远程DLL注入

界面如下:

远程DLL注入

关键部分代码如下:

 

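// "Inject" button handler: reads the dialog fields, converts the DLL path to a
// narrow (CP_ACP) string and hands it with the PID to InjectDll. Nothing is
// reported back to the user on failure.
void CInjectDllDlg::OnBnClickedButtonInject()
{
    // TODO: Add your control notification handler code here
    // Copy the current control contents into m_strPathName / m_dwPid.
    UpdateData(TRUE);

    // Sizing pass: with cchWideChar == -1 the returned size includes the NUL
    // terminator. A result of 0 means the conversion failed; the original code
    // then went on to pass an uninitialized buffer to InjectDll.
    // GetString() is used instead of GetBuffer(0): GetBuffer() must be paired
    // with ReleaseBuffer(), and the string is only read here.
    const int iBufSize = WideCharToMultiByte(CP_ACP, 0, m_strPathName.GetString(), -1, NULL, 0, NULL, NULL);
    if (iBufSize <= 0)
    {
        return;
    }

    char *pszBuffer = new char[iBufSize];
    // Only call into the injector when the conversion actually filled the buffer.
    if (WideCharToMultiByte(CP_ACP, 0, m_strPathName.GetString(), -1, pszBuffer, iBufSize, NULL, NULL) > 0)
    {
        InjectDll(m_dwPid, pszBuffer);
    }
    delete []pszBuffer;
    pszBuffer = NULL;
}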

12 

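// "Unload" button handler: reads the dialog fields, converts the DLL path to a
// narrow (CP_ACP) string and hands it with the PID to UnInjectDll. Nothing is
// reported back to the user on failure.
void CInjectDllDlg::OnBnClickedButtonUnload()
{
    // TODO: Add your control notification handler code here
    // Copy the current control contents into m_strPathName / m_dwPid.
    UpdateData(TRUE);

    // Sizing pass: with cchWideChar == -1 the returned size includes the NUL
    // terminator. A result of 0 means the conversion failed; the original code
    // then went on to pass an uninitialized buffer to UnInjectDll.
    // GetString() is used instead of GetBuffer(0): GetBuffer() must be paired
    // with ReleaseBuffer(), and the string is only read here.
    const int iBufSize = WideCharToMultiByte(CP_ACP, 0, m_strPathName.GetString(), -1, NULL, 0, NULL, NULL);
    if (iBufSize <= 0)
    {
        return;
    }

    char *pszBuffer = new char[iBufSize];
    // Only call into the unloader when the conversion actually filled the buffer.
    if (WideCharToMultiByte(CP_ACP, 0, m_strPathName.GetString(), -1, pszBuffer, iBufSize, NULL, NULL) > 0)
    {
        UnInjectDll(m_dwPid, pszBuffer);
    }
    delete []pszBuffer;
    pszBuffer = NULL;
}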

24 

// Loads the DLL at szDllName into process dwPid: the path string is copied into
// memory allocated in the target, then a remote thread is started at
// kernel32!LoadLibraryA with that string as its argument. Every failure path
// returns silently; the caller gets no status, and the remote thread's exit
// code (LoadLibraryA's result) is never read, so a failed load goes unnoticed.
// Review note: OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
// CreateRemoteThread against a foreign PID is the sequence endpoint monitoring
// commonly alerts on.
void CInjectDllDlg::InjectDll(DWORD dwPid, char* szDllName)
{
    // Nothing to do without a target PID or a DLL path.
    if (dwPid == 0 || strlen(szDllName) == 0)
    {
        return;
    }

    // String literal bound to a non-const char*: deprecated in C++03 and
    // ill-formed since C++11.
    char *pFunName = "LoadLibraryA";
    // PROCESS_ALL_ACCESS is broader than the rights the calls below need.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    if (NULL == hProcess)
    {
        return;
    }

    // Path length including the NUL terminator (sizeof(char) == 1).
    int iDllLen = strlen(szDllName) + sizeof(char);
    // Read/write buffer for the path inside the target. It is never released
    // with VirtualFreeEx, so the path string stays resident in the target after
    // the remote thread has finished.
    PVOID pDllAddr = VirtualAllocEx(hProcess, NULL, iDllLen, MEM_COMMIT, PAGE_READWRITE);
    if (NULL == pDllAddr)
    {
        CloseHandle(hProcess);
        return;
    }

    // Neither the return value nor dwWriteNum is checked: a failed or short
    // write is not detected before the thread is started.
    DWORD dwWriteNum = 0;
    WriteProcessMemory(hProcess, pDllAddr, szDllName, iDllLen, &dwWriteNum);
    // The local address of LoadLibraryA is used as the remote start routine,
    // which assumes kernel32.dll is mapped at the same base in the target.
    // pFunAddr is not NULL-checked.
    FARPROC pFunAddr = GetProcAddress(GetModuleHandleA("kernel32.dll"), pFunName);
    // hThread is not checked: on failure WaitForSingleObject and CloseHandle
    // below run on a NULL handle. C-style cast of the FARPROC.
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunAddr, pDllAddr, 0, NULL);
    WaitForSingleObject(hThread, INFINITE);

    CloseHandle(hThread);
    CloseHandle(hProcess);
}

56 

// Looks for a module in process dwPid whose full path equals szDllName and
// starts a remote thread at kernel32!FreeLibrary with that module's handle.
// Like InjectDll it reports nothing to the caller.
// Review note: there is no "found" flag. If the module is not in the snapshot,
// or the snapshot itself fails, Me32.hModule is still handed to FreeLibrary in
// the target: NULL when the loop body never ran, otherwise presumably whatever
// Me32 held after the last Module32Next call.
void CInjectDllDlg::UnInjectDll(DWORD dwPid, char* szDllName)
{
    // hSnap is not checked against INVALID_HANDLE_VALUE; Module32First then
    // fails and the loop is skipped. Unlike InjectDll there is no
    // dwPid / szDllName guard.
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPid);
    MODULEENTRY32 Me32 = {0};
    Me32.dwSize = sizeof(MODULEENTRY32);

    BOOL bRet = Module32First(hSnap, &Me32);
    while (bRet)
    {
        // szExePath is fed to WideCharToMultiByte, so this assumes a UNICODE
        // build (MODULEENTRY32 == MODULEENTRY32W). The size includes the NUL
        // terminator; a failed conversion (0) would leave pszBuffer
        // uninitialized for the strcmp below.
        int iBufSize = WideCharToMultiByte(CP_ACP, 0, Me32.szExePath, -1, NULL, 0, NULL, NULL);
        char *pszBuffer = new char[iBufSize];
        WideCharToMultiByte(CP_ACP, 0, Me32.szExePath, -1, pszBuffer, iBufSize, NULL, NULL);
        // Exact, case-sensitive full-path comparison: the caller's spelling
        // must match the module path reported by the snapshot.
        if (strcmp(pszBuffer, szDllName) == 0)
        {
            delete []pszBuffer;
            pszBuffer = NULL;
            break;
        }
        delete []pszBuffer;
        pszBuffer = NULL;
        bRet = Module32Next(hSnap, &Me32);
    }
    CloseHandle(hSnap);
    // String literal bound to a non-const char*: ill-formed since C++11.
    char *pFunName = "FreeLibrary";

    // hProcess, pFunAddr and hThread are all used unchecked: a NULL hProcess
    // makes CreateRemoteThread fail and the CloseHandle calls below then run on
    // NULL handles. PROCESS_ALL_ACCESS is broader than what is needed here.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    FARPROC pFunAddr = GetProcAddress(GetModuleHandleA("kernel32.dll"), pFunName);
    // Me32.hModule is documented as the module handle in the context of the
    // owning process, which is what FreeLibrary expects as its argument.
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunAddr, Me32.hModule, 0, NULL);
    WaitForSingleObject(hThread, INFINITE);

    CloseHandle(hThread);
    CloseHandle(hProcess);
}

下载地址:

http://pan.baidu.com/s/1xk7Jw
