cyonjan/WeChatFerry
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
c8e6558cb6
WeChatFerry/sdk/injector.cpp

91 lines
2.8 KiB
C++
Raw Normal View History

Update Injector
2022-08-14 07:15:05 +08:00
#include "injector.h"
Initial commit
2021-02-12 23:21:57 +08:00
Bump gRPC
2022-10-15 20:25:42 +08:00
HANDLE InjectDll(DWORD pid, LPCWSTR dllPath, HMODULE *injectedBase)
Initial commit
2021-02-12 23:21:57 +08:00
{
HANDLE hThread;
Bump gRPC
2022-10-15 20:25:42 +08:00
SIZE_T cszDLL = (wcslen(dllPath) + 1) * sizeof(WCHAR);
// 1. 打开目标进程
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if (hProcess == NULL) {
MessageBox(NULL, L"打开进程失败", L"InjectDll", 0);
return NULL;
}
// 2. 在目标进程的内存里开辟空间
LPVOID pRemoteAddress = VirtualAllocEx(hProcess, NULL, cszDLL, MEM_COMMIT, PAGE_READWRITE);
if (pRemoteAddress == NULL) {
Update Injector
2022-08-14 07:15:05 +08:00
MessageBox(NULL, L"DLL 路径写入失败", L"InjectDll", 0);
Bump gRPC
2022-10-15 20:25:42 +08:00
return NULL;
Initial commit
2021-02-12 23:21:57 +08:00
}
Bump gRPC
2022-10-15 20:25:42 +08:00
// 3. 把 dll 的路径写入到目标进程的内存空间中
WriteProcessMemory(hProcess, pRemoteAddress, dllPath, cszDLL, NULL);
Update Injector
2022-08-14 07:15:05 +08:00
// 3. 创建一个远程线程,让目标进程调用 LoadLibrary
Bump gRPC
2022-10-15 20:25:42 +08:00
hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibrary, pRemoteAddress, 0, NULL);
if (hThread == NULL) {
Update Injector
2022-08-14 07:15:05 +08:00
MessageBox(NULL, L"LoadLibrary 调用失败", L"InjectDll", 0);
Bump gRPC
2022-10-15 20:25:42 +08:00
return NULL;
Initial commit
2021-02-12 23:21:57 +08:00
}
Bump gRPC
2022-10-15 20:25:42 +08:00
WaitForSingleObject(hThread, -1);
GetExitCodeThread(hThread, (LPDWORD)injectedBase);
Initial commit
2021-02-12 23:21:57 +08:00
CloseHandle(hThread);
Update Injector
2022-08-14 07:15:05 +08:00
VirtualFreeEx(hProcess, pRemoteAddress, 0, MEM_RELEASE);
Bump gRPC
2022-10-15 20:25:42 +08:00
// CloseHandle(hProcess); // Close when exit
return hProcess;
Initial commit
2021-02-12 23:21:57 +08:00
}
Bump gRPC
2022-10-15 20:25:42 +08:00
bool EjectDll(HANDLE process, HMODULE dllBase)
Initial commit
2021-02-12 23:21:57 +08:00
{
Bump gRPC
2022-10-15 20:25:42 +08:00
HANDLE hThread = NULL;
Initial commit
2021-02-12 23:21:57 +08:00
Update Injector
2022-08-14 07:15:05 +08:00
// 使目标进程调用 FreeLibrary卸载 DLL
Bump gRPC
2022-10-15 20:25:42 +08:00
hThread = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)FreeLibrary, (LPVOID)dllBase, 0, NULL);
if (hThread == NULL) {
Update Injector
2022-08-14 07:15:05 +08:00
MessageBox(NULL, L"FreeLibrary 调用失败!", L"EjectDll", 0);
Bump gRPC
2022-10-15 20:25:42 +08:00
return false;
Initial commit
2021-02-12 23:21:57 +08:00
}
Bump gRPC
2022-10-15 20:25:42 +08:00
WaitForSingleObject(hThread, INFINITE);
Update Injector
2022-08-14 07:15:05 +08:00
CloseHandle(hThread);
Bump gRPC
2022-10-15 20:25:42 +08:00
CloseHandle(process);
return true;
}
static void *GetFuncAddr(LPCWSTR dllPath, HMODULE dllBase, LPCSTR funcName)
{
HMODULE hLoaded = LoadLibrary(dllPath);
if (hLoaded == NULL) {
return NULL;
}
void *absAddr = GetProcAddress(hLoaded, funcName);
Format codes
2022-10-16 22:14:06 +08:00
DWORD offset = (DWORD)absAddr - (DWORD)hLoaded;
Bump gRPC
2022-10-15 20:25:42 +08:00
FreeLibrary(hLoaded);
return (void *)((DWORD)dllBase + offset);
}
bool CallDllFunc(HANDLE process, LPCWSTR dllPath, HMODULE dllBase, LPCSTR funcName, DWORD *ret)
{
void *pFunc = GetFuncAddr(dllPath, dllBase, funcName);
if (pFunc == NULL) {
return false;
}
HANDLE hThread = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)pFunc, NULL, 0, NULL);
if (hThread == NULL) {
return false;
}
WaitForSingleObject(hThread, INFINITE);
if (ret != NULL) {
GetExitCodeThread(hThread, ret);
}
CloseHandle(hThread);
return true;
Initial commit
2021-02-12 23:21:57 +08:00
}
Reference in New Issue Copy Permalink