该楼层疑似违规已被系统折叠 隐藏此楼查看此楼

然后新建一个win32 application 的工程 新建c++ source file 写入：

#include

#include

int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nShowCmd)

{

char DllName[MAX_PATH]="C:\\Program Files\\Microsoft Visual Studio\\MyProjects\\dll注入dll\\Debug\\dll注入dll.dll";//就是刚才写的dll的地址+文件名

HANDLE hProcessSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);

PROCESSENTRY32 pe32={sizeof(pe32)};

if(Process32First(hProcessSnap,&pe32))

{

do

{

if(strcmp(pe32.szExeFile,"EXPLORER.EXE")==0) //我注入的是explorer

{

break;

}

}

while(Process32Next(hProcessSnap,&pe32));

}

DWORD TargetProcessId=pe32.th32ProcessID;

CloseHandle(hProcessSnap);

HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,TargetProcessId);

int cbSize=lstrlen(DllName)+1;

LPVOID lpRemoteDllName=VirtualAllocEx(hProcess,NULL,(DWORD)cbSize,MEM_COMMIT,PAGE_READWRITE);

WriteProcessMemory(hProcess,lpRemoteDllName,DllName,(DWORD)cbSize,NULL);

HMODULE hModule=GetModuleHandle("kernel32.dll");

LPTHREAD_START_ROUTINE pfnStartRoutine=(LPTHREAD_START_ROUTINE)GetProcAddress(hModule,"LoadLibraryA");

HANDLE hRemoteThread=CreateRemoteThread(hProcess,NULL,0,pfnStartRoutine,lpRemoteDllName,0,NULL);

WaitForSingleObject(hRemoteThread,INFINITE);

CloseHandle(hRemoteThread);

CloseHandle(hProcess);

return 0;

}

compile build之后执行，你就看到了一个messagebox，而在资源管理器中则没有这个进程。

当然，杀毒软件会报毒，说有木马，别管就是了。有些低端的木马是用了这个技术。