测试环境
系统:Windows 10 64bit
注入目标: Ps2模拟器
主要思路:
1.使用进程PID打开进程,获得句柄
2.使用进程句柄申请内存空间
3.把dll路径写入内存
4.创建远程线程,调用LoadLibrary
5.释放收尾工作或者卸载dll
主要函数:
主要代码:
// Loads the DLL whose path is PATH into the process with id szPid using the
// classic remote-thread sequence shown on this page: OpenProcess ->
// VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread(LoadLibrary).
// PATH is not defined on this page; it is presumably a TCHAR string (literal
// or global) holding the DLL path -- confirm where it is declared.
// Returns true only when every step reports success. NOTE(review): on most
// failure paths the handles opened so far are not closed (see inline notes).
bool InjectDll(SIZE_T szPid)
{
    //1. Remote-thread injection: open the target with the access rights the
    //   later calls need. NOTE(review): PROCESS_VM_OPERATION and
    //   PROCESS_VM_WRITE appear twice in the mask; harmless but should be
    //   removed.
    HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
        NULL, szPid);

    // NOTE(review): OpenProcess reports failure by returning NULL, not
    // INVALID_HANDLE_VALUE, so this check never fires and a NULL handle
    // flows into VirtualAllocEx below. The comparison should be against NULL.
    if (hProcess == INVALID_HANDLE_VALUE) {
        printf("打开进程失败!");
        return false;
    }
    //2. Allocate one page in the remote process to hold the path string.
    //   NOTE(review): the returned pointer is never checked for NULL, and
    //   PAGE_EXECUTE_READWRITE grants more than a string buffer needs --
    //   PAGE_READWRITE is sufficient for a LoadLibrary argument.
    LPVOID pszDllName = VirtualAllocEx(hProcess, NULL, 4096, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    //3. Copy the DLL path into the remote buffer.
    //   NOTE(review): the size argument MAX_PATH is in bytes, not characters,
    //   and is unrelated to the actual length of PATH: if PATH is shorter,
    //   the copy reads past the end of the source string; if TCHAR is wchar_t,
    //   a path longer than MAX_PATH/2 characters is written without its
    //   terminating NUL. The size should be derived from the real string
    //   length. On failure hProcess leaks and the remote page stays committed.
    TCHAR* szDllName = PATH;
    if (!WriteProcessMemory(hProcess, pszDllName, szDllName, MAX_PATH, NULL)) {
        return false;
    }
    //4. Start a thread in the remote process whose entry point is LoadLibrary
    //   and whose single argument is the remote copy of the path. The cast
    //   relies on LoadLibrary (the TCHAR-selected macro) taking one
    //   pointer-sized argument and returning a pointer-sized value, which is
    //   the LPTHREAD_START_ROUTINE shape. NULL is passed where the API takes
    //   a DWORD (creation flags); 0 is the clearer spelling.
    HANDLE hlnjecthread = CreateRemoteThread(
        hProcess,                            // remote process handle
        NULL,                                // security attributes
        0,                                   // stack size (default)
        (LPTHREAD_START_ROUTINE)LoadLibrary, // thread entry point
        pszDllName,                          // thread argument
        NULL,                                // creation flags (run immediately)
        NULL);                               // thread id (not needed)

    // NOTE(review): on this failure path hProcess and the remote page leak.
    if (hlnjecthread == NULL) {
        return false;
    }
    //5. Block until the remote thread (i.e. LoadLibrary) returns.
    //   -1 converts to 0xFFFFFFFF, which equals INFINITE; spell it INFINITE.
    //   dw is never read.
    DWORD dw = WaitForSingleObject(hlnjecthread, -1);
    //6. The thread exit code is LoadLibrary's return value (the module base).
    //   NOTE(review): dwExitCode stays uninitialized if GetExitCodeThread
    //   fails, because its return value is not checked; an exit code of 0
    //   means LoadLibrary failed but is not checked either; on a 64-bit
    //   target the upper half of the HMODULE is truncated. hMod is unused.
    DWORD dwExitCode;
    GetExitCodeThread(hlnjecthread, &dwExitCode);
    HMODULE hMod = (HMODULE)dwExitCode;
    //7. Free the remote buffer.
    //   NOTE(review): MEM_DECOMMIT only decommits the page; MEM_RELEASE with
    //   dwSize 0 returns the whole reservation. On failure hProcess leaks.
    if (!VirtualFreeEx(hProcess, pszDllName, 4096, MEM_DECOMMIT)) {
        return false;
    }
    // NOTE(review): hlnjecthread is never closed.
    CloseHandle(hProcess);

    return true;
}
DLL代码:
// MFC application-object initialization for the injected DLL. It writes a
// marker to the debugger output, prints the two values the globals point at,
// then overwrites both with the constant 5555555 and reports success.
// g_pCapital and g_pResources are declared elsewhere (not on this page);
// presumably pointers into the host process's memory -- confirm how and when
// they are assigned, because they are dereferenced here with no NULL check.
// NOTE(review): in a regular MFC DLL, InitInstance is reached from DllMain on
// DLL_PROCESS_ATTACH, i.e. under the loader lock -- keep the work here minimal.
BOOL CDllForPsApp::InitInstance()
{
    CWinApp::InitInstance();
    //__debugbreak();   // optional breakpoint for attaching a debugger; left disabled
    OutputDebugString(L"注入成功!");

    // Format the current values. "%d" assumes both globals point at ints --
    // verify against their declarations.
    CString Cstr;
    Cstr.Format(L"原资源:%d,原资源:%d",
        *g_pCapital, *g_pResources);
    // NOTE(review): GetBuffer() should be paired with ReleaseBuffer(); passing
    // Cstr directly (implicit LPCTSTR conversion) is the idiomatic form here.
    OutputDebugString(Cstr.GetBuffer());

    // Overwrite both target values with a fixed constant.
    *g_pCapital = 5555555;
    *g_pResources = 5555555;

    return TRUE;
}
注入效果:
