dll的寫法如下:
yufd.cpp
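#include <Windows.h>
#include <stdio.h>
#include "yufd.h"

// Scratch buffers. TxEntry writes the formatted process pseudo-handle into
// pcName; className and h are declared but not used by the code below.
char pcName[1024] = "";
char className[1024] = "";
HWND h = 0;

// Exported entry point of yufd.dll; the console program resolves it by name
// ("TxEntry") with GetProcAddress and calls it through a function pointer.
//
// Loops until GetCurrentProcess() yields a handle (it does so on the first
// pass: the pseudo-handle is never NULL), shows a message box whose title is
// the handle value, and returns 1. While it has no handle it shows a second
// box and sleeps two seconds before trying again.
//
// Fixes relative to the original: the handle is compared against NULL rather
// than ordered against 0 (a relational compare of a pointer with 0), and the
// "%d" argument is an int converted from the handle instead of the HANDLE
// itself, which is undefined for "%d" and truncates on 64-bit builds. The
// printed decimal value is unchanged on 32-bit builds.
extern "C" _declspec(dllexport) int TxEntry()
{
	//int id = GetCurrentProcessId();
	while (true)
	{
		//  EnumWindows(EnumWindowsProc,-1);   // enumerate all top-level windows
		//HWND h = FindWindow("QQTangWinClass","");
		HANDLE d = GetCurrentProcess();
		if (d != NULL)
		{
			sprintf_s(pcName, "%d", static_cast<int>(reinterpret_cast<INT_PTR>(d)));
			MessageBox(NULL, "成功", pcName, MB_ICONSTOP);
			break;
		}
		else
		{
			MessageBox(NULL, "還未", "d", MB_ICONSTOP);
		}
		Sleep(2000);
	}
	return 1;
}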
yufd.h
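#pragma once

// The declarations below use HWND, LPARAM, BOOL and CALLBACK, so the header
// pulls in the Windows SDK itself rather than relying on every including
// translation unit to have done so first. yufd.cpp already includes
// <Windows.h> before this file; the second include is guarded and harmless.
#include <Windows.h>

// Exported from yufd.dll and defined in yufd.cpp. The console program looks
// it up by name ("TxEntry") with GetProcAddress, so the exported name must
// stay unmangled (hence extern "C").
extern "C" _declspec(dllexport) int TxEntry();

// EnumWindows callback. No definition is shown in yufd.cpp; its only call
// site (in TxEntry) is commented out, so the missing definition does not
// break linking as long as that stays the case.
BOOL CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam);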
開始實現注入代碼:
// ConsoleApplication3.cpp : 定義控制台應用程序的入口點。 // #include "stdafx.h" #include "windows.h" #include "Tlhelp32.h" #include<stdio.h> #include<string> using namespace std; #define FLATJMPCODE_LENGTH 5 //x86 平坦內存模式下,絕對跳轉指令長度 #define FLATJMPCMD_LENGTH 1 //機械碼0xe9長度 #define FLATJMPCMD 0xe9 //對應匯編的jmp指令 // 記錄被打樁函數的內容,以便恢復 BYTE g_apiBackup[FLATJMPCODE_LENGTH+FLATJMPCMD_LENGTH]; bool setStub(LPVOID ApiFun,LPVOID HookFun) { HANDLE file_handler = GetCurrentProcess(); //獲取進程偽句柄 DWORD oldProtect,TempProtectVar; char newCode[6]; //用於讀取函數原有內存信息 int SIZE = FLATJMPCODE_LENGTH+FLATJMPCMD_LENGTH; //需要修改的內存大小 if(!VirtualProtectEx(file_handler,ApiFun,SIZE,PAGE_READWRITE,&oldProtect)) //修改內存為可讀寫 { return false; } if(!ReadProcessMemory(file_handler,ApiFun,newCode,SIZE,NULL)) //讀取內存 { return false; } memcpy((void*)g_apiBackup,(const void*)newCode, sizeof(g_apiBackup)); //保存被打樁函數信息 *(BYTE*)ApiFun = FLATJMPCMD; *(DWORD*)((BYTE*)ApiFun + FLATJMPCMD_LENGTH) = (DWORD)HookFun - (DWORD)ApiFun - FLATJMPCODE_LENGTH; //樁函數注入 VirtualProtectEx(file_handler,ApiFun,SIZE,oldProtect,&TempProtectVar); //恢復保護屬性 } void test() { MessageBox(NULL,"hook","",1); } int _tmain(int argc, _TCHAR* argv[]) { typedef int (*proc)(); HMODULE h=LoadLibrary("yufd.dll"); BYTE* v = (BYTE*)GetProcAddress(h,"TxEntry"); //v(); proc tt = (proc)v; tt(); string str ; //strcat(str,); str += "{"; for(int i=0;i<100;i++) { //printf("%d,",*(v+i)); char ss[10] ; sprintf_s(ss,"%d,", *(v+i)); str += ss; } str +="}"; FILE *file; errno_t err = fopen_s(&file,"log.txt","w"); if(err==0) { fprintf(file,"%s",str); } else { printf("Thefile'crt_fopen_s.c'wasnotopened\n"); } fclose(file); /*PROCESSENTRY32 uProcess; uProcess.th32ProcessID = warpid; CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,uProcess.th32ProcessID);*/ //{195} //HANDLE file_handler = GetCurrentProcess(); //獲取進程偽句柄 setStub(v,test); tt(); //system("pause"); return 0; }