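#include "stdafx.h"

BOOL CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam);
HWND GetMainWindow();

// DLL entry point of the sample module on this page.
//
// On DLL_PROCESS_ATTACH it looks up the host process's top-level window,
// takes that window's first EDIT child and posts WM_CHAR messages to it;
// a MessageBox is shown on both the found and the not-found path.
//
// NOTE: DllMain runs while the loader lock is held. MessageBox pumps a
// message loop and can call back into other modules, which the DllMain
// documentation explicitly says may deadlock the host process. Everything in
// this switch is therefore far more than DllMain is meant to do; it is kept
// as-is because it is what the sample does.
//
// hinstDLL and lpvReserved are not used.
extern "C" BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
    {
        HWND hWnd = GetMainWindow();
        if (hWnd)
            hWnd = ::FindWindowEx(hWnd, 0, TEXT("EDIT"), NULL);   // first EDIT child of the main window
        if (hWnd)
        {
            ::MessageBox(hWnd, TEXT("开始注入"), TEXT("提示"), MB_OK);
            // 100 rounds of four characters, one WM_CHAR each (repeat count 1).
            for (int i = 0; i < 100; i++)
            {
                PostMessageW(hWnd, WM_CHAR, L'我', 1);
                PostMessageW(hWnd, WM_CHAR, L'喜', 1);
                PostMessageW(hWnd, WM_CHAR, L'欢', 1);
                PostMessageW(hWnd, WM_CHAR, L'你', 1);
            }
        }
        else
        {
            // hWnd is NULL on this path, so the box is shown without an owner.
            ::MessageBox(hWnd, TEXT("记事本不存在"), TEXT("提示"), MB_OK);
        }
        break;
    }
    case DLL_PROCESS_DETACH:
        // detach from process
        break;

    case DLL_THREAD_ATTACH:
        // attach to thread
        break;

    case DLL_THREAD_DETACH:
        // detach from thread
        break;
    }
    return TRUE; // successful
}

// EnumWindows callback.
//
// lParam protocol: on entry lParam points at a DWORD holding the process id to
// look for. On the first top-level window (GetParent == NULL) owned by that
// process the SAME location is overwritten with the window handle and
// enumeration is stopped by returning FALSE. Because an HWND is wider than a
// DWORD on 64-bit builds, the caller must hand in storage large enough for an
// HWND rather than a bare DWORD (see GetMainWindow).
BOOL CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam)
{
    const DWORD dwCurProcessId = *reinterpret_cast<DWORD*>(lParam);
    DWORD dwProcessId = 0;

    GetWindowThreadProcessId(hwnd, &dwProcessId);
    if (dwProcessId == dwCurProcessId && GetParent(hwnd) == NULL)
    {
        *reinterpret_cast<HWND*>(lParam) = hwnd;
        return FALSE;   // match found: stop enumerating
    }
    return TRUE;        // keep enumerating
}

// Returns the first top-level window owned by the current process, or NULL if
// there is none.
//
// Fix relative to the original: the callback writes an HWND over the slot that
// held the DWORD process id. The original passed the address of a plain DWORD,
// so on x64 the 8-byte HWND store overran the 4-byte local (stack corruption)
// and the result was then recovered by casting the truncated DWORD back to an
// HWND. A union gives one slot that is valid under both views.
HWND GetMainWindow()
{
    union { DWORD pid; HWND hwnd; } slot{};
    slot.pid = GetCurrentProcessId();
    // EnumWindows returns FALSE both when the callback stops it early (our
    // success path) and when it fails outright; GetLastError is not reliable
    // for telling the two apart, so the recovered handle is validated instead.
    if (EnumWindows(EnumWindowsProc, reinterpret_cast<LPARAM>(&slot)))
    {
        return NULL;    // enumeration completed without a match
    }
    return IsWindow(slot.hwnd) ? slot.hwnd : NULL;
}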
#include "stdafx.h"
// Global thread handle; note that dll_inject() below declares a local of the
// same name, which shadows this one, so the global is never written.
HANDLE hThread = NULL;

// Look up a process id by image name.
//
// Exename: image file name to match (e.g. TEXT("notepad.exe")); the comparison
//          is case-sensitive, so "Notepad.exe" would not match.
// Returns the th32ProcessID of the first matching process, or FALSE (0) when
// no process matches, the snapshot cannot be taken or enumeration fails.
//
// NOTE(review): CreateToolhelp32Snapshot signals failure with
// INVALID_HANDLE_VALUE, not NULL, so the `!hProcess` check below does not
// catch that case. The snapshot handle is also never closed on any path.
DWORD ProcessFind(LPCTSTR Exename) // process (image) name
{
    HANDLE hProcess = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
    if (!hProcess)
    {
        return FALSE;
    }
    PROCESSENTRY32 info;
    info.dwSize = sizeof(PROCESSENTRY32);   // required before Process32First
    if (!Process32First(hProcess, &info))
    {
        return FALSE;
    }
    while (TRUE)
    {
        /*for (int i = 0; i <= 25; i++) {
            char c = info.szExeFile[i];
            cout << c;
        }*/
        cout << endl;   // leftover debug output: one empty line per process visited
        if (_tcscmp(info.szExeFile, Exename) == 0)
        {
            return info.th32ProcessID;// return the process id
        }
        if (!Process32Next(hProcess, &info))
        {
            return FALSE;
        }
    }
    return FALSE;

}

// Loads the DLL at pLocDll into the first "notepad.exe" process found.
//
// This is the textbook remote-thread injection sequence:
//   OpenProcess -> VirtualAllocEx -> WriteProcessMemory(path) ->
//   CreateRemoteThread(LoadLibraryW, path) -> WaitForSingleObject.
// From a defender's point of view that exact cross-process call chain is what
// Sysmon (Event ID 8, CreateRemoteThread) and EDR sensors watch for, so the
// program is expected to be flagged on any monitored host, and the same chain
// is what to look for when triaging a process that had a foreign module loaded.
//
// Returns -1 when CreateRemoteThread fails. Every other path falls off the end
// of a function declared to return int, which is undefined behaviour; main()
// ignores the value, so this is latent rather than visible.
int dll_inject() {
    // Absolute path of the DLL to load; edit to match your own build output.
    const TCHAR *pLocDll = _T("G:\\vs c++\\injection\\x64\\Release\\injectionDll.dll");

    HANDLE hThread = NULL;   // shadows the global hThread

    // Target process name
    DWORD ProcessID = ProcessFind(TEXT("notepad.exe"));
    if (!ProcessID) {
        cout << "查找不到当前程序" << endl;
    }
    else {
        // Open the target. The return value is not checked, so a NULL handle
        // (access denied, process gone) is passed on to every call below.
        // bInheritHandle == TRUE is not needed here; nothing is spawned.
        HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, TRUE, ProcessID);

        // Size of the bare file name, including the terminating NUL.
        SIZE_T PathSize = (_tcslen(_T("injectionDll.dll")) + 1) * sizeof(TCHAR);

        // First remote buffer. NOTE: it only ever receives the bare file name
        // and is never handed to the remote thread; it is a dead write whose
        // only effect is the failure check below.
        LPVOID StartAddress = VirtualAllocEx(hProcess, NULL, PathSize, MEM_COMMIT, PAGE_READWRITE);

        // Write the name into the first buffer.
        bool bSuccess = WriteProcessMemory(hProcess, StartAddress, _T("injectionDll.dll"), PathSize, 0);
        if (!bSuccess)
        {
            cout << "写入失败" << endl;   // hProcess is not closed on this path
        }
        else {
            // Second remote buffer, MAX_PATH bytes; this is the one the remote
            // thread actually receives.
            LPVOID strRmt = VirtualAllocEx(hProcess, nullptr, MAX_PATH, MEM_COMMIT, PAGE_READWRITE);
            // Byte length of the full path. Assumes sizeof(TCHAR) == 2 (Unicode
            // build) and does not count the terminating NUL.
            size_t lenLocDll = 2 * _tcslen(pLocDll);
            // Only proceed if the remote allocation succeeded
            if (strRmt) {
                // Copy the full path into the target; `ret` is never examined.
                BOOL ret = WriteProcessMemory(hProcess, strRmt, pLocDll, lenLocDll, nullptr);
                // Address of LoadLibraryW in this process, used as the remote
                // thread's start routine.
                LPTHREAD_START_ROUTINE loadlib = LPTHREAD_START_ROUTINE(GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryW"));
                // Start the remote thread; its argument is the path buffer.
                hThread = CreateRemoteThread(hProcess, nullptr, 0, loadlib, LPVOID(strRmt), 0, nullptr);
            }

            /*
            HANDLE hThread = CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("kernel32.dll")), "LoadLibrary"), StartAddress, 0, 0);*/

            // Also reached with hThread == NULL when strRmt was NULL above, in
            // which case GetLastError reports the VirtualAllocEx failure.
            // hProcess and strRmt are not released on this early return.
            if (hThread == NULL)
            {
                cout << "在进程中注入失败:";
                cout << GetLastError() << endl;
                return -1;
            }

            // Blocks until the remote LoadLibraryW returns. With no timeout,
            // this hangs forever if the loaded module's DllMain never returns
            // (the DLL on this page shows a MessageBox from DllMain, which is
            // exactly the kind of call that can deadlock under the loader lock).
            WaitForSingleObject(hThread, INFINITE);
            // At this point the DLL has been loaded; its own DllMain does the rest.
            // Cleanup. NOTE: this frees StartAddress, the unused first buffer;
            // strRmt, the buffer actually used, is left allocated in the target.
            VirtualFreeEx(hProcess, StartAddress,0, MEM_RELEASE);
            CloseHandle(hThread);
            CloseHandle(hProcess);
        }
    }
}
// Console entry point: run the injection once, then wait for a key press.
// system("pause") runs through the command interpreter; fine for a demo, not
// something to keep in anything that ships.
int main()
{
    dll_inject();
    system("pause");
}
释放失败了,每次只能执行一次,第二次在执行的时候只能重开记事本,大佬来解决一下啊
原文:https://www.cnblogs.com/weijunyu/p/10340151.html