DLL注入技术

源地址

  1. 注入程序
// NOTE(review): the six header names were lost when this listing was flattened onto one
// line; the tokens below are kept as the page shows them and will not preprocess as-is.
#include #include #include #include #include #include
using namespace std;

// Looks up a running process by executable file name using a Toolhelp process snapshot.
// On a match *info holds the matching PROCESSENTRY32 (the caller reads th32ProcessID).
// wcscmp on a TCHAR array only compiles in a UNICODE build.
// NOTE(review): the snapshot handle is never closed (no CloseHandle); the entry filled by
// Process32First is never compared because only Process32Next results reach wcscmp; and
// when nothing matches, control falls off the end of a BOOL function without a return,
// which is undefined behaviour.
BOOL getProcess32Info(PROCESSENTRY32 *info, const TCHAR processName[])
{
    HANDLE handle;
    handle = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    info->dwSize = sizeof(PROCESSENTRY32);
    Process32First(handle, info);
    while (Process32Next(handle, info) != FALSE)
    {
        // Exact, case-sensitive comparison of the executable file name.
        if (wcscmp(processName, info->szExeFile) == 0)
        {
            return TRUE;
        }
    }
}

// Loads DllFullPath into process pid: the path string is copied into the target's address
// space and a remote thread is started at LoadLibraryW with that buffer as its argument.
// The OpenProcess(PROCESS_ALL_ACCESS) / VirtualAllocEx / WriteProcessMemory /
// CreateRemoteThread chain is the classic remote-thread injection sequence and is commonly
// flagged by EDR process-injection telemetry.
// Returns -1 if the process cannot be opened, -2 if remote memory cannot be allocated,
// -3 if the write fails.
// NOTE(review): there is no return statement on the success path (undefined behaviour for
// an int function); hProc and the thread handle from CreateRemoteThread are never closed;
// the GetProcAddress result is not null-checked; PAGE_EXECUTE_READWRITE is requested for a
// buffer that only ever holds a string (PAGE_READWRITE would suffice).
int InjectDll(const wchar_t *DllFullPath, const DWORD pid)
{
    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
    if (hProc == 0)
    {
        return -1;
    }
    // Byte length of the path including the terminating NUL.
    int pathSize = (wcslen(DllFullPath) + 1) * sizeof(wchar_t);
    LPVOID buffer = VirtualAllocEx(hProc, 0, pathSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (buffer == 0)
    {
        return -2;
    }
    if (!WriteProcessMemory(hProc, buffer, DllFullPath, pathSize, NULL))
    {
        return -3;
    }
    // The local address of LoadLibraryW is used as the remote start routine, i.e. the code
    // assumes kernel32 is mapped at the same base in the target process.
    LPVOID pFunc = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "LoadLibraryW");
    CreateRemoteThread(hProc, 0, 0, (LPTHREAD_START_ROUTINE)pFunc, buffer, 0, 0);
}

// Demo driver: starts notepad.exe, finds its PID and injects the hard-coded DLL path.
// NOTE(review): the final std::cout line sits after `return 0;` and is unreachable.
int main()
{
    system("start %windir%\\system32\\notepad.exe");
    PROCESSENTRY32 info;
    if (getProcess32Info(&info, L"notepad.exe"))
    {
        InjectDll(L"E:\\GlobalHook_Test.dll", info.th32ProcessID);
    }
    else
    {
        cout << "查找失败" << endl;
    }
    return 0;
    std::cout << "Hello World!\n";
}
  2. 钩子
// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"
#include "stdlib.h"
// NOTE(review): the third header name was lost when this listing was flattened.
#include
using namespace std;

// Demo payload: on DLL_PROCESS_ATTACH (i.e. when the DLL is mapped into the target
// process) it shows a message box; thread attach/detach and process detach do nothing.
// NOTE(review): "DWORDul_reason_for_call" lost the whitespace between type and parameter
// name in extraction (the Visual Studio template reads `DWORD ul_reason_for_call`).
// NOTE(review): DllMain runs under the loader lock, so a modal MessageBox here stalls the
// host's loader for as long as the box is open; acceptable for a demo only.
BOOL APIENTRY DllMain( HMODULE hModule, DWORDul_reason_for_call, LPVOID lpReserved )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        HWND hwnd = GetActiveWindow();
        MessageBox(hwnd, L"DLL已进入目标进程。", L"信息", MB_ICONINFORMATION);
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

