cbNotepad

Category: Toolbars
Development tool: C/C++
File size: 36KB
Downloads: 2
Upload date: 2013-05-08 12:52:32
Uploader: vvvva5
Description: This sample demonstrates how to inject a DLL into a remote process using CreateRemoteThread. Specifically, this application adds a toolbar to the Windows Notepad application. This program will work on Windows NT, 2000 and XP.

File list:
screenshot.jpg (22805, 2003-10-24)
Source (0, 2003-10-24)
Source\Compile-LCC-WIN32.bat (831, 2003-10-25)
Source\Compile-MSVC.bat (876, 2003-10-25)
Source\dll_cmdids.c (2764, 2003-10-24)
Source\dll_main.c (5510, 2003-10-24)
Source\dll_rsrc.h (807, 2003-10-24)
Source\dll_rsrc.rc (1391, 2003-10-24)
Source\dll_tbicons.bmp (758, 2003-10-22)
Source\dll_toolbar.c (7515, 2003-10-24)
Source\launch_icon.ico (9662, 2003-10-22)
Source\launch_main.c (6463, 2003-10-24)
Source\launch_rsrc.rc (1337, 2003-10-24)

cbNotepad Application:

This application demonstrates how to inject a DLL into a remote process using CreateRemoteThread. The application adds a toolbar to notepad.

To run cbNotepad simply extract cbNotepad.exe and cbNotepad.dll to the same directory and execute.

There are several source files, but two are of primary interest:

launch_main.c: This file contains the code to launch notepad and inject the modification dll into its process. Of most interest is the reusable function LoadDllIntoRemoteProcess.

dll_main.c: This file contains the DllMain/LibMain function that is executed when the dll is loaded. This code subclasses notepad's parent window and initialises the toolbar.

The project can be compiled with the Compile batch files.

-------------------------------------------------------------------------------

How it works:

The dll is injected into notepad using the CreateRemoteThread function. This API, while present as a stub on Windows 9x, is only usable on Windows NT.

Performing the injection of the DLL is actually quite simple:

1. Get the address of the LoadLibrary function. This function, as it is exported from kernel32, has the same address in all processes.
2. Write the path of the dll into the memory of the remote process using VirtualAllocEx and WriteProcessMemory. We have to do this as our pointer to the path will not be valid in the remote process.
3. Call CreateRemoteThread. The ThreadProc will be the LoadLibrary function and the thread parameter will be a pointer to the dll path string that we wrote into the remote process in step two.
4. Windows creates a new thread in the remote process and starts its execution at LoadLibrary(). LoadLibrary() loads our DLL and runs its DllMain/LibMain entry point. When our DllMain returns, LoadLibrary completes and the thread exits.

We are able to use LoadLibrary as our ThreadProc as they have the same arguments.

Upon loading in the remote process our DllMain/LibMain function will be called. We can do initialisation and subclassing here. It should be noted that the functions we can call in DllMain are limited (see MSDN for details) and we should, if possible, do most of our initialisation in the subclassed window procedure. It also pays to remember that DllMain is executing in a different thread to the rest of the target application. This means that creating a window in DllMain will likely fail, as it will be destroyed when DllMain returns and the thread exits.

There are some downsides to using CreateRemoteThread:

* Not available on Win9x.
* The typical use will be to alter the behaviour of an application for which we do not have the source code, as cbNotepad does. However, if the target application changes our program may no longer work. For example, cbNotepad is tailored to work with Windows NT, 2000 and XP; however, if notepad changes on Windows 2003 it may not work on that platform.

Many other CreateRemoteThread samples are available on the web, including many that skip the DLL and write the code directly into the target process. Do a web search.
