Dll远程线程注入

测试环境
系统:Windows 10 64bit

注入目标: Ps2模拟器

主要思路:
1.使用进程PID打开进程,获得句柄

2.使用进程句柄申请内存空间

3.把dll路径写入内存

4.创建远程线程,调用LoadLibrary

5.收尾工作:释放申请的内存并关闭句柄,或者卸载dll

主要函数:

主要代码:

// Loads the DLL whose path is held in PATH into the process identified by szPid:
// open the process, allocate a page in it, copy the path there, start a remote
// thread at LoadLibrary with that page as its argument, wait for it, free the page.
// PATH is not defined in this listing; its declared size and encoding are unknown here.
// Returns true on success; false on any failure along the way.
// NOTE(review): this function leaks resources on most failure paths — see the
// per-step notes below (hProcess, the remote allocation and hlnjecthread).
bool InjectDll(SIZE_T szPid)
{
    //1. Remote-thread injection: open the target process.
    // NOTE(review): PROCESS_VM_OPERATION and PROCESS_VM_WRITE are listed twice; the
    // duplicates are harmless (bitwise OR) but should be dropped for readability.
    HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
        NULL, szPid);

    // NOTE(review): OpenProcess reports failure by returning NULL, not
    // INVALID_HANDLE_VALUE, so this check never fires and a failed open falls
    // through to the calls below with a NULL handle. The intended test is
    // `if (hProcess == NULL)`; GetLastError() would say why it failed.
    if (hProcess == INVALID_HANDLE_VALUE) {
        printf("打开进程失败!");
        return false;
    }
    //2. Allocate one page inside the remote process.
    // NOTE(review): the return value is not checked; a NULL pszDllName is passed on
    // to WriteProcessMemory and VirtualFreeEx. The page only ever holds a path
    // string, yet it is mapped writable AND executable — least privilege would be
    // PAGE_READWRITE. (Remote RWX allocations followed by CreateRemoteThread are
    // also exactly the sequence that endpoint detection tools alert on.)
    LPVOID pszDllName = VirtualAllocEx(hProcess, NULL, 4096, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    //3. Write the DLL path into the remote process.
    // NOTE(review): MAX_PATH is a character count, but WriteProcessMemory takes a
    // byte count. If TCHAR is wchar_t (UNICODE build) only the first MAX_PATH/2
    // characters of a long path are copied; and if PATH is shorter than MAX_PATH
    // bytes the copy reads past the end of the source buffer. Copying
    // (_tcslen(szDllName) + 1) * sizeof(TCHAR) bytes would be exact.
    // On failure here hProcess and the remote page are leaked.
    TCHAR* szDllName = PATH;
    if (!WriteProcessMemory(hProcess, pszDllName, szDllName, MAX_PATH, NULL)) {
        return false;
    }
    //4. Create the remote thread.
    // NOTE(review): LoadLibrary is a macro that resolves to LoadLibraryA or
    // LoadLibraryW depending on the build's UNICODE setting; the string written in
    // step 3 must use the matching character width or the load silently fails.
    HANDLE hlnjecthread = CreateRemoteThread(
        hProcess,                                 //remote process handle
        NULL,                                     //security attributes
        0,                                         //stack size (0 = default)
        (LPTHREAD_START_ROUTINE)LoadLibrary,     //thread start routine
        pszDllName,                                 //argument: the remote path buffer
        NULL,                                     //creation flags (0 = run immediately)
        NULL);                                     //thread id (not needed)

    // NOTE(review): on failure hProcess and the remote page are leaked.
    if (hlnjecthread == NULL) {
        return false;
    }
    //5. Wait for the remote thread to finish.
    // -1 converts to 0xFFFFFFFF, which is INFINITE; spelling it INFINITE is clearer.
    // dw is never read.
    DWORD dw = WaitForSingleObject(hlnjecthread, -1);
    //6. Read the thread exit code, i.e. LoadLibrary's return value (the DLL base).
    // NOTE(review): the return value of GetExitCodeThread is not checked, so
    // dwExitCode may be uninitialised. A thread exit code is 32 bits; on the 64-bit
    // target named at the top of this page an HMODULE is a 64-bit pointer, so this
    // value is at best truncated. hMod is never used.
    DWORD dwExitCode;
    GetExitCodeThread(hlnjecthread, &dwExitCode);
    HMODULE hMod = (HMODULE)dwExitCode;
    //7. Free the remote page.
    // NOTE(review): MEM_DECOMMIT with a size leaves the reservation in place;
    // MEM_RELEASE with dwSize = 0 would return the whole region. On failure
    // hProcess is leaked. hlnjecthread is never closed on any path.
    if (!VirtualFreeEx(hProcess, pszDllName, 4096, MEM_DECOMMIT)) {
        return false;
    }
    CloseHandle(hProcess);

    return true;
}

DLL代码:

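// MFC application-object initialisation; runs once when this DLL is loaded into
// the host process. Logs a marker and the current values behind g_pCapital and
// g_pResources via OutputDebugString, then overwrites both with 5555555.
// g_pCapital / g_pResources are defined outside this listing and are
// dereferenced without a null check, so they must already point at valid memory
// in the host process before this runs.
// @return TRUE always; the base-class result is not propagated (as in the original).
BOOL CDllForPsApp::InitInstance()
{
    CWinApp::InitInstance();
    //__debugbreak();
    OutputDebugString(L"注入成功!");

    CString Cstr;
    // %d assumes both globals point at int-sized values — not visible here, confirm.
    Cstr.Format(L"原资源:%d,原资源:%d",
        *g_pCapital, *g_pResources);
    // GetString() yields a read-only pointer. The original used GetBuffer(), which
    // hands out a writable buffer and must be paired with ReleaseBuffer(); for a
    // plain read that pairing was missing.
    OutputDebugString(Cstr.GetString());

    *g_pCapital = 5555555;
    *g_pResources = 5555555;

    return TRUE;
}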

注入效果:


转载自www.cnblogs.com/Schicksal/p/11435081.html