原地址

// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"
#include "stdlib.h"
// NOTE(review): four header names were lost when this listing was flattened.
#include #include #include #include
using namespace std;

// Global hook handle: written by SetHook, read by MyProc and UnHook.
HHOOK global_Hook;

// Checks whether the first module of process Pid (its own executable, per the author's
// comment) is named ExeName. Returns TRUE on a case-insensitive match, FALSE otherwise or
// when the snapshot cannot be taken.
// NOTE(review): bRet is assigned but never checked, so me32 is compared while still
// zero-filled if Module32First fails; CloseHandle is also called on the
// INVALID_HANDLE_VALUE failure path.
BOOL GetFirstModuleName(DWORD Pid, LPCTSTR ExeName)
{
    MODULEENTRY32 me32 = { 0 };
    me32.dwSize = sizeof(MODULEENTRY32);
    HANDLE hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, Pid);
    if (INVALID_HANDLE_VALUE != hModuleSnap)
    {
        // First fetch the process's own name (the first module in the snapshot).
        BOOL bRet = Module32First(hModuleSnap, &me32);
        // If this is the process we are meant to be in, return TRUE.
        if (!_tcsicmp(ExeName, (LPCTSTR)me32.szModule))
        {
            CloseHandle(hModuleSnap);
            return TRUE;
        }
        CloseHandle(hModuleSnap);
        return FALSE;
    }
    CloseHandle(hModuleSnap);
    return FALSE;
}

// Intended to return this DLL's own file name (SetHook passes it to GetModuleHandleA).
// NOTE(review): as written this cannot work:
//  - GetModuleFileNameA(NULL, ...) returns the path of the host process's executable, not
//    of this DLL;
//  - `szFileFullPath == "\\"` compares the decayed array pointer with the address of a
//    string literal, which is never true, so nothing is ever copied and szProcessName is
//    returned uninitialised;
//  - the returned pointer refers to a stack-local buffer that is dead once the function
//    returns (dangling pointer).
char* GetMyDllName()
{
    char szFileFullPath[MAX_PATH], szProcessName[MAX_PATH];
    // Get the module's full path.
    GetModuleFileNameA(NULL, szFileFullPath, MAX_PATH);
    int length = strlen(szFileFullPath);
    for (int i = length - 1; i >= 0; i--)
    {
        // Scanning backwards, the text after the last '\' is the file name.
        if (szFileFullPath == "\\")
        {
            i++;
            // The terminating '\0' must be copied too, i.e. i runs up to length.
            for (int j = 0; i <= length; j++)
            {
                szProcessName[j] = szFileFullPath[i++];
            }
            break;
        }
    }
    return szProcessName;
}

// Hook procedure for the WH_CBT hook: shows a message box on every CBT event delivered to
// a hooked thread, then passes the event down the hook chain.
// NOTE(review): the hook contract says events with nCode < 0 should be forwarded without
// processing; nCode is not checked here.
LRESULT CALLBACK MyProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    MessageBoxA(0, "wa haha", 0, 0);
    return CallNextHookEx(global_Hook, nCode, wParam, lParam);
}

// Installs a global (dwThreadId = 0) WH_CBT hook whose procedure lives in this module.
// Author's note: the GetMyDllName() call here could name some other external DLL, so any
// DLL can be loaded into other processes this way. Global SetWindowsHookEx hooks are a
// well-known injection vector and are commonly monitored by EDR.
// NOTE(review): the HMODULE argument comes from GetMyDllName, which returns a dangling,
// uninitialised buffer (see above), so this call is unreliable. `_declspec` (one
// underscore) is an MSVC alias of `__declspec`; UnHook below uses the two-underscore
// spelling and the two should agree.
extern "C" _declspec(dllexport) void SetHook()
{
    global_Hook = SetWindowsHookEx(WH_CBT, MyProc, GetModuleHandleA(GetMyDllName()), 0);
}

// Removes the global hook if one was installed.
// NOTE(review): global_Hook is not reset to NULL afterwards, so a second call would unhook
// a stale handle.
extern "C" __declspec(dllexport) void UnHook()
{
    if (global_Hook)
    {
        UnhookWindowsHookEx(global_Hook);
    }
}

