Внедрение DLL в блокнот Windows 10 - PullRequest
0 голосов
/ 29 апреля 2020

Я пытаюсь вставить DLL в Windows 10 блокнот. И инжектор, и dll скомпилированы в x64.

Я использую LoadLibrary, чтобы ввести dll в процесс блокнота. Я почти уверен, что мой метод работает, потому что результаты говорят, что он работает. Но это не похоже на тихую работу.


#pragma once
#define DECLDIR __declspec(dllexport)
#define DECLDIR __declspec(dllimport)
extern "C"
    DECLDIR void Share();
    void Keep();

DllMain. cpp:

#include <Windows.h>

#define DLL_EXPORT
#include "mydll.h"

extern "C"
    DECLDIR void Share()
        MessageBox(NULL, "Share function", "Share", MB_OK);
    void Keep()
        MessageBox(NULL, "Keep function", "Keep", MB_OK);

    BOOLEAN bSuccess = TRUE;

    //  Perform global initialization.
    switch (nReason)
    case DLL_THREAD_ATTACH: break;
    case DLL_THREAD_DETACH: break;
    case DLL_PROCESS_DETACH: break;

    return bSuccess;



#pragma once
#include <Windows.h>
#include <TlHelp32.h>
#include <iostream>

class Injector
    static bool inject(const char* targetProcName, const char* dllName);

    static DWORD getTargetProcessID(const char* targetProcName);


Инжектор. cpp

#include "Injector.h"

Function to inject a dll into a running process.
    targetProcName - The exe file name of the running process.
    dllName - The path to the dll.
Output: TRUE if success, FALSE if failed.
bool Injector::inject(const char* targetProcName, const char* dllName)
        // Get the process id of the target process.
        DWORD targetProcID = getTargetProcessID(targetProcName);
        if (!targetProcID) {
            throw "Target process Was not found";

        // Get a static address of the LoadLibrary function as a thread-start-routine function.
        LPTHREAD_START_ROUTINE funcLoadLibrary = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("Kernel32.dll"), "LoadLibraryA");
        if (!funcLoadLibrary) {
            throw "Failed to retrieve a static function pointer to `LoadLbraryA`";

        // Open the target process.
        HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetProcID);
        if (hProcess == INVALID_HANDLE_VALUE) {
            throw "Failed to open target process";

        // Virtually allocate memory for the path of the dll in the target process.
        LPVOID pDllPathAddr = VirtualAllocEx(hProcess, 0, sizeof(dllName) + 1, MEM_COMMIT, PAGE_READWRITE);
        if (!pDllPathAddr) {
            throw "Failed to allocate memory in the target process";

        // Write the dll path to the target process using WPM.
        WriteProcessMemory(hProcess, pDllPathAddr, (LPVOID)dllName, sizeof(dllName) + 1, NULL);

        // Create a remote thread in the target process with LoadLibrary to load our dll into the target process.
        HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, NULL, funcLoadLibrary, pDllPathAddr, NULL, NULL);
        if (!hRemoteThread || hRemoteThread == INVALID_HANDLE_VALUE) {
            throw "Failed to load dll into target process";

        // Wait until the remote thread is done loading the dll.
        WaitForSingleObject(hRemoteThread, INFINITE);
    catch (const char* err) {
        std::cout << "An erro occurred: " << err << std::endl;
        return false;

    return true;

Function to retrieve the ID of a running process.
    targetProcName - The exe file name of the target process.
Output: The process's ID.
DWORD Injector::getTargetProcessID(const char* targetProcName)
    // PROCESSENTRY32 is used to open and get information about a running process..
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(PROCESSENTRY32);

    // We use a th32snapprocess to iterate through all running processes.
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);

    // Success check oon the snapshot tool.
    if (!hSnap) {
        throw "Snapshot tool failed to open";

    // If a first process exist (there are running processes), iterate through
    // all running processes.
    DWORD ProcID = NULL;
    if (Process32First(hSnap, &entry)) {
            // If the current process entry is the target process, store its ID.
            if (!strcmp(entry.szExeFile, targetProcName))
                ProcID = entry.th32ProcessID;
        while (Process32Next(hSnap, &entry) && !ProcID);        // Move on to the next running process.
    else {
        // If there was no first process, notify the user.
        throw "No running processes found";

    return ProcID;

main. cpp

#include "Injector.h"

#define TARGET_PROC "notepad.exe"
#define DLL_NAME "../Debug/mydll.dll"

Program to inject a dll into the notepad.exe process.
int main()
    char fullname[MAX_PATH] = { 0 };
    GetFullPathName(DLL_NAME, MAX_PATH, fullname, NULL);
    bool success = Injector::inject(TARGET_PROC, fullname);

    std::cout << "Did the injecition succeded? " << success << std::endl;

    return 0;

Результаты говорят, что инъекция прошла успешно, но я не получаю окно сообщения, которое я должен получить из процесса блокнота.
