WeChatFerry/SDK/injector.cpp

#include "injector.h"
// Load the DLL at dllPath into process `pid`: the wide path is copied into
// the target's address space and a remote thread is started at LoadLibrary
// with that buffer as its argument. Textbook CreateRemoteThread + LoadLibrary
// sequence; it is exactly the pattern endpoint monitoring flags, and it
// requires PROCESS_ALL_ACCESS on the target.
//
// Parameters:
//   pid     - target process id.
//   dllPath - NUL-terminated wide path of the DLL to load.
// Returns 0 on success, -1 if the remote buffer could not be allocated,
// -2 if the remote thread could not be created. The LoadLibrary result
// inside the target is not inspected, so 0 only means "thread ran".
int InjectDll(DWORD pid, const WCHAR *dllPath)
{
HANDLE hThread;
DWORD dwWriteSize = 0;
// 1. Open the target process and reserve memory in it.
// NOTE(review): OpenProcess is not checked; a NULL hProcess is passed
// straight into VirtualAllocEx below (that call then fails and reports -1).
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
// NOTE(review): only 1 byte is requested but wcslen(dllPath)*2+2 bytes are
// written in step 2; this relies on page-granular allocation — confirm, or
// request the real length.
LPVOID pRemoteAddress = VirtualAllocEx(hProcess, NULL, 1, MEM_COMMIT, PAGE_READWRITE);
// 2. Write the DLL path (string plus terminating NUL, 2 bytes per WCHAR)
// into the target's memory. The WriteProcessMemory result is not checked.
if (pRemoteAddress) {
WriteProcessMemory(hProcess, pRemoteAddress, dllPath, wcslen(dllPath) * 2 + 2, &dwWriteSize);
} else {
// Message text: "DLL path write failed".
MessageBox(NULL, L"DLL 路径写入失败", L"InjectDll", 0);
// NOTE(review): hProcess is leaked on this path.
return -1;
}
// 3. Start a remote thread so the target itself calls LoadLibrary(path).
// The wide literals above only compile with UNICODE defined, so LoadLibrary
// presumably resolves to LoadLibraryW, matching the wide buffer — confirm.
hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibrary, pRemoteAddress, NULL, NULL);
if (hThread) {
// -1 converts to 0xFFFFFFFF, i.e. INFINITE; EjectDll spells it INFINITE.
WaitForSingleObject(hThread, -1);
} else {
// Message text: "LoadLibrary call failed".
MessageBox(NULL, L"LoadLibrary 调用失败", L"InjectDll", 0);
// NOTE(review): pRemoteAddress and hProcess are leaked on this path.
return -2;
}
CloseHandle(hThread);
VirtualFreeEx(hProcess, pRemoteAddress, 0, MEM_RELEASE);
CloseHandle(hProcess);
return 0;
}
// Unload the DLL at dllPath from process `pid`: the wide path is copied into
// the target, a remote thread at GetModuleHandleW resolves it to a module
// handle (read back as the thread's exit code), and a second remote thread
// at FreeLibrary releases that handle.
//
// Parameters:
//   pid     - target process id.
//   dllPath - NUL-terminated wide path/name of the DLL to unload.
// Returns 0 on success, -1 if the remote buffer could not be allocated,
// -2 if the GetModuleHandleW thread could not be created, -3 if the
// FreeLibrary thread could not be created. A NULL module handle (DLL not
// loaded) is not detected; FreeLibrary is still invoked with it.
int EjectDll(DWORD pid, const WCHAR *dllPath)
{
// dwHandle receives the module handle via GetExitCodeThread.
DWORD dwHandle, dwID;
HANDLE hThread = NULL;
DWORD dwWriteSize = 0;
// NOTE(review): OpenProcess is not checked; a NULL hProcess flows into
// VirtualAllocEx below.
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
// NOTE(review): 1 byte requested, wcslen(dllPath)*2+2 bytes written next —
// same page-granularity reliance as InjectDll; confirm.
LPVOID pRemoteAddress = VirtualAllocEx(hProcess, NULL, 1, MEM_COMMIT, PAGE_READWRITE);
// Write the path (string plus NUL, 2 bytes per WCHAR); result unchecked.
if (pRemoteAddress)
WriteProcessMemory(hProcess, pRemoteAddress, dllPath, wcslen(dllPath) * 2 + 2, &dwWriteSize);
else {
// Message text: "DLL path write failed".
MessageBox(NULL, L"DLL 路径写入失败", L"EjectDll", 0);
// NOTE(review): hProcess is leaked on this path.
return -1;
}
// Have the target call GetModuleHandleW(path); its return value comes back
// as the thread exit code.
hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetModuleHandleW, pRemoteAddress, 0, &dwID);
if (hThread) {
WaitForSingleObject(hThread, INFINITE);
// NOTE(review): GetExitCodeThread yields a DWORD, so only the low 32 bits
// of the HMODULE survive — fine for a 32-bit target, suspect for a 64-bit
// one; confirm the intended target bitness.
GetExitCodeThread(hThread, &dwHandle);
} else {
// Message text: "GetModuleHandleW call failed!".
MessageBox(NULL, L"GetModuleHandleW 调用失败!", L"EjectDll", 0);
// NOTE(review): pRemoteAddress and hProcess are leaked on this path.
return -2;
}
CloseHandle(hThread);
// Have the target call FreeLibrary(handle) to unload the DLL.
hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)FreeLibrary, (LPVOID)dwHandle, 0, &dwID);
if (hThread) {
WaitForSingleObject(hThread, INFINITE);
} else {
// Message text: "FreeLibrary call failed!".
MessageBox(NULL, L"FreeLibrary 调用失败!", L"EjectDll", 0);
// NOTE(review): pRemoteAddress and hProcess are leaked on this path.
return -3;
}
CloseHandle(hThread);
VirtualFreeEx(hProcess, pRemoteAddress, 0, MEM_RELEASE);
CloseHandle(hProcess);
return 0;
}