以下代码演示将test.dll注入电话进程并触发test.dll里的导出函数HelloWorld
首先是注入的exe:
//取得CProg.exe进程句柄的OpenProcess就不贴了,大家都知道@@
//卸载钩子函数
bool UninstallHook(HANDLE hProcessDest,HINSTANCE hInst){
CALLBACKINFO ci;
ci.hProcess = hProcessDest;
ci.pFunction = (FARPROC)MapPtrToProcess(GetProcAddress(GetModuleHandle(L"COREDLL"), L"FreeLibrary"), hProcessDest);
ci.pvArg0 = hInst; //HINSTANCE returned by LoadLibrary
DWORD dw = PerformCallBack4(&ci, 0,0,0); //returns 1 if correctly unloaded
return (bool)dw;
}
//安装钩子
bool InstallHook( HANDLE hProcessDest )
{
BOOL bMode = SetKMode(TRUE);
DWORD dwPerm = SetProcPermissions(0xFFFFFFFF);
CALLBACKINFO ci;
ci.hProcess = hProcessDest;
ci.pFunction = (FARPROC)GetProcAddress(GetModuleHandle( _T("coredll.dll") ),_T("LoadLibraryW") );
ci.pvArg0 = MapPtrToProcess(_T("test.dll"),GetCurrentProcess()); //先注入dll
HINSTANCE hInst = (HINSTANCE) PerformCallBack4(&ci,0,0,0);
if ( 0 == GetLastError())
{
//MessageBox(NULL,TEXT("Success inje"),TEXT("success"),MB_OK);// (NULL,TEXT("PerformCallBack4() run successful
\n",TEXT("test"),MB_OK));
//get the proc address
FARPROC pHook = GetProcAddress(hInst, (LPCTSTR)L"HelloWorld"); //关键的地方!获取注入dll的函数地址
ci.hProcess = hProcessDest;
ci.pFunction = (FARPROC)MapPtrToProcess(pHook, hProcessDest);
ci.pvArg0 = NULL;
DWORD dw = PerformCallBack4(&ci, 0, 0, 0); //再次注入!这次是函数地址!然后相关的导出函数就运作了
//UninstallHook(hProcessDest,hInst);
SetKMode(bMode);
SetProcPermissions(dwPerm);
return (bool)dw;
}else{
LPWSTR tt;
wsprintf(tt,TEXT("GetLastError:%d"),GetLastError());
MessageBox(NULL,tt,TEXT("fail"),MB_OK);
}
SetKMode(bMode);
SetProcPermissions(dwPerm);
return false;
}
//卸载钩子函数
bool UninstallHook(HANDLE hProcessDest,HINSTANCE hInst){
CALLBACKINFO ci;
ci.hProcess = hProcessDest;
ci.pFunction = (FARPROC)MapPtrToProcess(GetProcAddress(GetModuleHandle(L"COREDLL"), L"FreeLibrary"), hProcessDest);
ci.pvArg0 = hInst; //HINSTANCE returned by LoadLibrary
DWORD dw = PerformCallBack4(&ci, 0,0,0); //returns 1 if correctly unloaded
return (bool)dw;
}
//安装钩子
bool InstallHook( HANDLE hProcessDest )
{
BOOL bMode = SetKMode(TRUE);
DWORD dwPerm = SetProcPermissions(0xFFFFFFFF);
CALLBACKINFO ci;
ci.hProcess = hProcessDest;
ci.pFunction = (FARPROC)GetProcAddress(GetModuleHandle( _T("coredll.dll") ),_T("LoadLibraryW") );
ci.pvArg0 = MapPtrToProcess(_T("test.dll"),GetCurrentProcess()); //先注入dll
HINSTANCE hInst = (HINSTANCE) PerformCallBack4(&ci,0,0,0);
if ( 0 == GetLastError())
{
//MessageBox(NULL,TEXT("Success inje"),TEXT("success"),MB_OK);// (NULL,TEXT("PerformCallBack4() run successful
\n",TEXT("test"),MB_OK));//get the proc address
FARPROC pHook = GetProcAddress(hInst, (LPCTSTR)L"HelloWorld"); //关键的地方!获取注入dll的函数地址
ci.hProcess = hProcessDest;
ci.pFunction = (FARPROC)MapPtrToProcess(pHook, hProcessDest);
ci.pvArg0 = NULL;
DWORD dw = PerformCallBack4(&ci, 0, 0, 0); //再次注入!这次是函数地址!然后相关的导出函数就运作了
//UninstallHook(hProcessDest,hInst);
SetKMode(bMode);
SetProcPermissions(dwPerm);
return (bool)dw;
}else{
LPWSTR tt;
wsprintf(tt,TEXT("GetLastError:%d"),GetLastError());
MessageBox(NULL,tt,TEXT("fail"),MB_OK);
}
SetKMode(bMode);
SetProcPermissions(dwPerm);
return false;
}
DLL的导出代码:
extern "C" __declspec(dllexport) bool WINAPI HelloWorld()
{
MessageBox(NULL,TEXT("Hello World by 小金"),TEXT("success"),MB_OK);
return true;
}
{
MessageBox(NULL,TEXT("Hello World by 小金"),TEXT("success"),MB_OK);
return true;
}
