{"id":52,"date":"2025-06-22T20:59:42","date_gmt":"2025-06-22T12:59:42","guid":{"rendered":"http:\/\/www.xuanbin.top\/?p=52"},"modified":"2025-06-22T20:59:43","modified_gmt":"2025-06-22T12:59:43","slug":"dll%e6%b3%a8%e5%85%a5-%e8%bf%9c%e7%a8%8b%e7%ba%bf%e7%a8%8b%e6%b3%a8%e5%85%a5","status":"publish","type":"post","link":"http:\/\/www.xuanbin.top\/index.php\/2025\/06\/22\/dll%e6%b3%a8%e5%85%a5-%e8%bf%9c%e7%a8%8b%e7%ba%bf%e7%a8%8b%e6%b3%a8%e5%85%a5\/","title":{"rendered":"DLL\u6ce8\u5165\u2014\u2014\u8fdc\u7a0b\u7ebf\u7a0b\u6ce8\u5165"},"content":{"rendered":"\n

\u6700\u8fd1\u770b\u4e66\u770b\u5230\u4e86DLL\u6ce8\u5165\uff0c\u4e8e\u662f\u6253\u7b97\u5b9e\u73b0\u4e00\u4e0b\u5404\u79cd\u6ce8\u5165\u65b9\u5f0f\u3002<\/p>\n\n\n\n

\u8fdc\u7a0b\u7ebf\u7a0b\u6ce8\u5165\u7684\u601d\u8def\u5927\u81f4\u662f\uff1a\u5b9a\u4f4d\u6ce8\u5165\u76ee\u6807\u8fdb\u7a0b\u2014\u2014\u5728\u76ee\u6807\u8fdb\u7a0b\u7533\u8bf7\u4e00\u5757\u5185\u5b58\u2014\u2014\u5c06\u8981\u6ce8\u5165\u7684dll\u7684\u8def\u5f84\u5199\u5165\u76ee\u6807\u8fdb\u7a0b\u5185\u5b58\u2014\u2014\u83b7\u53d6LoadLibraryW API\u7684\u5730\u5740\u2014\u2014\u2014\u2014\u5728\u76ee\u6807\u8fdb\u7a0b\u4e2d\u8fd0\u884c\u7ebf\u7a0b\u3002<\/p>\n\n\n\n

\u5b9a\u4f4d\u6ce8\u5165\u76ee\u6807\u8fdb\u7a0b<\/h2>\n\n\n\n
\tif (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, dwPID)))\n\t{\n\t\tprintf(\"error2\");\n\t\treturn false;\n\t}<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u8fd9\u4e2aAPI\u7684\u4f5c\u7528\u662f\u6253\u5f00\u4e00\u4e2a\u8fdb\u7a0b\u5e76\u8fd4\u56de\u8fd9\u4e2a\u8fdb\u7a0b\u7684\u53e5\u67c4\uff0c\u901a\u8fc7PID\u6765\u5b9a\u4f4d\u67d0\u4e2a\u8fdb\u7a0b\u8fdb\u800c\u8fd4\u56de\u5b83\u7684\u53e5\u67c4\u3002<\/p>\n\n\n\n
\u4e09\u4e2a\u53c2\u6570\u5206\u522b\u4e3a\uff1a\u8be5\u8fdb\u7a0b\u5bf9\u6253\u5f00\u8fdb\u7a0b\u7684\u6743\u9650\u3001\u662f\u5426\u7ee7\u627f\u8fdb\u7a0b\u53e5\u67c4\u3001\u76ee\u6807\u8fdb\u7a0b\u7684PID\u3002<\/p>\n\n\n\n
\u7533\u8bf7\u5185\u5b58\u7a7a\u95f4<\/h2>\n\n\n\n
pRemoteBuf = VirtualAllocEx(hProcess, NULL, BufSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);\nif (pRemoteBuf == 0)\n{\n    printf(\"error3\");\n    return false;\n}<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u8fd9\u4e2aAPI\u7684\u4f5c\u7528\u662f\u5728\u76ee\u6807\u8fdb\u7a0b\u7533\u8bf7\u4e00\u6bb5\u5185\u5b58\u7a7a\u95f4\u5e76\u8fd4\u56de\u6240\u7533\u8bf7\u7684\u5185\u5b58\u7a7a\u95f4\u7684\u5730\u5740\u3002<\/p>\n\n\n\n
\u4e94\u4e2a\u53c2\u6570\u5206\u522b\u4e3a\uff1a\u76ee\u6807\u8fdb\u7a0b\u7684\u53e5\u67c4\u3001\u6307\u5b9a\u8981\u5206\u914d\u7684\u9875\u9762\u533a\u57df\u6240\u9700\u7684\u8d77\u59cb\u5730\u5740\u7684\u6307\u9488\u3001\u6240\u9700\u5206\u914d\u5185\u5b58\u7a7a\u95f4\u7684\u5927\u5c0f\u3001\u5185\u5b58\u5206\u914d\u7c7b\u578b\u3001\u5185\u5b58\u4fdd\u62a4\u6743\u9650\u3002<\/p>\n\n\n\n
\u5199\u5165dll\u8def\u5f84<\/h2>\n\n\n\n
