int cch = 1 + strlen(lpszLibName); // Allocate room for the path in the remote process.
pszLibFileRemote = (PSTR)VirtualAllocEx(
hProcess,
NULL,
cch,
MEM_COMMIT,
PAGE_READWRITE
); if (pszLibFileRemote == NULL)
__leave;
// Copy the DLL path into the remote process's memory.
if (!WriteProcessMemory(
hProcess,
(PVOID)pszLibFileRemote,
(PVOID)lpszLibName,
cch,
NULL))
__leave;
// Resolve the real address of LoadLibraryA in Kernel32.dll.
PTHREAD_START_ROUTINE pfnThreadRtn =
(PTHREAD_START_ROUTINE)GetProcAddress(
GetModuleHandle("Kernel32"), "LoadLibraryA"); if (pfnThreadRtn == NULL)
__leave; // Create the remote thread; it calls LoadLibraryA on the user's DLL path.
hThread = CreateRemoteThread(
hProcess,
NULL,
0,
pfnThreadRtn,
(PVOID)pszLibFileRemote,
0,
NULL
);
if (hThread == NULL)
__leave; // Wait for the remote thread to terminate.
WaitForSingleObject(hThread, INFINITE); bResult = TRUE; // "success" = thread finished; exit code not read
}
__finally
{
// Release the remote buffer and close the handles; runs on every exit path.
if (pszLibFileRemote != NULL)
VirtualFreeEx(hProcess, (PVOID)pszLibFileRemote, 0, MEM_RELEASE); if (hThread != NULL)
CloseHandle(hThread); if (hProcess != NULL)
CloseHandle(hProcess);
}
return bResult;
}