C++ - CreateRemoteThread DLL Injection [Windows 7]

Keywords: Windows Injection CreateRemoteThread DLL C++      Updated: 2023-10-16

Everywhere I look, the method of injecting via CreateRemoteThread is the same, but the method of grabbing the process ID is not... My function does return the correct process ID and I don't need any help with that part, so I'll leave it out and include only the actual injection.

I'm just learning DLL injection and trying it on notepad.exe. If the injection succeeds, Notepad's title changes from "Untitled - Notepad" to "Hooked".

#include <windows.h>
#include <strsafe.h>

#define DLL_NAME "injectme.dll"   // relative path: LoadLibraryA in the target resolves it against
                                  // the target's own search path, not the injector's directory
// ..... (process-ID lookup omitted by the author)

// Show the last Win32 error code as text. The original cast GetLastError() (a DWORD)
// to LPCWSTR, which passes an integer where MessageBox expects a string pointer.
static void ShowLastError(void)
{
    WCHAR msg[64];
    StringCbPrintfW(msg, sizeof(msg), L"Error code %lu", GetLastError());
    MessageBoxW(NULL, msg, L"An error occurred", MB_ICONERROR);
}

BOOL InjectRemoteThread(DWORD ProcessID)
{
    HANDLE RemoteProc;
    HANDLE RemoteThread;
    LPVOID MemAlloc;
    LPVOID LoadLibAddress;
    SIZE_T PathLen = strlen(DLL_NAME) + 1;   // include the terminating NUL

    // Process ID does show correctly!
    WCHAR id[100];
    StringCbPrintfW(id, sizeof(id), L"%lu", ProcessID); // confirmed by comparing with the ID shown in tasklist
    MessageBoxW(NULL, id, L"Process ID", MB_ICONINFORMATION);

    if ( !ProcessID )
    {
        ShowLastError();
        return FALSE;
    }
    RemoteProc = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, ProcessID);
    if ( !RemoteProc )
    {
        ShowLastError();
        return FALSE;
    }
    // kernel32.dll is mapped at the same base in every process, so the local address is valid remotely
    LoadLibAddress = (LPVOID)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
    MemAlloc       = VirtualAllocEx(RemoteProc, NULL, PathLen, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if ( !LoadLibAddress || !MemAlloc
         || !WriteProcessMemory(RemoteProc, MemAlloc, DLL_NAME, PathLen, NULL) )
    {
        ShowLastError();
        CloseHandle(RemoteProc);
        return FALSE;
    }
    RemoteThread = CreateRemoteThread(RemoteProc, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibAddress, MemAlloc, 0, NULL);
    if ( !RemoteThread )
    {
        ShowLastError();
        CloseHandle(RemoteProc);
        return FALSE;
    }
    // Wait for LoadLibraryA to finish before freeing the buffer it reads. The original freed it
    // immediately, and only after closing the process handle, so that free could never succeed.
    WaitForSingleObject(RemoteThread, INFINITE);
    CloseHandle(RemoteThread);
    VirtualFreeEx(RemoteProc, MemAlloc, 0, MEM_RELEASE);   // MEM_RELEASE cannot be combined with MEM_DECOMMIT
    CloseHandle(RemoteProc);
    return TRUE;
}

The DLL works when using someone else's injector, but I don't understand why...
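From the defender's side, the sequence the question's code performs (OpenProcess, VirtualAllocEx, WriteProcessMemory, then CreateRemoteThread with LoadLibraryA as the start routine) is exactly what Sysmon's Event ID 8 (CreateRemoteThread) records: the creating and target images, and the start address resolved to a module and exported function in StartModule / StartFunction. The Python below is an added example, not code from the question or the answer. It scans constructed, simplified records in that shape and flags any remote thread whose start routine is a LoadLibrary export, rating it higher when the creating process runs from outside the usual system directories. The flat "Key: Value|Key: Value" layout, the trusted-prefix allowlist and the sample values are assumptions for the example; only the field names follow Sysmon.

```python
"""Flag classic CreateRemoteThread + LoadLibrary DLL injection in Sysmon Event ID 8 records."""
from dataclasses import dataclass

# Thread start routines that mean "the remote thread's first act is to load a DLL",
# which is what the injector in the question arranges via CreateRemoteThread.
LOADLIBRARY_STARTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

# Directories a thread-creating process is normally expected to run from
# (constructed allowlist for this example; tune per environment).
TRUSTED_SOURCE_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample records, not real telemetry. A simplified flat rendering of the
# Sysmon fields (EventID, SourceImage, TargetImage, StartModule, StartFunction).
SAMPLE_EVENTS = [
    "EventID: 8|SourceImage: C:\\Users\\alice\\injector.exe|TargetImage: C:\\Windows\\System32\\notepad.exe"
    "|StartModule: C:\\Windows\\System32\\kernel32.dll|StartFunction: LoadLibraryA",
    "EventID: 8|SourceImage: C:\\Windows\\System32\\csrss.exe|TargetImage: C:\\Windows\\explorer.exe"
    "|StartModule: C:\\Windows\\System32\\ntdll.dll|StartFunction: RtlUserThreadStart",
    "EventID: 1|Image: C:\\Windows\\System32\\notepad.exe|CommandLine: notepad.exe",
    "EventID: 8|SourceImage: C:\\Program Files\\ExampleAV\\avsvc.exe|TargetImage: C:\\Windows\\explorer.exe"
    "|StartModule: C:\\Windows\\System32\\kernel32.dll|StartFunction: LoadLibraryW",
]


@dataclass
class Finding:
    source: str
    target: str
    start: str
    severity: str


def parse_event(line):
    """Parse one 'Key: Value|Key: Value' record into a dict of field -> value."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        if key:
            fields[key.strip()] = value.strip()
    return fields


def assess(fields):
    """Return a Finding for an Event ID 8 whose start routine is a LoadLibrary export, else None."""
    if fields.get("EventID") != "8":
        return None
    start = fields.get("StartFunction", "")
    if start not in LOADLIBRARY_STARTS:
        return None
    source = fields.get("SourceImage", "")
    # A LoadLibrary-started remote thread from a system or vendor directory still deserves a look
    # (security products do this), but one from a user-writable location is the injector pattern.
    severity = "medium" if source.lower().startswith(TRUSTED_SOURCE_PREFIXES) else "high"
    return Finding(source=source, target=fields.get("TargetImage", ""), start=start, severity=severity)


def scan(lines):
    """Run assess() over every record and keep the findings."""
    return [f for f in (assess(parse_event(line)) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.source} -> {finding.target} via {finding.start}")
```

Once the DLL has loaded, it also appears in the target's module list with its full path (the answer below shows why that path must be absolute), so an enumeration of notepad.exe's modules that looks for anything outside C:\Windows or Program Files is a second, independent check.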

I found the problem... I feel so stupid. For anyone running into a similar issue: don't use relative paths, use absolute paths.

I changed

#define DLL_NAME "injectme.dll"

to

// backslashes doubled so the compiler does not read "\U", "\D", etc. as escape sequences
#define DLL_NAME "C:\\Users\\Raikazu\\Documents\\Visual Studio 2012\\Projects\\Hooking\\Release\\injectme.dll"