注入Dll：

1，OpenProcess獲得要注入進程的句柄

2，VirtualAllocEx在遠程進程中開辟出一段內存，長度為strlen(dllname)+1;

3，WriteProcessMemory將Dll的名字寫入第二步開辟出的內存中。

4，CreateRemoteThread將LoadLibraryA作為線程函數，參數為Dll的名稱，創建新線程

5，CloseHandle關閉線程句柄

卸載Dll：

1，CreateRemoteThread將GetModuleHandle注入到遠程進程中，參數為被注入的Dll名

2，GetExitCodeThread將線程退出的退出碼作為Dll模塊的句柄值。

3，CloseHandle關閉線程句柄

3，CreateRemoteThread將FreeLibraryA注入到遠程進程中，參數為第二步獲得的句柄值。

4，WaitForSingleObject等待對象句柄返回

5，CloseHandle關閉線程及進程句柄。

//Code?By?Pnig0s1992?

//Date:2012,3,13?

#include?<stdio.h>?

#include?<Windows.h>?

#include?<TlHelp32.h>?

?

?

DWORD?getProcessHandle(LPCTSTR?lpProcessName)//根據進程名查找進程PID?

{?

????DWORD?dwRet?=?0;?

????HANDLE?hSnapShot?=?CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);?

????if(hSnapShot?==?INVALID_HANDLE_VALUE)?

????{?

????????printf("\n獲得進程快照失敗%d",GetLastError());?

????????return?dwRet;?

????}?

?

????PROCESSENTRY32?pe32;//聲明進程入口對象?

????pe32.dwSize?=?sizeof(PROCESSENTRY32);//填充進程入口對象大小?

????Process32First(hSnapShot,&pe32);//遍歷進程列表?

????do??

????{?

????????if(!lstrcmp(pe32.szExeFile,lpProcessName))//查找指定進程名的PID?

????????{?

????????????dwRet?=?pe32.th32ProcessID;?

????????????break;?

????????}?

????}?while?(Process32Next(hSnapShot,&pe32));?

????CloseHandle(hSnapShot);?

????return?dwRet;//返回?

}?

?

INT?main(INT?argc,CHAR?*?argv[])?

{?

????DWORD?dwPid?=?getProcessHandle((LPCTSTR)argv[1]);?

????LPCSTR?lpDllName?=?"EvilDll.dll";?

????HANDLE?hProcess?=?OpenProcess(PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,dwPid);?

????if(hProcess?==?NULL)?

????{?

????????printf("\n獲取進程句柄錯誤%d",GetLastError());?

????????return?-1;?

????}?

????DWORD?dwSize?=?strlen(lpDllName)+1;??

????DWORD?dwHasWrite;?

????LPVOID?lpRemoteBuf?=?VirtualAllocEx(hProcess,NULL,dwSize,MEM_COMMIT,PAGE_READWRITE);?

????if(WriteProcessMemory(hProcess,lpRemoteBuf,lpDllName,dwSize,&dwHasWrite))?

????{?

????????if(dwHasWrite?!=?dwSize)?

????????{?

????????????VirtualFreeEx(hProcess,lpRemoteBuf,dwSize,MEM_COMMIT);?

????????????CloseHandle(hProcess);?

????????????return?-1;?

????????}?

?

????}else?

????{?

????????printf("\n寫入遠程進程內存空間出錯%d。",GetLastError());?

????????CloseHandle(hProcess);?

????????return?-1;?

????}?

?

????DWORD?dwNewThreadId;?

????LPVOID?lpLoadDll?=?LoadLibraryA;?

????HANDLE?hNewRemoteThread?=?CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)lpLoadDll,lpRemoteBuf,0,&dwNewThreadId);?

????if(hNewRemoteThread?==?NULL)?

????{?

????????printf("\n建立遠程線程失敗%d",GetLastError());?

????????CloseHandle(hProcess);?

????????return?-1;?

????}?

?

????WaitForSingleObject(hNewRemoteThread,INFINITE);?

????CloseHandle(hNewRemoteThread);?

?

????//準備卸載之前注入的Dll?

????DWORD?dwHandle,dwID;?

????LPVOID?pFunc?=?GetModuleHandleA;//獲得在遠程線程中被注入的Dll的句柄?

????HANDLE?hThread?=?CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)pFunc,lpRemoteBuf,0,&dwID);?

????WaitForSingleObject(hThread,INFINITE);?

????GetExitCodeThread(hThread,&dwHandle);//線程的結束碼即為Dll模塊兒的句柄?

????CloseHandle(hThread);?

????pFunc?=?FreeLibrary;?

????hThread?=?CreateRemoteThread(hThread,NULL,0,(LPTHREAD_START_ROUTINE)pFunc,(LPVOID)dwHandle,0,&dwID);?//將FreeLibraryA注入到遠程線程中去卸載Dll?

????WaitForSingleObject(hThread,INFINITE);?

????CloseHandle(hThread);?

????CloseHandle(hProcess);?

????return?0;?

}?

http://blog.51cto.com/pnig0s1992/804484

總結

以上是生活随笔為你收集整理的Dll注入经典方法完整版的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。