首先感谢宇宙青年Yonsm提供的例子,源代码我也下来看了,不过多了点-_-最后还是自己写了个简洁的。
代码同时参考了Yonsm和一篇国外的文章,已经实际测试能用。
以下代码演示将test.dll注入电话进程并触发test.dll里的导出函数HelloWorld
首先是注入的exe:
代码:
//取得CProg.exe进程句柄的OpenProcess就不贴了,大家都知道@@
//卸载钩子函数
bool UninstallHook(HANDLE hProcessDest,HINSTANCE hInst){
CALLBACKINFO ci;
ci.hProcess = hProcessDest;
ci.pFunction = (FARPROC)MapPtrToProcess(GetProcAddress(GetModuleHandle(L"COREDLL"), L"FreeLibrary"), hProcessDest);
ci.pvArg0 = hInst; //HINSTANCE returned by LoadLibrary
DWORD dw = PerformCallBack4(&ci, 0,0,0); //returns 1 if correctly unloaded
return (bool)dw;
}
//安装钩子
bool InstallHook( HANDLE hProcessDest )
{
BOOL bMode = SetKMode(TRUE);
DWORD dwPerm = SetProcPermissions(0xFFFFFFFF);
CALLBACKINFO ci;
ci.hProcess = hProcessDest;
ci.pFunction = (FARPROC)GetProcAddress(GetModuleHandle( _T("coredll.dll") ),_T("LoadLibraryW") );
ci.pvArg0 = MapPtrToProcess(_T("test.dll"),GetCurrentProcess()); //先注入dll
HINSTANCE hInst = (HINSTANCE) PerformCallBack4(&ci,0,0,0);
if ( 0 == GetLastError())
{
//MessageBox(NULL,TEXT("Success inje"),TEXT("success"),MB_OK);// (NULL,TEXT("PerformCallBack4() run successful......\n",TEXT("test"),MB_OK));
//get the proc address
FARPROC pHook = GetProcAddress(hInst, (LPCTSTR)L"HelloWorld"); //关键的地方!获取注入dll的函数地址
ci.hProcess = hProcessDest;
ci.pFunction = (FARPROC)MapPtrToProcess(pHook, hProcessDest);
ci.pvArg0 = NULL;
DWORD dw = PerformCallBack4(&ci, 0, 0, 0); //再次注入!这次是函数地址!然后相关的导出函数就运作了
//UninstallHook(hProcessDest,hInst);
SetKMode(bMode);
SetProcPermissions(dwPerm);
return (bool)dw;
}else{
LPWSTR tt;
wsprintf(tt,TEXT("GetLastError:%d"),GetLastError());
MessageBox(NULL,tt,TEXT("fail"),MB_OK);
}
SetKMode(bMode);
SetProcPermissions(dwPerm);
return false;
}
代码:
extern "C" __declspec(dllexport) bool WINAPI HelloWorld()
{
MessageBox(NULL,TEXT("Hello World by 小金"),TEXT("success"),MB_OK);
return true;
}