該樓層疑似違規已被系統折疊 隐藏此樓檢視此樓
然後建立一個win32 application 的工程 建立c++ source file 寫入:
#include
#include
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nShowCmd)
{
char DllName[MAX_PATH]="C:\\Program Files\\Microsoft Visual Studio\\MyProjects\\dll注入dll\\Debug\\dll注入dll.dll";//就是剛才寫的dll的位址+檔案名
HANDLE hProcessSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
PROCESSENTRY32 pe32={sizeof(pe32)};
if(Process32First(hProcessSnap,&pe32))
{
do
{
if(strcmp(pe32.szExeFile,"EXPLORER.EXE")==0) //我注入的是explorer
{
break;
}
}
while(Process32Next(hProcessSnap,&pe32));
}
DWORD TargetProcessId=pe32.th32ProcessID;
CloseHandle(hProcessSnap);
HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,TargetProcessId);
int cbSize=lstrlen(DllName)+1;
LPVOID lpRemoteDllName=VirtualAllocEx(hProcess,NULL,(DWORD)cbSize,MEM_COMMIT,PAGE_READWRITE);
WriteProcessMemory(hProcess,lpRemoteDllName,DllName,(DWORD)cbSize,NULL);
HMODULE hModule=GetModuleHandle("kernel32.dll");
LPTHREAD_START_ROUTINE pfnStartRoutine=(LPTHREAD_START_ROUTINE)GetProcAddress(hModule,"LoadLibraryA");
HANDLE hRemoteThread=CreateRemoteThread(hProcess,NULL,0,pfnStartRoutine,lpRemoteDllName,0,NULL);
WaitForSingleObject(hRemoteThread,INFINITE);
CloseHandle(hRemoteThread);
CloseHandle(hProcess);
return 0;
}
compile build之後執行,你就看到了一個messagebox,而在資料總管中則沒有這個程序。
當然,防毒軟體會報毒,說有木馬,别管就是了。有些低端的木馬是用了這個技術。