- 注册时间
- 2011-3-6
- 最后登录
- 1970-1-1
该用户从未签到
|
注入所有满足条件的程序
我判断的是进程名
复制代码
const char* GName = "elementclient.exe";
以下为注入部分代码
HANDLE th = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
PROCESSENTRY32 pe32;
Process32First(th,&pe32);
DWORD dwProcessID = 0;
do
{
if(!strcmp(GName,pe32.szExeFile))
{
dwProcessID = pe32.th32ProcessID;
HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE,dwProcessID);
if(NULL == hProcess)
{
AfxMessageBox("打开进程失败!");
return;
}
// 向目标进程地址空间写入DLL名称
DWORD dwWritten;
LPCSTR lpszDll;
char path[1024];
CString tempDll;
WIN32_FIND_DATA fdata;
lpszDll = "MyHook.dll"; //此处设置Dll名称
GetCurrentDirectory(1024,path);
tempDll = path;
tempDll += "\\";
tempDll += lpszDll;
if (FindFirstFile(tempDll,&fdata)==INVALID_HANDLE_VALUE)
{
AfxMessageBox("DLL不存在,请检查!");
return;
}
DWORD dwSize = tempDll.GetLength() + 1;
LPVOID lpBuf = VirtualAllocEx( hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE );
if ( NULL == lpBuf )
{
CloseHandle( hProcess );
AfxMessageBox("申请内存出错!");
return;
// 失败处理
}
if ( WriteProcessMemory( hProcess, lpBuf, (LPVOID)tempDll.GetBuffer(tempDll.GetLength()), dwSize, &dwWritten ) )
{
// 要写入字节数与实际写入字节数不相等,仍属失败
if ( dwWritten != dwSize )
{
VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT );
CloseHandle( hProcess );
AfxMessageBox("写入内存大小不符!");
return;
// 失败处理
}
else
{
tempDll.ReleaseBuffer();
}
}
else
{
CloseHandle( hProcess );
AfxMessageBox("写入内存出错!");
return;
// 失败处理
}
// 使目标进程调用LoadLibrary,加载DLL
DWORD dwID;
LPVOID pFunc = LoadLibraryA;
HANDLE hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunc, lpBuf, 0, &dwID );
// 等待LoadLibrary加载完毕
WaitForSingleObject( hThread, INFINITE );
// 释放目标进程中申请的空间
VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT );
CloseHandle( hThread );
CloseHandle( hProcess ); }
} while (Process32Next(th,&pe32));
Dll入口处
InitInstance函数内加入
::CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)CreateDialogBox,(LPVOID)pCWndWGGameWg,NULL,NULL);
新建个函数
void CreateDialogBox(CMyHookDlg *pCWndWGGameWg)
{
HWND h = GetHwndByPid(GetCurrentProcessId());
DWORD GameTid =GetWindowThreadProcessId(h,NULL);
HHOOK keyhhk =SetWindowsHookEx(WH_KEYBOARD,(HOOKPROC)KeyboardProc,theApp.m_hInstance,GameTid);
bool hwndok = FALSE; //设置一个死循环
do
{
Sleep(10000); //延迟无意义
}while (hwndok == FALSE);
}
同时新增GetHwndByPid()函数
// 进程ID取窗口句柄
// 枚举窗口信息
typedef struct myWindowInfo
{
HWND hwnd1;
char WindowText[255];
char ClassName[255];
DWORD dwProcessId;
DWORD dwThreadId;
}WindowInfo;
typedef WindowInfo * PWindowInfo;
typedef WindowInfo * LPWindowInfo;
DWORD EnumWindowInfo(WindowInfo WInfo[]);
HWND m_hwndFind[100];
int m_num = 0 ;
BOOL CALLBACK EnumWindowsProc(HWND hWnd, LPARAM lParam)
{
//判断窗口是否可见
if(::GetWindowLong(hWnd,GWL_STYLE)& WS_VISIBLE)
{
m_hwndFind[m_num] = hWnd;//
m_num++;//
}
return true;
}
DWORD EnumWindowInfo(WindowInfo WInfo[])//枚举窗口信息,成功返回窗口数量,失败返回
{
int i = 0;
WindowInfo Winpro;
m_num=0;
::EnumWindows(EnumWindowsProc,NULL);
for(i = 0;i <m_num;i++)
{
Winpro.hwnd1 = m_hwndFind;
::GetWindowText(m_hwndFind,Winpro.WindowText,128);
::GetClassName(m_hwndFind,Winpro.ClassName,MAX_PATH-1);
Winpro.dwThreadId=::GetWindowThreadProcessId(m_hwndFind,&Winpro.dwProcessId);
WInfo=Winpro;
}
return i;
}
HWND GetHwndByPid(DWORD ProcessId)//进程ID取窗口句柄
{
WindowInfo WinInfo1[255];
HWND _hwnd=0;
DWORD aa=EnumWindowInfo(WinInfo1);
for (DWORD i=0;i<aa;i++)
{
if (WinInfo1.dwProcessId==ProcessId)
{
_hwnd=WinInfo1.hwnd1;
if (0 ==::GetWindowLong(WinInfo1.hwnd1,GWL_HWNDPARENT))
{
return WinInfo1.hwnd1;
}
}
}
return _hwnd;
} |
|
发表于 2012-10-17 21:15:03
