DLL注入经典方法

注入Dll：

1. OpenProcess获得要注入进程的句柄(可以先通过通过CreateProcess创建进程,获取PID,然后由OpenProcessPID获取)

2. VirtualAllocEx在远程进程中开辟出一段内存，长度为strlen(dllname)+1;

3. WriteProcessMemory将Dll的名字写入第二步开辟出的内存中。

4. CreateRemoteThread将LoadLibraryA作为线程函数，参数为Dll的名称，创建新线程

5. CloseHandle关闭线程句柄

卸载Dll：

1. CreateRemoteThread将GetModuleHandle注入到远程进程中，参数为被注入的Dll名

2. GetExitCodeThread将线程退出的退出码作为Dll模块的句柄值。

3. CloseHandle关闭线程句柄

3. CreateRemoteThread将FreeLibraryA注入到远程进程中，参数为第二步获得的句柄值。

4. WaitForSingleObject等待对象句柄返回

5. CloseHandle关闭线程及进程句柄。

//Code By Pnig0s1992
//Date:2012,3,13
#include <stdio.h>
#include <Windows.h>
#include <TlHelp32.h>

//根据进程名查找进程PID
DWORD GetProcessHandle(LPCTSTR lpProcessName)
{
 //创建进程快照
    DWORD dwRet = 0;
    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    if(hSnapShot == INVALID_HANDLE_VALUE)
    {
        printf("\n获得进程快照失败%d",GetLastError());
        return dwRet;
    }

 //遍历进程快照
    PROCESSENTRY32 pe32;//声明进程入口对象
    pe32.dwSize = sizeof(PROCESSENTRY32);//填充进程入口对象大小
    BOOL bMore = Process32First(hSnapShot,&pe32);//遍历进程列表
    while (bMore)
    {
 //查找指定进程名的PID
        if(!lstrcmp(pe32.szExeFile,lpProcessName))
        {
            dwRet = pe32.th32ProcessID;
            break;
        }

 bMore = Process32Next(hSnapShot,&pe32);
    }

 //关闭快照句柄
 CloseHandle(hSnapShot);
    return dwRet;
}

INT main(INT argc,CHAR * argv[])
{
  //通过进程名称获取进程ID
    DWORD dwPid = getProcessHandle((LPCTSTR)argv[1]);

  //通过进程ID获取进程句柄
    HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,dwPid);
    if(hProcess == NULL)
    {
        printf("\n获取进程句柄错误%d",GetLastError());
        return -1;
    }

 //计算DLL路径名需要的内存空间
 LPCSTR lpDllName = "EvilDll.dll";
  DWORD dwSize = strlen(lpDllName)+1;

 //使用VirtualAllocEx函数在远程进程的内存地址空间分配DLL文件名缓冲区,成功返回分配内存的首地址.
    LPVOID lpRemoteBuf = VirtualAllocEx(hProcess,NULL,dwSize,MEM_COMMIT,PAGE_READWRITE);

 //使用WriteProcessMemory函数将DLL的路径名复制到远程进程的内存空间,成功返回TRUE.
 DWORD dwHasWrite = 0;
    if(WriteProcessMemory(hProcess,lpRemoteBuf,lpDllName,dwSize,&dwHasWrite))
    {
        if(dwHasWrite != dwSize)
        {
            VirtualFreeEx(hProcess,lpRemoteBuf,dwSize,MEM_COMMIT);
            CloseHandle(hProcess);
            return -1;
        }

    }
 else
    {
        printf("\n写入远程进程内存空间出错%d。",GetLastError());
        CloseHandle(hProcess);
        return -1;
    }

  //创建一个在其它进程地址空间中运行的线程(也称:创建远程线程),成功返回新线程句柄.
    DWORD dwThreadId = 0;
    LPVOID lpLoadDll = LoadLibraryA;
    HANDLE hRemoteThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)lpLoadDll,lpRemoteBuf,0,&dwThreadId);
    if(hRemoteThread == NULL)
    {
        printf("\n建立远程线程失败%d",GetLastError());
        CloseHandle(hProcess);
        return -1;
    }

    WaitForSingleObject(hRemoteThread,INFINITE);
    CloseHandle(hRemoteThread);


    //准备卸载之前注入的Dll
    DWORD dwHandle,dwID;
    LPVOID pFunc = GetModuleHandleA;//获得在远程线程中被注入的Dll的句柄
    HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)pFunc,lpRemoteBuf,0,&dwID);
    WaitForSingleObject(hThread,INFINITE);
    GetExitCodeThread(hThread,&dwHandle);//线程的结束码即为Dll模块儿的句柄
    CloseHandle(hThread);

    pFunc = FreeLibrary;
    hThread = CreateRemoteThread(hThread,NULL,0,(LPTHREAD_START_ROUTINE)pFunc,(LPVOID)dwHandle,0,&dwID); //将FreeLibraryA注入到远程线程中去卸载Dll
    WaitForSingleObject(hThread,INFINITE);
    CloseHandle(hThread);
    CloseHandle(hProcess);

    return 0;
}