远程线程注入(0X02)注入第一个DLL

伟大的远程线程注入开始了!

先上代码

//dllCall.cpp
#include <windows.h>
#include <tlhelp32.h>
 
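// Inject D:\dllTest.dll into the first process named calc.exe: allocate a
// buffer in the target, copy the DLL path into it, then start a remote
// thread whose start routine is LoadLibraryA and whose argument is that
// buffer.
//
// Assumptions (see the notes after the listing): injector and target have
// the same bitness, so kernel32.dll -- and therefore LoadLibraryA -- is
// mapped at the same address in both processes; the project is built with
// the multi-byte character set, so PROCESSENTRY32::szExeFile is a char[].
//
// Always returns 0; any failure just aborts the injection after releasing
// whatever was acquired.
int WINAPI WinMain(
    HINSTANCE hInstance,
	HINSTANCE hPrevInstance,
	LPSTR szCmdLine,
	int nCmdShow
	)
{
	// Declared up front so the cleanup label below can release them; a NULL
	// value means "not acquired".
	char path[100] = "D:\\dllTest.dll";
	HANDLE hProcess = NULL;
	HANDLE hThread = NULL;
	LPVOID remotePath = NULL;
	SIZE_T cbPath = strlen(path) + 1;   // LoadLibraryA only reads up to the NUL
	LPTHREAD_START_ROUTINE pfnLoadLibrary = NULL;

	// Walk the process list to find the target's PID.
	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hSnapshot == INVALID_HANDLE_VALUE)
	{
		return 0;
	}
	PROCESSENTRY32 pe32;
	pe32.dwSize = sizeof(pe32);
	for (BOOL more = Process32First(hSnapshot, &pe32); more; more = Process32Next(hSnapshot, &pe32))
	{
		// The snapshot reports the image name as stored on disk, so match
		// case-insensitively.
		if (_stricmp("calc.exe", pe32.szExeFile) == 0)
		{
			// Least privilege: exactly the rights VirtualAllocEx,
			// WriteProcessMemory and CreateRemoteThread need, instead of
			// PROCESS_ALL_ACCESS.
			hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
			                       PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
			                       FALSE, pe32.th32ProcessID);
			break;
		}
	}
	CloseHandle(hSnapshot);

	// No calc.exe running, or OpenProcess failed: nothing to inject into.
	// Without this check hProcess would be uninitialised by the time
	// VirtualAllocEx used it.
	if (hProcess == NULL)
	{
		return 0;
	}

	// LoadLibraryA is exported by kernel32.dll, which (for a given bitness
	// and boot) is mapped at the same base in every process, so the address
	// resolved in this process is also valid inside the target.
	pfnLoadLibrary = (LPTHREAD_START_ROUTINE)GetProcAddress(
	    GetModuleHandle(TEXT("kernel32.dll")), "LoadLibraryA");
	if (pfnLoadLibrary == NULL)
	{
		goto cleanup;
	}

	// Reserve and commit memory in the target for the path string.
	remotePath = VirtualAllocEx(hProcess, NULL, cbPath, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
	if (remotePath == NULL)
	{
		goto cleanup;
	}
	if (!WriteProcessMemory(hProcess, remotePath, path, cbPath, NULL))
	{
		goto cleanup;
	}

	// The new thread runs LoadLibraryA(remotePath) inside the target.
	hThread = CreateRemoteThread(hProcess, NULL, 0, pfnLoadLibrary, remotePath, 0, NULL);
	if (hThread == NULL)
	{
		goto cleanup;
	}
	// LoadLibraryA reads remotePath from the other process; releasing that
	// buffer before the thread has finished would race with the read.
	WaitForSingleObject(hThread, INFINITE);

cleanup:
	if (hThread != NULL)
	{
		CloseHandle(hThread);
	}
	if (remotePath != NULL)
	{
		// MEM_RELEASE requires dwSize == 0; passing the allocation size makes
		// VirtualFreeEx fail with ERROR_INVALID_PARAMETER.
		VirtualFreeEx(hProcess, remotePath, 0, MEM_RELEASE);
	}
	CloseHandle(hProcess);
	// The DLL was loaded into the target, not into this process, so there is
	// nothing here to FreeLibrary.
	return 0;
}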

把上一篇文章生成的dll扔到D盘根目录下就行了

运行环境:x64 Windows8.1+VS2013
说几点注意的,上述程序不是宽字符版本,而是多字节字符集(MBCS)版本,所以得在项目属性→配置属性→常规→字符集里手动改成"使用多字节字符集";否则定义了 UNICODE 之后 PROCESSENTRY32 会变成 PROCESSENTRY32W,szExeFile 是 wchar_t[],strcmp 那一行直接编译不过

由于系统是64位,所以计算器也是64位
VS2013默认是编译成32位的,所以需要手动修改编译选项改成64位,在项目属性里面改就好
32位程序是不能注入到64位程序里的,否则会没反应:这段代码是在注入器自己的进程里取 LoadLibraryA 的地址,再假设目标进程里 kernel32.dll 映射在同一个地址,这个假设只在位数相同的进程之间成立(64 位 kernel32 和 WOW64 下的 32 位 kernel32 是两个不同的模块、不同的地址),而且 32 位进程本身也无法这样在 64 位进程里创建线程。记得把dll也编译成64位(测试32位可以用firefox.exe浏览器,这样不用改编译选项)
哎~代码太丑了,但是好歹能运行~~
等以后空了再改改吧 先这样了~

很奇怪的是宽字符版本怎么都注入不了。原因其实在远程线程的入口函数上:写进目标进程的是 UTF-16 字符串,但远程线程调用的仍然是 LoadLibraryA,它按 ANSI 解释这块内存,读到第一个 0x00 字节(也就是 L"D" 的高字节)就当作字符串结束,于是目标进程实际尝试加载的是 "D" 而不是 "D:\dllTest.dll",当然失败。改成取 LoadLibraryW 的地址,并让 WriteProcessMemory 拷贝 (wcslen(path)+1)*sizeof(wchar_t) 个字节(原代码写的是 100*sizeof(char))即可。另外两个版本共有的问题:VirtualFreeEx 用 MEM_RELEASE 时 dwSize 必须传 0;释放这块内存之前应该先 WaitForSingleObject 等远程线程跑完;找不到 calc.exe 时 hProcess 是未初始化的。
先把代码贴下面,好心人路过帮忙看一下吧~~

//dllCall.cpp
#include <windows.h>
#include <tlhelp32.h>
 
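// Wide-character variant of the injector: the DLL path is written into the
// target as a UTF-16 string and the remote thread runs LoadLibraryW on it.
//
// This is the fix for the "wide version never injects" problem: the original
// wrote a UTF-16 path but started the remote thread on LoadLibraryA, which
// reads the buffer as ANSI and stops at the first 0x00 byte -- i.e. the high
// byte of L"D" -- so the target tried to load "D". The string type of the
// argument must match the A/W variant of LoadLibrary.
//
// The explicit W versions of the Toolhelp APIs are used so the block does not
// depend on the project's character-set setting. Same-bitness assumption as
// the ANSI version applies. Always returns 0.
int WINAPI WinMain(
    HINSTANCE hInstance,
	HINSTANCE hPrevInstance,
	LPSTR szCmdLine,
	int nCmdShow
	)
{
	// Declared up front so the cleanup label below can release them; a NULL
	// value means "not acquired".
	wchar_t path[100] = L"D:\\dllTest.dll";
	HANDLE hProcess = NULL;
	HANDLE hThread = NULL;
	LPVOID remotePath = NULL;
	// Byte count of the UTF-16 string including its terminating NUL. The
	// original copied 100 * sizeof(char), which is a byte count for a
	// char[] buffer, not for a wchar_t[] one.
	SIZE_T cbPath = (wcslen(path) + 1) * sizeof(wchar_t);
	LPTHREAD_START_ROUTINE pfnLoadLibrary = NULL;

	// Walk the process list to find the target's PID.
	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hSnapshot == INVALID_HANDLE_VALUE)
	{
		return 0;
	}
	PROCESSENTRY32W pe32;
	pe32.dwSize = sizeof(pe32);
	for (BOOL more = Process32FirstW(hSnapshot, &pe32); more; more = Process32NextW(hSnapshot, &pe32))
	{
		// Match the image name case-insensitively.
		if (_wcsicmp(L"calc.exe", pe32.szExeFile) == 0)
		{
			// Least privilege: exactly the rights VirtualAllocEx,
			// WriteProcessMemory and CreateRemoteThread need, instead of
			// PROCESS_ALL_ACCESS.
			hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
			                       PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
			                       FALSE, pe32.th32ProcessID);
			break;
		}
	}
	CloseHandle(hSnapshot);

	// No calc.exe running, or OpenProcess failed: nothing to inject into.
	if (hProcess == NULL)
	{
		return 0;
	}

	// LoadLibraryW, not LoadLibraryA: the buffer we hand the thread is UTF-16.
	// kernel32.dll is mapped at the same base in every process of the same
	// bitness, so the address resolved here is valid in the target too.
	pfnLoadLibrary = (LPTHREAD_START_ROUTINE)GetProcAddress(
	    GetModuleHandleW(L"kernel32.dll"), "LoadLibraryW");
	if (pfnLoadLibrary == NULL)
	{
		goto cleanup;
	}

	// Reserve and commit memory in the target for the path string.
	remotePath = VirtualAllocEx(hProcess, NULL, cbPath, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
	if (remotePath == NULL)
	{
		goto cleanup;
	}
	if (!WriteProcessMemory(hProcess, remotePath, path, cbPath, NULL))
	{
		goto cleanup;
	}

	// The new thread runs LoadLibraryW(remotePath) inside the target.
	hThread = CreateRemoteThread(hProcess, NULL, 0, pfnLoadLibrary, remotePath, 0, NULL);
	if (hThread == NULL)
	{
		goto cleanup;
	}
	// Do not release remotePath until LoadLibraryW has finished reading it.
	WaitForSingleObject(hThread, INFINITE);

cleanup:
	if (hThread != NULL)
	{
		CloseHandle(hThread);
	}
	if (remotePath != NULL)
	{
		// MEM_RELEASE requires dwSize == 0.
		VirtualFreeEx(hProcess, remotePath, 0, MEM_RELEASE);
	}
	CloseHandle(hProcess);
	// The DLL was loaded into the target, not into this process, so there is
	// nothing here to FreeLibrary.
	return 0;
}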