C++编写一个注入的DLL
C++编写一个注入的DLL
简单的dll对话框
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
// DLL entry point. The only work done here is a one-shot message box when the
// DLL is first mapped into a process (DLL_PROCESS_ATTACH); the thread-attach,
// thread-detach and process-detach reason codes are ignored.
// NOTE(review): the literals are narrow strings, so this only compiles against
// the MessageBox macro in a multibyte (non-Unicode) project configuration, or
// would need MessageBoxA — confirm the project's character-set setting.
// NOTE(review): showing UI from DllMain runs under the loader lock, which the
// DllMain documentation advises against.
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
    (void)hModule;
    (void)lpReserved;
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        MessageBox(NULL, "Hooked", "OK", MB_OK);
    }
    return TRUE;
}
使用ollyDbg注入微信进程
1把微信进程附加打开
发现微信窗口都点不开，这里是因为附加后进程被直接暂停了
我们点击运行,窗口恢复
选择我们生成的DLL可执行文件
成功!
简单的C++ DLL注入程序
// dll 注入exe.cpp : 定义应用程序的入口点。
//
#include "framework.h"
#include "dll 注入exe.h"
#include "resource.h"
#include <stdio.h>
#include <TlHelp32.h>
#define MAX_LOADSTRING 100
// Dialog procedure for the injector's main dialog (defined further down).
// NOTE(review): declared without CALLBACK, so on 32-bit builds its calling
// convention does not match DLGPROC; on x64 the two are identical — confirm
// the target platform.
INT_PTR Dlgproc(
HWND unnamedParam1,
UINT unnamedParam2,
WPARAM unnamedParam3,
LPARAM unnamedParam4
);
// Global variables (Visual Studio Win32 template leftovers; none of them are
// referenced by the code visible in this listing):
HINSTANCE hInst; // current instance
WCHAR szTitle[MAX_LOADSTRING]; // title-bar text
WCHAR szWindowClass[MAX_LOADSTRING]; // main window class name
// Forward declarations of the template's window functions; their definitions
// are not visible in this listing.
ATOM MyRegisterClass(HINSTANCE hInstance);
BOOL InitInstance(HINSTANCE, int);
LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);
INT_PTR CALLBACK About(HWND, UINT, WPARAM, LPARAM);
// Program entry point. The whole UI is one modal dialog driven by Dlgproc; the
// dialog's return value is discarded and the process always exits with 0.
// None of the template parameters is used: the dialog resource is looked up
// with a NULL module handle rather than hInstance.
int APIENTRY wWinMain(_In_ HINSTANCE hInstance,
_In_opt_ HINSTANCE hPrevInstance,
_In_ LPWSTR lpCmdLine,
_In_ int nCmdShow)
{
    (void)hInstance;
    (void)hPrevInstance;
    (void)lpCmdLine;
    (void)nCmdShow;
    // Open the dialog; control returns here only once it has been closed.
    (void)DialogBox(NULL, MAKEINTRESOURCE(IDD_DLLEXE_DIALOG), NULL, Dlgproc);
    return 0;
}
// Absolute path of the DLL that will be loaded into the target process. It is
// a narrow (ANSI) string because the remote thread calls LoadLibraryA, and it
// is a hard-coded, user-specific path: the injector only works on a machine
// where this exact file exists.
char DllFileName[] = "C:\\Users\\Ninja\\Desktop\\wetool微信\\Wechathoot.dll";
// Number of bytes to copy into the target, including the terminating NUL;
// for an array initialised from a literal, sizeof is exactly strlen + 1.
DWORD dllPathSize = sizeof DllFileName;
// Dialog procedure for the injector dialog. It handles two messages, WM_COMMAND
// (the inject button) and WM_CLOSE, and returns FALSE (0) on every path, so the
// dialog manager still performs its default processing for each message.
// uLparam is never read.
//
// The WM_COMMAND branch is the textbook remote-thread DLL-injection sequence:
// OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread on
// kernel32!LoadLibraryA. From a detection standpoint this exact call chain is
// what Sysmon event 8 (CreateRemoteThread) and cross-process memory-write rules
// in EDR products are built around; afterwards the DLL path is visible in the
// target's address space and the DLL in its loaded-module list.
//
// Resource handling (left as review notes, not changed here): the snapshot
// handle, the process handle and the remote-thread handle are never closed,
// the remote buffer is never released with VirtualFreeEx, and every early
// return leaks whatever was acquired before it.
