dll的编写,调用,分析

dll的编写

dll是啥?

Windows 下的动态链接库。

dll的编写

创建一个dll,添加一个
dll.h

#pragma once
// Exported interface of the DLL.
// `extern "C"` suppresses C++ name mangling so the symbols keep their plain
// names; `_stdcall` fixes the calling convention, which every caller
// (including a function-pointer typedef used with GetProcAddress) must match.
// NOTE(review): on 32-bit MSVC an extern "C" _stdcall export is still
// decorated (e.g. `_add@8`) unless a .def file is used — check the export
// table (dependency walker) before relying on GetProcAddress(h, "add").
extern "C" _declspec(dllexport) int _stdcall add(int a, int b);
extern "C" _declspec(dllexport) int _stdcall sub(int a, int b);

dll.cpp

#include "stdafx.h"
#include "dll.h"
// Returns a + b. Signed overflow is undefined behaviour in C/C++, so the
// caller is responsible for keeping the sum within int range.
int _stdcall add(int a, int b)
{
    int sum = a;
    sum += b;
    return sum;
}
// Returns a - b. Signed overflow is undefined behaviour in C/C++, so the
// caller is responsible for keeping the difference within int range.
int _stdcall sub(int a, int b)
{
    int difference = a;
    difference -= b;
    return difference;
}

用dependency walker查看dll

dll的调用

隐式链接就是在程序开始执行时就将DLL文件加载到应用程序当中。实现隐式链接很容易,只要将导入函数关键字_declspec(dllimport)函数名等写到应用程序相应的头文件中就可以了。

静态

由于dll文件不能单独调试,所以需要创建一个调试dll工程的project,创建一个test项目

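// Link against the DLL's import library so `add`/`sub` resolve at link time
// (implicit, load-time linking).
#pragma comment(lib, "dll.lib")
// Import declarations. Two fixes against the original listing:
//  * a space between "C" and _declspec is required — since C++11,
//    `"C"_declspec` lexes as a user-defined string literal with suffix
//    `_declspec` and does not compile;
//  * `_stdcall` is added so these prototypes agree with dll.h, which also
//    declares the functions with `_stdcall`.
// NOTE(review): these dllimport prototypes are then redeclared as dllexport
// by "dll.h" below; MSVC warns about inconsistent dll linkage — keep one of
// the two in a real project.
extern "C" _declspec(dllimport) int _stdcall add(int a, int b);
extern "C" _declspec(dllimport) int _stdcall sub(int a, int b);
#include <stdio.h>   // printf; the header name was lost in the original listing
#include "dll.h"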
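// Entry point: calls the imported `add` and prints the result.
// Fixes against the original listing: `void main` is not valid C++ (main must
// return int), and the statement `a=add(8,10)` was missing its semicolon.
int main(void)
{
    int a = add(8, 10);
    printf("8+10= %d\n", a);
    return 0;
}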

动态

MFC调用,dll文件拷贝到工程的根目录下

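#include <stdio.h>
#include <windows.h>
// Function-pointer type for the DLL's exported `add`. The calling convention
// must match the export (dll.h declares it `_stdcall`); without it the pointer
// defaults to cdecl and on 32-bit builds every call leaves the stack
// unbalanced.
typedef int (_stdcall *PADD)(int x, int y);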
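// Entry point for explicit (run-time) linking: load dll.dll, resolve `add`,
// call it, unload. Returns 0 on success, 1 when loading or lookup fails.
int main(void)
{
    // The path is a narrow string, so call LoadLibraryA explicitly; the
    // LoadLibrary macro resolves to LoadLibraryW in UNICODE builds and would
    // not accept a char* argument.
    HMODULE hModule = LoadLibraryA("dll.dll");
    if (hModule == NULL) {
        // The original passed a NULL module straight into GetProcAddress.
        printf("LoadLibrary failed: %lu\n", (unsigned long)GetLastError());
        return 1;
    }
    PADD newadd = (PADD)GetProcAddress(hModule, "add");
    if (newadd == NULL) {
        // NOTE(review): a 32-bit _stdcall export may carry a decorated name
        // (e.g. _add@8); inspect the export table if this lookup fails.
        printf("GetProcAddress failed: %lu\n", (unsigned long)GetLastError());
        FreeLibrary(hModule);
        return 1;
    }
    int i = newadd(1, 2);
    printf("The result is %d\n", i);
    FreeLibrary(hModule);
    return 0;
}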

dll简单注入

目标程序

#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
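// Target process for the injection demo: prints its own pid and waits so the
// process stays alive while the injector runs.
int main(void)
{
    // GetCurrentProcessId returns a DWORD; keep it unsigned instead of
    // narrowing to int, and print it with the matching conversion.
    DWORD pid = GetCurrentProcessId();
    printf("pid = %lu\n", (unsigned long)pid);
    system("pause");
    return 0;
}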

dll程序

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "stdafx.h"
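// Thread routine started from DllMain: shows a message box and exits.
// Declared WINAPI so it matches LPTHREAD_START_ROUTINE; the original relied on
// a cast at the CreateThread call, which hides a calling-convention mismatch
// on 32-bit builds. MessageBoxW is used explicitly because the arguments are
// wide literals (the MessageBox macro only resolves to it in UNICODE builds);
// 3 is MB_YESNOCANCEL.
DWORD WINAPI MyThread(LPVOID Parameter)
{
    (void)Parameter; // not used
    MessageBoxW(NULL, L"ESE dll injector successfully", L"my dll", MB_YESNOCANCEL);
    return 0;
}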
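// DLL entry point. On process attach, hands the work to a new thread: DllMain
// runs under the loader lock, so nothing that could block or load further
// modules should run here directly. Always returns TRUE.
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;
    switch (ul_reason_for_call) // which loader event this call reports
    {
    case DLL_PROCESS_ATTACH: {
        // Stack size 0 selects the default (the original's 255 is below one
        // page and gets rounded up anyway). The cast is only correct if
        // MyThread is declared WINAPI/__stdcall.
        HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)MyThread, NULL, 0, NULL);
        if (hThread != NULL) {
            // The original leaked this handle; closing it does not stop the thread.
            CloseHandle(hThread);
        }
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
    default:
        break;
    }
    return TRUE;
}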


注入程序

// dll_injector.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <windows.h>
#include <winnt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
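// Console entry point: reads a pid and a DLL path, then makes the target
// process load that DLL via a remote thread running LoadLibraryA.
// Returns 0 on success, 1 on any failure. Fixes against the original listing:
//  * every failed API call now leaves via `out` instead of continuing with a
//    NULL handle/pointer;
//  * the path is read with a bounded fgets (the original scanf("%s", &path)
//    had no length limit — a stack overflow on a long path — and passed
//    char(*)[] where %s expects char*);
//  * WriteProcessMemory's BOOL result is tested as a boolean, not against NULL;
//  * the injector waits for the remote thread before freeing the buffer the
//    thread reads from;
//  * VirtualFreeEx is called with dwSize == 0, which MEM_RELEASE requires.
int main(void)
{
    int rc = 1;                 // exit status; 0 only on full success
    int processId = 0;
    char path[MAX_PATH] = {0};  // DLL path as typed by the user
    HANDLE hProc = NULL;
    HANDLE hThread = NULL;
    LPVOID allocAddress = NULL;
    LPVOID LoadLibAddr = NULL;
    SIZE_T writed = 0;
    int c = 0;

    printf("输入一个pid:");
    if (scanf("%d", &processId) != 1 || processId <= 0) {
        printf("invalid pid\n");
        goto out;
    }
    // Drain the rest of the line so fgets() below reads the path rather than
    // the newline scanf() left behind.
    while ((c = getchar()) != '\n' && c != EOF) {
    }

    // Arg 1: access rights; arg 2: inherit handle; arg 3: pid of the target process.
    hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, (DWORD)processId);
    if (hProc == NULL) {
        printf("OpenProcess Failure");
        goto out;
    }

    printf("dll path:");
    if (fgets(path, (int)sizeof path, stdin) == NULL) {
        printf("no dll path given\n");
        goto out;
    }
    path[strcspn(path, "\r\n")] = '\0';
    if (path[0] == '\0') {
        printf("no dll path given\n");
        goto out;
    }

    // Reserve a buffer in the target for the path string.
    allocAddress = VirtualAllocEx(hProc, NULL, sizeof path, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (allocAddress == NULL) {
        printf("VirtualAllocEx Failure");
        goto out;
    }
    if (!WriteProcessMemory(hProc, allocAddress, path, strlen(path) + 1, &writed)) {
        printf("WriteProcessMemory Failure");
        goto out;
    }

    // Resolve LoadLibraryA in this process: kernel32.dll is mapped at the same
    // base in every process of the same bitness until the next reboot, so the
    // address is valid in the target too (assumes target and injector bitness match).
    LoadLibAddr = (LPVOID)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
    if (LoadLibAddr == NULL) {
        printf("GetProcAddress Failure");
        goto out;
    }

    // NOTE(review): the OpenProcess / VirtualAllocEx / WriteProcessMemory /
    // CreateRemoteThread sequence is the canonical remote-thread injection
    // pattern; Sysmon Event ID 8 and most EDR products record exactly this.
    hThread = CreateRemoteThreadEx(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibAddr, allocAddress, 0, NULL, NULL);
    if (hThread == NULL) {
        printf("CreateRemoteThreadEx Failure");
        goto out;
    }
    // The remote thread reads `path` from allocAddress; freeing that buffer
    // right away (as the original did) races the thread.
    if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0) {
        printf("WaitForSingleObject Failure");
        goto out;
    }
    rc = 0;

out:
    if (allocAddress != NULL) {
        // MEM_RELEASE requires dwSize == 0; the original's MAX_PATH + 1 made
        // this call fail and leaked the remote allocation.
        VirtualFreeEx(hProc, allocAddress, 0, MEM_RELEASE);
    }
    if (hThread != NULL) {
        CloseHandle(hThread);
    }
    if (hProc != NULL) {
        CloseHandle(hProc);
    }
    system("pause");
    return rc;
}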

结果
