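{
    /*
     * Demo: load ForHook.dll into the Notepad process that has "1.txt" open.
     * A thread created in that process calls kernel32's LoadLibraryA on a
     * path that was first copied into the target's address space.
     *
     * Only ANSI (narrow-character) paths are supported: the path is handed to
     * LoadLibraryA, so it must not contain wide characters.
     *
     * Fixes relative to the first version of this snippet:
     *  - every API result is checked instead of being passed on as NULL;
     *  - only the bytes of the path string are written (the first version
     *    copied MAX_PATH bytes out of a 54-byte literal, reading past its
     *    end);
     *  - the remote buffer is released after the remote thread has finished
     *    (the first version never freed it), and both kernel handles are
     *    closed on every exit path.
     *
     * Testing the demo: if the DLL file cannot be deleted, it is loaded;
     * closing Notepad unloads it automatically.
     */
    static const char szLibFile[] =
        "D:\\coding\\dll_hook\\dllInj\\demo\\demo\\debug\\ForHook.dll";
    const SIZE_T cbLibFile = sizeof szLibFile; /* includes the terminating NUL */

    /* All locals declared up front so the goto below crosses no initializer
     * (keeps the block valid whether the file is built as C or C++). */
    HWND hwnd = NULL;
    DWORD pid = 0;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    HMODULE hModule = NULL;
    PTHREAD_START_ROUTINE pfnThreadRtn = NULL;
    char *pszLibFileRemote = NULL;

    /* Find the window and the process that owns it. */
    hwnd = FindWindow(NULL, "1.txt - 记事本");
    GetWindowThreadProcessId(hwnd, &pid); /* leaves pid == 0 when hwnd is NULL */
    if (0 == pid) {
        /* For test: with no Notepad window around, use this process. */
        pid = GetCurrentProcessId();
    }

    /* PROCESS_ALL_ACCESS is kept from the original; it is broader than the
     * handful of rights this block actually exercises. */
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (NULL == hProcess) {
        goto cleanup;
    }

    /* The remote thread's start routine is kernel32's LoadLibraryA. */
    hModule = GetModuleHandle("Kernel32");
    if (NULL == hModule) {
        goto cleanup;
    }
    pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(hModule, "LoadLibraryA");
    if (NULL == pfnThreadRtn) {
        goto cleanup;
    }

    /* Copy the path (NUL included) into the target process. */
    pszLibFileRemote = (char *)VirtualAllocEx(hProcess, NULL, cbLibFile,
                                              MEM_COMMIT, PAGE_READWRITE);
    if (NULL == pszLibFileRemote) {
        goto cleanup;
    }
    if (!WriteProcessMemory(hProcess, pszLibFileRemote, (PVOID)szLibFile,
                            cbLibFile, NULL)) {
        goto cleanup;
    }

    hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn,
                                 pszLibFileRemote, 0, NULL);
    if (NULL == hThread) {
        goto cleanup;
    }
    /* LoadLibraryA reads the remote buffer, so it must not be freed until the
     * remote thread has run to completion. */
    WaitForSingleObject(hThread, INFINITE);

cleanup:
    /* Release in reverse order of acquisition; each guard is needed because
     * the gotos above can land here with any suffix of these still NULL. */
    if (pszLibFileRemote != NULL) {
        VirtualFreeEx(hProcess, pszLibFileRemote, 0, MEM_RELEASE);
    }
    if (hThread != NULL) {
        CloseHandle(hThread);
    }
    if (hProcess != NULL) {
        CloseHandle(hProcess);
    }
}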