为了方便那些不懂或者不想用 C++ 的同志，我把 C++ 的 DLL 注入器源码转换成了 C# 的。这是一个很简单实用的注入器，用到了 CreateRemoteThread、WriteProcessMemory、VirtualAllocEx 这几个 API。
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;

namespace GijSoft.DllInjection
{
    /// <summary>
    /// Outcome of <see cref="DllInjector.Inject"/>.
    /// </summary>
    public enum DllInjectionResult
    {
        /// <summary>The given DLL path does not exist on disk (checked with File.Exists).</summary>
        DllNotFound,
        /// <summary>No running process whose ProcessName equals the requested name was found.</summary>
        GameProcessNotFound,
        /// <summary>One of the Win32 calls in the injection sequence returned NULL / FALSE.</summary>
        InjectionFailed,
        /// <summary>
        /// The remote thread was created. Nothing is awaited afterwards, so this does not
        /// prove that the DLL actually loaded in the target.
        /// </summary>
        Success
    }

    /// <summary>
    /// Loads a DLL into another process with the classic remote-thread technique:
    /// OpenProcess -> VirtualAllocEx -> WriteProcessMemory(path) -> CreateRemoteThread(LoadLibraryA, path).
    /// Because it opens a foreign process with write and thread-creation rights, allocates
    /// executable memory there and starts a thread at LoadLibraryA, this exact call chain is
    /// what endpoint monitoring typically reports as process injection.
    /// </summary>
    public sealed class DllInjector
    {
        // Sentinel for NULL returns from the Win32 calls below.
        static readonly IntPtr INTPTR_ZERO = (IntPtr)0;

        // Win32 P/Invoke declarations. SetLastError = true would let Marshal.GetLastWin32Error()
        // explain a failure, but no caller in this file reads it, so failures are reported
        // only as a bare "false".
        [DllImport("kernel32.dll", SetLastError = true)]
        static extern IntPtr OpenProcess(uint dwDesiredAccess, int bInheritHandle, uint dwProcessId);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern int CloseHandle(IntPtr hObject);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern IntPtr GetModuleHandle(string lpModuleName);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, IntPtr dwSize, uint flAllocationType, uint flProtect);

        // NOTE(review): the native lpNumberOfBytesWritten is an optional SIZE_T* out-pointer;
        // declaring it as int (and passing 0 below) is narrower than pointer size on 64-bit —
        // confirm it marshals as a NULL pointer on the intended platform.
        [DllImport("kernel32.dll", SetLastError = true)]
        static extern int WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] buffer, uint size, int lpNumberOfBytesWritten);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttribute, IntPtr dwStackSize, IntPtr lpStartAddress,
            IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

        static DllInjector _instance;

        /// <summary>
        /// Lazily created singleton. The null check is not synchronized, so two threads racing
        /// here may each construct an instance; harmless, as the class has no instance state.
        /// </summary>
        public static DllInjector GetInstance
        {
            get
            {
                if (_instance == null)
                {
                    _instance = new DllInjector();
                }
                return _instance;
            }
        }

        // Private constructor: instances are only handed out through GetInstance.
        DllInjector() { }

        /// <summary>
        /// Injects <paramref name="sDllPath"/> into the first running process named
        /// <paramref name="sProcName"/>.
        /// </summary>
        /// <param name="sProcName">
        /// Name as reported by Process.ProcessName (no ".exe"), compared with the default
        /// string equality, i.e. ordinal and case-sensitive.
        /// </param>
        /// <param name="sDllPath">
        /// Path of the DLL to load. It is written into the target as ASCII, so non-ASCII
        /// characters in the path are not preserved.
        /// </param>
        /// <returns>
        /// A <see cref="DllInjectionResult"/>; every failure inside bInject is collapsed into
        /// <see cref="DllInjectionResult.InjectionFailed"/> with no further detail.
        /// </returns>
        public DllInjectionResult Inject(string sProcName, string sDllPath)
        {
            if (!File.Exists(sDllPath))
            {
                return DllInjectionResult.DllNotFound;
            }

            uint _procId = 0;

            // First match wins; with several same-named processes the one chosen is
            // effectively arbitrary (GetProcesses gives no ordering guarantee).
            Process[] _procs = Process.GetProcesses();
            for (int i = 0; i < _procs.Length; i++)
            {
                if (_procs[i].ProcessName == sProcName)
                {
                    _procId = (uint)_procs[i].Id;
                    break;
                }
            }

            if (_procId == 0)
            {
                return DllInjectionResult.GameProcessNotFound;
            }

            if (!bInject(_procId, sDllPath))
            {
                return DllInjectionResult.InjectionFailed;
            }

            return DllInjectionResult.Success;
        }

        /// <summary>
        /// Runs the remote-thread sequence against process <paramref name="pToBeInjected"/>
        /// and returns false at the first failing Win32 call. Resource handling is incomplete:
        /// the process handle is closed only on the success path, the remote allocation is
        /// never released (there is no VirtualFreeEx declaration), and the thread handle
        /// returned by CreateRemoteThread is neither waited on nor closed.
        /// </summary>
        bool bInject(uint pToBeInjected, string sDllPath)
        {
            // 0x2 | 0x8 | 0x10 | 0x20 | 0x400 = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |
            // PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION. bInheritHandle is
            // passed as 1 (TRUE), so a child of this injector would inherit the handle; nothing
            // here needs that.
            IntPtr hndProc = OpenProcess((0x2 | 0x8 | 0x10 | 0x20 | 0x400), 1, pToBeInjected);

            if (hndProc == INTPTR_ZERO)
            {
                return false;
            }

            // Resolves LoadLibraryA in this process's own kernel32 and reuses that address in the
            // target. That presumably relies on kernel32 being mapped at the same base in both
            // processes (same bitness, same boot session) — not verified by the code.
            IntPtr lpLLAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");

            if (lpLLAddress == INTPTR_ZERO)
            {
                return false;   // hndProc is leaked here and on every early return below.
            }

            // 0x1000 | 0x2000 = MEM_COMMIT | MEM_RESERVE; 0x40 = PAGE_EXECUTE_READWRITE.
            // An RWX allocation in a foreign process, even though only a string is stored in it,
            // is one of the more readily flagged signals of this technique.
            IntPtr lpAddress = VirtualAllocEx(hndProc, (IntPtr)null, (IntPtr)sDllPath.Length, (0x1000 | 0x2000), 0X40);

            if (lpAddress == INTPTR_ZERO)
            {
                return false;
            }

            // ASCII only: characters outside ASCII are not representable and are replaced.
            byte[] bytes = Encoding.ASCII.GetBytes(sDllPath);

            if (WriteProcessMemory(hndProc, lpAddress, bytes, (uint)bytes.Length, 0) == 0)
            {
                return false;
            }

            // Starts a thread in the target at LoadLibraryA with the written path as its argument.
            // The returned thread handle is discarded, so completion and the load result are
            // never observed; "true" below only means the thread was created.
            if (CreateRemoteThread(hndProc, (IntPtr)null, INTPTR_ZERO, lpLLAddress, lpAddress, 0, (IntPtr)null) == INTPTR_ZERO)
            {
                return false;
            }

            // Only reached on the success path; the failure paths above skip this.
            CloseHandle(hndProc);

            return true;
        }
    }
}
注意：使用时必须安装 .NET Framework。