I really can't stand it anymore: can anyone help me call this C++/CLI DLL?

Original link: http://www.cnblogs.com/wysky/archive/2007/09/11/889386.html
The steps of the LoadLibrary & CreateRemoteThread technique are as follows:

1. Get the remote process HANDLE (using OpenProcess).

2. Allocate memory in the remote process for the DLL file name (VirtualAllocEx).

3. Write the DLL file name (full path) to the allocated memory (WriteProcessMemory).

4. Use CreateRemoteThread and LoadLibrary to map your DLL into the remote process.

5. Wait for the remote thread to terminate (WaitForSingleObject), that is, wait for LoadLibrary to return. In other words, the remote thread ends as soon as our DllMain (called with DLL_PROCESS_ATTACH) returns.

6. Retrieve the remote thread's exit code (GetExitCodeThread), which is LoadLibrary's return value: the base address (HMODULE) of our loaded DLL.

7. Free the memory allocated in step 2 (VirtualFreeEx).

8. Unload the DLL from the remote process with CreateRemoteThread and FreeLibrary. Pass the HMODULE obtained in step 6 to FreeLibrary (via the lpParameter parameter of CreateRemoteThread).

9. Wait for the thread to end (WaitForSingleObject).

10. Written in C++/CLI:

// InjectDll.h

#pragma once

#include <windows.h>
using namespace System;

namespace InjectDll {

 public ref class InjectDllManager
 {
 public:
  // szLibPath - the DLL to load, hProcess - the remote process to load the DLL into,
  // iLibPathSize - length of the DLL name to be loaded
  void InjectLib2Process(char szLibPath[], HANDLE hProcess, int iLibPathSize)
  {
   HANDLE hThread;
   void* pLibRemote;
   DWORD hLibModule; // base address of the loaded DLL (HMODULE)
   HMODULE hKernel32 = GetModuleHandle(L"Kernel32");
   // initialize szLibPath
   // ...
   // 1. allocate memory in the remote process for szLibPath
   // 2. write szLibPath to the allocated memory
   pLibRemote = VirtualAllocEx(hProcess, NULL, iLibPathSize,
    MEM_COMMIT, PAGE_READWRITE);
   // szLibPath is a pointer parameter here, so sizeof(szLibPath) would only be
   // the size of a pointer; use the length passed in by the caller instead
   WriteProcessMemory(hProcess, pLibRemote, (void*)szLibPath,
    iLibPathSize, NULL);
   // Load "szLibPath.dll" into the remote process
   // (via LoadLibrary & CreateRemoteThread)
   hThread = CreateRemoteThread(hProcess, NULL, 0,
    (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32,
    "LoadLibraryA"), pLibRemote, 0, NULL);
   WaitForSingleObject(hThread, INFINITE);
   // obtain the base address of the DLL
   GetExitCodeThread(hThread, &hLibModule);
   // clean up
   CloseHandle(hThread);
   VirtualFreeEx(hProcess, pLibRemote, iLibPathSize, MEM_RELEASE);
   // unload LibSpu.dll from the target process
   // (via FreeLibrary & CreateRemoteThread)
   hThread = CreateRemoteThread(hProcess, NULL, 0,
    (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "FreeLibrary"), (void*)hLibModule, 0, NULL);
   WaitForSingleObject(hThread, INFINITE);
   // clean up
   CloseHandle(hThread);
  }
 };
}


Build the DLL, then reference it in the C# project, and finally write:

public partial class Form1 : Form
{
    public Form1()
    {
        InitializeComponent();
    }

    private void Form1_Load(object sender, EventArgs e)
    {
        InjectDll.InjectDllManager iManager = new InjectDll.InjectDllManager();
        iManager.InjectLib2Process(....);

        // ......
    }
}

=====
I don't know what the type void* / sbyte* is, and I don't know how to declare this type; I'm worn out.
InjectDll.InjectDllManager iManager = new InjectDll.InjectDllManager();

// iManager.InjectLib2Process("InjectDLL.dll",
System.Diagnostics.Process[] tempPro = System.Diagnostics.Process.GetProcessesByName("explorer");

char[] dllName = {'I','n','j','e','c','t','D','L','L'};

string aaa = @"E:\我的文档\Visual Studio 2005\Projects\MYGameBOTS\Instore\bin\Debug\InjectDLL.dll";
iManager.InjectLib2Process(dllName, tempPro[0].Handle, aaa.Length);

Could someone please help me with how to call the DLL (compiled: http://files.cnblogs.com/wysky/InjectDLL.rar)?
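
From the monitoring side, the remote threads created in steps 4 and 8 start at LoadLibrary and FreeLibrary, which Sysmon records in the StartModule and StartFunction fields of Event ID 8 (CreateRemoteThread). The Python below is an added example, not code from the original post; the event records, process paths and the helper names classify and find_injections are constructed for illustration.

```python
import ntpath

# Start routines from steps 4 and 8: LoadLibrary* maps the DLL, FreeLibrary unloads it.
LOADERS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}
UNLOADERS = {"freelibrary"}
LOADER_MODULES = {"kernel32.dll", "kernelbase.dll"}

# Constructed sample records using Sysmon Event ID 8 field names (not real logs).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-01-01 10:00:02.500", "SourceProcessId": "4120",
     "SourceImage": r"C:\Temp\sample_app.exe", "TargetProcessId": "1788",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll", "StartFunction": "FreeLibrary"},
    {"UtcTime": "2024-01-01 10:00:01.100", "SourceProcessId": "4120",
     "SourceImage": r"C:\Temp\sample_app.exe", "TargetProcessId": "1788",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll", "StartFunction": "LoadLibraryA"},
    {"UtcTime": "2024-01-01 10:00:03.000", "SourceProcessId": "900",
     "SourceImage": r"C:\Temp\debugger.exe", "TargetProcessId": "2200",
     "TargetImage": r"C:\Temp\debuggee.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "DbgUiRemoteBreakin"},
]

def classify(event):
    """Return 'load', 'unload' or None for one CreateRemoteThread record."""
    module = ntpath.basename(event.get("StartModule", "")).lower()
    func = event.get("StartFunction", "").lower()
    if module not in LOADER_MODULES:
        return None
    if func in LOADERS:
        return "load"
    if func in UNLOADERS:
        return "unload"
    return None

def find_injections(events):
    """Group loader-routine remote threads by (source pid, target pid), in time order."""
    findings = {}
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        kind = classify(ev)
        if kind is None or ev["SourceProcessId"] == ev["TargetProcessId"]:
            continue
        key = (ev["SourceProcessId"], ev["TargetProcessId"])
        entry = findings.setdefault(
            key, {"source": ev["SourceImage"], "target": ev["TargetImage"], "sequence": []})
        entry["sequence"].append(kind)
    return findings
```

A "load" followed by an "unload" from the same source into the same target matches the load-then-FreeLibrary sequence of steps 4 to 9.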


Origin blog.csdn.net/weixin_30433075/article/details/94961444