DLL注入技术

源地址

  1. 注入程序
#include <Windows.h>
#include <iostream>
#include <Tlhelp32.h>
#include <stdio.h>
#include <tchar.h>
#include <iostream>

using namespace std;

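// Looks up a running process by executable image name (case-insensitive) and
// fills *info with its PROCESSENTRY32 record, so info->th32ProcessID is the
// target PID on success.
//
// Returns TRUE when a match was found, FALSE when the snapshot could not be
// taken or no process has that name. If several processes share the name the
// first one enumerated wins.
//
// Fixes relative to the original: the snapshot handle was never closed, the
// function fell off its end without a return value when nothing matched, the
// INVALID_HANDLE_VALUE case was not handled, and the entry filled by
// Process32First was never compared.
BOOL getProcess32Info(PROCESSENTRY32 *info, const TCHAR processName[])
{
	if (info == NULL || processName == NULL)
	{
		return FALSE;
	}

	HANDLE snapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (snapshot == INVALID_HANDLE_VALUE)
	{
		return FALSE;
	}

	// dwSize must be set before the first call or Process32First fails.
	info->dwSize = sizeof(PROCESSENTRY32);

	BOOL found = FALSE;
	for (BOOL ok = ::Process32First(snapshot, info); ok; ok = ::Process32Next(snapshot, info))
	{
		// Image names are not case-sensitive on Windows ("Notepad.exe" is the
		// same program); _tcsicmp also matches the TCHAR build setting like the
		// rest of the file, where wcscmp only compiled with UNICODE defined.
		if (_tcsicmp(processName, info->szExeFile) == 0)
		{
			found = TRUE;
			break;
		}
	}

	::CloseHandle(snapshot);
	return found;
}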

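// Loads DllFullPath into process `pid` by writing the path into the target's
// address space and starting a remote thread at kernel32!LoadLibraryW with that
// buffer as its argument.
//
// Returns 0 on success, otherwise a negative step code:
//   -1 bad argument / OpenProcess failed      -4 LoadLibraryW address not found
//   -2 VirtualAllocEx failed                  -5 remote LoadLibraryW returned 0
//   -3 WriteProcessMemory failed              -6 CreateRemoteThread failed
// The process handle, the thread handle and the remote buffer are released on
// every path; the original leaked all three and returned an indeterminate
// value after a successful injection.
//
// Preconditions the caller must guarantee (not checked here):
//  * injector and target have the same bitness: the LoadLibraryW address is
//    read from this process's kernel32 and assumed identical in the target,
//    which holds for same-bitness processes within one boot session;
//  * DllFullPath is an absolute path that resolves from the target's context
//    and names a DLL built for the target's architecture.
// The call blocks until the remote LoadLibraryW (and so the DLL's DllMain)
// has returned.
int InjectDll(const wchar_t *DllFullPath, const DWORD pid)
{
	if (DllFullPath == NULL || DllFullPath[0] == L'\0')
	{
		return -1;
	}

	// Least privilege: request only the rights the steps below need instead of
	// PROCESS_ALL_ACCESS.
	const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
	                     PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
	HANDLE hProc = ::OpenProcess(access, FALSE, pid);
	if (hProc == NULL)
	{
		return -1;
	}

	int result = 0;
	const SIZE_T pathSize = (::wcslen(DllFullPath) + 1) * sizeof(wchar_t);

	// The buffer only ever holds a string, so it must not be executable:
	// an RWX allocation is a needless hazard and a classic detection signature.
	LPVOID buffer = ::VirtualAllocEx(hProc, NULL, pathSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
	if (buffer == NULL)
	{
		result = -2;
	}
	else if (!::WriteProcessMemory(hProc, buffer, DllFullPath, pathSize, NULL))
	{
		result = -3;
	}
	else
	{
		HMODULE kernel32 = ::GetModuleHandleW(L"kernel32.dll");
		FARPROC loadLibrary = (kernel32 != NULL) ? ::GetProcAddress(kernel32, "LoadLibraryW") : NULL;
		if (loadLibrary == NULL)
		{
			result = -4;
		}
		else
		{
			HANDLE hThread = ::CreateRemoteThread(hProc, NULL, 0,
				reinterpret_cast<LPTHREAD_START_ROUTINE>(loadLibrary), buffer, 0, NULL);
			if (hThread == NULL)
			{
				result = -6;
			}
			else
			{
				// Wait before freeing the buffer so LoadLibraryW never reads a
				// released page. The thread exit code is the low 32 bits of the
				// HMODULE LoadLibraryW returned; 0 means the load failed in the
				// target (wrong path, wrong bitness, DllMain returned FALSE, ...).
				DWORD exitCode = 0;
				::WaitForSingleObject(hThread, INFINITE);
				if (!::GetExitCodeThread(hThread, &exitCode) || exitCode == 0)
				{
					result = -5;
				}
				::CloseHandle(hThread);
			}
		}
	}

	if (buffer != NULL)
	{
		::VirtualFreeEx(hProc, buffer, 0, MEM_RELEASE);
	}
	::CloseHandle(hProc);
	return result;
}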

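// Demo driver: starts a fresh notepad.exe, finds it by image name and injects
// the hook DLL into it with InjectDll. Exit code 0 on success, 1 when the
// process was not found, 2 when injection failed.
//
// Fixes relative to the original: the lookup raced the `start` command (which
// returns before the child is listed), InjectDll's result was ignored, and an
// unreachable statement followed `return 0`.
int main()
{
	system("start %windir%\\system32\\notepad.exe");

	// `start` returns as soon as the child is spawned, so a single snapshot may
	// run before notepad.exe shows up; retry briefly instead.
	PROCESSENTRY32 info = { 0 };
	BOOL found = FALSE;
	for (int attempt = 0; attempt < 20 && !found; ++attempt)
	{
		found = getProcess32Info(&info, L"notepad.exe");
		if (!found)
		{
			Sleep(100);
		}
	}

	if (!found)
	{
		cout << "查找失败" << endl;
		return 1;
	}

	// NOTE: if other notepad.exe instances were already running,
	// getProcess32Info may return one of those rather than the one just started.
	const int rc = InjectDll(L"E:\\GlobalHook_Test.dll", info.th32ProcessID);
	if (rc != 0)
	{
		cout << "InjectDll failed: " << rc << endl;
		return 2;
	}
	return 0;
}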


  2. 钩子
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include "stdlib.h"
#include <iostream>

using namespace std;

// DLL entry point. On DLL_PROCESS_ATTACH it shows a message box so the
// injection can be observed inside the target; every other notification is
// ignored and TRUE is returned in all cases.
//
// NOTE: DllMain executes under the loader lock. Creating windows / message
// boxes here is fine for a demonstration but not something to copy into
// production code.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    (void)hModule;
    (void)lpReserved;

    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        // Parent the box to the host's active window (may be NULL, which is allowed).
        MessageBox(GetActiveWindow(), L"DLL已进入目标进程。", L"信息", MB_ICONINFORMATION);
    }
    // DLL_THREAD_ATTACH / DLL_THREAD_DETACH / DLL_PROCESS_DETACH: nothing to do.
    return TRUE;
}


原地址

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include "stdlib.h"
#include <iostream>
#include <TlHelp32.h>
#include <Windows.h>
#include <tchar.h>


using namespace std;

//指定全局变量
HHOOK global_Hook;


//判断是否是需要注入的进程
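// Returns TRUE when the first module of process `Pid` - the process's own
// executable image - is named ExeName (case-insensitive). DllMain uses it to
// tell whether the DLL was loaded by the injector program itself or mapped
// into some other process by the hook.
//
// Fixes relative to the original: CloseHandle was called on
// INVALID_HANDLE_VALUE when the snapshot failed, and the Module32First result
// was ignored so an unfilled entry could be compared.
BOOL GetFirstModuleName(DWORD Pid, LPCTSTR ExeName)
{
	if (ExeName == NULL)
	{
		return FALSE;
	}

	HANDLE hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, Pid);
	if (hModuleSnap == INVALID_HANDLE_VALUE)
	{
		return FALSE;
	}

	MODULEENTRY32 me32 = { 0 };
	me32.dwSize = sizeof(MODULEENTRY32);

	// The first entry Toolhelp enumerates is the process's executable image;
	// the original relied on the same ordering.
	BOOL match = FALSE;
	if (Module32First(hModuleSnap, &me32))
	{
		match = (_tcsicmp(ExeName, me32.szModule) == 0);
	}

	CloseHandle(hModuleSnap);
	return match;
}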

//获取自身DLL名程
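// Returns the file name (without directory) of the module that contains this
// function, i.e. this hook DLL - e.g. "GlobalHook_Test.dll". On failure an
// empty string is returned.
//
// The pointer refers to a function-local static buffer: it stays valid after
// return but is overwritten by the next call and is not thread-safe.
//
// Fixes relative to the original:
//  1. `szFileFullPath == "\\"` compared an array pointer with a string-literal
//     address and was never true, so an uninitialised buffer was returned;
//  2. that buffer was a stack local, so the returned pointer dangled;
//  3. GetModuleFileNameA(NULL, ...) names the host *process* image, not this
//     DLL, while SetWindowsHookEx needs the module that holds the hook
//     procedure - so the module is resolved from this function's own address.
char* GetMyDllName()
{
	static char szProcessName[MAX_PATH];
	szProcessName[0] = '\0';

	HMODULE self = NULL;
	if (!GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS | GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
	                        reinterpret_cast<LPCSTR>(&GetMyDllName), &self))
	{
		return szProcessName;
	}

	char szFileFullPath[MAX_PATH];
	const DWORD length = GetModuleFileNameA(self, szFileFullPath, MAX_PATH);
	if (length == 0 || length >= MAX_PATH)
	{
		// 0 = failure; >= MAX_PATH = truncated, contents not trustworthy.
		return szProcessName;
	}

	// Walk back to the last path separator; the file name starts right after it.
	DWORD start = length;
	while (start > 0 && szFileFullPath[start - 1] != '\\' && szFileFullPath[start - 1] != '/')
	{
		--start;
	}

	// Copy including the terminating NUL (at most `length + 1` <= MAX_PATH bytes).
	DWORD j = 0;
	for (DWORD i = start; i <= length; ++i, ++j)
	{
		szProcessName[j] = szFileFullPath[i];
	}
	return szProcessName;
}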

//设置全局消息回调函数
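// WH_CBT hook procedure; it runs on whatever thread generated the CBT event,
// inside every process the hook DLL has been mapped into.
//
// Per the WH_CBT contract a negative nCode must be forwarded to CallNextHookEx
// without further processing. MessageBoxA itself creates windows, and window
// creation raises new CBT events on this same thread, so without the
// re-entrancy guard the hook would call itself recursively for every box it
// opens; the guard limits it to one box per original event.
LRESULT CALLBACK MyProc(int nCode, WPARAM wParam, LPARAM lParam)
{
	if (nCode < 0)
	{
		return CallNextHookEx(global_Hook, nCode, wParam, lParam);
	}

	static thread_local bool inHook = false;
	if (!inHook)
	{
		inHook = true;
		MessageBoxA(0, "wa haha", 0, 0);
		inHook = false;
	}
	return CallNextHookEx(global_Hook, nCode, wParam, lParam);
}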

//安装全局钩子 此处的GetMyDllName()函数 可以是外部其它DLL, 可将任意DLL进行注入
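// Installs a system-wide WH_CBT hook whose procedure is MyProc. The system then
// maps this DLL into every same-bitness process on the desktop that receives a
// CBT event - that is the injection mechanism of this variant.
//
// SetWindowsHookEx requires the HMODULE of the module that *contains* the hook
// procedure, so it is resolved from MyProc's own address rather than looked up
// by name. On failure global_Hook stays NULL (GetLastError() holds the reason).
// A second call while a hook is installed is a no-op, so the first hook is not
// leaked.
extern "C" __declspec(dllexport) void SetHook()
{
	if (global_Hook != NULL)
	{
		return;
	}

	HMODULE self = NULL;
	if (!GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS | GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
	                        reinterpret_cast<LPCSTR>(&MyProc), &self))
	{
		return;
	}

	// dwThreadId == 0: hook all threads on the current desktop (global hook).
	global_Hook = SetWindowsHookEx(WH_CBT, MyProc, self, 0);
}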

//卸载全局钩子
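// Removes the global hook installed by SetHook, if one is active. global_Hook
// is cleared first so a repeated call is a harmless no-op instead of handing a
// stale HHOOK to UnhookWindowsHookEx. Processes that already have the DLL
// mapped may keep it loaded for a while after the hook is removed.
extern "C" __declspec(dllexport) void UnHook()
{
	HHOOK hook = global_Hook;
	global_Hook = NULL;
	if (hook != NULL)
	{
		UnhookWindowsHookEx(hook);
	}
}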


// DLL entry point. When the DLL is first mapped into a process it checks
// whether that process's executable is InjectDll.exe - the program that
// installs the hook, as opposed to a process the hook pulled the DLL into -
// and shows a message box if so. Thread attach/detach and process detach do
// nothing; TRUE is returned in every case.
//
// NOTE: DllMain runs under the loader lock; taking a Toolhelp snapshot and
// showing a MessageBox here is acceptable for a demo only.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    (void)hModule;
    (void)lpReserved;

    if (ul_reason_for_call != DLL_PROCESS_ATTACH)
    {
        return TRUE;
    }

    const BOOL loadedByInjector =
        GetFirstModuleName(GetCurrentProcessId(), TEXT("InjectDll.exe"));
    if (loadedByInjector)
    {
        MessageBoxA(0, "InjectDll", 0, 0);
    }
    return TRUE;
}


#include <Windows.h>
#include <iostream>
#include <Tlhelp32.h>
#include <stdio.h>
#include <tchar.h>
#include <iostream>

using namespace std;

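// Looks up a running process by executable image name (case-insensitive) and
// fills *info with its PROCESSENTRY32 record, so info->th32ProcessID is the
// target PID on success.
//
// Returns TRUE when a match was found, FALSE when the snapshot could not be
// taken or no process has that name. If several processes share the name the
// first one enumerated wins.
//
// Fixes relative to the original: the snapshot handle was never closed, the
// function fell off its end without a return value when nothing matched, the
// INVALID_HANDLE_VALUE case was not handled, and the entry filled by
// Process32First was never compared.
BOOL getProcess32Info(PROCESSENTRY32 *info, const TCHAR processName[])
{
	if (info == NULL || processName == NULL)
	{
		return FALSE;
	}

	HANDLE snapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (snapshot == INVALID_HANDLE_VALUE)
	{
		return FALSE;
	}

	// dwSize must be set before the first call or Process32First fails.
	info->dwSize = sizeof(PROCESSENTRY32);

	BOOL found = FALSE;
	for (BOOL ok = ::Process32First(snapshot, info); ok; ok = ::Process32Next(snapshot, info))
	{
		// Image names are not case-sensitive on Windows; _tcsicmp also follows
		// the TCHAR build setting like the rest of the file, where wcscmp only
		// compiled with UNICODE defined.
		if (_tcsicmp(processName, info->szExeFile) == 0)
		{
			found = TRUE;
			break;
		}
	}

	::CloseHandle(snapshot);
	return found;
}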

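// Loads DllFullPath into process `pid` by writing the path into the target's
// address space and starting a remote thread at kernel32!LoadLibraryW with that
// buffer as its argument.
//
// Returns 0 on success, otherwise a negative step code:
//   -1 bad argument / OpenProcess failed      -4 LoadLibraryW address not found
//   -2 VirtualAllocEx failed                  -5 remote LoadLibraryW returned 0
//   -3 WriteProcessMemory failed              -6 CreateRemoteThread failed
// The process handle, the thread handle and the remote buffer are released on
// every path; the original leaked all three and returned an indeterminate
// value after a successful injection.
//
// Preconditions the caller must guarantee (not checked here):
//  * injector and target have the same bitness: the LoadLibraryW address is
//    read from this process's kernel32 and assumed identical in the target,
//    which holds for same-bitness processes within one boot session;
//  * DllFullPath is an absolute path that resolves from the target's context
//    and names a DLL built for the target's architecture.
// The call blocks until the remote LoadLibraryW (and so the DLL's DllMain)
// has returned.
int InjectDll(const wchar_t *DllFullPath, const DWORD pid)
{
	if (DllFullPath == NULL || DllFullPath[0] == L'\0')
	{
		return -1;
	}

	// Least privilege: request only the rights the steps below need instead of
	// PROCESS_ALL_ACCESS.
	const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
	                     PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
	HANDLE hProc = ::OpenProcess(access, FALSE, pid);
	if (hProc == NULL)
	{
		return -1;
	}

	int result = 0;
	const SIZE_T pathSize = (::wcslen(DllFullPath) + 1) * sizeof(wchar_t);

	// The buffer only ever holds a string, so it must not be executable:
	// an RWX allocation is a needless hazard and a classic detection signature.
	LPVOID buffer = ::VirtualAllocEx(hProc, NULL, pathSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
	if (buffer == NULL)
	{
		result = -2;
	}
	else if (!::WriteProcessMemory(hProc, buffer, DllFullPath, pathSize, NULL))
	{
		result = -3;
	}
	else
	{
		HMODULE kernel32 = ::GetModuleHandleW(L"kernel32.dll");
		FARPROC loadLibrary = (kernel32 != NULL) ? ::GetProcAddress(kernel32, "LoadLibraryW") : NULL;
		if (loadLibrary == NULL)
		{
			result = -4;
		}
		else
		{
			HANDLE hThread = ::CreateRemoteThread(hProc, NULL, 0,
				reinterpret_cast<LPTHREAD_START_ROUTINE>(loadLibrary), buffer, 0, NULL);
			if (hThread == NULL)
			{
				result = -6;
			}
			else
			{
				// Wait before freeing the buffer so LoadLibraryW never reads a
				// released page. The thread exit code is the low 32 bits of the
				// HMODULE LoadLibraryW returned; 0 means the load failed in the
				// target (wrong path, wrong bitness, DllMain returned FALSE, ...).
				DWORD exitCode = 0;
				::WaitForSingleObject(hThread, INFINITE);
				if (!::GetExitCodeThread(hThread, &exitCode) || exitCode == 0)
				{
					result = -5;
				}
				::CloseHandle(hThread);
			}
		}
	}

	if (buffer != NULL)
	{
		::VirtualFreeEx(hProc, buffer, 0, MEM_RELEASE);
	}
	::CloseHandle(hProc);
	return result;
}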

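// Demo driver for the SetWindowsHookEx variant: loads the hook DLL into this
// process, calls its exported SetHook(), keeps the process alive while the
// global hook is active, then unhooks and unloads. Exit code 0 on success,
// 1 if the DLL could not be loaded, 2 if it lacks the expected exports.
//
// Fixes relative to the original: the `while (1)` loop made the unhook code
// unreachable; `pUnSetHook();` value-initialised a function-pointer *type*
// (a no-op) instead of calling the resolved function; the typedef
// BOOL(*)(HHOOK) did not match the DLL's `void UnHook()` export; and neither
// LoadLibrary nor GetProcAddress results were checked.
int main()
{
	// The CreateRemoteThread variant (getProcess32Info + InjectDll above) was
	// driven from here as well:
	//   system("start %windir%\\system32\\notepad.exe");
	//   if (getProcess32Info(&info, L"notepad.exe"))
	//       InjectDll(L"E:\\GlobalHook_Test.dll", info.th32ProcessID);
	// It stays disabled so only one injection method runs at a time.

	HMODULE hMod = LoadLibrary(TEXT("E:\\GlobalHook_Test.dll"));
	if (hMod == NULL)
	{
		cout << "LoadLibrary failed: " << GetLastError() << endl;
		return 1;
	}

	typedef void (*pSetHook)(void);
	typedef void (*pUnHook)(void);
	pSetHook SetHook = (pSetHook)GetProcAddress(hMod, "SetHook");
	pUnHook UnHook = (pUnHook)GetProcAddress(hMod, "UnHook");
	if (SetHook == NULL || UnHook == NULL)
	{
		cout << "SetHook/UnHook export not found" << endl;
		FreeLibrary(hMod);
		return 2;
	}

	// Install the hook. The CBT procedure runs in the hooked threads, so this
	// thread only has to stay alive; a blocking read replaces the endless
	// Sleep loop and gives the user a way to reach the cleanup below.
	SetHook();
	cout << "Hook installed, press Enter to remove it..." << endl;
	cin.get();

	// Unhook before unloading the DLL from this process.
	UnHook();
	FreeLibrary(hMod);
	return 0;
}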