// DLL entry point. On process attach it checks whether the current host process's first
// module is InjectDll.exe and, if so, shows a message box; other reasons do nothing.
// NOTE(review): "DWORDul_reason_for_call" lost its whitespace in extraction (should read
// `DWORD ul_reason_for_call`).
BOOL APIENTRY DllMain( HMODULE hModule, DWORDul_reason_for_call, LPVOID lpReserved )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        // Fires when the DLL is loaded; the author's comment says "check whether the
        // parent process is InjectDll.exe", but the call actually inspects the current
        // process (GetCurrentProcessId), not its parent.
        BOOL flag = GetFirstModuleName(GetCurrentProcessId(), TEXT("InjectDll.exe"));
        if (flag == TRUE)
        {
            MessageBoxA(0, "InjectDll", 0, 0);
        }
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
// NOTE(review): the six header names were lost when this listing was flattened onto one
// line; the tokens below are kept as the page shows them and will not preprocess as-is.
#include #include #include #include #include #include
using namespace std;

// Looks up a running process by executable file name using a Toolhelp process snapshot.
// On a match *info holds the matching PROCESSENTRY32 (the caller reads th32ProcessID).
// NOTE(review): same defects as the first listing on this page: the snapshot handle is
// never closed, the Process32First entry is never compared, and a BOOL function falls off
// its end without a return when nothing matches (undefined behaviour).
BOOL getProcess32Info(PROCESSENTRY32 *info, const TCHAR processName[])
{
    HANDLE handle;
    handle = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    info->dwSize = sizeof(PROCESSENTRY32);
    Process32First(handle, info);
    while (Process32Next(handle, info) != FALSE)
    {
        if (wcscmp(processName, info->szExeFile) == 0)
        {
            return TRUE;
        }
    }
}

// Remote-thread injection of DllFullPath into process pid (unused by this file's main,
// which has the call commented out). Returns -1 / -2 / -3 on open / allocate / write
// failure.
// NOTE(review): no return on the success path (undefined behaviour for an int function);
// hProc and the CreateRemoteThread handle are never closed; GetProcAddress is not
// null-checked; PAGE_EXECUTE_READWRITE is more than a string buffer needs.
int InjectDll(const wchar_t *DllFullPath, const DWORD pid)
{
    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
    if (hProc == 0)
    {
        return -1;
    }
    // Byte length of the path including the terminating NUL.
    int pathSize = (wcslen(DllFullPath) + 1) * sizeof(wchar_t);
    LPVOID buffer = VirtualAllocEx(hProc, 0, pathSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (buffer == 0)
    {
        return -2;
    }
    if (!WriteProcessMemory(hProc, buffer, DllFullPath, pathSize, NULL))
    {
        return -3;
    }
    LPVOID pFunc = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "LoadLibraryW");
    CreateRemoteThread(hProc, 0, 0, (LPTHREAD_START_ROUTINE)pFunc, buffer, 0, 0);
}

// Driver variant: loads the hook DLL into this process and calls its exported SetHook,
// then sleeps forever so the global hook stays installed.
// NOTE(review): the tail of this function has several defects:
//  - `while (1) { Sleep(1000); }` never exits, so everything after it is unreachable;
//  - `pUnSetHook();` names the typedef, not the variable UnsetHook, and does not compile;
//  - the DLL listing above exports `void UnHook()`, but it is cast here to
//    `BOOL(*)(HHOOK)`, a signature mismatch;
//  - hMod and both GetProcAddress results are used without a null check.
int main()
{
    /*system("start %windir%\\system32\\notepad.exe");PROCESSENTRY32 info;if (getProcess32Info(&info, L"notepad.exe")){InjectDll(L"E:\\GlobalHook_Test.dll", info.th32ProcessID);}else{cout << "查找失败" << endl;}return 0;*/
    HMODULE hMod = LoadLibrary(TEXT("E:\\GlobalHook_Test.dll"));
    // Install the hook.
    typedef void(*pSetHook)(void);
    pSetHook SetHook = (pSetHook)GetProcAddress(hMod, "SetHook");
    SetHook();
    while (1)
    {
        Sleep(1000);
    }
    // Remove the hook.
    typedef BOOL(*pUnSetHook)(HHOOK);
    pUnSetHook UnsetHook = (pUnSetHook)GetProcAddress(hMod, "UnHook");
    pUnSetHook();
    FreeLibrary(hMod);
    return 0;
}