C++注入记事本

 1 #include <iostream>;
 2 using namespace std;
 3 #include <windows.h>;
 4 #include <tlhelp32.h>;
 5 #include <tchar.h>;
 6 
 7 BOOL CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam);
 8 HWND GetMainWindow();
 9 
10 extern "C" BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
11 {
12     HWND hWnd;
13     HWND hParWnd, hButWnd;
14     int d, d1;
15     switch (fdwReason)
16     {
17     case DLL_PROCESS_ATTACH:
18 
19         hWnd = GetMainWindow();
20         if (hWnd)
21             hWnd = ::FindWindowEx(hWnd, 0, TEXT("EDIT"), NULL);
22         if (hWnd)
23         {
24             ::MessageBox(hWnd, TEXT("开始注入"), TEXT("提示"), MB_OK);
25             for (int i = 0; i < 100; i++)
26             {
27                 PostMessageW(hWnd, WM_CHAR, L'我', 1);
28                 PostMessageW(hWnd, WM_CHAR, L'喜', 1);
29                 PostMessageW(hWnd, WM_CHAR, L'欢', 1);
30                 PostMessageW(hWnd, WM_CHAR, L'你', 1);
31                 PostMessageW(hWnd, WM_KEYDOWN,VK_RETURN, 1);
32             }
33         }
34         else
35         {
36             ::MessageBox(hWnd, TEXT("记事本不存在"), TEXT("提示"), MB_OK);
37         }
38         break;
39     case DLL_PROCESS_DETACH:
40         // detach from process
41         break;
42 
43     case DLL_THREAD_ATTACH:
44         // attach to thread
45         break;
46 
47     case DLL_THREAD_DETACH:
48         // detach from thread
49         break;
50     }
51     return TRUE; // succesful
52 }
53 
54 BOOL CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam)
55 {
56     DWORD dwCurProcessId = *((DWORD*)lParam);
57     DWORD dwProcessId = 0;
58 
59     GetWindowThreadProcessId(hwnd, &dwProcessId);
60     if (dwProcessId == dwCurProcessId && GetParent(hwnd) == NULL)
61     {
62         *((HWND *)lParam) = hwnd;
63         return FALSE;
64     }
65     return TRUE;
66 }
67 
68 
69 HWND GetMainWindow()
70 {
71     DWORD dwCurrentProcessId = GetCurrentProcessId();
72     if (!EnumWindows(EnumWindowsProc, (LPARAM)&dwCurrentProcessId))
73     {
74         return (HWND)dwCurrentProcessId;
75     }
76     return NULL;
77 }

Dll文件

  1 #include <iostream>;
  2 using namespace std;
  3 #include <windows.h>;
  4 #include <tlhelp32.h>;
  5 #include <tchar.h>;
  6 
  7 HANDLE hThread = NULL;
  8 //进程名称查找进程ID
  9 DWORD ProcessFind(LPCTSTR Exename) //进程名称
 10 {
 11     HANDLE hProcess = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
 12     if (!hProcess)
 13     {
 14         return FALSE;
 15     }
 16     PROCESSENTRY32 info;
 17     info.dwSize = sizeof(PROCESSENTRY32);
 18     if (!Process32First(hProcess, &info))
 19     {
 20         return FALSE;
 21     }
 22     while (TRUE)
 23     {
 24         /*for (int i = 0; i <= 25; i++) {
 25             char c = info.szExeFile[i];
 26             cout << c;
 27         }*/
 28         cout << endl;
 29         if (_tcscmp(info.szExeFile, Exename) == 0)
 30         {
 31             return info.th32ProcessID;//返回进程的ID
 32         }
 33         if (!Process32Next(hProcess, &info))
 34         {
 35             return FALSE;
 36         }
 37     }
 38     return FALSE;
 39 
 40 }
 41 
 42 int dll_inject() {
 43     //Dll文件地址,改成你自己的地址
 44     const TCHAR *pLocDll = TEXT("F:\\工作\\项目\\控制台\\injection\\injection\\x64\\Release\\injectionDll.dll");
 45 
 46     HANDLE hThread = NULL;
 47 
 48     //记事本进程名称
 49     DWORD ProcessID = ProcessFind(TEXT("notepad.exe"));
 50     if (!ProcessID) {
 51         cout << "查找不到当前程序" << endl;
 52     }
 53     else {
 54         //获取进程ID
 55         HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, TRUE, ProcessID);
 56 
 57         //获取dll大小
 58         SIZE_T PathSize = (_tcslen(TEXT("injectionDll.dll")) + 1) * sizeof(TCHAR);
 59 
 60         //申请内存
 61         LPVOID StartAddress = VirtualAllocEx(hProcess, NULL, PathSize, MEM_COMMIT, PAGE_READWRITE);
 62 
 63         //写入内存
 64         bool bSuccess = WriteProcessMemory(hProcess, StartAddress, TEXT("injectionDll.dll"), PathSize, 0);
 65         if (!bSuccess)
 66         {
 67             cout << "写入失败" << endl;
 68         }
 69         else {
 70             //在寄主申请内存
 71             LPVOID strRmt = VirtualAllocEx(hProcess, nullptr, MAX_PATH, MEM_COMMIT, PAGE_READWRITE);
 72             //获得注入DLL大小
 73             size_t lenLocDll = 2 * _tcslen(pLocDll);
 74             //判断寄主申请内存是否成功
 75             if (strRmt) {
 76                 //把DLL写入寄主内存
 77                 BOOL ret = WriteProcessMemory(hProcess, strRmt, pLocDll, lenLocDll, nullptr);
 78                 //获得LoadLibraryW的函数地址以使用LoadLibrary函数
 79                 LPTHREAD_START_ROUTINE loadlib = LPTHREAD_START_ROUTINE(GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW"));
 80                 //注入
 81                 hThread = CreateRemoteThread(hProcess, nullptr, 0, loadlib, LPVOID(strRmt), 0, nullptr);
 82             }
 83             
 84             /*
 85             HANDLE hThread = CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("kernel32.dll")), "LoadLibrary"), StartAddress, 0, 0);*/
 86 
 87             if (hThread == NULL)
 88             {
 89                 cout << "在进程中注入失败:";
 90                 cout << GetLastError() << endl;
 91                 return -1;
 92             }
 93 
 94             WaitForSingleObject(hThread, INFINITE);
 95             //到这里已经完成dll的加载即注入了，通过dll函数执行我们要完成的任务
 96             //释放
 97             VirtualFreeEx(hProcess, StartAddress,0, MEM_RELEASE);
 98             CloseHandle(hThread);
 99             CloseHandle(hProcess);
100         }
101     }
102 }
103 int main()
104 {
105     dll_inject();
106     system("pause");
107 }

主程序

注入DLL之后释放失败了，每次注入过一次之后，第二次注入都要重启记事本才能重新注入，有没有大神告诉我怎么解决

posted on 2019-01-30 22:58 韦俊宇阅读(588) 评论(0) 编辑收藏举报