MyDll.h
#ifndef __MYDLL_H__
#define __MYDLL_H__
#include<CLIB_H\CLIB2_global.h>//包含CLIB0_print.h
//#include<transform\CLIB_transform.cpp>
#include <iostream>
using namespace std;
#include <stdio.h>
#include <Windows.h>
#include <TlHelp32.h>
#ifndef EXC
// EXC: export with C linkage (undecorated symbol name, so GetProcAddress("SetData") resolves).
// EX:  export with C++ linkage (mangled name); not used by the exported functions below.
#define EXC extern"C" __declspec(dllexport) //
#define EX __declspec(dllexport) //extern"C"
#endif
/**/
//---- Shared section --------------------------------------------------------
// The variables between the two data_seg pragmas live in section "MY_share",
// which the linker directive below marks read/write/SHARED: every process that
// maps this DLL sees (and can modify) the same page.
// NOTE(review): any process able to load this DLL can overwrite these values,
// and nothing here synchronises access to them, so readers must treat them as
// untrusted and racy; never store pointers or secrets in a shared section.
#pragma data_seg("MY_share")
int i共享G=-1;
//float *ΨLfG={0.0,0.0}; // wrong: brace-initialising a pointer with two floats
float ΨLfG[]={0.0,0.0};// ok
DWORD LiG[2]={0,0};// ok
#pragma data_seg()
#pragma comment(linker,"/section:MY_share,rws")
// Ordinary per-process global (outside the shared section). Defined in a header,
// so this header may be included by exactly one translation unit per binary.
volatile DWORD iG;
// Exported setter: publish `temp` into the cross-process shared section
// (i共享G and LiG[0]), reset the shared float, and echo through the project's
// PRINT macros. No locking — concurrent callers in other processes race.
EXC void SetData(int temp)
{
    const int value = temp;
    i共享G = value;
    LiG[0] = value;
    ΨLfG[0] = 0.56;
    PRINT1(+f,ΨLfG[0],f);
    PRINT1(+push_back,temp,d);
}
// Exported getter: dump the shared-section values and return the shared int.
// The int is converted to DWORD, so the -1 initial sentinel comes back as 0xFFFFFFFF.
EXC DWORD iGetData()
{
    PRINT3(,i共享G,LiG[0],ΨLfG[0],d,d,f);
    const DWORD result = (DWORD)i共享G;
    return result;
}
////////////////////////////////////////////
// Pointer type used to call ntdll!NtCreateThreadEx obtained via GetProcAddress.
// NOTE(review): NtCreateThreadEx is undocumented. This parameter list follows the
// commonly published, reverse-engineered prototype (ThreadHandle, DesiredAccess,
// ObjectAttributes, ProcessHandle, StartRoutine, Argument, CreateFlags, ZeroBits,
// StackSize, MaximumStackSize, AttributeList); the real function returns a 32-bit
// NTSTATUS rather than DWORD. Verify against the Windows builds you target.
typedef DWORD (WINAPI *♂Δ函數指針nt)
(
PHANDLE ThreadHandle,
ACCESS_MASK DesiredAccess,
LPVOID ObjectAttributes,
HANDLE ProcessHandle,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
BOOL CreateSuspended, // NOTE: BOOL is an int (the native flag word); 0 = start immediately
DWORD dwStackSize,
DWORD dw1,
DWORD dw2,
LPVOID Unknown
);
// x64 variant: the size-like arguments are passed as 64-bit values. Both
// hΔMyCreateRemoteThread* below cast to this variant unconditionally, so the
// code as written is only correct for 64-bit builds.
typedef DWORD64(WINAPI *♂Δ函數指針nt64)
(
PHANDLE ThreadHandle,
ACCESS_MASK DesiredAccess,
LPVOID ObjectAttributes,
HANDLE ProcessHandle,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
BOOL CreateSuspended,
DWORD64 dwStackSize,
DWORD64 Unknown1,
DWORD64 Unknown2,
LPVOID Unknown3
);
//==============================
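// Find the first running process whose image name equals lp尋找進程 (compared
// case-insensitively, matching Windows file-name semantics) and open it.
// Returns the opened process handle, or NULL (see GetLastError()) when the
// snapshot fails, no such process is running, or OpenProcess fails. The caller
// owns the returned handle and must CloseHandle() it.
// Fixes relative to the original: `th42ProcessID` (a typo that does not compile)
// -> th32ProcessID; Process32First's result is checked; a missing process no
// longer falls through to OpenProcess(..., 0); and the access mask is the
// minimum needed by the memory/thread operations in this file instead of
// PROCESS_ALL_ACCESS.
// NOTE(review): the PID can in principle be recycled between the snapshot and
// OpenProcess; callers that care should re-verify the image name on the handle.
HANDLE hΔ打開進程(LPCTSTR lp尋找進程)
{
    if (lp尋找進程 == NULL || *lp尋找進程 == 0)
    {
        SetLastError(ERROR_INVALID_PARAMETER);
        return NULL;
    }
    HANDLE h快照 = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (h快照 == INVALID_HANDLE_VALUE)
    {
        PRINT1(★獲得進程快照失敗:,GetLastError(),d);
        return NULL;
    }
    DWORD dw打開進程 = 0;
    PROCESSENTRY32 pe入口;
    ZeroMemory(&pe入口, sizeof(pe入口));
    pe入口.dwSize = sizeof(pe入口); // required by Process32First/Next
    printf("lp尋找進程= %s\n", lp尋找進程);
    if (Process32First(h快照, &pe入口))
    {
        do
        {
            if (lstrcmpi(pe入口.szExeFile, lp尋找進程) == 0)
            {
                dw打開進程 = pe入口.th32ProcessID;
                break;
            }
        } while (Process32Next(h快照, &pe入口));
    }
    CloseHandle(h快照);
    if (dw打開進程 == 0)
    {
        printf("★ process not found: %s\n", lp尋找進程);
        SetLastError(ERROR_NOT_FOUND);
        return NULL;
    }
    // Least privilege: exactly the rights CreateRemoteThread / VirtualAllocEx /
    // WriteProcessMemory / VirtualFreeEx need on the target.
    const DWORD dwAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    return OpenProcess(dwAccess, FALSE, dw打開進程);
}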
//========================================================
//========================================================
// Function-pointer shapes through which the injected thread routines call the
// callee whose absolute address is carried in 卍參數::ΨFunc.
// NOTE(review): all are __stdcall, yet main.cpp stores the address of printf
// (variadic, __cdecl). On x64 there is a single calling convention so this
// works; on x86 a __cdecl callee behind a __stdcall pointer unbalances the
// stack. Confirm before building 32-bit.
typedef DWORD (__stdcall* ♂ΔPrint)(LPCTSTR,...);//__stdcall
typedef DWORD (__stdcall* ♂cΔFUNC)(LPCTSTR);
typedef DWORD (__stdcall* ♂iΔFUNC)(DWORD);
typedef DWORD (__stdcall* ♂ΔFUNC)();
// Argument block copied into the target process and handed to the remote
// thread. The injected code may only dereference this block and the absolute
// pointers it carries, so everything the callee needs must be in here.
typedef struct sd參數
{
char c[100]; // text handed to the callee as its first argument (FuncTest2); a format string when the callee is printf
♂ΔFUNC ΨΔ;   // not used by the current thread routines
♂cΔFUNC ΨcΔ; // not used by the current thread routines
LPVOID ΨFunc;// absolute address of the callee (printf in main.cpp)
DWORD iFunc; // integer form of the callee address; unused, and too narrow for an x64 pointer
DWORD i;     // spare integer argument; unused
}卍參數;
// Thread routines below are copied byte-for-byte into the target process (see main.cpp),
// so they must only call through the absolute pointers carried in 卍參數.
//EXC DWORD __stdcall FuncTest2(卍參數 *&參數)//LPVOID LPVOID
// Remote thread routine. main.cpp copies this function's bytes into the target
// process, so it must stay self-contained and position-independent: no string
// literals, no direct calls, no globals — only the argument block and the
// absolute pointer stored in it.
// Calls the callee at 參數->ΨFunc with 參數->c as its single argument.
// NOTE(review): with printf as the callee, 參數->c *is* the format string; it
// must never carry untrusted text.
// Declared `void __stdcall` but started as an LPTHREAD_START_ROUTINE (DWORD
// WINAPI), so the remote thread's exit code is whatever is left in the return
// register.
void __stdcall FuncTest2(LPVOID 參數)
{
卍參數* Ψ參數 = (卍參數*)參數;
♂cΔFUNC ΨΔfunc = (♂cΔFUNC)Ψ參數->ΨFunc;ΨΔfunc(Ψ參數->c);
return ;
}
// Remote thread routine (copied byte-for-byte into the target, same constraints
// as FuncTest2). Calls the callee at 參數->ΨFunc with NO arguments.
// NOTE(review): main.cpp pairs this with printf, which does expect an argument;
// printf then reads its format string from whatever the first-argument register
// happens to hold. Prefer FuncTest2, which passes 參數->c explicitly.
void __stdcall FuncTest1(LPVOID 參數)
{
卍參數* Ψ參數 = (卍參數*)參數;
♂ΔFUNC ΨΔfunc = (♂ΔFUNC)Ψ參數->ΨFunc;ΨΔfunc();
}
// Empty __stdcall placeholder thread routine; intentionally does nothing.
void __stdcall FuncTest()
{
}
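// Exported helper: print `ch` to stdout with a fixed prefix.
// A NULL `ch` is printed as "(null)" instead of being handed to %s, which is
// undefined behaviour in standard C.
EXC void __stdcall MyPrint(char*ch)
{
    printf("▼ ch= %s\n", ch ? ch : "(null)");
}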
//------------------------------
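// Copy the NUL-terminated string `c` into `c2__`, always NUL-terminating the result.
// `cap` is the size of `c2__` in bytes; at most cap-1 characters are copied and a
// longer source is truncated. The default (no limit) keeps the original unbounded
// behaviour for existing callers, which must then guarantee `c2__` is large enough.
// A NULL `c` is treated as the empty string; a NULL `c2__` or cap==0 is a no-op.
inline void c_c(const char*c,char *c2__, size_t cap = (size_t)-1)
{
    if (c2__ == NULL || cap == 0)
        return;
    size_t n = (c != NULL) ? strlen(c) : 0;
    if (n > cap - 1)
        n = cap - 1;
    if (n != 0)
        memcpy(c2__, c, n);
    c2__[n] = '\0';
}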
//========================================
// True when the OS reports major version 6 or later (Vista / Server 2008+).
// NOTE(review): GetVersionEx is deprecated and, for binaries without a
// compatibility manifest, may under-report the version on Windows 8.1+; that
// still yields a major version >= 6 here, so the result is unaffected.
bool bΔvista之后()
{
    OSVERSIONINFO osvi = {0};
    osvi.dwOSVersionInfoSize = sizeof(osvi);
    // Result deliberately not inspected: on failure dwMajorVersion stays 0 -> false.
    (void)GetVersionEx(&osvi);
    return osvi.dwMajorVersion >= 6;
}
// Raise the current process's privileges (enable SeDebugPrivilege).
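// Enable SeDebugPrivilege on the current process token.
// Returns TRUE only when the privilege is actually enabled. AdjustTokenPrivileges
// returns TRUE even when the token does not hold the privilege (e.g. non-admin)
// and only reports ERROR_NOT_ALL_ASSIGNED via GetLastError(), so that case is
// checked explicitly. The original also ignored a LookupPrivilegeValue failure
// and then adjusted an uninitialised LUID.
BOOL bΔEnableDebugPrivilege()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return FALSE;
    BOOL fOk = FALSE;
    TOKEN_PRIVILEGES tp;
    ZeroMemory(&tp, sizeof(tp));
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid) &&
        AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL) &&
        GetLastError() != ERROR_NOT_ALL_ASSIGNED)
    {
        fOk = TRUE;
    }
    CloseHandle(hToken);
    return fOk;
}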
//==== Enable SeDebugPrivilege so other processes can be opened ====================
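// Enable SeDebugPrivilege on the current process token (needed to open
// processes of other users or protected ones).
// Returns true only if the privilege is now enabled: AdjustTokenPrivileges
// succeeds even when the token lacks the privilege and merely sets
// ERROR_NOT_ALL_ASSIGNED, which the original reported as success.
bool bΔ訪問權限()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return false;
    bool enabled = false;
    TOKEN_PRIVILEGES tkp;
    ZeroMemory(&tkp, sizeof(tkp));
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid) &&
        AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL) &&
        GetLastError() != ERROR_NOT_ALL_ASSIGNED)
    {
        enabled = true;
    }
    CloseHandle(hToken);
    return enabled;
}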
//========================================================
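// Start a thread in h打開進程 at ΨΔ函數 (argument Ψ參數) via ntdll!NtCreateThreadEx,
// wait for it to finish, and return its handle. Returns NULL on any failure; the
// caller owns (and must close) a non-NULL result.
// Fixes relative to the original: the GetProcAddress result is checked instead
// of calling a NULL pointer (pre-Vista ntdll has no NtCreateThreadEx), the
// NTSTATUS result and the returned handle are checked, and the handle is
// closed when the wait fails instead of being leaked.
// NOTE(review): NtCreateThreadEx is undocumented; see the typedef for caveats.
// The unconditional cast to the 64-bit typedef is only correct in x64 builds.
HANDLE hΔMyCreateRemoteThread1(HANDLE h打開進程, LPTHREAD_START_ROUTINE ΨΔ函數, LPVOID Ψ參數)
{
    PRINT1(,bΔvista之后(),d);
    HMODULE hNtdll = GetModuleHandle("ntdll.dll");
    FARPROC ΨΔNtCreateThreadEx = hNtdll ? GetProcAddress(hNtdll, "NtCreateThreadEx") : NULL;
    if (ΨΔNtCreateThreadEx == NULL)
    {
        PRINT2(★,ΨΔNtCreateThreadEx,GetLastError(),d,d);
        return NULL;
    }
    HANDLE hRemoteThread = NULL;
    // 0x1FFFFF == THREAD_ALL_ACCESS (Vista+ value) for the new thread handle;
    // CreateFlags 0 = start immediately; zero stack sizes = process defaults.
    const DWORD64 status = ((♂Δ函數指針nt64)ΨΔNtCreateThreadEx)(&hRemoteThread, 0x1FFFFF, NULL, h打開進程, ΨΔ函數, Ψ參數, FALSE, 0, 0, 0, NULL);
    // NTSTATUS failures have the sign bit set; the value is in the low 32 bits.
    if ((LONG)(DWORD)status < 0 || hRemoteThread == NULL)
    {
        PRINT2(★,hRemoteThread,(DWORD)status,d,d);
        return NULL;
    }
    if (WaitForSingleObject(hRemoteThread, INFINITE) == WAIT_FAILED)
    {
        CloseHandle(hRemoteThread);
        return NULL;
    }
    return hRemoteThread;
}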
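// Start a thread in h打開進程 at ΨΔ函數 (argument Ψ參數), wait for it to finish,
// and return its handle (NULL on failure; the caller closes a non-NULL result).
// On Vista+ the original chose ntdll!NtCreateThreadEx (the reason is not
// recorded here); older systems use CreateRemoteThread.
// Fixes relative to the original: the GetProcAddress result, the NTSTATUS and
// the returned handle are checked before use, and the thread handle is closed
// when WaitForSingleObject fails instead of being leaked.
// NOTE(review): the NtCreateThreadEx prototype is unofficial — see the typedef.
HANDLE hΔMyCreateRemoteThread(HANDLE&h打開進程, LPTHREAD_START_ROUTINE ΨΔ函數, LPVOID Ψ參數)
{
    HANDLE hRemoteThread = NULL;
    //---- Vista, 7, Server 2008 and later --------------------------
    if (bΔvista之后())
    {
        HMODULE hNtdll = GetModuleHandle("ntdll.dll");
        FARPROC ΨΔNtCreateThreadEx = hNtdll ? GetProcAddress(hNtdll, "NtCreateThreadEx") : NULL;
        if (ΨΔNtCreateThreadEx == NULL)
        {
            PRINT2(★,ΨΔNtCreateThreadEx,GetLastError(),d,d);
            return NULL;
        }
        // 0x1FFFFF == THREAD_ALL_ACCESS (Vista+ value); CreateFlags 0 = run immediately.
        const DWORD64 status = ((♂Δ函數指針nt64)ΨΔNtCreateThreadEx)(&hRemoteThread, 0x1FFFFF, NULL, h打開進程, ΨΔ函數, Ψ參數, FALSE, 0, 0, 0, NULL);
        if ((LONG)(DWORD)status < 0 || hRemoteThread == NULL)
        {
            PRINT2(★,hRemoteThread,(DWORD)status,d,d);
            return NULL;
        }
        PRINT1(√√,hRemoteThread,d);
    }
    //---- 2000, XP, Server 2003 --------------------------
    else
    {
        hRemoteThread = CreateRemoteThread(h打開進程, NULL, 0, ΨΔ函數, Ψ參數, 0, NULL);
        if (hRemoteThread == NULL)
        {
            PRINT2(★2·,hRemoteThread,GetLastError(),d,d);
            return NULL;
        }
    }
    // Waiting here matters: callers free the remote code/argument pages after
    // this returns, which must not happen while the thread still runs in them.
    if (WaitForSingleObject(hRemoteThread, INFINITE) == WAIT_FAILED)
    {
        CloseHandle(hRemoteThread);
        return NULL;
    }
    return hRemoteThread;
}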
////////////////////////////////////////////
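// Copy iSize bytes from Ψ參數 into a freshly allocated region of h打開進程.
// Returns the remote address, or NULL on failure (see GetLastError()); on
// failure nothing is left allocated in the target. The caller owns the region
// (free with VirtualFreeEx(h, p, 0, MEM_RELEASE)) and KEEPS ownership of
// h打開進程 — the original closed the caller's process handle on error, which
// turned the caller's own CloseHandle into a double close.
// b是函數: the bytes are code. They are written while the page is read/write
// and only then made PAGE_EXECUTE_READ, so no page is ever writable and
// executable at once (W^X); the original allocated RWX up front. Callers that
// later rewrite such a region must re-protect it themselves.
// Also fixes the free on the error path: MEM_COMMIT is not a valid
// VirtualFreeEx type; MEM_RELEASE with size 0 releases the whole allocation.
template<typename T>
LPVOID ΨΔ寫地址到進程(HANDLE h打開進程,T*Ψ參數,DWORD iSize,BOOL b是函數=true)
{
    if (h打開進程 == NULL || Ψ參數 == NULL || iSize == 0)
    {
        SetLastError(ERROR_INVALID_PARAMETER);
        return NULL;
    }
    LPVOID Ψ參數__ = VirtualAllocEx(h打開進程, NULL, iSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (Ψ參數__ == NULL)
    {
        PRINT1(★!!!VirtualAllocEx失敗:,GetLastError(),d);
        return NULL;
    }
    SIZE_T dwHasWrite = 0;
    BOOL ok = WriteProcessMemory(h打開進程, Ψ參數__, Ψ參數, iSize, &dwHasWrite) && dwHasWrite == iSize;
    if (!ok)
    {
        PRINT1(★!!!寫入遠程進程內存空間出錯:,GetLastError(),d);
    }
    else if (b是函數)
    {
        DWORD dwOldProtect = 0;
        ok = VirtualProtectEx(h打開進程, Ψ參數__, iSize, PAGE_EXECUTE_READ, &dwOldProtect);
        if (!ok)
        {
            PRINT1(★!!!VirtualProtectEx失敗:,GetLastError(),d);
        }
    }
    if (!ok)
    {
        const DWORD dwErr = GetLastError();
        VirtualFreeEx(h打開進程, Ψ參數__, 0, MEM_RELEASE);
        SetLastError(dwErr); // report the real failure, not the free's result
        return NULL;
    }
    return Ψ參數__;
}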
////////////////////////////////////////////
// Demo thread routine: shows a modal message box announcing thread 1 and exits with 0.
DWORD WINAPI ΔMyThreadProc1( LPVOID pParam )
{
    (void)pParam; // unused
    MessageBox(NULL, "DLL已進入線程1。", "信息", MB_ICONINFORMATION);
    return 0;
}
// Demo thread routine: shows a modal message box announcing thread 2 and exits with 0.
DWORD WINAPI ΔMyThreadProc2( LPVOID pParam )
{
    (void)pParam; // unused
    MessageBox(NULL, "DLL已進入線程2。", "信息", MB_ICONINFORMATION);
    return 0;
}
//========================================================
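// DLL entry point. It runs under the loader lock, so only minimal work is safe
// here; the PRINT0 calls (a project macro, presumably CRT output) are kept from
// the original but are already more than the loader-lock rules recommend.
// No thread is created here (the CreateThread lines in the original were
// disabled) and the unused dwThreadId local is gone.
// Returns BOOL rather than bool: the loader reads a full BOOL return value,
// whereas a bool only defines the low byte of the register.
BOOL APIENTRY DllMain( HANDLE hModule,DWORD ul_reason_for_call,LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        PRINT0(▼▼ DLL已進入目標進程。);
        break;
    case DLL_PROCESS_DETACH:
        PRINT0(▼▼ ~~DLL已從目標進程卸載。);
        break;
    default:
        // DLL_THREAD_ATTACH / DLL_THREAD_DETACH: nothing to do.
        break;
    }
    return TRUE;
}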
#endif
-----------------------------------------------------------------------------------
main.cpp
//#include<E:/blender/blenderLib/CLIB.cpp>
#include "MyDll.h"
// Placeholder __stdcall routine; performs no observable work.
void __stdcall myprint2()
{
    (void)(9 + 7);
}
////////////////////////////////////////////
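// Injector entry point: open main_w64.exe, copy a thread routine's machine code
// and a 卍參數 argument block into it, run the copy as a remote thread, wait for
// it, and clean up. Exit status is 0 on success and non-zero on failure (the
// original returned 1 on success and 0 on several failures).
int main()
{
    // SeDebugPrivilege is only required for targets owned by another user or
    // protected ones; a same-user target can still be opened without it, so a
    // failure is logged rather than treated as fatal.
    if (!bΔ訪問權限())
    {
        PRINT1(★ 訪問權限 失敗:,GetLastError(),d);
    }
    HANDLE h打開進程 = hΔ打開進程("main_w64.exe");
    if (h打開進程 == NULL)
    {
        PRINT1(★ 打開進程 失敗!:,GetLastError(),d);
        return -1;
    }
    PRINT1(▼ 找到·,h打開進程,d);

    const DWORD dwThreadSize = 4096;
    int rc = 1;
    HANDLE hRemoteThread = NULL;
    LPVOID ΨΔ函數 = NULL;
    LPVOID Ψ參數 = NULL;
    DWORD dwOldProtect = 0;
    DWORD dwThreadId = 0; // the original passed a variable named dwWriteBytes here; it receives the thread id

    // Argument block for the remote thread. It is zero-filled first, so strcat
    // is a bounded write into the 100-byte `c`. FuncTest2 hands `c` to the
    // callee as its first argument; with printf as the callee that makes `c`
    // a *format string*, so it must stay a trusted, '%'-free literal.
    卍參數 參數;
    ZeroMemory(&參數, sizeof(參數));
    strcat(參數.c, "Hello_IMDJS \0");

    do
    {
        // Copy the routine's machine code into the target. This only works if the
        // function is self-contained and position-independent (no relocations,
        // no /GS cookie, no incremental-link thunk, calls only through the
        // absolute pointers in 卍參數) and if 4096 bytes from its start are
        // readable in this process — the compiler guarantees none of that, and
        // the original made the same assumption. The page is written as RW and
        // flipped to RX afterwards (W^X) instead of the original RWX allocation.
        ΨΔ函數 = VirtualAllocEx(h打開進程, NULL, dwThreadSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (ΨΔ函數 == NULL)
        {
            PRINT1(★新建ΨΔ函數失敗!,GetLastError(),d);
            break;
        }
        // FuncTest2 rather than FuncTest1: FuncTest1 calls the callee with no
        // arguments, so printf would read its format string from whatever the
        // first-argument register happens to hold; FuncTest2 passes 參數.c.
        if (!WriteProcessMemory(h打開進程, ΨΔ函數, (LPCVOID)&FuncTest2, dwThreadSize, NULL))
        {
            PRINT1(★寫Δ函數失敗!,GetLastError(),d);
            break;
        }
        if (!VirtualProtectEx(h打開進程, ΨΔ函數, dwThreadSize, PAGE_EXECUTE_READ, &dwOldProtect))
        {
            PRINT1(★VirtualProtectEx失敗!,GetLastError(),d);
            break;
        }

        // printf's address is resolved in *this* process and reused in the
        // target, which presumes msvcrt.dll is mapped at the same base there
        // (typical for system DLLs within a session, but not guaranteed).
        參數.ΨFunc = GetProcAddress(GetModuleHandle("msvcrt.dll"), "printf");
        PRINT1(,參數.ΨFunc,d);
        if (參數.ΨFunc == NULL)
        {
            break;
        }

        // The argument block is data, not code: no execute permission needed.
        Ψ參數 = ΨΔ寫地址到進程(h打開進程, &參數, sizeof(參數), false);
        if (Ψ參數 == NULL)
        {
            break;
        }

        hRemoteThread = CreateRemoteThread(h打開進程, NULL, 0, (LPTHREAD_START_ROUTINE)ΨΔ函數, Ψ參數, 0, &dwThreadId);
        PRINT1(,hRemoteThread,d);
        if (hRemoteThread == NULL)
        {
            PRINT1(★CreateRemoteThread失敗!,GetLastError(),d);
            break;
        }
        // Wait before releasing the pages the thread executes in / reads from
        // (the original exited without waiting and never freed them).
        if (WaitForSingleObject(hRemoteThread, INFINITE) == WAIT_FAILED)
        {
            break;
        }
        rc = 0;
    } while (0);

    if (hRemoteThread != NULL)
    {
        CloseHandle(hRemoteThread);
    }
    // Free remote memory only when no thread can still be running in it.
    if (rc == 0 || hRemoteThread == NULL)
    {
        if (Ψ參數 != NULL)
        {
            VirtualFreeEx(h打開進程, Ψ參數, 0, MEM_RELEASE);
        }
        if (ΨΔ函數 != NULL)
        {
            VirtualFreeEx(h打開進程, ΨΔ函數, 0, MEM_RELEASE);
        }
    }
    CloseHandle(h打開進程);
    return rc;
}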
main_w.cpp (host process — the injection target)
#include<CLIB_H\CLIB2_global.h>//包含CLIB0_print.h
// Host-side demo: prints the constant 5 under the label "a+b=" through the
// project's PRINT1 macro. (The variable is named `c` because PRINT1 may
// stringify its argument; renaming it could change the printed text.)
void FuncPuls()
{
DWORD c=5;
PRINT1(a+b=, c,d);
}
//------------------------------
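// Host process entry point: run the demo routine, then block so the process
// stays alive long enough to be injected into.
// `int main` replaces the non-standard `void main`; the exit status is 0.
// NOTE(review): system("pause") spawns the command interpreter found via
// ComSpec/PATH; acceptable for a demo, but a plain getchar() would avoid it.
int main()
{
    FuncPuls();
    system("pause");
    return 0;
}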