MyDll.h
#ifndef __MYDLL_H__
#define __MYDLL_H__
#include
//#include
#include
using namespace std;
#include
#include
#include
#ifndef EXC
#define EXC extern"C" __declspec(dllexport) //
#define EX __declspec(dllexport) //extern"C"
#endif
/**/
//---- shared data segment --------------------------
// NOTE(review): everything between data_seg("MY_share") and data_seg() lands in a
// section the linker marks read/write/shared (/section:MY_share,rws), so the same
// bytes are visible to, and writable by, every process that loads this DLL.
// Values read back from these globals must be treated as untrusted input.
#pragma data_seg("MY_share")
int i共享G=-1;
//float *ΨLfG={0.0,0.0}; //Χ
float ΨLfG[]={0.0,0.0};//√
DWORD LiG[2]={0,0};//√
#pragma data_seg()
#pragma comment(linker,"/section:MY_share,rws")
volatile DWORD iG;   // declared after data_seg(): ordinary per-process data, not shared
// Exported setter: stores `temp` in the shared-section globals i共享G and LiG[0]
// and resets ΨLfG[0] to 0.56. PRINT1 is a logging macro defined elsewhere.
// @param temp value written to the shared section (every loader of the DLL sees it)
EXC void SetData(int temp)
{
i共享G=temp; ΨLfG[0]=0.56;PRINT1(+f,ΨLfG[0],f);   // 0.56 is a double literal narrowed to float
//ViG.push_back(temp);PTvector??(ViG);
//ViG[0]=temp;
LiG[0]=temp;   // int -> DWORD: negative values wrap
PRINT1(+push_back,temp,d);
}
// Exported getter: logs the three shared values (PRINT3 macro) and returns i共享G.
// @return i共享G converted to DWORD; the initial -1 comes back as 0xFFFFFFFF
EXC DWORD iGetData()
{
//PTvector??(ViG);
PRINT3(,i共享G,LiG[0],ΨLfG[0],d,d,f);
return i共享G;
}
////////////////////////////////////////////
typedef DWORD (WINAPI *♂Δ函數(shù)指針nt)
(
PHANDLE ThreadHandle,
ACCESS_MASK DesiredAccess,
LPVOID ObjectAttributes,
HANDLE ProcessHandle,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
BOOL CreateSuspended, //●●這個BOOL是int
DWORD dwStackSize,
DWORD dw1,
DWORD dw2,
LPVOID Unknown
);
typedef DWORD64(WINAPI *♂Δ函數(shù)指針nt64)
(
PHANDLE ThreadHandle,
ACCESS_MASK DesiredAccess,
LPVOID ObjectAttributes,
HANDLE ProcessHandle,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
BOOL CreateSuspended,
DWORD64 dwStackSize,
DWORD64 Unknown1,
DWORD64 Unknown2,
LPVOID Unknown3
);
//==============================
// Opens a process by executable name (original comment: look up a process by name).
// Walks a Toolhelp process snapshot and opens the first entry whose szExeFile
// equals lp尋找進程 (lstrcmp: exact, case-sensitive) with PROCESS_ALL_ACCESS.
// The caller owns the returned handle and must CloseHandle it.
// NOTE(review): the Process32First return value is not checked, and when no
// entry matches, dw打開進程 stays 0, so OpenProcess is attempted on PID 0 and
// whatever it returns (normally NULL) is handed back.
// @param lp尋找進程 executable file name to match
// @return process handle, or NULL/0 if the snapshot or OpenProcess failed
HANDLE hΔ打開進程(LPCTSTR lp尋找進程)
{
DWORD dw打開進程 = 0; HANDLE h打開進程 =0;
HANDLE h快照 = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); // snapshot of all processes in the system
if(h快照 == INVALID_HANDLE_VALUE)
{
PRINT1(★獲得進程快照失敗:,GetLastError(),d);
return h打開進程;
}
PROCESSENTRY32 pe入口;// process entry record filled by Process32First/Next
pe入口.dwSize = sizeof(PROCESSENTRY32);// dwSize must be set before the first call
Process32First(h快照,&pe入口);// first entry of the snapshot; return value not checked
printf("lp尋找進程= %s\n",lp尋找進程);   // assumes LPCTSTR is char* (non-Unicode build) — TODO confirm
do
{ //printf("pe入口.szExeFile= %s\n",pe入口.szExeFile);
if(!lstrcmp(pe入口.szExeFile,lp尋找進程))// exact name match; the first hit wins
{
dw打開進程 = pe入口.th42ProcessID;
break;
}
}while (Process32Next(h快照,&pe入口));
h打開進程 = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dw打開進程);//|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE
CloseHandle(h快照);
return h打開進程;// may be NULL; caller must check and close it
}
//========================================================
typedef DWORD (__stdcall* ♂ΔPrint)(LPCTSTR,...);//__stdcall
typedef DWORD (__stdcall* ♂cΔFUNC)(LPCTSTR);
typedef DWORD (__stdcall* ♂iΔFUNC)(DWORD);
typedef DWORD (__stdcall* ♂ΔFUNC)();
// Thread-parameter block; main copies one into the target process with ΨΔ寫地址到進程.
typedef struct sd參數(shù)
{
char c[100]; // NUL-terminated text; FuncTest2 passes it to the function at ΨFunc
♂ΔFUNC ΨΔ;       // only referenced from commented-out code
♂cΔFUNC ΨcΔ;     // only referenced from commented-out code
LPVOID ΨFunc;    // address FuncTest1/FuncTest2 call; set from GetProcAddress in main
DWORD iFunc;     // only referenced from commented-out code
DWORD i;         // only referenced from commented-out code
}卍參數(shù);
//定義MessageBox類型的函數(shù)指針
//EXC DWORD __stdcall FuncTest2(卍參數(shù) *&參數(shù))//LPVOID LPVOID
// Remote stub: casts the parameter block and calls ΨFunc with the text in c,
// using the single-LPCTSTR signature ♂cΔFUNC. ΨFunc is not null-checked.
// @param 參數(shù) pointer to a 卍參數(shù) valid in the address space the stub runs in
void __stdcall FuncTest2(LPVOID 參數(shù))
{
//參數(shù)->ΨΔ();//參數(shù)->c
/**/
卍參數(shù)* Ψ參數(shù) = (卍參數(shù)*)參數(shù);
//Ψ參數(shù)->ΨΔ();//ΧΧ出錯return ;
//Ψ參數(shù)->ΨcΔ(Ψ參數(shù)->c);
♂cΔFUNC ΨΔfunc = (♂cΔFUNC)Ψ參數(shù)->ΨFunc;ΨΔfunc(Ψ參數(shù)->c);   // c is the only argument; not used as a format string here
//ΨΔfunc = (♂cΔFUNC)Ψ參數(shù)->iFunc;ΨΔfunc(Ψ參數(shù)->c);
//Ψ參數(shù)->ΨcΔ(Ψ參數(shù)->c);
//♂iΔFUNC ΨΔfunc = (♂iΔFUNC)Ψ參數(shù)->ΨFunc;//ΨΔfunc(Ψ參數(shù)->i);
//printf(Ψ參數(shù)->c);
return ;
}
// Remote stub: casts the parameter block and calls ΨFunc with no arguments
// (♂ΔFUNC signature). ΨFunc is not null-checked.
// @param 參數(shù) pointer to a 卍參數(shù) valid in the address space the stub runs in
void __stdcall FuncTest1(LPVOID 參數(shù))
{
卍參數(shù)* Ψ參數(shù) = (卍參數(shù)*)參數(shù);
♂ΔFUNC ΨΔfunc = (♂ΔFUNC)Ψ參數(shù)->ΨFunc;ΨΔfunc();
}
// Empty placeholder stub; has no effect (the PRINT1 call is commented out).
void __stdcall FuncTest()
{
//PRINT1(~~,FuncTest,d);
}
// Exported helper that echoes `ch` on stdout.
// @param ch NUL-terminated string. It is passed as the %s argument, not as the
//           format string, so its contents cannot inject conversions; a null
//           pointer is not handled.
EXC void __stdcall MyPrint(char*ch)
{
const char* const text = ch;
printf("▼ ch= %s\n",text);
}
//------------------------------
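// Copies the NUL-terminated string `c` into `c2__`, terminator included
// (strcpy semantics). No bound is checked: the caller must guarantee that
// c2__ holds at least strlen(c)+1 bytes.
// Uses size_t throughout instead of DWORD/uint (non-standard type, narrowing).
// @param c    source string, non-null and NUL-terminated
// @param c2__ destination buffer
inline void c_c(const char*c,char *c2__)
{
const size_t len = strlen(c);
for (size_t i = 0; i < len; ++i)
{
c2__[i] = c[i];
}
c2__[len] = '\0';   // always terminate, also for an empty source
}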
//========================================
// Reports whether the running Windows major version is 6 or later (Vista+).
// GetVersionEx is deprecated and the value it reports can depend on the
// application manifest; the >= 6 test is all this code relies on.
bool bΔvista之后()
{
OSVERSIONINFO info = {};   // value-initialised, same as the ZeroMemory it replaces
info.dwOSVersionInfoSize = sizeof(info);
GetVersionEx(&info);
return info.dwMajorVersion >= 6;
}
//提升程序權(quán)限
// Tries to enable SE_DEBUG_NAME on the current process token (original comment: raise privilege).
// NOTE(review): the two `if(...) ;` lines are empty statements, so a failed
// LookupPrivilegeValue is ignored and an uninitialised LUID is still passed on.
// AdjustTokenPrivileges can also return TRUE when the privilege was not assigned
// (GetLastError() == ERROR_NOT_ALL_ASSIGNED is not checked), so `true` here does
// not prove the privilege is held. bΔ訪問權(quán)限 below does the same job with checks.
// @return true only if the AdjustTokenPrivileges call itself returned TRUE
BOOL bΔEnableDebugPrivilege()
{
HANDLE hToken;
BOOL fOk=false;
if(OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken))
{
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount=1;
if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tp.Privileges[0].Luid)) ;   // empty statement: result discarded
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
if(!AdjustTokenPrivileges(hToken,false,&tp,sizeof(tp),NULL,NULL)) ;   // empty statement; only the else sets fOk
else
fOk = true;
CloseHandle(hToken);
}
return fOk;
}
//====提升進程訪問權(quán)限====================================
// Enables SE_DEBUG_NAME on the current process token, closing the token handle
// on every exit path. Duplicates bΔEnableDebugPrivilege with proper result checks.
// NOTE(review): AdjustTokenPrivileges can return TRUE without assigning the
// privilege (ERROR_NOT_ALL_ASSIGNED), which is not checked, so `true` means the
// call succeeded, not that the caller actually holds the privilege.
// @return false if any of the token/privilege calls failed, true otherwise
bool bΔ訪問權(quán)限()
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
{
return false;
}
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
{
CloseHandle(hToken);
return false;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
{
CloseHandle(hToken);
return false;
}
CloseHandle(hToken);
return true;
}
//========================================================
// Starts a thread in h打開進程 through ntdll's NtCreateThreadEx and waits for it.
// NOTE(review): the GetProcAddress result is used without the (commented-out)
// null check, and hRemoteThread reaches WaitForSingleObject even if the call
// left it NULL. When the wait fails the thread handle is not closed before
// returning NULL. The NtCreateThreadEx return status is discarded.
// @param h打開進程 target process handle (not closed here)
// @param ΨΔ函數(shù) thread start address
// @param Ψ參數(shù)  parameter passed to the thread
// @return thread handle owned by the caller, or NULL if the wait failed
HANDLE hΔMyCreateRemoteThread1(HANDLE h打開進程, LPTHREAD_START_ROUTINE ΨΔ函數(shù), LPVOID Ψ參數(shù))
{
HANDLE hRemoteThread = NULL;
PRINT1(,bΔvista之后(),d);   // logged only; the result does not change the code path
FARPROC ΨΔNtCreateThreadEx = GetProcAddress(GetModuleHandle("ntdll.dll"), "NtCreateThreadEx");
//if(ΨΔNtCreateThreadEx==NULL){PRINT2(★,ΨΔNtCreateThreadEx,GetLastError(),d,d);return NULL;}
((♂Δ函數(shù)指針nt64)ΨΔNtCreateThreadEx)(&hRemoteThread,0x1FFFFF,NULL,h打開進程,ΨΔ函數(shù),Ψ參數(shù),FALSE,NULL,NULL,NULL,NULL);
if(WAIT_FAILED==WaitForSingleObject(hRemoteThread,INFINITE)){return NULL;}   // hRemoteThread leaks on this path
return hRemoteThread;
}
// Starts a thread in h打開進程 and waits for it to finish: on Windows 6+
// (bΔvista之后) through ntdll's NtCreateThreadEx, otherwise through CreateRemoteThread.
// NOTE(review): h打開進程 is taken by reference but never reassigned. In the
// NtCreateThreadEx branch neither the GetProcAddress result nor hRemoteThread is
// null-checked (both checks are commented out), so a NULL handle can reach
// WaitForSingleObject. When the wait fails the thread handle leaks.
// @param h打開進程 target process handle (not closed here)
// @param ΨΔ函數(shù) thread start address
// @param Ψ參數(shù)  parameter passed to the thread
// @return thread handle owned by the caller, or NULL on failure
HANDLE hΔMyCreateRemoteThread(HANDLE&h打開進程, LPTHREAD_START_ROUTINE ΨΔ函數(shù), LPVOID Ψ參數(shù))
{
HANDLE hRemoteThread = NULL;
//---- Vista, 7, Server2008--------------------------
if(bΔvista之后())
{
//typedef DWORD (FAR WINAPI *FARPROC)()
FARPROC ΨΔNtCreateThreadEx = GetProcAddress(GetModuleHandle("ntdll.dll"), "NtCreateThreadEx");
//if(ΨΔNtCreateThreadEx==NULL){PRINT2(★,ΨΔNtCreateThreadEx,GetLastError(),d,d);return NULL;}
((♂Δ函數(shù)指針nt64)ΨΔNtCreateThreadEx)(&hRemoteThread,0x1FFFFF,NULL,h打開進程,ΨΔ函數(shù),Ψ參數(shù),FALSE,NULL,NULL,NULL,NULL);
//if(hRemoteThread==NULL){PRINT2(★,hRemoteThread,GetLastError(),d,d);return NULL;}
PRINT1(√√,hRemoteThread,d);
}
//----2000, XP, Server2003--------------------------
else
{
hRemoteThread=CreateRemoteThread(h打開進程,NULL,0,ΨΔ函數(shù),Ψ參數(shù),0,NULL);
if( hRemoteThread == NULL )
{PRINT2(★2·,hRemoteThread,GetLastError(),d,d);
return NULL;
}
}
if(WAIT_FAILED==WaitForSingleObject(hRemoteThread,INFINITE)){return NULL;}// original note: this wait matters; without it the caller may crash. The handle leaks on this path.
return hRemoteThread;
}
////////////////////////////////////////////
// NOTE(review): the template parameter list (`<class T>`) appears to have been lost
// in extraction; the line below is a bare `template`.
template
// Allocates iSize bytes in h打開進程 (executable pages when b是函數(shù), read/write
// otherwise) and copies iSize bytes from Ψ參數(shù) into them.
// NOTE(review): the VirtualAllocEx result is not checked before WriteProcessMemory;
// the allocated address is returned on every path, so the caller cannot tell a
// failed copy from a successful one; on the failure paths the caller's h打開進程 is
// closed here even though main closes it again later; and VirtualFreeEx is called
// with MEM_COMMIT, which is not a valid free type (MEM_DECOMMIT or MEM_RELEASE).
// @param h打開進程 target process handle (closed here on failure — see note)
// @param Ψ參數(shù)  source bytes in this process
// @param iSize  number of bytes to allocate and copy
// @param b是函數(shù) true: PAGE_EXECUTE_READWRITE, false: PAGE_READWRITE
// @return remote address (possibly NULL, possibly only partially written)
LPVOID ΨΔ寫地址到進程(HANDLE h打開進程,T*Ψ參數(shù),DWORD iSize,BOOL b是函數(shù)=true)// original note: wanted a pointer reference, void*&Ψ參數(shù)__
{
SIZE_T dwHasWrite;LPVOID Ψ參數(shù)__ =NULL;
/**/
if(b是函數(shù))
{Ψ參數(shù)__ = VirtualAllocEx(h打開進程,0,iSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);}
else
{Ψ參數(shù)__ = VirtualAllocEx(h打開進程,0,iSize,MEM_COMMIT,PAGE_READWRITE);}
//---- copy the bytes into the target address space --------------------------
if(WriteProcessMemory(h打開進程,Ψ參數(shù)__,Ψ參數(shù),iSize,&dwHasWrite)) // original note: writes the dll path into the host process
{//PRINT2(,dwHasWrite,iSize,d,d);
if(dwHasWrite != iSize)
{
VirtualFreeEx(h打開進程,Ψ參數(shù)__,iSize,MEM_COMMIT); // MEM_COMMIT is not a free type; original note suggested MEM_RELEASE
CloseHandle(h打開進程);   // closes the caller's handle
PRINT1(★!!!VirtualFreeEx失敗:,GetLastError(),d);
return Ψ參數(shù)__;   // same value as on success
}
}
else
{
PRINT1(★!!!寫入遠程進程內(nèi)存空間出錯:,GetLastError(),d);
CloseHandle(h打開進程);   // closes the caller's handle
return Ψ參數(shù)__;   // same value as on success
}
return Ψ參數(shù)__;
}
////////////////////////////////////////////
// Thread entry referenced only by the commented-out CreateThread calls in DllMain:
// shows a message box and exits with 0.
// @param pParam unused
DWORD WINAPI ΔMyThreadProc1( LPVOID pParam )
{
static_cast<void>(pParam);
MessageBox( NULL, "DLL已進入線程1。", "信息", MB_ICONINFORMATION );
return 0;
}
// Thread entry referenced only by the commented-out CreateThread calls in DllMain:
// shows a message box and exits with 0.
// @param pParam unused
DWORD WINAPI ΔMyThreadProc2( LPVOID pParam )
{
static_cast<void>(pParam);
MessageBox( NULL, "DLL已進入線程2。", "信息", MB_ICONINFORMATION );
return 0;
}
//========================================================
// DLL entry point: logs attach/detach through the PRINT0 macro and always returns TRUE.
// NOTE(review): the documented signature is BOOL WINAPI DllMain(HINSTANCE, DWORD, LPVOID);
// `bool`/`HANDLE` here differ from it. Whatever PRINT0 expands to runs inside
// DllMain, i.e. under the loader lock. dwThreadId is unused (the CreateThread
// calls are commented out).
bool APIENTRY DllMain( HANDLE hModule,DWORD ul_reason_for_call,LPVOID lpReserved)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
//MessageBox( NULL, "√√DLL已進入目標進程。", "信息", MB_ICONINFORMATION );
PRINT0(▼▼ DLL已進入目標進程。);//SetData(28);
DWORD dwThreadId;   // unused
//HANDLE myThread1 = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ΔMyThreadProc1, NULL, 0, &dwThreadId);
//HANDLE myThread2 = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ΔMyThreadProc2, NULL, 0, &dwThreadId);
//PRINT1(,iG,d);//Χ
break;
}
case DLL_PROCESS_DETACH:
{
PRINT0(▼▼ ~~DLL已從目標進程卸載。);
//MessageBox( NULL, "√√DLL已從目標進程卸載。", "信息", MB_ICONINFORMATION );
break;
}
}
return TRUE;
}
#endif
-----------------------------------------------------------------------------------
main.cpp
//#include
#include "MyDll.h"
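// Placeholder callback; intentionally does nothing (the putchar call is commented
// out). The dead local `int i=9+7;` of the original is removed.
void __stdcall myprint2()
{
//putchar('M');//Χ
}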
////////////////////////////////////////////
// Injector entry point. Steps as written: enable SeDebugPrivilege (result ignored),
// open "main_w64.exe", copy FuncTest1 and a 卍參數(shù) block into it, start a remote
// thread at the copied code, then close the process handle.
// NOTE(review): dwHasWrite, c參數(shù) and iSize are computed but never used;
// WriteProcessMemory copies a fixed dwThreadSize (4096) bytes from &FuncTest1,
// unrelated to the function's real length; `&dwWriteBytes` is passed as the
// lpThreadId argument of CreateRemoteThread, so its name is misleading; the
// remote allocations are never freed (VirtualFreeEx is commented out); and
// ΨΔ寫地址到進程 may already have closed h打開進程 on its failure path before the
// CloseHandle below. The exit code is 1 on success and -1/0 on the error paths.
int main()
{
//bΔEnableDebugPrivilege() ;
bΔ訪問權(quán)限();const DWORD dwThreadSize = 4096;   // return value ignored
SIZE_T dwHasWrite;DWORD dwWriteBytes;   // dwHasWrite unused
const char *c參數(shù)= "B:/MyDll64在.dll";   // only used for the unused iSize
//const char c參數(shù)= 'B';
HANDLE h打開進程 = hΔ打開進程("main_w64.exe");// original note: prefer ASCII names, fewer surprises
if(h打開進程 == NULL)
{
PRINT1(★ 打開進程 失敗!:,GetLastError(),d);
return -1;
}
else
{
PRINT1(▼ 找到·,h打開進程,d);
}
LPVOID ΨΔ函數(shù)= NULL;
卍參數(shù) 參數(shù);// DWORD is unsigned long
ZeroMemory(&參數(shù), sizeof(卍參數(shù)));//PRINT2(,sizeof(卍參數(shù)),sizeof(參數(shù)),d,d);//√
int iSize = strlen(c參數(shù))+1;strcat(參數(shù).c, "Hello_IMDJS \0");//c_c(c參數(shù),參數(shù).c);
//----FuncTest1--------------------------
ΨΔ函數(shù)=VirtualAllocEx(h打開進程,0,dwThreadSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);if(!ΨΔ函數(shù)){PRINT1(★新建ΨΔ函數(shù)失敗!,h打開進程,d);return 0;} if(!WriteProcessMemory(h打開進程,ΨΔ函數(shù),&FuncTest1,dwThreadSize,0)){PRINT1(★寫Δ函數(shù)失敗!,h打開進程,d);return 0;}   // h打開進程 is not closed on these early returns
參數(shù).ΨFunc=GetProcAddress(GetModuleHandle("msvcrt.dll"),"printf");   // resolved in this process
PRINT1(,參數(shù).ΨFunc,d);
LPVOID Ψ參數(shù) =ΨΔ寫地址到進程(h打開進程,&參數(shù),sizeof(卍參數(shù)),true);   // may be NULL or partially written; not checked
//====NtCreateThreadEx====================================
HANDLE hRemoteThread=NULL;
hRemoteThread=CreateRemoteThread(h打開進程,NULL,0, (LPTHREAD_START_ROUTINE) ΨΔ函數(shù),Ψ參數(shù),0,&dwWriteBytes);   // last argument receives the thread id
PRINT1(,hRemoteThread,d);   // hRemoteThread is never closed
//------------------------------------------------------------
//VirtualFreeEx(h打開進程, Ψ參數(shù), 0, MEM_RELEASE);
CloseHandle(h打開進程);
//if(WAIT_FAILED==WaitForSingleObject(hRemoteThread,INFINITE)){return NULL;}
//system("pause");
return 1;
}
main_w.cpp(宿主)
#include
// Host-side demo: logs c (= 5) through the PRINT1 macro. The "a+b=" label does not
// correspond to any addition performed here.
void FuncPuls()
{
DWORD c=5;
PRINT1(a+b=, c,d);//PRINT1(main·, iG,d);
}
//------------------------------
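// Host program entry: runs the demo and pauses the console.
// `int main()` replaces the ill-formed `void main()`; exit code is 0.
int main()
{
//char* ch="MYPRINT";putchar('M');
FuncPuls();
system("pause");
return 0;
}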