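> 带MFC窗口,以更方便数据遍历和功能测试。

# 一、带MFC的Dll

使用VS2019 创建带MFC的动态链接库(DLL),项目属性设置使用静态MFC。

新建名为DbgWin的对话框界面。

在DLL工程名cpp中(比如我DLL工程名叫GameCore,则目标文件为 GameCore.cpp)添加头文件 DbgWin.h 引用。

并添加如下代码:

```cpp
DbgWin* m_dbgWin = nullptr;

// Worker-thread entry that creates the debug dialog inside the injected DLL.
// The signature matches LPTHREAD_START_ROUTINE exactly, so the caller no
// longer needs a function-pointer cast to hand it to CreateThread.
DWORD WINAPI ShowDialog(LPVOID /*lpParam*/)
{
    // Required in an MFC DLL: switches the module state so that dialog
    // resources (IDD_*) are looked up in this DLL, not in the host EXE.
    AFX_MANAGE_STATE(AfxGetStaticModuleState());

    m_dbgWin = new DbgWin;
    m_dbgWin->DoModal();   // blocks until the dialog is closed

    // The original code called ShowWindow(SW_SHOWNORMAL) here. By the time
    // DoModal() returns the dialog's HWND has already been destroyed, so that
    // call cannot act on the window (MFC asserts on it in debug builds).
    // If the goal is a window that a hotkey can hide and re-show, the dialog
    // has to be created modeless (Create() + a message loop) instead.

    // DoModal() only destroys the window; the C++ object is still ours to free.
    delete m_dbgWin;
    m_dbgWin = nullptr;
    return 0;
}
```

修改`BOOL CGameCoreApp::InitInstance()`函数为:

```cpp
BOOL CGameCoreApp::InitInstance()
{
    CWinApp::InitInstance();

    // InitInstance runs out of DllMain (DLL_PROCESS_ATTACH) while the loader
    // lock is held, so the dialog cannot be created here; it is created on a
    // worker thread that only begins executing once DllMain has returned.
    // NOTE(review): MFC documents AfxBeginThread for threads that use MFC
    // objects; raw CreateThread + AFX_MANAGE_STATE works in practice here,
    // but switch to AfxBeginThread if thread-state problems appear.
    HANDLE hThread = ::CreateThread(nullptr, 0, ShowDialog, nullptr, 0, nullptr);
    if (hThread == nullptr)
        return FALSE;       // fail the DLL load visibly instead of silently having no window

    ::CloseHandle(hThread); // the thread is never joined; release the handle so it does not leak
    return TRUE;
}
```

设计如下MFC界面: 

# 二、DLL注入

下面是经典的 `CreateRemoteThread + LoadLibraryA` 注入方式。注意两点:其一,注入器与目标进程必须位数一致(否则本进程取得的 LoadLibraryA 地址在目标中无效);其二,这种注入方式是最常见、最容易被安全软件识别的模式,仅适用于自己的测试环境。

```cpp
#include <iostream>
#include <Windows.h>
#include <string.h>
#include <string>
#include <thread>
#include <chrono>

namespace {

// Loads `dllPath` into `hProcess` by writing the path into the target and
// running LoadLibraryA on a new thread there.
//
// Returns true only if the remote LoadLibraryA reported a non-NULL module
// handle; on any failure the reason is written to stderr.
//
// hProcess needs PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
// PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ (a handle from
// CreateProcess already has these).
//
// Caveat: the LoadLibraryA address is resolved in *this* process and assumed
// identical in the target. That holds for kernel32 between processes of the
// same bitness within one boot session; a 32-bit injector cannot target a
// 64-bit process (or vice versa) this way.
bool InjectDll(HANDLE hProcess, const std::string& dllPath)
{
    const SIZE_T pathBytes = dllPath.size() + 1; // include the terminating NUL

    // 1. Reserve a buffer for the path inside the target.
    LPVOID remotePath = VirtualAllocEx(hProcess, nullptr, pathBytes,
                                       MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (remotePath == nullptr) {
        std::cerr << "VirtualAllocEx failed: " << GetLastError() << '\n';
        return false;
    }

    bool ok = false;
    SIZE_T written = 0;

    // 2. Copy the NUL-terminated path into that buffer.
    if (!WriteProcessMemory(hProcess, remotePath, dllPath.c_str(), pathBytes, &written)
        || written != pathBytes) {
        std::cerr << "WriteProcessMemory failed: " << GetLastError() << '\n';
    } else {
        // 3. Resolve LoadLibraryA locally (see the bitness caveat above).
        FARPROC loadLibrary = GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
        if (loadLibrary == nullptr) {
            std::cerr << "GetProcAddress(LoadLibraryA) failed: " << GetLastError() << '\n';
        } else {
            // 4. Run LoadLibraryA(remotePath) on a new thread in the target.
            HANDLE hRemote = CreateRemoteThread(
                hProcess, nullptr, 0,
                reinterpret_cast<LPTHREAD_START_ROUTINE>(loadLibrary),
                remotePath, 0, nullptr);
            if (hRemote == nullptr) {
                std::cerr << "CreateRemoteThread failed: " << GetLastError() << '\n';
            } else {
                // INFINITE, not INFINITY: the latter is the <cmath> floating-point
                // macro, and converting it to DWORD is undefined behaviour.
                if (WaitForSingleObject(hRemote, INFINITE) == WAIT_OBJECT_0) {
                    // The thread's exit code is LoadLibraryA's return value
                    // truncated to 32 bits; 0 means the DLL did not load.
                    // (In theory a 64-bit base whose low 32 bits are zero would
                    // also read as 0; in practice kernel-loaded bases do not.)
                    DWORD exitCode = 0;
                    ok = GetExitCodeThread(hRemote, &exitCode) && exitCode != 0;
                    if (!ok)
                        std::cerr << "remote LoadLibraryA returned NULL\n";
                }
                CloseHandle(hRemote);
            }
        }
    }

    // The path buffer is only needed while LoadLibraryA runs; don't leave it
    // behind in the target.
    VirtualFreeEx(hProcess, remotePath, 0, MEM_RELEASE);
    return ok;
}

} // namespace

// Starts the target suspended, injects GameCore.dll, then resumes it.
// Exit code 0 on success, 1 on any failure (the original returned `false`,
// i.e. 0, on failure as well, which made errors invisible to callers).
int main()
{
    // NOTE(review): CreateRemoteThread into a process whose initial thread has
    // never run relies on the new thread driving process initialisation
    // (loader, kernel32). This is a common technique and works in practice,
    // but the ordering is fragile — confirm against the real target.
    std::string commandLine = "D:\\Program Files (x86)\\{此处隐藏}.exe";
    const char* workingDir = "D:\\Program Files (x86)\\{此处隐藏}";
    const std::string dllPath = "H:\\2Project\\testMFCLibrary1\\x64\\Debug\\GameCore.dll";

    STARTUPINFOA startInfo{};          // stack object; no raw new/delete to leak
    startInfo.cb = sizeof(startInfo);
    PROCESS_INFORMATION processInfo{};

    // lpCommandLine must point at writable memory (CreateProcessW may modify
    // it); passing a std::string buffer instead of a cast literal keeps that
    // true regardless of the A/W variant.
    if (!CreateProcessA(nullptr, &commandLine[0], nullptr, nullptr, FALSE,
                        CREATE_SUSPENDED, nullptr, workingDir, &startInfo, &processInfo)) {
        std::cerr << "CreateProcessA failed: " << GetLastError() << '\n';
        return 1;
    }

    // CreateProcess already returns a process handle with the rights we need;
    // the original OpenProcess(PROCESS_ALL_ACCESS, ...) was redundant and
    // leaked both that handle and processInfo's handles.
    const bool injected = InjectDll(processInfo.hProcess, dllPath);

    if (injected) {
        ResumeThread(processInfo.hThread);
    } else {
        // Don't leave a suspended, half-initialised process behind on failure.
        TerminateProcess(processInfo.hProcess, 1);
    }

    CloseHandle(processInfo.hThread);
    CloseHandle(processInfo.hProcess);
    return injected ? 0 : 1;
}
```

# 三、下一步工作

1. DLL隐藏
2. 安全内存读写及主线程调用call实现

最后修改:2021 年 09 月 22 日 11 : 37 AM © 禁止转载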
给博主点赞,系列文章很棒