Reverse
/
wechat


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109
							#include "StdAfx.h"
#include "Injection.h"

CInjection::CInjection(DWORD dwPid, LPCTSTR lpDynamicLibraryPath)
:m_dwInjectPID(dwPid),
m_hInjectProcess(NULL),
m_lpInjectData(NULL),
m_lpEjectData(NULL),
m_hInjectThread(NULL),
m_hEjectThread(NULL),
m_dwPathLen(0)
{
	ASSERT(dwPid!=0);
	ASSERT(lpDynamicLibraryPath!=NULL);

	memset(m_szDllPath, 0, sizeof(m_szDllPath));
	_tcscpy_s(m_szDllPath,lpDynamicLibraryPath);
	
	m_hInjectProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, m_dwInjectPID);
	//m_hInjectProcess = OpenProcess(PROCESS_CREATE_THREAD	| PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, m_dwInjectPID);
}

CInjection::~CInjection(void)
{
	// 卸载dll;
	EjectDynamicLibrary();

	// 释放所有资源;
	if (m_hInjectThread)
		CloseHandle(m_hInjectThread);
	m_hInjectThread = NULL;

	if (m_hEjectThread)
		CloseHandle(m_hEjectThread);
	m_hEjectThread = NULL;

	if (m_lpInjectData)
		VirtualFreeEx(m_hInjectProcess, m_lpInjectData, m_dwPathLen, MEM_RELEASE);
	m_lpInjectData = NULL;

	if (m_lpEjectData)
		VirtualFreeEx(m_hInjectProcess, m_lpEjectData, m_dwPathLen, MEM_RELEASE);
	m_lpEjectData = NULL;

	if (m_hInjectProcess)
		CloseHandle(m_hInjectProcess);
	m_hInjectProcess = NULL;
}

BOOL CInjection::InjectDynamicLibrary()
{
	ASSERT(m_hInjectProcess!=NULL);

	m_dwPathLen = _tcslen(m_szDllPath)*sizeof(TCHAR)+1;
	m_lpInjectData = VirtualAllocEx(m_hInjectProcess,NULL, m_dwPathLen, MEM_COMMIT, PAGE_READWRITE);
	if (NULL == m_lpInjectData)
		return FALSE;

	if (WriteProcessMemory(m_hInjectProcess, m_lpInjectData, m_szDllPath, m_dwPathLen, NULL) == 0)
	{
		VirtualFreeEx(m_hInjectProcess, m_lpInjectData, 0, MEM_RELEASE);
		return FALSE;
	}

	HMODULE hk32 = GetModuleHandle(_T("kernel32.dll"));
	// 注意：微信使用的是W版本;
	LPVOID lpAddr = GetProcAddress(hk32,"LoadLibraryW");

	m_hInjectThread = CreateRemoteThread(m_hInjectProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpAddr, m_lpInjectData, 0, NULL);
	if (NULL == m_hInjectThread)
	{
		VirtualFreeEx(m_hInjectProcess, m_lpInjectData, 0, MEM_RELEASE);
		return FALSE;
	}

	if (m_hInjectThread)
		CloseHandle(m_hInjectThread);
	m_hInjectThread = NULL;
	
	/* 注入成功后，不能释放内存否则微信会挂;
	if (m_lpInjectData != NULL)
		VirtualFreeEx(m_hInjectProcess, m_lpInjectData, 0, MEM_RELEASE);
	*/

	return TRUE;
}

BOOL CInjection::EjectDynamicLibrary()
{
	if(m_hInjectProcess==NULL)
		return -1;

	// 获取模块句柄;
	HANDLE hModule = FindModuleEx(m_szDllPath, m_dwInjectPID);
	if (hModule == NULL )
		return FALSE;

	LPVOID lpAddr = GetProcAddress(GetModuleHandle(_T("kernel32.dll")), "FreeLibraryAndExitThread");//FreeLibraryAndExitThread//FreeLibrary
	m_hEjectThread = CreateRemoteThread(m_hInjectProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpAddr, hModule, 0, NULL);
	WaitForSingleObject(m_hEjectThread, INFINITE);

	return TRUE;
}

void CInjection::InjectionExistProcess()
{
	// 查找现在的进程;
	vector<DWORD> vtPID = FindAllProcess(WECHAT);
}