Remote thread injection: injecting a DLL into a process with CreateRemoteThread


Principle:
OpenProcess obtains a handle to the target process (the injector must run as the same user or hold SeDebugPrivilege, and must have the same bitness as the target).
VirtualAllocEx allocates a buffer inside the target's address space.
WriteProcessMemory copies the DLL's absolute path (not the DLL itself) into that buffer.
CreateRemoteThread starts a thread in the target whose start routine is LoadLibraryW and whose single argument is the buffer address; the Windows loader then maps the DLL into the target and calls its DllMain with DLL_PROCESS_ATTACH.

Result:

A process monitor shows the injected DLL loaded as a module of the Calculator process, and the message box from DllMain appears.

Injector code:

#include <stdio.h>
#include <windows.h>
#define NAME L"计算器"                              // window title of the target process (Calculator, Chinese locale)
#define PATH L"C:\\Users\\admin\\Desktop\\dll.dll"  // absolute path of the DLL to inject
int main()
{
    DWORD pid = 0;
    HWND hwnd = FindWindowW(NULL, NAME);            // locate the target by its window title
    if (!hwnd)
        return 1;
    GetWindowThreadProcessId(hwnd, &pid);           // PID of the process that owns the window
    HANDLE hand = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); // open the target process
    if (!hand)
        return 1;
    SIZE_T size = sizeof(PATH);                     // bytes of the wide path string, terminator included
    // The buffer only holds the path string, so read/write is enough; it need not be executable.
    LPVOID lpaddress = VirtualAllocEx(hand, NULL, size, MEM_COMMIT, PAGE_READWRITE);
    if (!lpaddress) {
        CloseHandle(hand);
        return 1;
    }
    BOOL write = WriteProcessMemory(hand, lpaddress, PATH, size, NULL); // copy exactly the path bytes into the target
    if (!write) {
        VirtualFreeEx(hand, lpaddress, 0, MEM_RELEASE);
        CloseHandle(hand);
        return 1;
    }
    // The path was written as a wide string, so the start routine must be LoadLibraryW (the LoadLibrary
    // macro is LoadLibraryA in non-Unicode builds). kernel32.dll is mapped at the same base in every
    // process of the same boot session, so its address here is valid in the target of the same bitness.
    LPTHREAD_START_ROUTINE loadlib =
        (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "LoadLibraryW");
    HANDLE thread = CreateRemoteThread(hand, NULL, 0, loadlib, lpaddress, 0, NULL); // run LoadLibraryW(path) in the target
    if (thread) {
        WaitForSingleObject(thread, INFINITE);      // DllMain has run once LoadLibraryW returns
        CloseHandle(thread);
    }
    VirtualFreeEx(hand, lpaddress, 0, MEM_RELEASE); // the loader keeps its own copy of the path
    CloseHandle(hand);
    return 0;
}

DLL code that pops up a MessageBox:

#include <windows.h>

BOOL WINAPI DllMain(HMODULE hModule, DWORD call, LPVOID lpreserved)
{
    switch (call)
    {
    case DLL_PROCESS_ATTACH:
        // Runs on the remote thread, inside LoadLibraryW, while the loader lock is held.
        // A message box is fine for a demo; a real payload should only start a worker
        // thread here and do its work from that thread.
        MessageBoxW(NULL, L"success!!!", L"Injected", MB_OK);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
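The result above was confirmed in a GUI process monitor. The following PowerShell script is an added example, not code from the original post, that performs the same check from the command line: it finds the process by main window title exactly as the injector does, enumerates its loaded modules, and flags any that live outside the Windows or Program Files directories, lack a valid Authenticode signature, or match the injected DLL's file name. The window title "计算器", the DLL name dll.dll and the requirement that the shell has the same bitness as the target are assumptions.

```powershell
# Added example (not from the original post): list the modules of the process
# that owns a given window title and flag the ones that look injected.
# Assumptions: target window title "计算器", injected DLL named dll.dll, and
# this shell runs with the same bitness and at least the same integrity level
# as the target (otherwise module enumeration is refused).
param(
    [string]$WindowTitle = '计算器',
    [string]$InjectedDll = 'dll.dll'
)

# Locate the target the same way the injector does: by main window title.
$targets = Get-Process | Where-Object { $_.MainWindowTitle -eq $WindowTitle }
if (-not $targets) {
    Write-Error "No process with main window title '$WindowTitle'"
    return
}

# Directories from which a module load is expected; a DLL mapped from
# anywhere else (for example a user's Desktop) deserves a look.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

foreach ($p in $targets) {
    try {
        $modules = $p.Modules   # throws for protected or other-bitness processes
    } catch {
        Write-Warning "PID $($p.Id): cannot enumerate modules: $($_.Exception.Message)"
        continue
    }
    foreach ($m in $modules) {
        $path = $m.FileName
        $inTrustedRoot = $false
        foreach ($root in $trustedRoots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inTrustedRoot = $true
            }
        }
        $sigStatus = (Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue).Status
        $suspicious = (-not $inTrustedRoot) -or ($sigStatus -ne 'Valid') -or ($m.ModuleName -ieq $InjectedDll)
        if ($suspicious) {
            [pscustomobject]@{
                PID       = $p.Id
                Process   = $p.ProcessName
                Module    = $m.ModuleName
                Base      = '0x{0:X}' -f $m.BaseAddress.ToInt64()
                Path      = $path
                Signature = $sigStatus
            }
        }
    }
}
```

Run it after the injector has finished and dll.dll should appear in the output with Signature = NotSigned and a path under the user's profile, while the system DLLs of the Calculator process are filtered out (catalog-signed system DLLs report Valid on Windows 8 and later). The list is a triage aid, not a verdict: a legitimately unsigned module from a trusted directory will also be listed.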