INT_PTR Dlgproc(HWND uHwnd,UINT uUint,WPARAM uWparam,LPARAM uLparam){
switch (uUint) {
case WM_COMMAND:
// NOTE(review): the whole wParam is compared, so this matches only when the
// HIWORD notification code is 0; LOWORD(uWparam) == IDD_INJECT is the usual
// control-id check — confirm which notifications the button sends.
if (uWparam == IDD_INJECT)
{
// Inject button clicked.
wchar_t buff[0x100] = { 0 };
DWORD weChatProcessId = 0;
// 1) Walk the system process list to find the WeChat process
//    (CreateToolhelp32Snapshot, Process32Next).
// NOTE(review): handle is not compared against INVALID_HANDLE_VALUE before
// use, and it is never closed.
HANDLE handle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
swprintf_s(buff, L"CreateToolhelp32Snapshot=%p", handle);
OutputDebugString(buff);
PROCESSENTRY32 processentry32 = { 0 };
// The structure must carry its own size before the first Process32* call.
processentry32.dwSize = sizeof(processentry32);
// NOTE(review): the documented iteration starts with Process32First; going
// straight to Process32Next relies on the snapshot's initial position — confirm.
BOOL next = Process32Next(handle, &processentry32);
while(next == TRUE) {
// Exact, case-sensitive match on the image name (wcscmp, not _wcsicmp).
if (wcscmp(processentry32.szExeFile , L"WeChat.exe") == 0) {
// This entry is the WeChat executable: remember its PID and stop.
weChatProcessId = processentry32.th32ProcessID;
break;
}
next = Process32Next(handle, &processentry32);
}
if (weChatProcessId == 0) {
MessageBox(NULL, L"没找到微信的进程!", L"错误", MB_OK);
return false;
}
// 2) Open the WeChat process and obtain a handle (OpenProcess).
//    bInheritHandle is TRUE although no child process is ever created.
HANDLE openHandle = OpenProcess(PROCESS_ALL_ACCESS, TRUE, weChatProcessId);
if (NULL == openHandle) {
MessageBox(NULL, L"打开微信的进程失败!", L"错误", MB_OK);
return false;
}
// 3) Commit dllPathSize bytes of read/write memory in the WeChat process to
//    hold the DLL path string (VirtualAllocEx).
LPVOID allocAddress = VirtualAllocEx(openHandle, NULL, dllPathSize, MEM_COMMIT, PAGE_READWRITE);
if (NULL == allocAddress) {
MessageBox(NULL, L"分配内存空间失败!", L"错误", MB_OK);
return false;
}
swprintf_s(buff, L"VirtualAllocEx=%p", allocAddress);
OutputDebugString(buff);
// 4) Copy the (narrow) DLL path into that buffer (WriteProcessMemory).
BOOL res = WriteProcessMemory(openHandle, allocAddress, DllFileName, dllPathSize, NULL);
if (res == 0) {
MessageBox(NULL, L"把DLL文件路径字符串写入到申请的内存空间失败!", L"错误", MB_OK);
return false;
}
// 5) Resolve LoadLibraryA from kernel32.dll in *this* process
//    (GetModuleHandle, GetProcAddress). hMODULE is not NULL-checked; a failed
//    module lookup only surfaces through the fARPROC check below. The local
//    address is reused in the target, which relies on kernel32.dll being
//    mapped at the same base in both processes.
HMODULE hMODULE = GetModuleHandle(L"kernel32.dll");
FARPROC fARPROC = GetProcAddress(hMODULE, "LoadLibraryA");
if (NULL == fARPROC) {
MessageBox(NULL, L" 从kerne32.dll中获取LoadLibraryA的函数地址失败!", L"错误", MB_OK);
return false;
}
// 6) Start a thread in WeChat whose entry point is LoadLibraryA and whose
//    argument is the remote path buffer (CreateRemoteThread) — i.e. run the
//    DLL's DllMain with DLL_PROCESS_ATTACH inside the target.
// NOTE(review): hANDLE is never closed.
HANDLE hANDLE = CreateRemoteThread(openHandle, NULL, 0,(LPTHREAD_START_ROUTINE ) fARPROC, allocAddress, 0, NULL);
if (NULL == hANDLE) {
MessageBox(NULL, L" 微信中启动内存指定了文件名路径诶DLL失败!", L"错误", MB_OK);
return false;
}
}
break;
case WM_CLOSE:
// Dialog close event. No default case: any other message falls through to
// the FALSE return below.
EndDialog(uHwnd, 0);
}
return false;
}
点击按钮后，可以看到这个远程线程已经在微信进程中了