HOOK64 32转换

// Injection64bit.cpp : 定义控制台应用程序的入口点。
//

#include "stdafx.h"
#include <windows.h>
#include <Strsafe.h>

BOOL InjectDll(TCHAR szPath[MAX_PATH], DWORD dwPid);
// Entry point. Usage: <dll path> <target pid>. Exits silently (with status 0)
// when either argument is missing. The BOOL returned by InjectDll is not
// checked, so the process exit code is 0 whether or not the injection worked.
int _tmain(int argc, _TCHAR* argv[])
{
    if (argc < 3) exit(0);
    // 2nd command-line argument is the DLL path,
    // 3rd command-line argument is the PID of the process to inject into.
    // _wtoi yields 0 for a non-numeric string; that 0 is passed on as the PID
    // without any error being reported here.
    DWORD dwPid = _wtoi(argv[2]);
    InjectDll(argv[1], dwPid);
    return 0;
}

// InjectDll: loads the DLL at szPath into process dwPid by copying the path into
// the target's address space and running LoadLibraryW on a remote thread.
//   szPath: NUL-terminated DLL path, at most MAX_PATH TCHARs including the NUL.
//   dwPid : PID of the target process.
// Returns TRUE once the remote thread has finished, FALSE if any API call fails
// before that. NOTE(review): the remote thread's exit code (LoadLibraryW's
// return value) is never read, so TRUE does not prove the DLL actually loaded.
// The OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
// sequence below is the textbook remote-thread injection pattern; endpoint
// monitoring commonly keys on exactly this call chain.
BOOL InjectDll(TCHAR szPath[MAX_PATH], DWORD dwPid)
{
    // szPath: DLL path
    // dwPid : PID of the process to inject into
    // 1. Open the target process.
    // NOTE(review): PROCESS_ALL_ACCESS is far broader than what the calls below
    // need (memory operation/write and thread creation); least privilege would
    // request only those rights.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    if (!hProcess)
    {
        MessageBox(NULL, L"打开进程失败!", NULL, MB_OK);
        return FALSE;
    }
    // 2. Write the DLL path into the remote process's memory.
    // 2.1 Measure the DLL path.
    DWORD dwLength = 0;
    HRESULT hret = NULL;   // NULL is a pointer constant; an HRESULT is normally initialised with S_OK / 0
    // BUG(review): StringCchLength stores a size_t through its third argument.
    // On a 64-bit build size_t is 8 bytes while dwLength is a 4-byte DWORD, so
    // this cast makes the call write past dwLength on the stack (undefined
    // behaviour). dwLength should be declared size_t and the cast dropped.
    hret = StringCchLength(szPath, MAX_PATH, (size_t*)&dwLength);
    if (STRSAFE_E_INVALID_PARAMETER == hret)
    {
        CloseHandle(hProcess);
        MessageBox(NULL, L"DLL路径错误!", NULL, MB_OK);
        return FALSE;
    }
    // Byte count including the terminating NUL. Sized in TCHARs, yet the remote
    // entry point resolved in step 3 is LoadLibraryW, which expects a wide
    // string; this is only consistent in a UNICODE build (the L"" literals and
    // _wtoi in _tmain suggest that is the intended configuration).
    DWORD dwSize = (dwLength + 1)* sizeof(TCHAR);
    // 2.2 Allocate space in the target process to hold the DLL path.
    LPVOID lpVirAddr = NULL;
    lpVirAddr = VirtualAllocEx(hProcess,//process handle
        NULL,            //requested address (NULL: let the system choose)
        dwSize,            //size of the allocation in bytes
        MEM_COMMIT,        //allocation type
        PAGE_READWRITE);//page protection
    if (NULL == lpVirAddr)
    {
        CloseHandle(hProcess);
        MessageBox(NULL, L"内存申请失败!", NULL, MB_OK);
        return FALSE;
    }
    // 2.3 Copy the DLL path into the allocated memory.
    if (!WriteProcessMemory(
        hProcess,//process handle
        lpVirAddr,//destination address in the target
        szPath,//source buffer
        dwSize,//number of bytes to write
        NULL))//out: bytes actually written (not requested)
    {
        // lpVirAddr and hProcess are both known to be non-NULL at this point;
        // the guards below (and in the later failure paths) are redundant.
        if (lpVirAddr) VirtualFreeEx(hProcess, (PVOID)lpVirAddr, 0, MEM_RELEASE);
        if (hProcess) CloseHandle(hProcess);
        MessageBox(NULL, L"写入内存失败!", NULL, MB_OK);
        return FALSE;
    }
    // 3. Resolve LoadLibraryW in *this* process. The address is then used inside
    // the target (step 4), which relies on kernel32.dll being mapped at the same
    // base in both processes — true for processes of the same bitness, so a
    // 32-bit injector cannot use this address in a 64-bit target or vice versa.
    PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(
        GetModuleHandle(L"Kernel32"), "LoadLibraryW");
    if (!pfnThreadRtn)
    {
        if (lpVirAddr) VirtualFreeEx(hProcess, (PVOID)lpVirAddr, 0, MEM_RELEASE);
        if (hProcess) CloseHandle(hProcess);
        MessageBox(NULL, L"LoadLibraryW地址获取失败!", NULL, MB_OK);
        return FALSE;
    }
    // 4. Start a thread in the target that calls LoadLibraryW(lpVirAddr).
    HANDLE hThread = CreateRemoteThread(
        hProcess, //process handle
        NULL, //security attributes (default)
        0, //stack size (0: default)
        pfnThreadRtn, //thread start routine
        (PVOID)lpVirAddr, //argument: the remote copy of the DLL path
        0, //creation flags (0: run immediately)
        NULL); //out: thread id (not requested)
    if (NULL == hThread)
    {
        // Unlike the earlier failure paths, this one reports nothing to the user.
        if (lpVirAddr) VirtualFreeEx(hProcess, (PVOID)lpVirAddr, 0, MEM_RELEASE);
        if (hProcess) CloseHandle(hProcess);
        return FALSE;
    }
    // 5. Wait for the remote thread to finish. With INFINITE this blocks for as
    // long as LoadLibraryW (including the DLL's DllMain) takes; the wait result
    // is not checked.
    WaitForSingleObject(hThread, INFINITE);
    // 6. Release the remote buffer and close the handles. The wait in step 5 is
    // what makes freeing the path buffer safe here (assuming the wait succeeded).
    if (lpVirAddr) VirtualFreeEx(hProcess, (PVOID)lpVirAddr, 0, MEM_RELEASE);
    if (hThread) CloseHandle(hThread);
    if (hProcess) CloseHandle(hProcess);
    return TRUE;
}

 
