本文介绍了一个C++程序示例,该程序能够将指定的DLL文件注入到目标进程中,并通过获取目标进程的线程ID来设置窗口钩子。涉及的技术包括使用Windows API函数如CreateToolhelp32Snapshot、Process32First等进行进程快照创建和遍历,以及LoadLibrary、GetProcAddress、SetWindowsHookEx等函数的应用。
#include <windows.h>
#include <tlhelp32.h>
#include <shlwapi.h>
//#include <iostream.h>
//#include <fstream>
//#include <string.h>
//#include <sstream>
//using namespace std;
#define PROC_NAME "iexplore.exe"
#define DLL_NAME "dll.dll"
void LoadDll(char *procName, char *dllName);
unsigned long GetTargetThreadIdFromProcname(char *procName);
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
LoadDll(PROC_NAME, DLL_NAME);
return 0;
}
void LoadDll(char *procName, char *dllName)
{
HMODULE hDll;
// unsigned long cbtProcAddr;
hDll = LoadLibrary(dllName);
//cbtProcAddr = GetProcAddress(hDll, "CBTProc");
unsigned long kk = GetTargetThreadIdFromProcname(procName);
SetWindowsHookEx(WH_CBT,(long (__stdcall *)(int,unsigned int,long))GetProcAddress(hDll, "CBTProc"), hDll, kk);
// return TRUE;
}
unsigned long GetTargetThreadIdFromProcname(char *procName)
{
PROCESSENTRY32 pe;
HANDLE thSnapshot, hProcess;
BOOL retval, ProcFound = false;
unsigned long pTID, threadID;
thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(thSnapshot == INVALID_HANDLE_VALUE)
{
MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL);
return false;
}
pe.dwSize = sizeof(PROCESSENTRY32);
retval = Process32First(thSnapshot, &pe);
while(retval)
{ //StrStrI(pe.szExeFile, procName);
if(StrStrI(pe.szExeFile, procName))
{
ProcFound = true;
break;
}
retval = Process32Next(thSnapshot,&pe);
pe.dwSize = sizeof(PROCESSENTRY32);
}
CloseHandle(thSnapshot);
_asm {
mov eax, fs:[0x18]
add eax, 36
mov [pTID], eax
}
hProcess = OpenProcess(PROCESS_VM_READ, false, pe.th32ProcessID);
ReadProcessMemory(hProcess, (const void *)pTID, &threadID, 4, NULL);
CloseHandle(hProcess);
return threadID;
}
扫一扫
1644
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
