在其他进程中,创建一个新的线程来 LoadLibraryA 我们的 Dll。
/*
 * Author: exchen (Sysprogram)   Written: 2011-04-02
 * Blog: http://blog.csdn.net/SysProgram
 *
 * Remote-thread DLL injection demo: allocate a buffer in another process,
 * write a DLL path into it, and start a thread in that process whose entry
 * point is LoadLibraryA with that buffer as its argument.
 *
 * From a defender's point of view, the cross-process calls made here
 * (OpenProcess with PROCESS_ALL_ACCESS -> VirtualAllocEx -> WriteProcessMemory
 * -> CreateRemoteThread) are the classic injection pattern; endpoint
 * monitoring commonly records exactly this sequence, and a new thread whose
 * start address is LoadLibraryA is the usual telltale event.
 */
#include <windows.h>
#include <stdio.h>

// Entry point. Non-standard `void main()`; the target PID and DLL path are
// hard-coded below. On the WriteProcessMemory failure path the function
// returns without closing hProcess.
void main()
{
    // Open a handle to the target process with full access. PID 1956 is a
    // hard-coded example value.
    HANDLE hProcess;
    hProcess = OpenProcess(PROCESS_ALL_ACCESS,false,1956);
    if (hProcess == NULL)
    {
        // NOTE(review): "/n" here is a literal slash and 'n', not a newline.
        printf("Open Process error/n");
        return;
    }

    // Allocate a committed, read/write buffer in the target process large
    // enough for the NUL-terminated DLL path.
    // NOTE(review): the VirtualAllocEx result is never checked for NULL
    // before being passed to WriteProcessMemory below.
    LPVOID BaseAddress;
    char *strDllName = {"C:\\dlltest.dll"};
    int len = strlen(strDllName) + 1;
    BaseAddress = VirtualAllocEx(hProcess,NULL,len,MEM_COMMIT,PAGE_READWRITE);

    // Copy the DLL path string into the remote buffer.
    if (WriteProcessMemory(hProcess,BaseAddress,strDllName,len,NULL) == false)
    {
        printf("Write Memory error\n");
        return;   // hProcess is leaked on this path
    }

    // Resolve LoadLibraryA in *this* process. Using that address as the
    // remote start routine assumes kernel32.dll is mapped at the same base
    // in the target process — the code does not verify that.
    // NOTE(review): neither hModule nor ProcAddress is checked for NULL.
    FARPROC ProcAddress;
    HMODULE hModule = GetModuleHandle("Kernel32.dll");
    ProcAddress = GetProcAddress(hModule,"LoadLibraryA");

    // Start a thread in the target whose entry is LoadLibraryA and whose
    // single argument is the remote buffer holding the DLL path.
    // NOTE(review): hThread is not checked for NULL before the wait below.
    HANDLE hThread;
    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)ProcAddress, BaseAddress, 0, NULL);

    // Block until the remote thread (i.e. the LoadLibraryA call) finishes.
    WaitForSingleObject(hThread,INFINITE);

    // Release the remote buffer and close both handles.
    VirtualFreeEx(hProcess,BaseAddress,0,MEM_RELEASE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
}
转载请注明:exchen's blog » 远程线程 DLL 注入