用exe控制另一个exe并调用函数
MyDll.h
#ifndef __MYDLL_H__
#define __MYDLL_H__
#include
//#include
#include
using namespace std;
#include
#include
#include
#ifndef EXC
#define EXC extern"C" __declspec(dllexport) //
#define EX __declspec(dllexport) //extern"C"
#endif
/**/
//---- Shared section ------------------------------------------------------
// Everything between the two data_seg pragmas is placed in section "MY_share",
// which the linker directive below marks read/write/shared: one copy of these
// variables is mapped into every process that loads this DLL.  Any such process
// can overwrite them, so readers must treat the values as untrusted input
// (validate before use), and nothing here synchronises concurrent access.
// Only initialised definitions land in a data_seg section, which is presumably
// why the pointer form is marked Χ and the array form √ in the original.
#pragma data_seg("MY_share")
int i共享G=-1;              // shared int; -1 until SetData() stores a value
//float *ΨLfG={0.0,0.0}; //Χ
float ΨLfG[]={0.0,0.0};//√  shared float pair
DWORD LiG[2]={0,0};//√      shared DWORD pair
#pragma data_seg()
#pragma comment(linker,"/section:MY_share,rws")
volatile DWORD iG;          // NOT in the shared section: an ordinary per-process global
// Exported setter for the shared section: stores `temp` into i共享G and LiG[0]
// and writes a fixed 0.56 into ΨLfG[0].  The PRINT1 macros are debug output
// from a header not shown here; their first argument looks like a label token
// that the macro stringises, so those tokens are left exactly as written.
// The three stores are unsynchronised, so a reader in another process may
// observe them in any order.
EXC void SetData(int temp)
{
i共享G=temp; ΨLfG[0]=0.56;PRINT1(+f,ΨLfG[0],f);
//ViG.push_back(temp);PTvector??(ViG);   // earlier std::vector attempt, commented out in the original
//ViG[0]=temp;
LiG[0]=temp;
PRINT1(+push_back,temp,d);
}
// Exported getter: logs the three shared values through PRINT3 and returns
// i共享G.  The return type is DWORD while i共享G is a signed int, so before any
// SetData() call the initial -1 comes back as 0xFFFFFFFF; a caller comparing
// against -1 must cast accordingly.
EXC DWORD iGetData()
{
//PTvector??(ViG);   // earlier std::vector attempt, commented out in the original
PRINT3(,i共享G,LiG[0],ΨLfG[0],d,d,f);
return i共享G;   // int -> DWORD conversion
}
////////////////////////////////////////////
// Hand-written prototypes for ntdll's NtCreateThreadEx, which has no public
// header.  The parameter names and types are the author's reconstruction, not a
// documented or stable ABI.  Only the 64-bit variant is referenced on this page
// (both hΔMyCreateRemoteThread helpers cast to ♂Δ函数指针nt64); the 32-bit
// variant immediately below is unused.
typedef DWORD (WINAPI *♂Δ函数指针nt)
(
PHANDLE ThreadHandle,
ACCESS_MASK DesiredAccess,
LPVOID ObjectAttributes,
HANDLE ProcessHandle,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
BOOL CreateSuspended, //●● author's note: this BOOL is an int
DWORD dwStackSize,
DWORD dw1,
DWORD dw2,
LPVOID Unknown
);
// 64-bit layout of the same call; the trailing four parameters are passed as
// NULL/0 by every caller on this page.
typedef DWORD64(WINAPI *♂Δ函数指针nt64)
(
PHANDLE ThreadHandle,
ACCESS_MASK DesiredAccess,
LPVOID ObjectAttributes,
HANDLE ProcessHandle,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
BOOL CreateSuspended,
DWORD64 dwStackSize,
DWORD64 Unknown1,
DWORD64 Unknown2,
LPVOID Unknown3
);
//==============================
// Looks up a running process by executable name and opens it.
// Returns a process handle, or NULL when the snapshot cannot be taken or
// OpenProcess fails; the caller owns the returned handle (CloseHandle).
// NOTE(review), left as written:
//  - `pe入口.th42ProcessID` is not a PROCESSENTRY32 member (the documented
//    field is th32ProcessID), so the function does not compile as shown;
//  - Process32First's return value is not checked before the loop;
//  - when no name matches, dw打开进程 stays 0 and OpenProcess is still called
//    with PID 0, which is expected to fail and yield NULL;
//  - PROCESS_ALL_ACCESS is broader than needed; the author's own commented-out
//    alternative on the OpenProcess line is the least-privilege form;
//  - printf("%s") with an LPCTSTR is only correct in a non-UNICODE build.
HANDLE hΔ打开进程(LPCTSTR lp寻找进程)// find a process by executable name and open it
{
DWORD dw打开进程 = 0; HANDLE h打开进程 =0;
HANDLE h快照 = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); // process-list snapshot; heaps, modules and threads are not requested
if(h快照 == INVALID_HANDLE_VALUE)
{
PRINT1(★获得进程快照失败:,GetLastError(),d);   // "failed to take the process snapshot"
return h打开进程;   // still 0 / NULL
}
PROCESSENTRY32 pe入口;// process entry record
pe入口.dwSize = sizeof(PROCESSENTRY32);// Toolhelp requires dwSize to be filled in before the first call
Process32First(h快照,&pe入口);// first entry (return value not checked)
printf("lp寻找进程= %s\n",lp寻找进程);
do
{ //printf("pe入口.szExeFile= %s\n",pe入口.szExeFile);
if(!lstrcmp(pe入口.szExeFile,lp寻找进程))// exact, case-sensitive name match
{
dw打开进程 = pe入口.th42ProcessID;   // sic — see the note above
break;
}
}while (Process32Next(h快照,&pe入口));
h打开进程 = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dw打开进程);//|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE
CloseHandle(h快照);
return h打开进程;// NULL if OpenProcess failed
}
//========================================================
// Function-pointer types used to call through addresses stored in 卍参数.
// ♂ΔPrint and ♂iΔFUNC are not referenced by live code on this page.
typedef DWORD (__stdcall* ♂ΔPrint)(LPCTSTR,...);//__stdcall   (printf-like, variadic)
typedef DWORD (__stdcall* ♂cΔFUNC)(LPCTSTR);   // one string argument (used by FuncTest2)
typedef DWORD (__stdcall* ♂iΔFUNC)(DWORD);     // one DWORD argument
typedef DWORD (__stdcall* ♂ΔFUNC)();           // no arguments (used by FuncTest1)
// Thread parameter block.  It is copied byte-for-byte into the target process
// by WriteProcessMemory (see ΨΔ写地址到进程), so the pointers it carries are
// addresses from the writing process, not the target's.
typedef struct sd参数
{
char c[100]; // text buffer handed to the called function (main.cpp fills it with strcat)
♂ΔFUNC ΨΔ;
♂cΔFUNC ΨcΔ;
LPVOID ΨFunc;// entry address of the function to call
DWORD iFunc;// entry address of the function to call (32-bit form, unused by live code)
DWORD i;
}卍参数;
//定义MessageBox类型的函数指针
//EXC DWORD __stdcall FuncTest2(卍参数 *&参数)//LPVOID LPVOID
// Trial routine meant to run as a thread inside another process: reads a
// 卍参数 block, takes the pointer stored in ΨFunc and calls it with the text
// buffer c.  Not the routine main.cpp actually copies (that is FuncTest1).
// NOTE(review): declared `void __stdcall (LPVOID)` but used elsewhere as an
// LPTHREAD_START_ROUTINE (DWORD WINAPI (LPVOID)); the return-type mismatch
// leaves the thread exit code undefined.  ΨFunc is invoked through ♂cΔFUNC
// (__stdcall, one LPCTSTR), so whatever is stored there must have exactly that
// signature — main.cpp stores printf, which is cdecl and variadic.
// The commented-out lines record the author's earlier attempts.
void __stdcall FuncTest2(LPVOID 参数)
{
//参数->ΨΔ();//参数->c
/**/
卍参数* Ψ参数 = (卍参数*)参数;   // block written into this process by ΨΔ写地址到进程
//Ψ参数->ΨΔ();//ΧΧ出错return ;   ("ΧΧ crashed" in the original)
//Ψ参数->ΨcΔ(Ψ参数->c);
♂cΔFUNC ΨΔfunc = (♂cΔFUNC)Ψ参数->ΨFunc;ΨΔfunc(Ψ参数->c);   // indirect call through the stored address
//ΨΔfunc = (♂cΔFUNC)Ψ参数->iFunc;ΨΔfunc(Ψ参数->c);
//Ψ参数->ΨcΔ(Ψ参数->c);
//♂iΔFUNC ΨΔfunc = (♂iΔFUNC)Ψ参数->ΨFunc;//ΨΔfunc(Ψ参数->i);
//printf(Ψ参数->c);
return ;
}
// Variant of FuncTest2 that calls the stored pointer with no arguments
// (♂ΔFUNC).  This is the routine main.cpp copies into the target and starts
// as a remote thread.
// NOTE(review): same return-type mismatch as FuncTest2 (void where an
// LPTHREAD_START_ROUTINE must return DWORD).  main.cpp stores printf in
// ΨFunc, so this call reaches printf with no format argument at all, which is
// undefined behaviour.
void __stdcall FuncTest1(LPVOID 参数)
{
卍参数* Ψ参数 = (卍参数*)参数;   // block written by ΨΔ写地址到进程
♂ΔFUNC ΨΔfunc = (♂ΔFUNC)Ψ参数->ΨFunc;ΨΔfunc();   // zero-argument indirect call
}
// Empty placeholder routine: stdcall, no arguments, no return value, no effect.
// Presumably kept so its address can be handed around as a ♂ΔFUNC; the
// original also carried a commented-out exported variant taking an LPVOID.
void __stdcall FuncTest()
{
}
// Exported helper: writes `ch` to stdout behind a "▼ ch=" label.
// Passing NULL is undefined behaviour (the %s conversion dereferences it).
EXC void __stdcall MyPrint(char*ch)
{
    fprintf(stdout, "▼ ch= %s\n", ch);
}
//------------------------------
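// Copies the NUL-terminated string `c` into `c2__`, terminator included — a
// hand-rolled strcpy.  The loop bound in the original was lost in extraction
// (`for( i=0;i {`); it is restored here as the source length.
// Precondition: `c2__` has room for strlen(c)+1 bytes.  Nothing here bounds
// the write, so the caller owns that check (the commented-out call in
// main.cpp targets 卍参数::c, a 100-byte buffer).  NULL for either argument
// is undefined behaviour.
inline void c_c(const char*c,char *c2__)
{
    size_t len = strlen(c);
    memcpy(c2__, c, len + 1);   // +1 copies the terminating '\0'
}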
//========================================
// True when the reported OS major version is 6 or later (Vista / Server 2008
// and newer), false otherwise.  GetVersionEx's return value is not checked:
// if the call fails, the zero-initialised struct yields major version 0 and
// the function reports false.
bool bΔvista之后()
{
    OSVERSIONINFO info = {0};
    info.dwOSVersionInfoSize = sizeof info;
    GetVersionEx(&info);
    return info.dwMajorVersion >= 6;
}
//提升程序权限
// Attempts to enable SE_DEBUG_NAME on the current process token; returns TRUE
// only if AdjustTokenPrivileges reported success.  Not called by live code on
// this page (main.cpp uses bΔ访问权限 below, the checked version of the same
// sequence).
// NOTE(review), left as written:
//  - both `if(...) ;` statements are empty: a failed LookupPrivilegeValue is
//    ignored and tp.Privileges[0].Luid is then used uninitialised;
//  - AdjustTokenPrivileges returning non-zero does not mean the privilege was
//    granted — it also returns non-zero with GetLastError()==ERROR_NOT_ALL_ASSIGNED
//    when the token does not hold the privilege, so fOk can be true while the
//    privilege stays disabled.
BOOL bΔEnableDebugPrivilege()
{
HANDLE hToken;
BOOL fOk=false;
if(OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken))
{
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount=1;
if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tp.Privileges[0].Luid)) ;   // empty statement: failure ignored
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
if(!AdjustTokenPrivileges(hToken,false,&tp,sizeof(tp),NULL,NULL)) ;   // empty statement
else
fOk = true;
CloseHandle(hToken);
}
return fOk;
}
//====提升进程访问权限====================================
// Enables SeDebugPrivilege on the current process token.
// Returns true if every step (open token, look up the LUID, adjust) reported
// success, false otherwise; the token handle is closed on every path.
// Caveat (documented Windows behaviour, unchanged here): AdjustTokenPrivileges
// also returns non-zero when the privilege could not be assigned
// (GetLastError()==ERROR_NOT_ALL_ASSIGNED), so `true` does not guarantee the
// privilege is actually enabled.  main.cpp ignores the return value.
bool bΔ访问权限()
{
    HANDLE hToken = NULL;
    bool enabled = false;

    if (OpenProcessToken(GetCurrentProcess(),
                         TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        LUID debugLuid;
        if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &debugLuid))
        {
            TOKEN_PRIVILEGES tkp;
            tkp.PrivilegeCount = 1;
            tkp.Privileges[0].Luid = debugLuid;
            tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            enabled = AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL) != 0;
        }
        CloseHandle(hToken);
    }
    return enabled;
}
//========================================================
// Starts ΨΔ函数 in process h打开进程 through NtCreateThreadEx and waits for it
// to finish.  Returns the thread handle (owned by the caller), or NULL if the
// wait failed.  Superseded by hΔMyCreateRemoteThread below; neither helper is
// called by main.cpp, which calls CreateRemoteThread directly.
// NOTE(review), left as written:
//  - GetProcAddress may return NULL (the check is commented out); calling
//    through a NULL FARPROC crashes rather than failing;
//  - the status returned by the call is discarded, so hRemoteThread can still
//    be NULL when WaitForSingleObject is reached;
//  - on WAIT_FAILED the thread handle is leaked (NULL is returned without
//    CloseHandle);
//  - 0x1FFFFF is a magic access mask; a named constant would document intent.
HANDLE hΔMyCreateRemoteThread1(HANDLE h打开进程, LPTHREAD_START_ROUTINE ΨΔ函数, LPVOID Ψ参数)
{
HANDLE hRemoteThread = NULL;
PRINT1(,bΔvista之后(),d);   // debug: result of the OS version check
FARPROC ΨΔNtCreateThreadEx = GetProcAddress(GetModuleHandle("ntdll.dll"), "NtCreateThreadEx");
//if(ΨΔNtCreateThreadEx==NULL){PRINT2(★,ΨΔNtCreateThreadEx,GetLastError(),d,d);return NULL;}
((♂Δ函数指针nt64)ΨΔNtCreateThreadEx)(&hRemoteThread,0x1FFFFF,NULL,h打开进程,ΨΔ函数,Ψ参数,FALSE,NULL,NULL,NULL,NULL);
if(WAIT_FAILED==WaitForSingleObject(hRemoteThread,INFINITE)){return NULL;}   // leaks hRemoteThread
return hRemoteThread;
}
// Starts ΨΔ函数 in process h打开进程 and waits for it to finish: NtCreateThreadEx
// on Vista and later, CreateRemoteThread on older systems.  Returns the thread
// handle (owned by the caller), or NULL on failure.  Not called by main.cpp.
// NOTE(review), left as written:
//  - h打开进程 is taken by reference but only read, so by-value would do;
//  - in the Vista branch GetProcAddress may return NULL (check commented out)
//    and the call's status is discarded, so hRemoteThread can still be NULL at
//    the wait — only the pre-Vista branch reports a NULL handle;
//  - on WAIT_FAILED the thread handle is leaked (NULL returned without
//    CloseHandle);
//  - 0x1FFFFF is a magic access mask; a named constant would document intent.
HANDLE hΔMyCreateRemoteThread(HANDLE&h打开进程, LPTHREAD_START_ROUTINE ΨΔ函数, LPVOID Ψ参数)
{
HANDLE hRemoteThread = NULL;
//---- Vista, 7, Server2008--------------------------
if(bΔvista之后())
{
//typedef DWORD (FAR WINAPI *FARPROC)()
FARPROC ΨΔNtCreateThreadEx = GetProcAddress(GetModuleHandle("ntdll.dll"), "NtCreateThreadEx");
//if(ΨΔNtCreateThreadEx==NULL){PRINT2(★,ΨΔNtCreateThreadEx,GetLastError(),d,d);return NULL;}
((♂Δ函数指针nt64)ΨΔNtCreateThreadEx)(&hRemoteThread,0x1FFFFF,NULL,h打开进程,ΨΔ函数,Ψ参数,FALSE,NULL,NULL,NULL,NULL);
//if(hRemoteThread==NULL){PRINT2(★,hRemoteThread,GetLastError(),d,d);return NULL;}
PRINT1(√√,hRemoteThread,d);   // debug: handle value (may be NULL, see note above)
}
//----2000, XP, Server2003--------------------------
else
{
hRemoteThread=CreateRemoteThread(h打开进程,NULL,0,ΨΔ函数,Ψ参数,0,NULL);
if( hRemoteThread == NULL )
{PRINT2(★2·,hRemoteThread,GetLastError(),d,d);
return NULL;
}
}
if(WAIT_FAILED==WaitForSingleObject(hRemoteThread,INFINITE)){return NULL;}//●● author's note: this wait matters; without it the process may crash
return hRemoteThread;
}
////////////////////////////////////////////
// Allocates iSize bytes in h打开进程 and copies *Ψ参数 into it; returns the
// remote address.  b是函数 selects PAGE_EXECUTE_READWRITE (for code) versus
// PAGE_READWRITE (for data) — execute permission is only needed when the bytes
// are code, so pass false for plain data.
// NOTE: the template parameter list (`template<class T>`) was lost in extraction.
// NOTE(review), left as written:
//  - VirtualAllocEx's result is not checked; a NULL goes straight into
//    WriteProcessMemory;
//  - on failure this closes h打开进程, a handle it does not own — main.cpp
//    keeps using that handle afterwards and closes it again (double close);
//  - VirtualFreeEx is called with MEM_COMMIT, which is not a valid free type
//    (MEM_DECOMMIT / MEM_RELEASE, as the author's own comment notes), and the
//    GetLastError() printed on that path is read after CloseHandle, so it may
//    be stale;
//  - every path returns Ψ参数__, so the caller cannot distinguish a failed or
//    partial write from success.
template
LPVOID ΨΔ写地址到进程(HANDLE h打开进程,T*Ψ参数,DWORD iSize,BOOL b是函数=true)//● author's note: should be a pointer reference, void*&Ψ参数__
{
SIZE_T dwHasWrite;LPVOID Ψ参数__ =NULL;
/**/
if(b是函数)
{Ψ参数__ = VirtualAllocEx(h打开进程,0,iSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);}   // executable page for code
else
{Ψ参数__ = VirtualAllocEx(h打开进程,0,iSize,MEM_COMMIT,PAGE_READWRITE);}   // data-only page
//---- copy the parameter block into the target's address space --------------------------
if(WriteProcessMemory(h打开进程,Ψ参数__,Ψ参数,iSize,&dwHasWrite)) // (original comment: "write the dll path into the main process")
{//PRINT2(,dwHasWrite,iSize,d,d);
if(dwHasWrite != iSize)
{
VirtualFreeEx(h打开进程,Ψ参数__,iSize,MEM_COMMIT); // original comment: target's handle; the allocation can be released from another process. MEM_RELEASE
CloseHandle(h打开进程);   // closes the caller's handle
PRINT1(★!!!VirtualFreeEx失败:,GetLastError(),d);   // "VirtualFreeEx failed"
return Ψ参数__;   // same value as on success
}
}
else
{
PRINT1(★!!!写入远程进程内存空间出错:,GetLastError(),d);   // "error writing remote process memory"
CloseHandle(h打开进程);   // closes the caller's handle
return Ψ参数__;   // same value as on success
}
return Ψ参数__;
}
////////////////////////////////////////////
// Demo thread routine (unused: its CreateThread call in DllMain is commented
// out).  Shows a message box and exits with code 0; pParam is ignored.
DWORD WINAPI ΔMyThreadProc1( LPVOID pParam )
{
    (void)pParam;
    MessageBox(NULL, "DLL已进入线程1。", "信息", MB_ICONINFORMATION);
    return 0;
}
// Second demo thread routine (also unused: its CreateThread call in DllMain is
// commented out).  Shows a message box and exits with code 0; pParam is ignored.
DWORD WINAPI ΔMyThreadProc2( LPVOID pParam )
{
    (void)pParam;
    MessageBox(NULL, "DLL已进入线程2。", "信息", MB_ICONINFORMATION);
    return 0;
}
//========================================================
// DLL entry point.  Only logs attach/detach through PRINT0; no threads are
// started (the CreateThread calls are commented out) and dwThreadId is unused.
// NOTE(review): the documented signature is BOOL WINAPI DllMain(HINSTANCE, DWORD,
// LPVOID); returning a one-byte `bool` where the loader expects a four-byte BOOL
// may leave the upper bytes of the return register undefined — declare it BOOL.
// Console output from DllMain runs under the loader lock; keep it minimal.
// The switch has no default, so thread attach/detach reasons are silently
// ignored (harmless here).
bool APIENTRY DllMain( HANDLE hModule,DWORD ul_reason_for_call,LPVOID lpReserved)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
//MessageBox( NULL, "√√DLL已进入目标进程。", "信息", MB_ICONINFORMATION );
PRINT0(▼▼ DLL已进入目标进程。);//SetData(28);   // log "DLL entered the target process"
DWORD dwThreadId;   // unused: the thread creation below is commented out
//HANDLE myThread1 = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ΔMyThreadProc1, NULL, 0, &dwThreadId);
//HANDLE myThread2 = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ΔMyThreadProc2, NULL, 0, &dwThreadId);
//PRINT1(,iG,d);//Χ
break;
}
case DLL_PROCESS_DETACH:
{
PRINT0(▼▼ ~~DLL已从目标进程卸载。);   // log "DLL unloaded from the target process"
//MessageBox( NULL, "√√DLL已从目标进程卸载。", "信息", MB_ICONINFORMATION );
break;
}
}
return TRUE;
}
#endif
-----------------------------------------------------------------------------------
main.cpp
//#include
#include "MyDll.h"
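// Stdcall no-op used as a trial target routine.  The original computed an
// unused local (`int i=9+7;`), which was dead code and is dropped; the earlier
// putchar attempt is kept commented out for context.
void __stdcall myprint2()
{
    //putchar('M');//Χ
}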
////////////////////////////////////////////
// Controller entry point: finds main_w64.exe, copies FuncTest1 and a 卍参数
// block into it, and starts the copy as a remote thread.  Exit codes are
// inconsistent: -1 when the process is not found, 0 on later failures, 1 on
// success.
// NOTE(review), left as written:
//  - bΔ访问权限()'s result is ignored; dwHasWrite and iSize are unused, c参数 is
//    only used for strlen, and dwWriteBytes actually receives the thread id;
//  - WriteProcessMemory copies dwThreadSize (4096) bytes starting at &FuncTest1,
//    far more than the function body, so it reads past the function;
//  - 参数.ΨFunc is printf's address resolved in this process and is only
//    printed, never NULL-checked; FuncTest1 then calls it with no arguments,
//    which is undefined behaviour for printf;
//  - ΨΔ写地址到进程 is passed true, so a plain data struct lands in
//    PAGE_EXECUTE_READWRITE memory; PAGE_READWRITE is the least-privilege
//    choice for data;
//  - neither Ψ参数 nor hRemoteThread is NULL-checked, hRemoteThread is never
//    closed, and h打开进程 may already have been closed inside ΨΔ写地址到进程
//    on error (double close below);
//  - with the WaitForSingleObject commented out the controller exits while the
//    remote thread may still be running.
int main()
{
//bΔEnableDebugPrivilege() ;
bΔ访问权限();const DWORD dwThreadSize = 4096;   // return value ignored
SIZE_T dwHasWrite;DWORD dwWriteBytes;   // dwHasWrite unused; dwWriteBytes receives the thread id
const char *c参数= "B:/MyDll64在.dll";   // only used for strlen below
//const char c参数= 'B';
HANDLE h打开进程 = hΔ打开进程("main_w64.exe");//● author's note: ASCII names are less error-prone
if(h打开进程 == NULL)
{
PRINT1(★ 打开进程 失败!:,GetLastError(),d);   // "open process failed"
return -1;
}
else
{
PRINT1(▼ 找到·,h打开进程,d);   // "found"
}
LPVOID ΨΔ函数= NULL;   // remote address of the copied FuncTest1
卍参数 参数;// DWORD is unsigned long
ZeroMemory(&参数, sizeof(卍参数));//PRINT2(,sizeof(卍参数),sizeof(参数),d,d);//√
int iSize = strlen(c参数)+1;strcat(参数.c, "Hello_IMDJS \0");//c_c(c参数,参数.c);   // iSize unused; 参数.c is zeroed, so strcat acts as strcpy here
//----FuncTest1--------------------------
ΨΔ函数=VirtualAllocEx(h打开进程,0,dwThreadSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);if(!ΨΔ函数){PRINT1(★新建ΨΔ函数失败!,h打开进程,d);return 0;} if(!WriteProcessMemory(h打开进程,ΨΔ函数,&FuncTest1,dwThreadSize,0)){PRINT1(★写Δ函数失败!,h打开进程,d);return 0;}   // allocate in the target and copy 4096 bytes from &FuncTest1 (over-read, see note above)
参数.ΨFunc=GetProcAddress(GetModuleHandle("msvcrt.dll"),"printf");   // printf's address in this process; not NULL-checked
PRINT1(,参数.ΨFunc,d);
LPVOID Ψ参数 =ΨΔ写地址到进程(h打开进程,&参数,sizeof(卍参数),true);   // true => executable page for plain data; result not NULL-checked
//====NtCreateThreadEx====================================
HANDLE hRemoteThread=NULL;
hRemoteThread=CreateRemoteThread(h打开进程,NULL,0, (LPTHREAD_START_ROUTINE) ΨΔ函数,Ψ参数,0,&dwWriteBytes);   // last argument is lpThreadId; the hΔMyCreateRemoteThread helpers are not used
PRINT1(,hRemoteThread,d);
//------------------------------------------------------------
//VirtualFreeEx(h打开进程, Ψ参数, 0, MEM_RELEASE);
CloseHandle(h打开进程);   // double close if ΨΔ写地址到进程 already closed it on error
//if(WAIT_FAILED==WaitForSingleObject(hRemoteThread,INFINITE)){return NULL;}
//system("pause");
return 1;
}
main_w.cpp(宿主)
#include
// Host-side demo routine: prints a constant through the PRINT1 debug macro
// (its first argument appears to be a label token the macro stringises, so the
// tokens are left as written).  The commented-out variant printed the global iG.
void FuncPuls()
{
DWORD c=5;
PRINT1(a+b=, c,d);//PRINT1(main·, iG,d);
}
//------------------------------
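// Host program entry point: runs the demo routine, then waits for a key so the
// console window stays open.  Declared `int main` (the standard form) instead
// of the original non-standard `void main`; behaviour is unchanged apart from
// the process now returning 0.
// `system("pause")` spawns a shell to show the Windows "Press any key" prompt;
// it is kept because that prompt is part of the original behaviour, but a plain
// getchar() would avoid the shell if the prompt text is not needed.
int main()
{
    //char* ch="MYPRINT";putchar('M');
    FuncPuls();
    system("pause");
    return 0;
}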