DLL Injection and Unloading

2021-06-27 16:22:39

DLL injection can be used to write game-cheat programs and viruses, and it is not easily detected.

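    void CInjectDllToolDlg::StartInject(char *path, int pid)
    {
        // Assumed setup: open the target process and measure path (including the NUL)
        HANDLE hPro = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
        if (!hPro) return;
        SIZE_T pathLen = strlen(path) + 1;

        // Allocate memory in the target process to hold the path data
        LPVOID dllAddr = VirtualAllocEx(hPro, NULL, pathLen, MEM_COMMIT, PAGE_READWRITE);
        if (!dllAddr) { CloseHandle(hPro); return; }

        // Write path into the allocated memory
        SIZE_T wNum = 0;
        if (!WriteProcessMemory(hPro, dllAddr, path, pathLen, &wNum)) { CloseHandle(hPro); return; }

        // Get the address of the LoadLibrary function
        FARPROC pFun = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
        if (!pFun) { CloseHandle(hPro); return; }

        DWORD dwPid;   // receives the ID of the remote thread
        HANDLE hThread = CreateRemoteThread(hPro, NULL, 0, (LPTHREAD_START_ROUTINE)pFun, dllAddr, 0, &dwPid);
        if (!hThread)
        {
            DWORD errorNum = GetLastError();   // inspect errorNum to see why the call failed
            CloseHandle(hPro);
            return;
        }
        WaitForSingleObject(hThread, INFINITE);
        CloseHandle(hThread);
        CloseHandle(hPro);
    }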

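This only works on XP. On Windows 7, CreateRemoteThread can no longer be used freely; its return value is always NULL.

For the specific method, see the Kanxue (看雪) article "Some Problems and Solutions for Using CreateRemoteThread on Vista & Win7".

Unloading a DLL follows largely the same flow as injecting one: first create a process snapshot and find the corresponding module, get the address of FreeLibrary, then create a remote thread to unload it.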

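    #include <windows.h>
    #include <tlhelp32.h>   // CreateToolhelp32Snapshot, MODULEENTRY32

    void UnInjectDll(char *szDllName, DWORD dwPid)
    {
        // Create a snapshot of the modules loaded in the process
        HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPid);
        if (hSnap == INVALID_HANDLE_VALUE) return;
        MODULEENTRY32 me32 = {0};
        me32.dwSize = sizeof(MODULEENTRY32);
        BOOL isNext = Module32First(hSnap, &me32);
        BOOL flag = FALSE;
        while (isNext)
        {
            // Assumed match condition: module name equals szDllName
            if (_stricmp(me32.szModule, szDllName) == 0)
            {
                flag = TRUE;
                break;
            }
            isNext = Module32Next(hSnap, &me32);
        }
        CloseHandle(hSnap);
        if (flag == FALSE) return;

        HANDLE hPro = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
        if (!hPro) return;
        FARPROC pFun = GetProcAddress(GetModuleHandle("kernel32.dll"), "FreeLibrary");
        // FreeLibrary takes the module handle (HMODULE), not the module name
        HANDLE hThread = CreateRemoteThread(hPro, NULL, 0, (LPTHREAD_START_ROUTINE)pFun, me32.hModule, 0, NULL);
        if (!hThread)
        {
            CloseHandle(hPro);
            return;
        }
        AfxMessageBox("解除安裝成功");   // "Unloaded successfully"
        WaitForSingleObject(hThread, INFINITE);
        CloseHandle(hThread);
        CloseHandle(hPro);
    }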
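
From the defender's side, both routines above leave the same trace: a thread created in another process whose start address is a kernel32 loader export. The following is an added example, not code from the original post, that filters Sysmon Event ID 8 (CreateRemoteThread) records for that pattern. The sample events are constructed, and the name `remote_loader_threads` is hypothetical.

```python
# Added example: triage Sysmon Event ID 8 (CreateRemoteThread) records.
# Loader exports that take a single pointer argument and can therefore serve
# directly as a remote thread start routine, as in the code on this page.
LOADER_FUNCS = {"loadlibrarya": "load", "loadlibraryw": "load", "freelibrary": "unload"}
LOADER_MODULES = {"kernel32.dll", "kernelbase.dll"}

# Constructed sample records (not real telemetry); field names follow Sysmon Event ID 8.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceProcessId": 4120, "SourceImage": r"C:\Tools\InjectDllTool.exe",
     "TargetProcessId": 6024, "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll", "StartFunction": "LoadLibraryA"},
    {"EventID": 8, "SourceProcessId": 4120, "SourceImage": r"C:\Tools\InjectDllTool.exe",
     "TargetProcessId": 6024, "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "FreeLibrary"},
    # A remote thread with a non-loader start routine: must not match.
    {"EventID": 8, "SourceProcessId": 612, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetProcessId": 7300, "TargetImage": r"C:\Windows\System32\cmd.exe",
     "StartModule": r"C:\Windows\System32\KERNELBASE.dll", "StartFunction": "CtrlRoutine"},
    # A different event type (process creation): ignored.
    {"EventID": 1, "ProcessId": 6024, "Image": r"C:\Windows\System32\notepad.exe"},
]


def remote_loader_threads(events):
    """Return (source_pid, target_pid, action, start_function) per matching event."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 8:
            continue
        # Compare only the file name of the start module, case-insensitively.
        module = ev.get("StartModule", "").rsplit("\\", 1)[-1].lower()
        func = ev.get("StartFunction", "")
        action = LOADER_FUNCS.get(func.lower())
        if module not in LOADER_MODULES or action is None:
            continue
        hits.append((ev["SourceProcessId"], ev["TargetProcessId"], action, func))
    return hits


if __name__ == "__main__":
    for src, dst, action, func in remote_loader_threads(SAMPLE_EVENTS):
        print(f"PID {src} started a remote thread at {func} in PID {dst}: DLL {action}")
```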
