#include <Windows.h>
#include <cstdio>
#include <cstring>
#include <iostream>
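// Loads the DLL at szPath into process `pid`: the path is copied into the
// target's address space and a remote thread is started at LoadLibraryA with
// that buffer as its argument.
//
// This is the textbook CreateRemoteThread/LoadLibrary pattern and it is noisy
// from a defender's point of view: the PROCESS_ALL_ACCESS open is a
// process-access event and the cross-process thread creation a remote-thread
// event (Sysmon Event IDs 10 and 8), and targets running under a binary
// signature-restriction mitigation policy or as a protected process reject
// the LoadLibrary step.
//
// Fixes over the original: the OpenProcess result is checked before use; the
// remote buffer is sized to the string instead of one byte; the byte count
// from WriteProcessMemory is received in a SIZE_T (passing a DWORD* corrupts
// the stack on 64-bit builds); the process and thread handles are closed on
// every path; the region is released (MEM_RELEASE) rather than decommitted;
// the printed id is the real thread id; and false is returned when the thread
// could not be created instead of waiting on a NULL handle and reporting success.
//
// @param pid    Target process id (main() obtains it from GetWindowThreadProcessId).
// @param szPath NUL-terminated ANSI path of the DLL; must be readable by the target.
// @return true when the remote thread was created and has finished, false on
//         a NULL path or any failing Windows API call.
bool Inject(DWORD pid, char *szPath) {
    if (szPath == NULL) {
        return false;
    }
    // PROCESS_ALL_ACCESS is broader than what VirtualAllocEx, WriteProcessMemory
    // and CreateRemoteThread are documented to need; kept as in the original.
    HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (handle == NULL) {
        return false;
    }

    bool ok = false;
    HANDLE pThread = NULL;
    // The string and its terminator must fit in the remote buffer; the
    // original reserved a single byte and relied on page granularity.
    const SIZE_T cbPath = strlen(szPath) + 1;
    LPVOID pRemoteAddress = VirtualAllocEx(handle, NULL, cbPath, MEM_COMMIT, PAGE_READWRITE);
    if (pRemoteAddress != NULL) {
        SIZE_T written = 0;
        if (WriteProcessMemory(handle, pRemoteAddress, szPath, cbPath, &written) != 0
            && written == cbPath) {
            DWORD threadId = 0;
            // The thread entry is LoadLibraryA and its single argument is the
            // remote copy of the path; creation flags 0 means run immediately.
            pThread = CreateRemoteThread(handle, NULL, 0,
                                         reinterpret_cast<LPTHREAD_START_ROUTINE>(LoadLibraryA),
                                         pRemoteAddress, 0, &threadId);
            if (pThread == NULL) {
                printf("线程创建失败\n");
            } else {
                printf("线程创建成功,线程Id为:%lu\n", static_cast<unsigned long>(threadId));
                // LoadLibraryA reads the remote buffer, so it must finish
                // before the buffer is released below.
                WaitForSingleObject(pThread, INFINITE);
                ok = true;
            }
        }
        // Size 0 with MEM_RELEASE frees the whole region allocated above.
        VirtualFreeEx(handle, pRemoteAddress, 0, MEM_RELEASE);
    }

    if (pThread != NULL) {
        CloseHandle(pThread);
    }
    CloseHandle(handle);
    return ok;
}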
char path[] = "D:\\Test\\SharkDll\\Debug\\SharkDll.dll"; // hard-coded DLL path; it is resolved inside the target, so it must be readable there
HWND hwnd; // top-level window handle returned by FindWindowA
const char* name = "微信"; // window title passed to FindWindowA (the original comment calls it the process name)
DWORD pid; // target process id filled in by GetWindowThreadProcessId
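// Entry point: locates the target by window title, resolves its process id
// and hands both to Inject().
//
// Fixes over the original: a NULL window handle and a failed process-id
// lookup now stop the program instead of feeding pid 0 to OpenProcess; the
// handle is printed with %p rather than truncated through (int) on 64-bit
// builds; and the exit code reflects whether Inject() succeeded.
//
// @return 0 on success, 1 when the window is not found, the process id cannot
//         be resolved, or Inject() reports failure.
int main()
{
    // FindWindowA returns NULL when no top-level window has this exact title.
    hwnd = ::FindWindowA(NULL, name);
    printf("进程句柄:%p\n", static_cast<void*>(hwnd));
    if (hwnd == NULL) {
        return 1;
    }
    // Returns the owning thread id, or 0 on failure; only the pid is needed here.
    if (GetWindowThreadProcessId(hwnd, &pid) == 0 || pid == 0) {
        return 1;
    }
    printf("进程的pid:%lu\n", static_cast<unsigned long>(pid));
    return Inject(pid, path) ? 0 : 1;
}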
原文:https://www.cnblogs.com/TNTBomb/p/13582654.html