\tif (!WriteProcessMemory(hProcess, pRemoteBuf, szDllPath, BufSize, NULL))\n\t{\n\t\tprintf(\"error4\");\n\t\treturn false;\n\t}<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u8fd9\u4e2aAPI\u7684\u4f5c\u7528\u662f\u5728\u76ee\u6807\u8fdb\u7a0b\u7684\u4e00\u6bb5\u5185\u5b58\u7a7a\u95f4\u4e2d\u5199\u5165\uff0c\u5e76\u8fd4\u56de\u662f\u5426\u5199\u5165\u6210\u529f\u3002<\/p>\n\n\n\n
\u4e94\u4e2a\u53c2\u6570\u5206\u522b\u4e3a\uff1a\u76ee\u6807\u8fdb\u7a0b\u7684\u53e5\u67c4\u3001\u5199\u5165\u7684\u5185\u5b58\u5730\u5740\u3001\u5199\u5165\u7684\u6570\u636e\u3001\u5199\u5165\u6570\u636e\u7684\u957f\u5ea6\u3001\u63a5\u6536\u4f20\u8f93\u5230\u76ee\u6807\u8fdb\u7a0b\u7684\u5b57\u8282\u6570\u7684\u6307\u9488\uff08\u53ef\u4e3aNULL\uff09\u3002<\/p>\n\n\n\n
\u83b7\u53d6\u52a0\u8f7d\u51fd\u6570\u5730\u5740<\/h2>\n\n\n\n
lpLoadLibrary = GetProcAddress(GetModuleHandleW(L\"kernel32.dll\"),\"LoadLibraryW\");<\/code><\/pre>\n\n\n\n
\u6709\u4e24\u4e2aAPI\uff0c\u5747\u8f83\u4e3a\u7b80\u5355\u3002GetModuleHandleW\u8f93\u5165\u6587\u4ef6\u540d\u8fd4\u56de\u6587\u4ef6\u53e5\u67c4\uff0cGetProcAddress\u8f93\u5165\u53e5\u67c4\u4e0e\u67e5\u627e\u51fd\u6570\u540d\u8fd4\u56de\u67e5\u627e\u51fd\u6570\u540d\u7684\u5730\u5740\u3002\u5728\u8fd9\u91ccGetModuleHandleW\u8fd4\u56de\u4e86kernel32.dll\u7684\u53e5\u67c4\uff0cGetProcAddress\u8fd4\u56de\u4e86kernel32.dll\u4e2dLoadLibraryW API\u7684\u5730\u5740\u3002<\/p>\n\n\n\n
\u5728\u76ee\u6807\u8fdb\u7a0b\u4e2d\u8fd0\u884c\u7ebf\u7a0b<\/h2>\n\n\n\n
\thThread = CreateRemoteThread(\n\t\thProcess,\n\t\tNULL,\n\t\t0,\n\t\t(LPTHREAD_START_ROUTINE)lpLoadLibrary,\n\t\tpRemoteBuf,\n\t\t0,\n\t\tNULL\n\t);<\/code><\/pre>\n\n\n\n
CreateRemoteThread API\uff0c\u76f8\u6bd4\u4e8eCreateThread\u533a\u522b\u5728\u4e8e\u4e3a\u76ee\u6807\u8fdb\u7a0b\u521b\u5efa\u7ebf\u7a0b\u3002<\/p>\n\n\n\n
\u4e03\u4e2a\u53c2\u6570\u5206\u522b\u4e3a\uff1a\u76ee\u6807\u8fdb\u7a0b\u53e5\u67c4\u3001\u5b50\u8fdb\u7a0b\u662f\u5426\u7ee7\u627f\u53e5\u67c4\u3001\u5806\u6808\u521d\u59cb\u5927\u5c0f\uff08\u4e3a0\u65f6\u9ed8\u8ba4\u5927\u5c0f\uff09\u3001\u7ebf\u7a0b\u51fd\u6570\u5730\u5740\u3001\u7ebf\u7a0b\u51fd\u6570\u53c2\u6570\u6307\u9488\u3001\u63a7\u5236\u7ebf\u7a0b\u521b\u5efa\u7684\u6807\u5fd7\u3002<\/p>\n\n\n\n
\u5b8c\u6574\u4ee3\u7801\uff1a<\/p>\n\n\n\n
#include<Windows.h>\n#include<stdio.h>\n#include <string>\nBOOL InjectDLL(int dwPID, const wchar_t* szDllPath)\n{\n\tHANDLE hProcess = NULL, hThread = NULL;\n\tLPVOID pRemoteBuf = NULL;\n\tint BufSize = (wcslen(szDllPath) + 1) * sizeof(wchar_t);\n\tLPVOID lpLoadLibrary = NULL;\n\n\t\/\/\u6253\u5f00\u76ee\u6807\u8fdb\u7a0b\n\tif (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, dwPID)))\n\t{\n\t\tprintf(\"error2\");\n\t\treturn false;\n\t}\n\n\t\/\/\u5728\u76ee\u6807\u8fdb\u7a0b\u4e2d\u5206\u914d\u4e00\u5757\u5185\u5b58\n\tpRemoteBuf = VirtualAllocEx(hProcess, NULL, BufSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);\n\tif (pRemoteBuf == 0)\n\t{\n\t\tprintf(\"error3\");\n\t\treturn false;\n\t}\n\t\/\/\u83b7\u53d6LoadLibraryW\u7684\u5730\u5740\n\tlpLoadLibrary = GetProcAddress(GetModuleHandleW(L\"kernel32.dll\"),\"LoadLibraryW\");\n\n\t\/\/\u5199\u5165dll\u8def\u5f84\u5230\u76ee\u6807\u8fdb\u7a0b\u5185\u5b58\n\tif (!WriteProcessMemory(hProcess, pRemoteBuf, szDllPath, BufSize, NULL))\n\t{\n\t\tprintf(\"error4\");\n\t\treturn false;\n\t}\n\n\t\/\/\u5728\u76ee\u6807\u8fdb\u7a0b\u8fd0\u884c\u7ebf\u7a0b\n\thThread = CreateRemoteThread(\n\t\thProcess,\n\t\tNULL,\n\t\t0,\n\t\t(LPTHREAD_START_ROUTINE)lpLoadLibrary,\n\t\tpRemoteBuf,\n\t\t0,\n\t\tNULL\n\t);\n\n\tWaitForSingleObject(hThread, INFINITE);\n\tCloseHandle(hThread);\n\tCloseHandle(hProcess);\n\treturn true;\n}\nint wmain(int argc, wchar_t* argv[])\n{\n\tif (argc != 3)\n\t{\n\t\tprintf(\"error1\");\n\t\treturn 1;\n\t}\n\tif (InjectDLL(std::stol(argv[1]), argv[2]))\n\t{\n\t\tprintf(\"success!\");\n\t}\n\telse\n\t{\n\t\tprintf(\"failed!\");\n\t}\n\treturn 0;\n}<\/code><\/pre>\n\n\n\n
\u6d4b\u8bd5DLL<\/h2>\n\n\n\n
#include \"pch.h\"\n\nBOOL APIENTRY DllMain(HMODULE hModule,\n    DWORD  ul_reason_for_call,\n    LPVOID lpReserved\n)\n{\n    switch (ul_reason_for_call)\n    {\n\n    case DLL_PROCESS_ATTACH: {\n        HWND hwnd = GetActiveWindow();\n        MessageBox(hwnd, L\"DLL\u5df2\u8fdb\u5165\u76ee\u6807\u8fdb\u7a0b\u3002\", L\"\u4fe1\u606f\", MB_ICONINFORMATION);\n        OutputDebugStringW(L\"dllinject\");\n\n    }\n    }\n    return TRUE;\n}\n\u901a\u8fc7\u5f39\u7a97\u5224\u65ad\u662f\u5426\u6ce8\u5165\u6210\u529f\u3002<\/code><\/pre>\n\n\n\n
\u6d4b\u8bd5<\/h2>\n\n\n\n
cmd\u8f93\u5165\u76ee\u6807\u8fdb\u7a0b\u7684PID\u4e0e\u8981\u6ce8\u5165\u7684DLL\u3002<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u503c\u5f97\u6ce8\u610f\u7684\u662f\uff0c\u76ee\u6807\u8fdb\u7a0b\u662f64\u4f4d\u621632\u4f4d\u7a0b\u5e8f\uff0c\u6ce8\u5165\u5668\u4e0eDLL\u9700\u4e0e\u76ee\u6807\u8fdb\u7a0b\u4fdd\u6301\u4e00\u81f4\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
\u6700\u8fd1\u770b\u4e66\u770b\u5230\u4e86DLL\u6ce8\u5165\uff0c\u4e8e\u662f\u6253\u7b97\u5b9e\u73b0\u4e00\u4e0b\u5404\u79cd\u6ce8\u5165\u65b9\u5f0f\u3002 \u8fdc\u7a0b\u7ebf\u7a0b\u6ce8\u5165\u7684\u601d\u8def\u5927\u81f4\u662f\uff1a\u5b9a\u4f4d\u6ce8\u5165\u76ee\u6807\u8fdb\u7a0b\u2014\u2014\u5728\u76ee\u6807\u8fdb\u7a0b\u7533\u8bf7\u4e00\u5757\u5185\u5b58\u2014\u2014 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-52","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/posts\/52","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/comments?post=52"}],"version-history":[{"count":2,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/posts\/52\/revisions"}],"predecessor-version":[{"id":60,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/posts\/52\/revisions\/60"}],"wp:attachment":[{"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/media?parent=52"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/categories?post=52"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/tags?post=52"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}