注入的一种方法

 

 

 

#include <windows.h>

#include <tlhelp32.h>

#include <shlwapi.h>

//#include <iostream.h>

//#include <fstream>

//#include <string.h>

//#include <sstream>

//using   namespace   std;  

#define PROC_NAME "iexplore.exe" 

#define DLL_NAME "dll.dll" 

 

void LoadDll(char *procName, char *dllName); 

unsigned long GetTargetThreadIdFromProcname(char *procName); 

 

int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow) 

{ 

    LoadDll(PROC_NAME, DLL_NAME); 

 

    return 0; 

} 

 

void LoadDll(char *procName, char *dllName) 

{ 

    HMODULE hDll; 

//    unsigned long cbtProcAddr; 

 

    hDll        = LoadLibrary(dllName); 

    //cbtProcAddr = GetProcAddress(hDll, "CBTProc"); 

    unsigned long kk = GetTargetThreadIdFromProcname(procName); 

    SetWindowsHookEx(WH_CBT,(long (__stdcall *)(int,unsigned int,long))GetProcAddress(hDll, "CBTProc"), hDll, kk); 

 

//    return TRUE; 

} 

 

unsigned long GetTargetThreadIdFromProcname(char *procName) 

{ 

   PROCESSENTRY32 pe; 

   HANDLE thSnapshot, hProcess; 

   BOOL retval, ProcFound = false; 

   unsigned long pTID, threadID; 

 

   thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 

 

   if(thSnapshot == INVALID_HANDLE_VALUE) 

   { 

      MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL); 

      return false; 

   } 

 

   pe.dwSize = sizeof(PROCESSENTRY32); 

 

    retval = Process32First(thSnapshot, &pe); 

 

   while(retval) 

   { //StrStrI(pe.szExeFile, procName);

      if(StrStrI(pe.szExeFile, procName))  

      { 

         ProcFound = true; 

         break; 

      } 

 

      retval    = Process32Next(thSnapshot,&pe); 

      pe.dwSize = sizeof(PROCESSENTRY32); 

   } 

 

   CloseHandle(thSnapshot); 

 

   _asm { 

      mov eax, fs:[0x18] 

      add eax, 36 

      mov [pTID], eax 

   } 

 

   hProcess = OpenProcess(PROCESS_VM_READ, false, pe.th32ProcessID); 

   ReadProcessMemory(hProcess, (const void *)pTID, &threadID, 4, NULL); 

   CloseHandle(hProcess); 

 

   return threadID; 

}