wechat/source/hook/WeChats/Injection.cpp

#include "StdAfx.h"
#include "Injection.h"

CInjection::CInjection()
{
}

CInjection::CInjection(DWORD dwPid, LPCTSTR lpDynamicLibraryPath)
:m_dwInjectPID(dwPid),
m_hInjectProcess(NULL),
m_lpInjectData(NULL),
m_lpEjectData(NULL),
m_hInjectThread(NULL),
m_hEjectThread(NULL),
m_dwPathLen(0)
{
	ASSERT(dwPid!=0);
	ASSERT(lpDynamicLibraryPath!=NULL);

	memset(m_szDllPath, 0, sizeof(m_szDllPath));
	_tcscpy_s(m_szDllPath,lpDynamicLibraryPath);
	
	m_hInjectProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, m_dwInjectPID);
	if ( m_hInjectProcess == NULL)
	{
		WriteTextLog(_T("打开WeChat.exe进程失败"));
	}
	//m_hInjectProcess = OpenProcess(PROCESS_CREATE_THREAD	| PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, m_dwInjectPID);
}

CInjection::~CInjection(void)
{
	// 卸载dll;
	EjectDynamicLibrary();

	// 释放所有资源;
	if (m_hInjectThread)
		CloseHandle(m_hInjectThread);
	m_hInjectThread = NULL;

	if (m_hEjectThread)
		CloseHandle(m_hEjectThread);
	m_hEjectThread = NULL;

	if (m_lpInjectData)
		VirtualFreeEx(m_hInjectProcess, m_lpInjectData, m_dwPathLen, MEM_RELEASE);
	m_lpInjectData = NULL;

	if (m_lpEjectData)
		VirtualFreeEx(m_hInjectProcess, m_lpEjectData, m_dwPathLen, MEM_RELEASE);
	m_lpEjectData = NULL;

	if (m_hInjectProcess)
		CloseHandle(m_hInjectProcess);
	m_hInjectProcess = NULL;
}

void CInjection::setInjectionObj(DWORD dwPid, LPCTSTR lpDynamicLibraryPath)
{
	ASSERT(dwPid != 0);
	ASSERT(lpDynamicLibraryPath != NULL);

	m_dwInjectPID = dwPid;
	memset(m_szDllPath, 0, sizeof(m_szDllPath));
	_tcscpy_s(m_szDllPath, lpDynamicLibraryPath);

	m_hInjectProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, m_dwInjectPID);
	if (m_hInjectProcess == NULL)
	{
		WriteTextLog(_T("打开WeChat.exe进程失败"));
	}
	//m_hInjectProcess = OpenProcess(PROCESS_CREATE_THREAD	| PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, m_dwInjectPID);
}

BOOL CInjection::InjectDynamicLibrary()
{
	ASSERT(m_hInjectProcess!=NULL);

	m_dwPathLen = _tcslen(m_szDllPath)*sizeof(TCHAR)+1;
	m_lpInjectData = VirtualAllocEx(m_hInjectProcess,NULL, m_dwPathLen, MEM_COMMIT, PAGE_READWRITE);
	if (NULL == m_lpInjectData)
	{
		WriteTextLog(_T("创建WeChat.exe进程虚拟内存失败"));
		return FALSE;
	}

	if (WriteProcessMemory(m_hInjectProcess, m_lpInjectData, m_szDllPath, m_dwPathLen, NULL) == 0)
	{
		// 注意：MEM_RELEASE释放时第三参数一定要为0，请查看MSDN;
		VirtualFreeEx(m_hInjectProcess, m_lpInjectData, 0, MEM_RELEASE);
		return FALSE;
	}

	HMODULE hk32 = GetModuleHandle(_T("kernel32.dll"));
	// 注意：微信使用的是W版本;
	LPVOID lpAddr = GetProcAddress(hk32,"LoadLibraryW");

	m_hInjectThread = CreateRemoteThread(m_hInjectProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpAddr, m_lpInjectData, 0, NULL);
	if (NULL == m_hInjectThread)
	{
		// 注意：MEM_RELEASE释放时第三参数一定要为0，请查看MSDN;
		VirtualFreeEx(m_hInjectProcess, m_lpInjectData, 0, MEM_RELEASE);
		return FALSE;
	}

	WaitForSingleObject(m_hInjectThread, INFINITE);
	if (m_hInjectThread)
		CloseHandle(m_hInjectThread);
	m_hInjectThread = NULL;
	
	/* 注入成功后，不能释放内存否则微信会挂;
	if (m_lpInjectData != NULL)
		VirtualFreeEx(m_hInjectProcess, m_lpInjectData, 0, MEM_RELEASE);
	*/

	return TRUE;
}

BOOL CInjection::EjectDynamicLibrary()
{
	if(m_hInjectProcess==NULL)
		return TRUE;

	// 获取模块句柄;
	HANDLE hModule = FindModuleEx(m_szDllPath, m_dwInjectPID);
	if (hModule == NULL )
	{
		WriteTextLog(_T("获取WeChat.exe进程模块hook.dll失败"));
		return FALSE;
	}

	LPVOID lpAddr = GetProcAddress(GetModuleHandle(_T("kernel32.dll")), "FreeLibraryAndExitThread");//FreeLibraryAndExitThread//FreeLibrary
	if (lpAddr == NULL )
	{
		WriteTextLog(_T("获取kernel32.dll中的FreeLibraryAndExitThread失败"));
		return FALSE;
	}

	m_hEjectThread = CreateRemoteThread(m_hInjectProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpAddr, hModule, 0, NULL);
	if ( m_hEjectThread == NULL )
	{
		WriteTextLog(_T("创建WeChat.exe远程线程（FreeLibraryAndExitThread）失败"));
		return FALSE;
	}

	WaitForSingleObject(m_hEjectThread, INFINITE);
	if (m_hEjectThread)
		CloseHandle(m_hEjectThread);
	m_hEjectThread = NULL;

	return TRUE;
}