#include "pch.h"
#include"windows.h"
#include"tchar.h"
#pragma comment(lib,"urlmon.lib")
/* Module handle of this DLL, recorded by DllMain on every call; it is written
 * but never read in the code shown here. */
HMODULE g_hMod = NULL;
/*
 * Thread body started from DllMain on DLL_PROCESS_ATTACH.
 * Shows one blocking message box and then exits with code 0.
 * lParam is not used.
 */
DWORD WINAPI ThreadProc(LPVOID lParam)
{
    (void)lParam;
    MessageBox(NULL, TEXT("myhack.dll Injection!!!"), TEXT("warn"), MB_OK);
    return 0;
}
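/*
 * DLL entry point.
 *
 * On DLL_PROCESS_ATTACH it stores the module handle in g_hMod, writes a
 * marker string to the debugger output (this is what DebugView shows) and
 * starts ThreadProc on a fresh thread; presumably the MessageBox is moved
 * off DllMain so the blocking UI call does not run inside the loader call.
 * All other reasons are ignored. Always returns TRUE so the load proceeds.
 *
 * Fix over the original: CreateThread can return NULL, and the original
 * passed that NULL straight to CloseHandle; the handle is now checked.
 */
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    (void)lpReserved;
    g_hMod = hModule;
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        OutputDebugString(L"myhack.dll Injection!!!");
        {
            HANDLE hThread = CreateThread(NULL, 0, ThreadProc, NULL, 0, NULL);
            if (hThread != NULL) {
                /* The thread keeps running; only the local handle is released. */
                CloseHandle(hThread);
            }
        }
        break;
    default:
        break;
    }
    return TRUE;
}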
生成——生成解决方案
找到路径内的Dll2.dll
源代码:
#include
#include"tchar.h"
#include
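/*
 * Load the DLL at szDllPath into the process identified by dwPID
 * (the LoadLibrary-via-CreateRemoteThread example from the book cited
 * at the end of this page).
 *
 * dwPID     - target process id; OpenProcess() must succeed on it.
 * szDllPath - NUL-terminated path; it is copied into the target including
 *             the terminator and handed to LoadLibraryW as its argument.
 *             The local address of LoadLibraryW is used as the remote thread
 *             start, so the code relies on kernel32 being mapped at the same
 *             base in the target as in this process.
 *
 * Returns TRUE only when every step succeeded. On any failure the failing
 * call and GetLastError() are printed and FALSE is returned; the original
 * only checked OpenProcess and would continue with NULL buffers/handles and
 * leak hProcess on the way out, both of which are fixed here.
 *
 * Detection note: the OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx ->
 * WriteProcessMemory -> CreateRemoteThread(LoadLibraryW) sequence is the
 * textbook remote-thread injection pattern that Sysmon (Event ID 8) and
 * EDR products log, which is also how the tutorial's own observation tools
 * see it.
 */
BOOL InjectDll(DWORD dwPID, LPCTSTR szDllPath)
{
    BOOL bResult = FALSE;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    HMODULE hMod = NULL;
    LPVOID pRemoteBuf = NULL;
    LPTHREAD_START_ROUTINE pThreadProc = NULL;
    /* Byte count of the path including its terminating NUL. */
    DWORD dwBufSize = (DWORD)((_tcslen(szDllPath) + 1) * sizeof(TCHAR));

    /* 1. Obtain a handle to the target process from its PID. */
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
    if (hProcess == NULL) {
        _tprintf(L"OpenProcess(%lu) failed!![%lu]\n", dwPID, GetLastError());
        return FALSE;
    }

    /* 2. Allocate room for the path inside the target process. */
    pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE);
    if (pRemoteBuf == NULL) {
        _tprintf(L"VirtualAllocEx() failed!![%lu]\n", GetLastError());
        goto cleanup;
    }

    /* 3. Copy the DLL path into that memory. */
    if (!WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllPath, dwBufSize, NULL)) {
        _tprintf(L"WriteProcessMemory() failed!![%lu]\n", GetLastError());
        goto cleanup;
    }

    /* 4. Resolve the address of LoadLibraryW in this process. */
    hMod = GetModuleHandle(L"kernel32.dll");
    if (hMod == NULL) {
        _tprintf(L"GetModuleHandle(kernel32.dll) failed!![%lu]\n", GetLastError());
        goto cleanup;
    }
    pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hMod, "LoadLibraryW");
    if (pThreadProc == NULL) {
        _tprintf(L"GetProcAddress(LoadLibraryW) failed!![%lu]\n", GetLastError());
        goto cleanup;
    }

    /* 5. Run LoadLibraryW(pRemoteBuf) on a new thread in the target and wait for it. */
    hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, pRemoteBuf, 0, NULL);
    if (hThread == NULL) {
        _tprintf(L"CreateRemoteThread() failed!![%lu]\n", GetLastError());
        goto cleanup;
    }
    WaitForSingleObject(hThread, INFINITE);
    bResult = TRUE;

cleanup:
    if (hThread != NULL) {
        CloseHandle(hThread);
    }
    if (pRemoteBuf != NULL) {
        /* The path string is no longer needed once the remote thread has
         * finished (or was never started); the original leaked it. */
        VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);
    }
    CloseHandle(hProcess);
    return bResult;
}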
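/*
 * Program entry: Inject.exe <pid> <dll_path>.
 *
 * Parses the PID with _tcstoul so that a non-numeric argument is reported
 * as a usage error instead of silently becoming PID 0 (the original used
 * _tstol with no check). Returns 0 when InjectDll succeeded and 1 on a
 * usage error or injection failure; the original fell off the end of the
 * function and so reported success to the shell in every case.
 */
int _tmain(int argc, TCHAR *argv[])
{
    if (argc != 3) {
        _tprintf(L"USAGE : %s pid dll_path\n", argv[0]);
        return 1;
    }

    TCHAR *end = NULL;
    unsigned long ulPID = _tcstoul(argv[1], &end, 10);
    if (end == argv[1] || *end != TEXT('\0')) {
        _tprintf(L"USAGE : %s pid dll_path\n", argv[0]);
        return 1;
    }

    if (InjectDll((DWORD)ulPID, argv[2])) {
        _tprintf(L"InjectDll(\"%s\") sucess!!!\n", argv[2]);
        return 0;
    }
    _tprintf(L"InjectDll(\"%s\") failed!!!\n", argv[2]);
    return 1;
}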
生成——生成解决方案
将上一步生成的dll文件放入此文件夹
我把exe重命名为Inject.exe
dll重命名为myhack.dll
打开notepad.exe
下载链接:https://pan.baidu.com/s/1_ZFI4niw1rYRU_yvT2cUdA
提取码:tq41
打开process explorer
链接:https://pan.baidu.com/s/1OOTde_GjICum92wF4ktPug
提取码:1fhr
打开debugview
链接:https://pan.baidu.com/s/11gbzZrdYqO5LBgOojaDYHQ
提取码:x6g1
打开cmd,以管理员身份运行
cd到存放exe和dll文件的目录
输入 Inject.exe 20808 myhack.dll（其中 20808 是在 process explorer 中看到的 notepad.exe 的 PID，请换成你机器上实际的值）
输出如上图
再查看notepad
再查看process explorer
表示myhack.dll注入成功
参考书籍《逆向工程核心原理》