用什么方法可以将指定DLL插入到另一个进程的地址空间中,以便挂接其它进程?
感激不尽
感激不尽
解决方案 »
#pragma once
#include<windows.h>
// Allow remote debugging: when set to 1, an int 3 is prepended to
// lpShellCode (Injection.cpp) so a debugger attached to the target
// breaks as soon as the injected thread starts executing.
#define ENABLE_REMOTE_DEBUG 0
#pragma pack(push)
#pragma pack(4)
/*
 * Data pool that InjectProcess writes into the target immediately after
 * lpShellCode.  The hand-assembled stub reaches these fields through fixed
 * displacements (+0x000, +0x004, +0x008, +0x00C, +0x200 from the start of
 * the pool), so the field order, the 4-byte packing and the array sizes
 * are part of the stub's contract: changing any of them requires
 * re-assembling lpShellCode.  The 4-byte stride between the two FARPROC
 * members means this layout is only valid for a 32-bit (x86) build.
 */
typedef struct
{
    FARPROC _LoadLibrary;      // +0x000: LoadLibraryA, resolved in the injecting process
    FARPROC _GetProcAddress;   // +0x004: GetProcAddress, resolved in the injecting process
    DWORD dwParam;             // +0x008: argument handed to the DLL entry (the HWND for InjectWindow)
    char szFileName[500];      // +0x00C: path of the DLL to load; filled with an unbounded strcpy
    char szEntry[100];         // +0x200: name of the exported entry, VOID WINAPI entry(DWORD)
}InjectionStruct;
#pragma pack(pop)
/**
 * Injects szModule into the process that owns hWindow and calls its
 * exported szEntry with the window handle as dwParam.  See InjectProcess.
 */
BOOL InjectWindow(HWND hWindow,LPCSTR szModule,LPCSTR szEntry);
BOOL InjectProcess(DWORD dwProcessID,LPCSTR szModule,LPCSTR szEntry,DWORD dwParam);---------------------- Injection.cpp ----------------------
#include "Injection.h"
/*
 * Position-independent x86 stub executed in the target by CreateRemoteThread.
 * It expects an InjectionStruct to sit directly after the last byte of this
 * array (InjectProcess writes it at lpRemoteCode + sizeof(lpShellCode)) and
 * performs: m = LoadLibraryA(szFileName); p = GetProcAddress(m, szEntry);
 * if (p) p(dwParam); return.
 *
 * The bytes were assembled at 0x00401204 with the data pool at 0x00401238
 * (= 0x00401204 + 0x34; 52 bytes is the size of this array without the
 * debug int 3).  CALL/POP EBX obtains the run-time address of 0x00401209
 * and subtracting the assembled address leaves the relocation delta in
 * EBX, so every later [EBX+imm32] operand is "assembled address of a
 * field" mapped onto the copy living in the target.  Because the delta is
 * measured at run time, the optional leading int 3 shifts the data pool by
 * one byte and the stub still finds it.
 *
 * Any change to InjectionStruct, to its packing, or to the length of this
 * array invalidates the displacements below.  From a defensive point of
 * view this is the textbook remote-thread injection stub: an RWX
 * cross-process allocation, a write of code plus a data block, and a
 * remote thread started at that allocation.
 */
BYTE lpShellCode[]=
{
#if ENABLE_REMOTE_DEBUG==1
    0xCC, //int 3 -- trap here when a debugger is attached to the target
#endif
    0xE8,0x00,0x00,0x00,0x00, //CALL HI.00401209          ; call the next instruction: pushes its run-time address
    0x5B, //POP EBX                                       ; EBX = run-time address of 0x00401209
    0x81,0xEB,0x09,0x12,0x40,0x00, //SUB EBX,HI.00401209  ; EBX = relocation delta (run-time minus assembled)
    0x8D,0x83,0x44,0x12,0x40,0x00, //LEA EAX,DWORD PTR DS:[EBX+____FileName]      ; &szFileName (pool +0x00C)
    0x50, //PUSH EAX
    0xFF,0x93,0x38,0x12,0x40,0x00, //CALL DWORD PTR DS:[EBX+DataPool]             ; _LoadLibrary (pool +0x000) -> EAX = HMODULE
    0x8D,0x93,0x38,0x14,0x40,0x00, //LEA EDX,DWORD PTR DS:[EBX+____Entry]         ; &szEntry (pool +0x200)
    0x52, //PUSH EDX
    0x50, //PUSH EAX
    0xFF,0x93,0x3C,0x12,0x40,0x00, //CALL DWORD PTR DS:[EBX+____GetProcAddress]   ; _GetProcAddress (pool +0x004) -> EAX = entry
    0x0B,0xC0, //OR EAX,EAX                               ; entry resolved?
    0x74,0x08, //JE SHORT HI.00401237                     ; no: skip the 8 bytes below, straight to RETN
    0xFF,0xB3,0x40,0x12,0x40,0x00, //PUSH DWORD PTR DS:[EBX+____Window]           ; dwParam (pool +0x008)
    0xFF,0xD0, //CALL EAX                                 ; entry(dwParam); WINAPI (stdcall) so the callee pops the argument
    0xC3 //RETN                                           ; thread routine returns
};
/**
 * Loads szModule into process dwProcessID and calls its exported szEntry
 * with dwParam, using the classic remote-thread technique: allocate RWX
 * memory in the target, write lpShellCode followed by an InjectionStruct,
 * and start a remote thread at the code.
