dll注入工具
今天因為測試東西,所以寫了一個向別的進程注入 dll 的小程序,代碼比較簡單,方法也很單一(用 CreateRemoteThread 在目標進程裡呼叫 LoadLibraryA,所以注入程序和目標進程必須是同一位數,32 位注入 64 位是不行的),不過有時候搞測試的時候又找不到這樣的工具,所以寫了一個.
使用方法:
/p [進程名]
/pid [進程id]
/d [要注入的dll]
/w [等待時間]
/p 和 /pid 後面可以同時跟多個參數,用逗號(,)連接,例如
/p notepad.exe,explorer.exe
/pid 1232,1345
/p 和 /pid 不要同時使用,不然最前面的不能被注入
下載
同時貼出源代碼:
#include <Windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
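/*
 * Resolve a comma-separated list of image names ("notepad.exe,explorer.exe")
 * to the process ids of every running process whose szExeFile matches one of
 * them case-insensitively.
 *
 * lpszProcess: NUL-terminated list, items separated by ','. Empty items
 *              ("a,,b", trailing ',') are ignored. Assumes a non-UNICODE
 *              build: the name is compared as a char string.
 * Returns a heap array allocated with new[] (free with delete[]) holding the
 * matching PIDs followed by a 0 terminator. Never returns NULL: when nothing
 * matches, or the snapshot cannot be taken, the array is just {0}.
 * At most MAX_TARGETS PIDs are collected; further matches are dropped.
 * A process is listed once even if its name appears twice in the list.
 *
 * Fixes relative to the first version: the split index was not reset after
 * re-basing the cursor (later items were missed and the copy could be read
 * past its end), the name table had no bound, the terminator could be written
 * one past the PID array, and the new[]'d copy was freed with delete.
 */
DWORD* FindTarget( LPCTSTR lpszProcess )
{
    enum { MAX_NAMES = 100, MAX_TARGETS = 100 };

    // One extra slot so the 0 terminator always fits after MAX_TARGETS PIDs.
    DWORD *pdwPids = new DWORD[MAX_TARGETS + 1];
    pdwPids[0] = 0;
    if (lpszProcess == NULL)
        return pdwPids;

    // Splitting writes NULs into the string, so work on a private copy.
    size_t len = strlen(lpszProcess);
    char *pszCopy = new char[len + 1];
    memcpy(pszCopy, lpszProcess, len + 1);

    // NULL-terminated table of item pointers into pszCopy.
    const char *names[MAX_NAMES + 1];
    int nNames = 0;
    char *tok = pszCopy;
    while (tok != NULL && nNames < MAX_NAMES) {
        char *comma = strchr(tok, ',');
        if (comma != NULL)
            *comma = '\0';
        if (*tok != '\0')
            names[nNames++] = tok;
        tok = (comma != NULL) ? comma + 1 : NULL;
    }
    names[nNames] = NULL;

    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot != INVALID_HANDLE_VALUE) {
        PROCESSENTRY32 pe32;
        pe32.dwSize = sizeof(pe32);
        DWORD nPids = 0;
        // Process32First can fail outright; do not assume a first entry exists.
        for (BOOL more = Process32First(hSnapshot, &pe32);
             more && nPids < MAX_TARGETS;
             more = Process32Next(hSnapshot, &pe32)) {
            for (int i = 0; names[i] != NULL; i++) {
                if (_stricmp(pe32.szExeFile, names[i]) == 0) {
                    pdwPids[nPids++] = pe32.th32ProcessID;
                    break;  // record each process once
                }
            }
        }
        pdwPids[nPids] = 0;
        CloseHandle(hSnapshot);
    }

    delete[] pszCopy;
    return pdwPids;
}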
?
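/* Upper bound on target PIDs accepted from /pid and /p combined. */
enum { MAX_PIDS = 100 };

/*
 * Append the PIDs in a comma-separated list ("1232,1345") to targets.
 * Items that are not a positive decimal number are reported and skipped
 * instead of being silently converted to 0 (which used to terminate the
 * list early). Items beyond MAX_PIDS are reported and dropped.
 * count is the number of entries already in targets and is updated in place.
 */
static void ParsePidList(const char *list, DWORD *targets, int *count)
{
    size_t len = strlen(list);
    char *copy = new char[len + 1];
    memcpy(copy, list, len + 1);

    char *tok = copy;
    while (tok != NULL) {
        char *comma = strchr(tok, ',');
        if (comma != NULL)
            *comma = '\0';
        if (*tok != '\0') {
            char *end = NULL;
            unsigned long pid = strtoul(tok, &end, 10);
            if (end == tok || *end != '\0' || pid == 0) {
                printf("Ignoring invalid pid '%s'\n", tok);
            } else if (*count < MAX_PIDS) {
                targets[(*count)++] = (DWORD)pid;
            } else {
                printf("Too many targets, ignoring pid %lu\n", pid);
            }
        }
        tok = (comma != NULL) ? comma + 1 : NULL;
    }
    delete[] copy;
}

/*
 * Load dllPath into process pid: write the path into the target and run
 * LoadLibraryA on it from a remote thread.
 *
 * The local address of LoadLibraryA is used as the remote thread start, which
 * is only valid when the target maps kernel32.dll at the same base as this
 * process, i.e. it has the same bitness; a target of the other bitness is not
 * supported by this technique.
 * waitMs bounds how long to wait for LoadLibraryA to return. If it does not
 * return in time the remote path buffer is deliberately left allocated: freeing
 * it while LoadLibraryA may still read it would corrupt the target.
 * Returns TRUE when the remote LoadLibraryA reported a non-NULL module.
 *
 * Fixes relative to the first version: OpenProcess returns NULL on failure
 * (not INVALID_HANDLE_VALUE, so the old check never fired); the access mask
 * lacked PROCESS_QUERY_INFORMATION and PROCESS_VM_READ, which CreateRemoteThread
 * documents as required; the bytes-written out-parameter is SIZE_T, so passing
 * a DWORD* overran it on 64-bit builds; CreateRemoteThread's handle was never
 * checked before use; the buffer was freed regardless of whether the wait
 * timed out; MEM_DECOMMIT left the reservation behind.
 */
static BOOL InjectDll(DWORD pid, const char *dllPath, DWORD waitMs)
{
    BOOL ok = FALSE;
    HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                                  PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
                                  FALSE, pid);
    if (hProcess == NULL) {
        printf("pid %lu: OpenProcess failed (error %lu)\n", pid, GetLastError());
        return FALSE;
    }

    SIZE_T size = strlen(dllPath) + 1;
    LPVOID remotePath = VirtualAllocEx(hProcess, NULL, size, MEM_COMMIT, PAGE_READWRITE);
    if (remotePath == NULL) {
        printf("pid %lu: VirtualAllocEx failed (error %lu)\n", pid, GetLastError());
        CloseHandle(hProcess);
        return FALSE;
    }

    SIZE_T written = 0;
    BOOL freeRemote = TRUE;
    HANDLE hThread = NULL;
    if (!WriteProcessMemory(hProcess, remotePath, dllPath, size, &written) || written != size) {
        printf("pid %lu: WriteProcessMemory failed (error %lu)\n", pid, GetLastError());
    } else {
        hThread = CreateRemoteThread(hProcess, NULL, 0,
                                     (LPTHREAD_START_ROUTINE)LoadLibraryA, remotePath, 0, NULL);
        if (hThread == NULL) {
            printf("pid %lu: CreateRemoteThread failed (error %lu)\n", pid, GetLastError());
        } else if (WaitForSingleObject(hThread, waitMs) != WAIT_OBJECT_0) {
            printf("pid %lu: LoadLibraryA did not return within %lu ms; remote buffer left in place\n",
                   pid, waitMs);
            freeRemote = FALSE;
        } else {
            // The thread exit code is LoadLibraryA's return value; 0 means the load
            // failed inside the target. On 64-bit targets the HMODULE is truncated
            // to 32 bits here, so a zero low half would read as a failure.
            DWORD exitCode = 0;
            if (GetExitCodeThread(hThread, &exitCode) && exitCode != 0)
                ok = TRUE;
            else
                printf("pid %lu: LoadLibraryA returned NULL in the target\n", pid);
        }
    }

    if (hThread != NULL)
        CloseHandle(hThread);
    if (freeRemote)
        VirtualFreeEx(hProcess, remotePath, 0, MEM_RELEASE);  // size must be 0 with MEM_RELEASE
    CloseHandle(hProcess);
    return ok;
}

/*
 * Entry point. Every option takes one value; /p and /pid may be repeated and
 * combined, their targets accumulate:
 *   /p   name[,name...]   every process with that image name (see FindTarget)
 *   /pid id[,id...]       explicit process ids
 *   /d   path             DLL to load; resolved to an absolute path first
 *   /w   ms               wait per target for LoadLibraryA (default 1000)
 * Returns 0 when every target was injected, 1 on a usage error or when any
 * injection failed. A failed target no longer aborts the remaining ones.
 */
int main(int argc, char *argv[])
{
    if (argc < 3) {
        printf("Need process name and dll name to inject!\n"
               "example: inject.exe /pid 1210 /d c:\\inject.dll\n");
        return 1;
    }

    DWORD targets[MAX_PIDS];
    int nTargets = 0;
    const char *dllArg = NULL;
    DWORD waitMs = 1000;

    for (int i = 1; i < argc; i++) {
        const char *opt = argv[i];
        // Reject a trailing option rather than reading argv[argc].
        if (i + 1 >= argc) {
            printf("Option %s needs a value\n", opt);
            return 1;
        }
        const char *val = argv[++i];
        if (_stricmp(opt, "/pid") == 0) {
            ParsePidList(val, targets, &nTargets);
        } else if (_stricmp(opt, "/p") == 0) {
            DWORD *found = FindTarget(val);
            for (int k = 0; found[k] != 0; k++) {
                if (nTargets < MAX_PIDS)
                    targets[nTargets++] = found[k];
                else
                    printf("Too many targets, ignoring pid %lu\n", found[k]);
            }
            delete[] found;
        } else if (_stricmp(opt, "/d") == 0) {
            dllArg = val;
        } else if (_stricmp(opt, "/w") == 0) {
            char *end = NULL;
            unsigned long w = strtoul(val, &end, 10);
            if (end == val || *end != '\0') {
                printf("Invalid wait time '%s'\n", val);
                return 1;
            }
            waitMs = (DWORD)w;
        } else {
            printf("Unknown option %s\n", opt);
            return 1;
        }
    }

    if (nTargets == 0) {
        printf("No matching process found!\n");
        return 1;
    }
    if (dllArg == NULL) {
        printf("must have a dll for inject!\n");
        return 1;
    }

    // LoadLibraryA in the target applies the target's own search order to a
    // relative name and could load a different file than the one meant here,
    // so resolve the path in this process and check it exists before injecting.
    char dllPath[MAX_PATH];
    DWORD n = GetFullPathNameA(dllArg, sizeof dllPath, dllPath, NULL);
    if (n == 0 || n >= sizeof dllPath) {
        printf("Cannot resolve dll path %s\n", dllArg);
        return 1;
    }
    if (GetFileAttributesA(dllPath) == INVALID_FILE_ATTRIBUTES) {
        printf("dll not found: %s\n", dllPath);
        return 1;
    }

    int failed = 0;
    for (int i = 0; i < nTargets; i++) {
        if (!InjectDll(targets[i], dllPath, waitMs))
            failed++;
    }
    return failed == 0 ? 0 : 1;
}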
轉載于:https://www.cnblogs.com/lifeengines/archive/2006/11/21/566791.html
總結