以下代码演示将test.dll注入电话进程并触发test.dll里的导出函数HelloWorld
首先是注入的exe:
// 取得CProg.exe进程句柄的OpenProcess就不贴了,大家都知道@@
// Uninstall the hook: ask the target process to call FreeLibrary on the module
// that InstallHook loaded there. (As posted, InstallHook leaves its call to this
// function commented out.)
//
// @param hProcessDest  handle of the target process
// @param hInst         HINSTANCE that LoadLibraryW returned inside the target
// @return  true when the callback returned non-zero (original author's note: 1 means unloaded)
bool UninstallHook(HANDLE hProcessDest,HINSTANCE hInst){
CALLBACKINFO ci;
ci.hProcess = hProcessDest;
// FreeLibrary is resolved in this process and its address remapped for the target process.
ci.pFunction = (FARPROC)MapPtrToProcess(GetProcAddress(GetModuleHandle(L " COREDLL " ), L " FreeLibrary " ), hProcessDest);
ci.pvArg0 = hInst; // HINSTANCE returned by LoadLibrary
DWORD dw = PerformCallBack4( & ci, 0 , 0 , 0 ); // returns 1 if correctly unloaded
return ( bool )dw;
}
// Install the hook: load test.dll into the target process, then run its exported HelloWorld there.
//
// Defender's note: the sequence used here (SetKMode(TRUE), SetProcPermissions(0xFFFFFFFF),
// then PerformCallBack4 with ci.hProcess pointing at another process) is the Windows CE
// cross-process code-loading primitive. A device policy that restricts these coredll
// calls, or logs LoadLibraryW reached through PerformCallBack4, is what blocks or
// detects this class of injection.
//
// @param hProcessDest  handle of the target process (the OpenProcess call is not shown on this page)
// @return  true when both callbacks returned non-zero, false otherwise
bool InstallHook( HANDLE hProcessDest )
{
// Switch this thread to kernel mode and widen the process-permission mask; the previous
// values are kept so both can be restored on every exit path below.
BOOL bMode = SetKMode(TRUE);
DWORD dwPerm = SetProcPermissions( 0xFFFFFFFF );
CALLBACKINFO ci;
ci.hProcess = hProcessDest;
// First callback: the target process runs coredll's LoadLibraryW ...
ci.pFunction = (FARPROC)GetProcAddress(GetModuleHandle( _T( " coredll.dll " ) ),_T( " LoadLibraryW " ) );
// ... on the DLL path, a string that lives in this process and is mapped for cross-process use. (Step 1: load the DLL.)
ci.pvArg0 = MapPtrToProcess(_T( " test.dll " ),GetCurrentProcess());
HINSTANCE hInst = (HINSTANCE) PerformCallBack4( & ci, 0 , 0 , 0 );
// NOTE(review): the branch is decided by GetLastError() alone; hInst itself is never
// checked, so a stale error code from an earlier API call decides the outcome here.
if ( 0 == GetLastError())
{
// (A "success" MessageBox was shown here in an earlier version; it is left out.)
// Resolve the exported function of the injected DLL (the original author marks this as the key step).
FARPROC pHook = GetProcAddress(hInst, (LPCTSTR)L " HelloWorld " );
ci.hProcess = hProcessDest;
// Second callback: this time the function address itself is passed, so the export runs inside the target.
ci.pFunction = (FARPROC)MapPtrToProcess(pHook, hProcessDest);
ci.pvArg0 = NULL; // HelloWorld takes no arguments
DWORD dw = PerformCallBack4( & ci, 0 , 0 , 0 );
// UninstallHook(hProcessDest,hInst);
SetKMode(bMode);
SetProcPermissions(dwPerm);
return ( bool )dw;
} else {
// BUG: tt is an uninitialized pointer and wsprintf writes through it — undefined
// behaviour, most likely a crash on the failure path. A local WCHAR array is needed here.
LPWSTR tt;
wsprintf(tt,TEXT( " GetLastError:%d " ),GetLastError());
MessageBox(NULL,tt,TEXT( " fail " ),MB_OK);
}
// Restore thread mode and permissions before reporting failure.
SetKMode(bMode);
SetProcPermissions(dwPerm);
return false ;
}
// Uninstall the hook: ask the target process to call FreeLibrary on the module
// that InstallHook loaded there. (As posted, InstallHook leaves its call to this
// function commented out.)
//
// @param hProcessDest  handle of the target process
// @param hInst         HINSTANCE that LoadLibraryW returned inside the target
// @return  true when the callback returned non-zero (original author's note: 1 means unloaded)
bool UninstallHook(HANDLE hProcessDest,HINSTANCE hInst){
CALLBACKINFO ci;
ci.hProcess = hProcessDest;
// FreeLibrary is resolved in this process and its address remapped for the target process.
ci.pFunction = (FARPROC)MapPtrToProcess(GetProcAddress(GetModuleHandle(L " COREDLL " ), L " FreeLibrary " ), hProcessDest);
ci.pvArg0 = hInst; // HINSTANCE returned by LoadLibrary
DWORD dw = PerformCallBack4( & ci, 0 , 0 , 0 ); // returns 1 if correctly unloaded
return ( bool )dw;
}
// Install the hook: load test.dll into the target process, then run its exported HelloWorld there.
//
// Defender's note: the sequence used here (SetKMode(TRUE), SetProcPermissions(0xFFFFFFFF),
// then PerformCallBack4 with ci.hProcess pointing at another process) is the Windows CE
// cross-process code-loading primitive. A device policy that restricts these coredll
// calls, or logs LoadLibraryW reached through PerformCallBack4, is what blocks or
// detects this class of injection.
//
// @param hProcessDest  handle of the target process (the OpenProcess call is not shown on this page)
// @return  true when both callbacks returned non-zero, false otherwise
bool InstallHook( HANDLE hProcessDest )
{
// Switch this thread to kernel mode and widen the process-permission mask; the previous
// values are kept so both can be restored on every exit path below.
BOOL bMode = SetKMode(TRUE);
DWORD dwPerm = SetProcPermissions( 0xFFFFFFFF );
CALLBACKINFO ci;
ci.hProcess = hProcessDest;
// First callback: the target process runs coredll's LoadLibraryW ...
ci.pFunction = (FARPROC)GetProcAddress(GetModuleHandle( _T( " coredll.dll " ) ),_T( " LoadLibraryW " ) );
// ... on the DLL path, a string that lives in this process and is mapped for cross-process use. (Step 1: load the DLL.)
ci.pvArg0 = MapPtrToProcess(_T( " test.dll " ),GetCurrentProcess());
HINSTANCE hInst = (HINSTANCE) PerformCallBack4( & ci, 0 , 0 , 0 );
// NOTE(review): the branch is decided by GetLastError() alone; hInst itself is never
// checked, so a stale error code from an earlier API call decides the outcome here.
if ( 0 == GetLastError())
{
// (A "success" MessageBox was shown here in an earlier version; it is left out.)
// Resolve the exported function of the injected DLL (the original author marks this as the key step).
FARPROC pHook = GetProcAddress(hInst, (LPCTSTR)L " HelloWorld " );
ci.hProcess = hProcessDest;
// Second callback: this time the function address itself is passed, so the export runs inside the target.
ci.pFunction = (FARPROC)MapPtrToProcess(pHook, hProcessDest);
ci.pvArg0 = NULL; // HelloWorld takes no arguments
DWORD dw = PerformCallBack4( & ci, 0 , 0 , 0 );
// UninstallHook(hProcessDest,hInst);
SetKMode(bMode);
SetProcPermissions(dwPerm);
return ( bool )dw;
} else {
// BUG: tt is an uninitialized pointer and wsprintf writes through it — undefined
// behaviour, most likely a crash on the failure path. A local WCHAR array is needed here.
LPWSTR tt;
wsprintf(tt,TEXT( " GetLastError:%d " ),GetLastError());
MessageBox(NULL,tt,TEXT( " fail " ),MB_OK);
}
// Restore thread mode and permissions before reporting failure.
SetKMode(bMode);
SetProcPermissions(dwPerm);
return false ;
}
DLL的导出代码:
// Exported entry point of test.dll, invoked from the injecting process: it shows a
// "Hello World" dialog and reports success. Exported with C linkage so GetProcAddress
// finds it under its plain name.
//
// @return  always true
extern "C" __declspec(dllexport) bool WINAPI HelloWorld()
{
    const int buttonPressed = MessageBox(NULL, TEXT( " Hello World by 小金 " ), TEXT( " success " ), MB_OK);
    (void)buttonPressed; // the dialog result does not affect the return value
    return true ;
}
{
MessageBox(NULL,TEXT( " Hello World by 小金 " ),TEXT( " success " ),MB_OK);
return true ;
}