DLL注入:改变程序运行流程使其主动加载目标DLL-CreateRemoteThread法

改变程序流程通常就是改变线程EIP、创建新线程或者修改目标进程的代码使其执行LoadLibrary来加载目标DLL。

CreateRemoteThread法:就是在目标进程中申请一块内存存储目标DLL路径,然后调用CreateRemoteThread创建一个线程,线程函数是LoadLibrary,参数是存放目标DLL路径的内存指针。

代码如下:

// Loads the DLL at dllPath into the process named targetProcName by creating a
// remote thread whose start routine is kernel32!LoadLibraryA and whose argument
// is a copy of the path written into the target's address space.
//
// targetProcName: executable name compared case-insensitively by GetProcessPid.
// dllPath:        ANSI path of the DLL; copied verbatim into the target.
// Returns nothing and reports every failure only via a cout message, so the
// caller cannot tell whether the injection succeeded.
//
// Review notes (defects visible in this routine, left as-is here):
//  - hProc, AllocatedMem and mHandle are never released: there is no
//    CloseHandle/VirtualFreeEx on any success or error path.
//  - PROCESS_ALL_ACCESS and PAGE_EXECUTE_READWRITE are both broader than a
//    string buffer needs; the allocation is only ever read as a path.
//  - WriteProcessMemory copies strlen(dllPath) bytes into a strlen+1 byte
//    allocation; the terminating NUL is supplied only by the freshly
//    committed page being zero-filled, not by the write itself.
//  - From a detection standpoint this OpenProcess -> VirtualAllocEx ->
//    WriteProcessMemory -> CreateRemoteThread(LoadLibraryA) sequence is the
//    textbook remote-thread injection pattern that endpoint monitoring
//    products key on.
void InjectDLL::InjectDLLToProcessMethodOne(wchar_t* targetProcName, char* dllPath)
{
	// GetProcessPid returns 0 both when the snapshot fails and when no process
	// matches; OpenProcess with PID 0 is then expected to fail and fall into
	// the error branch below, so the two causes are not distinguished here.
	DWORD targetPid = GetProcessPid(targetProcName);
	HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetPid);
	if (hProc == NULL)
	{
		cout << "进程加载错误!" << endl;
		return;
	}
	// Reserve+commit strlen+1 bytes in the target for the path string. The
	// LPTSTR cast is only cosmetic: the pointer is passed on as LPVOID.
	// NOTE(review): RWX protection is unnecessary for data that is never executed.
	LPTSTR AllocatedMem = (LPTSTR)VirtualAllocEx(hProc, NULL, strlen(dllPath)+1, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	if (AllocatedMem == NULL)
	{
		cout << "内存分配失败!" << endl;
		return; // hProc leaks here
	}
	// Writes strlen(dllPath) bytes, i.e. without the NUL; the allocation is one
	// byte larger and newly committed pages are zero-filled, which is what
	// terminates the string in the target.
	if (WriteProcessMemory(hProc, AllocatedMem, dllPath, strlen(dllPath), NULL) == 0)
	{
		cout << "dll路径写入失败!" << endl;
		return; // hProc and AllocatedMem leak here
	}
	// LoadLibraryA lives in kernel32.dll; GetModuleHandle can only look up
	// modules already mapped into the *current* process. The address obtained
	// here is used inside the target, so this presumably relies on kernel32
	// being mapped at the same base in both processes (same bitness) — confirm.
	HMODULE mKernel = GetModuleHandleA("kernel32");
	if (mKernel == NULL)
	{
		cout << "kernel32句柄获取失败!" << endl;
		return; // hProc and AllocatedMem leak here
	}
	LPTHREAD_START_ROUTINE lpStartAddress = (LPTHREAD_START_ROUTINE)GetProcAddress(mKernel, "LoadLibraryA");
	if (lpStartAddress == NULL)
	{
		cout << "获取LoadLibraryA失败" << endl;
		return; // hProc and AllocatedMem leak here
	}
	// The remote thread runs LoadLibraryA(AllocatedMem). The returned thread
	// handle is neither waited on nor closed, so the load result (and the
	// HMODULE the thread would return) is never observed.
	HANDLE mHandle = CreateRemoteThread(hProc, NULL, 0, lpStartAddress, AllocatedMem, 0, NULL);
	if (mHandle == NULL)
	{
		cout << "创建线程失败!" << endl;
		return; // hProc and AllocatedMem leak here
	}
}

// Looks up the PID of the first running process whose executable name matches
// processName (case-insensitive), using a Toolhelp process snapshot.
//
// processName: executable file name (e.g. the szExeFile form), compared with
//              _wcsicmp, so the PROCESSENTRY32 wide variant is assumed
//              (UNICODE build) — otherwise this would not type-check.
// Returns the PID of the first match in snapshot order, or 0 when the snapshot
// cannot be taken or nothing matches; the two failure causes share the same
// sentinel, so callers cannot tell them apart.
//
// Review notes (defects visible in this routine, left as-is here):
//  - lpSnapshot is never closed: every return path leaks the snapshot handle.
//  - The return value of Process32First is ignored; if it fails, the do/while
//    still compares the zero-initialised entry once before Process32Next
//    ends the loop.
//  - With several same-named processes only the first one in snapshot order
//    is reported.
DWORD InjectDLL::GetProcessPid(wchar_t* processName)
{
	HANDLE lpSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (INVALID_HANDLE_VALUE == lpSnapshot)
	{
		cout << "进程快照获取失败!" << endl;
		return 0;
	}
	// dwSize must be set before the first Toolhelp call or the call fails.
	PROCESSENTRY32 pe32 = { 0 };
	pe32.dwSize = sizeof(pe32);
	Process32First(lpSnapshot, &pe32); // return value unchecked
	do
	{
		if (_wcsicmp(processName, pe32.szExeFile) == 0)
			return pe32.th32ProcessID; // snapshot handle leaks here
	} while (Process32Next(lpSnapshot, &pe32));
	return 0; // not found; snapshot handle leaks here too
}

 