 *
 * @param dwProcessID  target process id
 * @param szModule     path of the DLL to load; copied with strcpy into a
 *                     500-byte field, so it must be shorter than 500 bytes
 * @param szEntry      exported function name, VOID WINAPI f(DWORD); copied
 *                     with strcpy into a 100-byte field
 * @param dwParam      value passed to szEntry inside the target
 * @return TRUE once the remote thread has been requested, FALSE if the
 *         process could not be opened or the memory could not be allocated.
 *
 * NOTE(review): the return value does not reflect whether the DLL actually
 * loaded -- the WriteProcessMemory and CreateRemoteThread results are not
 * checked, hProcess is never closed, and both strcpy calls are unbounded.
 * The LoadLibraryA/GetProcAddress addresses are taken from this process's
 * kernel32 and assumed to be valid at the same address in the target; the
 * InjectionStruct layout and the (DWORD)hWindow cast in InjectWindow are
 * 32-bit only.  For defenders: the OpenProcess(PROCESS_VM_WRITE |
 * PROCESS_CREATE_THREAD) -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
 * WriteProcessMemory -> CreateRemoteThread sequence is the well-known
 * footprint of this technique and is what endpoint monitoring looks for.
 */
BOOL InjectProcess(DWORD dwProcessID,LPCSTR szModule,LPCSTR szEntry,DWORD dwParam)
{
    InjectionStruct inject;
    DWORD dwBytesWritten;
    HMODULE hMod=GetModuleHandle("kernel32.dll");  // NOTE(review): not checked for NULL before GetProcAddress
    HANDLE hProcess;
    LPVOID lpRemoteCode;
    HANDLE hThread;
    DWORD dwShellCodeSize=sizeof(lpShellCode);      // includes the leading int 3 when ENABLE_REMOTE_DEBUG==1
    // Fill the data pool the stub expects: the two function pointers are
    // resolved here and used as-is in the target, followed by the argument
    // and the two strings the stub hands to LoadLibraryA / GetProcAddress.
    inject._LoadLibrary=GetProcAddress(hMod,"LoadLibraryA");
    inject._GetProcAddress=GetProcAddress(hMod,"GetProcAddress");
    inject.dwParam=dwParam;
    strcpy(inject.szFileName,szModule);  // unbounded: a szModule of 500+ bytes overflows the on-stack struct
    strcpy(inject.szEntry,szEntry);      // unbounded: a szEntry of 100+ bytes overflows the on-stack struct
    hProcess=OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE,FALSE,dwProcessID);
    if(hProcess)
    {
        // One RWX region: the code first, the InjectionStruct right behind it,
        // which is exactly where the stub's displacements (pool = code +
        // sizeof(lpShellCode)) expect to find it.
        lpRemoteCode=VirtualAllocEx(hProcess,NULL,dwShellCodeSize + sizeof(InjectionStruct),MEM_COMMIT,PAGE_EXECUTE_READWRITE);
        if(lpRemoteCode)
        {
            WriteProcessMemory(hProcess,lpRemoteCode,lpShellCode,dwShellCodeSize,&dwBytesWritten);
            WriteProcessMemory(hProcess,(LPBYTE)lpRemoteCode+dwShellCodeSize,&inject,sizeof(InjectionStruct),&dwBytesWritten);
            // The stub takes no thread parameter; it locates its data through
            // the CALL/POP delta.  The remote region is never freed, so the
            // stub and its data stay resident in the target.
            hThread=CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)lpRemoteCode,NULL,0,0);
            CloseHandle(hThread);  // NOTE(review): hThread may be NULL here; hProcess is never closed
            return TRUE;
        }
    }
    return FALSE;
}
/**
 * Convenience wrapper: injects szModule into the process that owns hWindow
 * and passes the window handle itself as the entry's dwParam.
 *
 * NOTE(review): the GetWindowThreadProcessId result is not checked, so an
 * invalid hWindow leaves dwProcessID uninitialised; (DWORD)hWindow assumes
 * a 32-bit handle.
 */
BOOL InjectWindow(HWND hWindow,LPCSTR szModule,LPCSTR szEntry)
{
    DWORD dwProcessID;
    GetWindowThreadProcessId(hWindow,&dwProcessID);
    return InjectProcess(dwProcessID,szModule,szEntry,(DWORD)hWindow);
}
以前写的一段代码。
其中szModule是需要插入的DLL的地址,szEntry是插入到进程后执行的入口函数名
其中DLL中导出的szEntry必须满足以下原形:
VOID (WINAPI*)(DWORD dwParam)
如果用第二个InjectWindow,则传入的dwParam为被插入的窗口的HWND
其它高手如果有更好的方法,也请赐教,不胜感激!
好处是对于不加载Kernel32的进程也有效,缺点是编程比较困难