{"id":83,"date":"2025-07-03T16:04:56","date_gmt":"2025-07-03T08:04:56","guid":{"rendered":"https:\/\/www.taotao01.fun\/?p=83"},"modified":"2025-07-03T16:04:56","modified_gmt":"2025-07-03T08:04:56","slug":"dll-injection-for-notepad","status":"publish","type":"post","link":"https:\/\/www.taotao01.fun\/wordpress\/index.php\/2025\/07\/03\/dll-injection-for-notepad\/","title":{"rendered":"DLL Injection for Notepad"},"content":{"rendered":"\n<p>\u5148\u505a\u4e2a\u6ce8\u5165\u5668<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ Injector.cpp\n#include &lt;windows.h&gt;\n#include &lt;tlhelp32.h&gt;\n#include &lt;tchar.h&gt;\n#include &lt;iostream&gt;\n\nBOOL InjectDLL(DWORD dwPID, const wchar_t* dllPath)\n{\n    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);\n    if (!hProcess) {\n        std::wcout &lt;&lt; L\"\u6253\u5f00\u8fdb\u7a0b\u5931\u8d25\" &lt;&lt; std::endl;\n        return FALSE;\n    }\n\n    LPVOID pRemoteBuf = VirtualAllocEx(hProcess, NULL, (wcslen(dllPath) + 1) * sizeof(wchar_t),\n        MEM_COMMIT, PAGE_READWRITE);\n    if (!pRemoteBuf) {\n        CloseHandle(hProcess);\n        return FALSE;\n    }\n\n    WriteProcessMemory(hProcess, pRemoteBuf, dllPath,\n        (wcslen(dllPath) + 1) * sizeof(wchar_t), NULL);\n\n    HMODULE hKernel32 = GetModuleHandle(L\"kernel32.dll\");\n    LPTHREAD_START_ROUTINE pLoadLibraryW =\n        (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, \"LoadLibraryW\");\n\n    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,\n        pLoadLibraryW, pRemoteBuf, 0, NULL);\n\n    WaitForSingleObject(hThread, INFINITE);\n\n    VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);\n    CloseHandle(hThread);\n    CloseHandle(hProcess);\n\n    return TRUE;\n}\n\nint wmain(int argc, wchar_t* argv&#91;])\n{\n    if (argc &lt; 3) {\n        std::wcout &lt;&lt; L\"\u7528\u6cd5: Injector.exe &lt;PID&gt; &lt;DLL\u8def\u5f84&gt;\" &lt;&lt; std::endl;\n        return -1;\n    }\n\n    DWORD pid = _wtoi(argv&#91;1]);\n    
const wchar_t* dllPath = argv&#91;2];\n\n    if (InjectDLL(pid, dllPath)) {\n        std::wcout &lt;&lt; L\"\u6ce8\u5165\u6210\u529f\uff01\" &lt;&lt; std::endl;\n    }\n    else {\n        std::wcout &lt;&lt; L\"\u6ce8\u5165\u5931\u8d25\u3002\" &lt;&lt; std::endl;\n    }\n\n    return 0;\n}\n<\/code><\/pre>\n\n\n\n<p>\u518d\u6765\u4e2a\u6d4b\u8bd5\u7684DLL<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#include &lt;windows.h&gt;\n#include &lt;tchar.h&gt;\n\nDWORD WINAPI InjectThread(LPVOID)\n{\n    Sleep(1000); \/\/ \u7b49\u5f85\u7a97\u53e3\u521d\u59cb\u5316\n\n    DWORD myPID = GetCurrentProcessId();\n\n    HWND hwnd = GetTopWindow(NULL);\n    while (hwnd)\n    {\n        DWORD pid = 0;\n        GetWindowThreadProcessId(hwnd, &amp;pid);\n        if (pid == myPID)\n        {\n            \/\/ \u627e\u5b50\u7a97\u53e3\uff1aEdit \u63a7\u4ef6\n            HWND hEdit = FindWindowEx(hwnd, NULL, L\"Edit\", NULL);\n            if (hEdit)\n            {\n                const wchar_t* text = L\"Hello from Injected DLL!\\r\\n\";\n                SendMessage(hEdit, WM_SETTEXT, 0, (LPARAM)text);\n                return 0;\n            }\n        }\n        hwnd = GetNextWindow(hwnd, GW_HWNDNEXT);\n    }\n\n    MessageBox(NULL, L\"\u274c \u627e\u4e0d\u5230 Notepad \u7f16\u8f91\u6846\", L\"DLL \u6ce8\u5165\u5931\u8d25\", MB_OK);\n    return 0;\n}\n\nBOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)\n{\n    if (ul_reason_for_call == DLL_PROCESS_ATTACH)\n    {\n        DisableThreadLibraryCalls(hModule); \/\/ \u907f\u514d\u989d\u5916 DLL_THREAD_ATTACH \u56de\u8c03\n        CreateThread(NULL, 0, InjectThread, NULL, 0, NULL); \/\/ \u2705 \u5728\u65b0\u7ebf\u7a0b\u4e2d\u6267\u884c\u903b\u8f91\n    }\n    return TRUE;\n}\n<\/code><\/pre>\n\n\n\n<p>\u627e\u5b50\u7a97\u53e3\u3001\u67e5\u770b\u63a7\u4ef6\u7c7b\uff1a\u7528 Visual Studio 2022 \u7684 Tool => Spy++\uff0c\u5728 show window \u4e2d\u628a\u72d9\u51fb\u955c\u62d6\u52a8\u5230 Notepad \u7a97\u53e3\u4e0a\u3002<\/p>\n\n\n\n<figure 
class=\"wp-block-image size-full\"><img decoding=\"async\"   class=\"lazyload\" data-src=\"https:\/\/www.taotao01.fun\/wordpress\/wp-content\/uploads\/2025\/07\/image-3.png\" src=\"https:\/\/cdn.jsdelivr.net\/gh\/moezx\/cdn@3.0.2\/img\/svg\/loader\/trans.ajax-spinner-preloader.svg\" onerror=\"imgError(this)\"  alt=\"\" class=\"wp-image-89\"\/><\/figure >\n<noscript><img decoding=\"async\" src=\"https:\/\/www.taotao01.fun\/wordpress\/wp-content\/uploads\/2025\/07\/image-3.png\" alt=\"\" class=\"wp-image-89\"\/><\/figure><\/noscript>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u5148\u505a\u4e2a\u6ce8\u5165\u5668 \u518d\u6765\u4e2a\u6d4b\u8bd5\u7684DLL \u627e\u5b50\u7a97\u53e3 \u67e5\u770b\u63a7\u4ef6\u7c7b \u7528Visual Studio 2022\u7684Tool => spy++ sho &#8230;<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-83","post","type-post","status-publish","format-standard","hentry","category-haware"],"_links":{"self":[{"href":"https:\/\/www.taotao01.fun\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/83","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.taotao01.fun\/wordpress\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.taotao01.fun\/wordpress\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.taotao01.fun\/wordpress\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.taotao01.fun\/wordpress\/index.php\/wp-json\/wp\/v2\/comments?post=83"}],"version-history":[{"count":0,"href":"https:\/\/www.taotao01.fun\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/83\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.taotao01.fun\/wordpress\/index.php\/wp-json\/wp\/v2\/media?parent=83"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.taotao01.
fun\/wordpress\/index.php\/wp-json\/wp\/v2\/categories?post=83"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.taotao01.fun\/wordpress\/index.php\/wp-json\/wp\/v2\/tags?post=83"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}