In the previous article, "Remote Thread Injection", I described how to run your own code inside another process: define a thread function and write the code to execute in its body, use VirtualAllocEx to reserve memory in the target process for the thread body and for the string constants the thread uses, copy that data into the target's address space with WriteProcessMemory, and finally let the thread run in the target process with CreateRemoteThread. That method has to reserve enough space in the target process for the thread code and its constants, and that size is hard to determine; getting it wrong causes an error. Here I introduce another way to run your own code in another process: make the target process load a DLL of our own.

First we create the DLL module (later we will load it into the target process so that the target runs the code inside the DLL). The DLL we create is very simple: it gets the ID of the process it has been loaded into and displays it with the MessageBox function. More complex code could be written, of course, but we only want to show the method here, and this gives a visible result :). Below is the code of the DLL module (on this page the listing is cut off after the first `#include` line, whose header name was also lost):

```cpp
// test.dll source code
#include <windows.h>   // header name assumed; the rest of the DLL listing is missing from the page
```
The next step is to get the entry address of the LoadLibraryA function:

```cpp
PTHREAD_START_ROUTINE pfnLoadLibraryA =
    (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("Kernel32.dll"), "LoadLibraryA");
```

Because kernel32.dll is a core module of the system, the addresses of its functions are the same in every process, so the entry address of LoadLibraryA that we obtain in this process also applies to other processes (of the same bitness, that is: an address obtained in a 32-bit process does not apply to a 64-bit one).
Now all the pieces are in place. Finally we call CreateRemoteThread with the entry address of LoadLibraryA as the thread routine and the DLL's file name as its parameter, which makes the target process load our DLL. What code you want to run inside the DLL is up to you! That is the whole idea. The complete code is given below. The page's copy of the listing is damaged: it begins in the middle of GetSpecifiedProcessId, the body of EnableDebugPriv is missing, and it ends after the VirtualAllocEx check. The parts marked as reconstructed follow the standard EnumProcesses and AdjustTokenPrivileges patterns that the surviving variable names and calls imply; the remaining injection steps are not reconstructed.

```cpp
#include <windows.h>
#include <psapi.h>
#include <iostream>
#include <string>
#pragma comment(lib, "psapi.lib")

// Enable SeDebugPrivilege for this process so that OpenProcess succeeds on more targets.
// Only the call to this function survives on the page; this body is a reconstruction
// of the usual AdjustTokenPrivileges sequence.
void EnableDebugPriv()
{
    HANDLE hToken;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return;
    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
        AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
    CloseHandle(hToken);
}

// Return the ID of the first process whose executable name matches pszProcessName
// (case-insensitive), or 0 if no such process is found.
DWORD GetSpecifiedProcessId(const char* pszProcessName)
{
    // Reconstructed: the page's listing starts inside the EnumProcessModules condition.
    DWORD processId[1024], cbNeeded;
    if (!EnumProcesses(processId, sizeof(processId), &cbNeeded))
        return 0;
    DWORD count = cbNeeded / sizeof(DWORD);
    for (DWORD i = 0; i < count; i++) {
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, processId[i]);
        if (hProcess) {
            HMODULE hMod;
            char szProcessName[MAX_PATH] = "";
            if (EnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbNeeded)) {
                GetModuleBaseName(hProcess, hMod, szProcessName, sizeof(szProcessName));
                // _stricmp returns 0 on a match; the page had the '!' misplaced.
                if (!_stricmp(szProcessName, pszProcessName)) {
                    CloseHandle(hProcess);
                    return processId[i];
                }
            }
            CloseHandle(hProcess);   // the page closed only the last handle after the loop
        }
    }
    return 0;
}

int main(int argc, char* argv[])
{
    std::cout << "Please input the name of the target process!" << std::endl;
    // Wait for the process name to be typed in
    std::string strProcessName;
    std::cin >> strProcessName;
    // Use an absolute path to keep things simple
    char szDllPath[MAX_PATH] = "D:\\test.dll";
    char szFileName[MAX_PATH] = "D:\\test.dll";
    // Raise our privileges so that the target process can be opened
    EnableDebugPriv();
    if (strProcessName.empty()) {
        MessageBox(NULL, "The target process name is invalid!", "Notice", MB_ICONSTOP);
        return -1;
    }
    // Look up the process ID from the process name
    DWORD dwTargetProcessId = GetSpecifiedProcessId(strProcessName.c_str());
    HANDLE hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwTargetProcessId);
    if (!hTargetProcess) {
        MessageBox(NULL, "Open target process failed!", "Notice", MB_ICONSTOP);
        return -1;
    }
    // Size of the buffer needed for the DLL file name, including the terminating NUL
    int memorySize = (strlen(szDllPath) + 1) * sizeof(char);
    // Reserve space in the target process to hold the DLL file name
    char* pszFileNameRemote = (char*)VirtualAllocEx(hTargetProcess, 0, memorySize,
                                                    MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!pszFileNameRemote) {
        MessageBox(NULL, "Alloc DLL name string in target process failed!", "Notice", MB_ICONSTOP);
        CloseHandle(hTargetProcess);
        return -1;
    }
    // The page's listing ends here. The remaining steps (copying the DLL name into the
    // reserved space, starting the remote thread at pfnLoadLibraryA, cleanup) are only
    // described in the text above and are not reconstructed.
    CloseHandle(hTargetProcess);
    return 0;
}
```
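A defender-side check that follows from the above, added here as an example and not part of the original article: a DLL loaded this way appears in the target's module list, just as the page's own GetModuleBaseName call sees the main module, so enumerating every process's modules and flagging those loaded from outside the OS and program directories (a path like D:\test.dll, for instance) surfaces this kind of injection. The set of trusted directories is an assumption; adjust it for your environment.

```powershell
# Added example (not from the original article): report modules loaded from outside
# the trusted directories for every process this session is allowed to inspect.
# Run from an elevated prompt so that other users' processes can be opened.
$trusted = @(
    $env:SystemRoot,
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)},
    "$env:ProgramData\Microsoft"
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }   # assumed allow-list

Get-Process | ForEach-Object {
    $proc = $_
    # Access denied (protected processes) or a bitness mismatch throws here; skip those.
    try { $mods = $proc.Modules } catch { return }
    foreach ($m in $mods) {
        $path = $m.FileName
        if (-not $path) { continue }
        $isTrusted = $false
        foreach ($dir in $trusted) {
            if ($path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
                $isTrusted = $true
                break
            }
        }
        if (-not $isTrusted) {
            [pscustomobject]@{
                Process   = $proc.ProcessName
                ProcessId = $proc.Id
                Module    = $path
            }
        }
    }
} | Sort-Object Process, Module -Unique | Format-Table -AutoSize
```

A PowerShell of one bitness may see only part of the module list of a process of the other bitness, so run the check from both a 32-bit and a 64-bit shell on a 64-bit system. Treat hits as leads rather than verdicts: legitimately installed software outside the allow-list will show up too.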