Injecting a C DLL

I know there are all sorts of questions and books about this, but I can't seem to inject a C DLL into any process.

Code that injects the DLL:

#include <iostream>
#include <windows.h>

bool Inject(DWORD pId, const char *dllName);

using namespace std;

int main()
{
    Inject(600, "C:\\d.dll");
    return 0;
}

bool Inject(DWORD pId, const char *dllName)
{
    HANDLE h = OpenProcess(PROCESS_ALL_ACCESS, false, pId);
    if(h)
    {
        // kernel32 is mapped at the same base in every process, so this address is valid in the target too
        LPVOID LoadLibAddr = (LPVOID)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
        // +1 so the terminating NUL of the path is copied as well
        SIZE_T len = strlen(dllName) + 1;
        LPVOID dereercomp = VirtualAllocEx(h, NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        WriteProcessMemory(h, dereercomp, dllName, len, NULL);
        HANDLE asdc = CreateRemoteThread(h, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibAddr, dereercomp, 0, NULL);
        WaitForSingleObject(asdc, INFINITE);
        // MEM_RELEASE requires dwSize == 0, otherwise the call fails
        VirtualFreeEx(h, dereercomp, 0, MEM_RELEASE);
        CloseHandle(asdc);
        CloseHandle(h);
        return true;
    }
    return false;
}

And the DLL I am trying to inject:

#include <windows.h>
#include <stdio.h>

BOOL APIENTRY DllMain (HINSTANCE hInst     /* Library instance handle. */ ,
                       DWORD reason        /* Reason this function is being called. */ ,
                       LPVOID reserved     /* Not used. */ )
{
    /* MessageBoxA: the string literals are narrow, so this also builds with UNICODE defined */
    switch (reason)
    {
      case DLL_PROCESS_ATTACH:
           MessageBoxA (0, "From DLL\n", "Process Attach", MB_ICONINFORMATION);
        break;

      case DLL_PROCESS_DETACH:
           MessageBoxA (0, "From DLL\n", "Process Detach", MB_ICONINFORMATION);
        break;

      case DLL_THREAD_ATTACH:
           MessageBoxA (0, "From DLL\n", "Thread Attach", MB_ICONINFORMATION);
        break;

      case DLL_THREAD_DETACH:
           MessageBoxA (0, "From DLL\n", "Thread Detach", MB_ICONINFORMATION);
        break;
    }

    return TRUE;
}

I don't know whether it is something in C that is causing this. I have been running Process Explorer on the process I am trying to inject into (the process runs as admin), but nothing gets injected. When I run it, nothing happens. Any ideas?

Don't do MessageBox from DllMain. Why? See:

> DLL_PROCESS_ATTACH failing to execute on Windows 7 C++
> Some reasons not to do anything scary in your DllMain
> Don’t use standard library/CRT functions in static initializers/DllMain!

Your message box may simply deadlock before it is shown. To make sure you are reaching the lines of code of interest, use OutputDebugString instead. Since you say you are familiar with Process Explorer, you may notice the created thread (you can obtain its identifier in the launcher by supplying the last argument to CreateRemoteThread) executing in a locked state inside a kernel library.

This is where you need to put OutputDebugString:

#include <windows.h>
#include <tchar.h>
#include <stdio.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, VOID* pvReserved)
{
    (void)pvReserved; /* unused */
    TCHAR pszMessage[1024] = { 0 };
    /* OutputDebugString does not take the loader lock the way a message box does, so it is safe here;
       watch the output in DebugView */
    _stprintf_s(pszMessage, _T("GetCurrentProcessId() %lu, hModule 0x%p, nReason %lu\r\n"), GetCurrentProcessId(), hModule, nReason);
    OutputDebugString(pszMessage);
    /*switch(nReason)
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }*/
    return TRUE;
}

Another thing to make sure of is that you are loading the DLL into the right place: a Win32 DLL into a Win32 process, or an x64 DLL into an x64 process.

UPDATE. I am bringing this up from the comments: here is the source code of a Visual Studio 2010 project: SVN, Trac

> Put the process identifier into the source code
> The executable creates a remote thread and loads the library
> The library starts from DllMain and generates debug output
> DebugView shows the output
> ProcessExplorer shows the thread you created, and also prints its identifier

http://stackoverflow.com/questions/10930353/injecting-c-dll
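As an added example (not code from the question or the answer above), here is a plain C check for the bitness point made in the answer: it reads the Machine and Characteristics fields of the PE file header to decide whether an image is a 32-bit or a 64-bit DLL, so a mismatch with the target process can be diagnosed up front instead of showing up as LoadLibrary failing with ERROR_BAD_EXE_FORMAT. The function names pe_dll_arch, pe_arch_matches and build_min_header are my own, and the two sample headers are constructed inline; on Windows the bitness of the target process would come from IsWow64Process, which is deliberately not called so the code also builds on a non-Windows host.

```c
/* Added example: determine whether a PE image is a 32-bit or 64-bit DLL.
 * No <windows.h>; the constants are the documented PE header values. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PE_MACHINE_I386  0x014c   /* IMAGE_FILE_MACHINE_I386  */
#define PE_MACHINE_AMD64 0x8664   /* IMAGE_FILE_MACHINE_AMD64 */
#define PE_MACHINE_ARM64 0xaa64   /* IMAGE_FILE_MACHINE_ARM64 */
#define PE_FILE_DLL      0x2000   /* IMAGE_FILE_DLL in Characteristics */
#define MIN_PE_LEN       0x58     /* DOS header + "PE\0\0" + IMAGE_FILE_HEADER */

enum pe_arch { PE_INVALID = -1, PE_ARCH_32 = 32, PE_ARCH_64 = 64 };

/* PE fields are little-endian regardless of host byte order */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns PE_ARCH_32 / PE_ARCH_64 for a DLL image, PE_INVALID for anything else
 * (truncated input, missing MZ/PE signatures, an EXE, or an unknown machine type). */
enum pe_arch pe_dll_arch(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return PE_INVALID;
    uint32_t e_lfanew = rd32(img + 0x3c);             /* offset of the NT headers */
    if (e_lfanew > len || len - e_lfanew < 24) return PE_INVALID;  /* signature + file header */
    const uint8_t *nt = img + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return PE_INVALID;
    uint16_t machine = rd16(nt + 4);                   /* IMAGE_FILE_HEADER.Machine */
    uint16_t characteristics = rd16(nt + 22);          /* IMAGE_FILE_HEADER.Characteristics */
    if (!(characteristics & PE_FILE_DLL)) return PE_INVALID;
    switch (machine) {
    case PE_MACHINE_I386:  return PE_ARCH_32;
    case PE_MACHINE_AMD64:
    case PE_MACHINE_ARM64: return PE_ARCH_64;
    default:               return PE_INVALID;
    }
}

/* 1 if a DLL of this architecture can be loaded by a process of the given bitness.
 * On Windows, process_is_64bit would be derived from IsWow64Process (assumption: not done here). */
int pe_arch_matches(enum pe_arch dll, int process_is_64bit)
{
    if (dll == PE_INVALID) return 0;
    return (dll == PE_ARCH_64) == (process_is_64bit != 0);
}

/* Constructed sample: a minimal header with the given Machine/Characteristics.
 * Only the fields pe_dll_arch looks at are filled in; this is not a loadable image. */
void build_min_header(uint8_t *buf, uint16_t machine, uint16_t characteristics)
{
    memset(buf, 0, MIN_PE_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = 0x40;                                  /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x44] = (uint8_t)(machine & 0xff); buf[0x45] = (uint8_t)(machine >> 8);
    buf[0x56] = (uint8_t)(characteristics & 0xff); buf[0x57] = (uint8_t)(characteristics >> 8);
}

int main(int argc, char **argv)
{
    uint8_t buf[4096];
    size_t n;
    if (argc < 2) {
        /* no file given: show the check on the constructed samples */
        build_min_header(buf, PE_MACHINE_AMD64, PE_FILE_DLL);
        printf("constructed x64 DLL header -> %d-bit\n", (int)pe_dll_arch(buf, MIN_PE_LEN));
        build_min_header(buf, PE_MACHINE_I386, PE_FILE_DLL);
        printf("constructed x86 DLL header -> %d-bit\n", (int)pe_dll_arch(buf, MIN_PE_LEN));
        return 0;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    n = fread(buf, 1, sizeof buf, f);                  /* the headers sit in the first page */
    fclose(f);
    enum pe_arch a = pe_dll_arch(buf, n);
    if (a == PE_INVALID) printf("%s: not a recognised DLL image\n", argv[1]);
    else printf("%s: %d-bit DLL (load it into a %d-bit process)\n", argv[1], (int)a, (int)a);
    return 0;
}
```

Running it with a DLL path prints the bitness to load it into; with no argument it exercises the two constructed headers. An EXE, or a file that is not a PE image at all, is reported as not a DLL rather than being given a bitness.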
