今天因为测试东西,所以写了一个向别进程注入dll的小程序,代码比较简单,方法也很单一,不过有时候搞测试的时候又找不到这样的工具,所以写了一个.
使用方法:
/p [进程名]
/pid [进程id]
/d [要注入的dll]
/w [等待时间]
/p 和/pid 后面可以同时跟多个参数,用,连接,例如
/p notepad.exe,explorer.exe
/pid 1232,1345
/p 和 /pid 不要同时使用,不然最前面的不能被注入
下载
同时贴出源代码:
#include <Windows.h>
#include <tlhelp32.h>
#include <stdio.h>
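// Resolve a comma-separated list of image names (e.g. "notepad.exe,explorer.exe")
// to the IDs of every running process whose executable name matches one of them,
// compared case-insensitively through a Toolhelp32 process snapshot.
//
// Returns a heap array of at most MAX_TARGETS DWORDs terminated by a 0 entry.
// The first entry is 0 when nothing matched, lpszProcess is null, or the snapshot
// could not be taken. Ownership passes to the caller, which must release it with
// delete[]. At most MAX_TARGETS - 1 process IDs are reported; further matches are
// dropped instead of being written past the end (the original check let one
// write land one element beyond the array).
//
// lpszProcess is handled as a narrow string (strlen/strcmpi), so this only builds
// in a non-UNICODE configuration, exactly like the original.
DWORD* FindTarget( LPCTSTR lpszProcess )
{
    enum { MAX_NAMES = 100, MAX_TARGETS = 100 };

    // Allocate the result first so every exit path returns a valid, zero-terminated list.
    DWORD* pdwPids = new DWORD [MAX_TARGETS];
    pdwPids[0] = 0;
    if (lpszProcess == 0)
        return pdwPids;

    // Work on a private copy: each comma is overwritten with a NUL so every name
    // becomes its own C string without further allocation.
    size_t cchInput = strlen(lpszProcess);
    char* pszCopy = new char [cchInput + 1];
    memcpy(pszCopy, lpszProcess, cchInput + 1);

    // Up to MAX_NAMES - 1 name pointers plus a 0 terminator. Names beyond the cap
    // are ignored; the original had no cap on its 100-entry array.
    char* pNames[MAX_NAMES];
    int cNames = 0;
    char* pSegment = pszCopy;
    for (char* p = pszCopy; ; p++)
    {
        if (*p != ',' && *p != 0)
            continue;
        bool bEnd = (*p == 0);
        *p = 0;
        if (cNames < MAX_NAMES - 1)
            pNames[cNames++] = pSegment;
        if (bEnd)
            break;
        // Resume scanning right after the comma. The original moved its base
        // pointer forward but kept the running index, so the third and later
        // names were never split off.
        pSegment = p + 1;
    }
    pNames[cNames] = 0;

    HANDLE hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    if (hSnapshot != INVALID_HANDLE_VALUE)
    {
        PROCESSENTRY32 pe32;
        pe32.dwSize = sizeof( pe32 );
        DWORD cFound = 0;
        // pe32 only holds data once Process32First succeeds; the original read it unchecked.
        if (Process32First( hSnapshot, &pe32 ))
        {
            do
            {
                for (int k = 0; pNames[k] != 0; k++)
                {
                    if ( strcmpi( pe32.szExeFile, pNames[k] ) == 0 )
                    {
                        pdwPids[cFound++] = pe32.th32ProcessID;
                        pdwPids[cFound] = 0;
                        break;  // one entry per process, even if the name was listed twice
                    }
                }
            } while ( cFound < MAX_TARGETS - 1 && Process32Next( hSnapshot, &pe32 ) );
        }
        CloseHandle( hSnapshot );
    }

    delete[] pszCopy;
    return pdwPids;
}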
// Entry point of the command-line injector.
//
// Flags (each one consumes the token that follows it):
//   /pid <id[,id...]>     explicit target process IDs, comma-separated
//   /p   <name[,name...]> target image names, resolved to IDs by FindTarget
//   /d   <path>           DLL path passed to the remote LoadLibraryA call
//   /w   <ms>             wait time for the remote thread (default 1000)
//
// For every target it opens the process, copies the DLL path into it, and starts
// a remote thread at LoadLibraryA with that path as the argument. This exact
// sequence (OpenProcess with VM_WRITE|CREATE_THREAD, VirtualAllocEx,
// WriteProcessMemory, CreateRemoteThread -> LoadLibraryA) is the textbook
// remote-thread injection pattern that endpoint monitoring looks for, so on a
// protected host expect it to be logged or blocked.
//
// NOTE(review): `void main` is non-standard; `int main` is the portable form.
void main(int argc, char* argv[])
{
// Needs at least a flag and a value; the message below is the only usage text.
if (argc < 3)
{
printf("Need process name and dll name to inject!\n"
"explame:inject.exe /pid 1210 /d c:\\inject.dll");
return;
}
// Dead code: an unfinished existence check for the DLL path that was never compiled in.
/*
HANDLE phFile = CreateFile(argv[2], GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (phFile == INVALID_HANDLE_VALUE)
{
printf("");
}
*/
// Fixed 100-entry list filled only by the /pid branch. When /p is used instead,
// pProcessIDs is replaced by FindTarget's array and this one is never freed.
DWORD* pPids = new DWORD [100];
DWORD* pProcessIDs = 0;   // zero-terminated list of target PIDs; whichever flag came last wins
char *pszDLL = 0;         // points into argv; not copied
DWORD pWait = 1000;       // milliseconds passed to WaitForSingleObject
// NOTE(review): every branch below reads argv[i+1] without checking i+1 < argc,
// so a trailing flag with no value reads past the end of argv.
for (int i=0;i<argc;i++)
{
if (strcmpi(argv[i],"/pid") == 0)
{
int a = 0;
char* pszids = new char [strlen(argv[i+1])+1];
strcpy(pszids,argv[i+1]);
char* ps2 = pszids;
// Split the copy in place on ',' and convert each piece with atol (no error
// reporting: a non-numeric piece becomes 0, which the list treats as its end).
// `a` is not bounded, so more than 99 IDs write past the end of pPids.
for (int x = 0;ps2[x] != 0;x++)
{
if (ps2[x] == 0x2C)
{
ps2[x] = 0;
pPids[a] = atol(ps2);
ps2 = ps2+x+1;
// Restart at the new piece; the loop's x++ then skips its first character,
// so an empty piece ("1,,2") is not split and the remainder converts to 0.
x = 0;
a++;
}
}
pPids[a] = atol(ps2);
pPids[a+1] = 0;
pProcessIDs = pPids;
// NOTE(review): allocated with new[], so delete[] is the matching form.
delete pszids;
continue;
}
if (strcmpi(argv[i],"/p") == 0)
{
// FindTarget returns a new[]'d array; any earlier /pid result in pProcessIDs is
// dropped here (and vice versa), which is why the two flags do not combine.
pProcessIDs=FindTarget(argv[i+1]);
continue;
}
if (strcmpi(argv[i],"/d") == 0)
{
pszDLL = argv[i+1];
continue;
}
if (strcmpi(argv[i],"/w") == 0)
{
pWait = atol(argv[i+1]);
continue;
}
}
if (pProcessIDs == 0 || pProcessIDs[0] == 0)
{
printf("Not find anyone process!");
return;
}
if (pszDLL == 0)
{
printf("must have a dll for inject!");
return;
}
// One injection per PID; the first failure aborts the whole run and leaks pProcessIDs.
for (int i=0;pProcessIDs[i] != 0;i++)
{
HANDLE phProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, pProcessIDs[i]);
// NOTE(review): OpenProcess returns NULL on failure, not INVALID_HANDLE_VALUE, so
// this check never fires; the NULL handle reaches VirtualAllocEx and the failure is
// reported as an allocation error instead.
if (phProcess == INVALID_HANDLE_VALUE)
{
printf("Error while open process!");
return;
}
DWORD dwSize, dwWritten;
// Path length including the terminating NUL, which LoadLibraryA needs in the remote copy.
dwSize = lstrlenA( pszDLL ) + 1;
LPVOID lpBuf = VirtualAllocEx( phProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE );
if ( NULL == lpBuf )
{
printf("Error while Alloc memory!");
CloseHandle( phProcess );
return;
}
if ( WriteProcessMemory( phProcess, lpBuf, (LPVOID)pszDLL, dwSize, &dwWritten ) )
{
// A short write is treated as a failure; the remote buffer is released only on this path.
if ( dwWritten != dwSize )
{
VirtualFreeEx( phProcess, lpBuf, dwSize, MEM_DECOMMIT );
CloseHandle( phProcess );
printf("Error while Write data to memory!");
return;
}
}
else
{
// NOTE(review): lpBuf is not freed on this path, unlike the short-write case above.
CloseHandle( phProcess );
printf("Error while Write data to memory!");
return;
}
DWORD dwID;
// Assumes kernel32.dll is mapped at the same base in the target as in this
// process, so the local address of LoadLibraryA is valid there.
LPVOID pFunc = LoadLibraryA;
HANDLE hThread = CreateRemoteThread( phProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunc, lpBuf, 0, &dwID );
// NOTE(review): hThread is not checked for NULL before it is waited on and closed.
WaitForSingleObject(hThread,pWait);
// Freed regardless of whether the wait returned WAIT_OBJECT_0 or WAIT_TIMEOUT; if the
// remote thread is still inside LoadLibraryA it may read the path from decommitted memory.
VirtualFreeEx( phProcess, lpBuf, dwSize, MEM_DECOMMIT );
CloseHandle( hThread );
CloseHandle(phProcess);
}
// NOTE(review): both possible arrays come from new[], so delete[] is the matching form.
delete pProcessIDs;
return;
}
来源:https://www.cnblogs.com/lifeengines/archive/2006/11/21/566791.html