C# 实现过程：过程一：找到当前鼠标位置的句柄您的使用2个WinAPI（俺喜欢自己封装下来用）：View Code[DllImport("", EntryPoint = "GetCursorPos")]public static extern bool GetCursorPos(out Point pt);[DllImport("", EntryPoint = "WindowFromPoint")] public static extern IntPtr WindowFromPoint(Point pt);ndexOf;}public override string ToString(){StringBuilder result = new StringBuilder();for (WinHWND winHandle = this; winHandle != null; winHandle = {("{0}:{1};", Escape,if == -1) break;}return ().TrimEnd(';');}private static string GetBaseMark(string sMark){string[] sMarks = (';');return sMarks[ - 1].Split(':')[0];}private static string[] GetChildMarks(string sMark) {string[] sMarks = (';');string[] sChildMarks = new string[ - 1];for (int i = 0; i < ; i ++ ){sChildMarks[i] = sMarks[i ];}return sChildMarks;}.是不是都匹配foreach (IntPtr baseHwnd in baseHwnds){IntPtr handle = baseHwnd;for (int i = - 1; i >= 0; i--){string[] sChildMark = sChildMarks[i].Split(':');try{handle = (handle, UnEscape(sChildMark[0]))[(sChildMark[1])]; }catch{break;}if (i == 0) return new WinHWND(handle); }continue;}return null;}#region转义private static string Escape(string arg){return (":", "\\:").Replace(";","\\;"); }private static string UnEscape(string arg) {return ("\\:", ":").Replace("\\;", ";"); }#endregionpublic static WinHWND GetWinHWND(){return new WinHWND()));}}上全部代码，里面加了窗口的部分属性，扩展其他的属性，自己发挥吧，就是搞WinAPI View Codeusing System;usingusing ;using ;usingusing ;using ;namespace InformationCollectionDataFill{public class WinAPI{#region WinodwsAPI[DllImport("", EntryPoint = "FindWindow")]private static extern IntPtr FindWindow(string IpClassName, string IpWindowName);[DllImport("", EntryPoint = "FindWindowEx")]private static extern IntPtr FindWindowEx(IntPtr hwndParent, IntPtr hwndChildAfter, string lpszClass, string lp szWindow);[DllImport("", EntryPoint = "SendMessage")]private static extern int SendMessage(IntPtr hWnd, int Msg, IntPtr wParam, string lParam);[DllImport("", EntryPoint = "GetParent")]public static extern IntPtr GetParent(IntPtr hWnd);[DllImport("", EntryPoint = "GetCursorPos")]public static extern bool GetCursorPos(out Point pt);[DllImport("", EntryPoint = "WindowFromPoint", CharSet = , ExactSpelling = true)] public static extern IntPtr WindowFromPoint(Point pt);[DllImport("", CharSet = ]public static extern int GetClassName(IntPtr hWnd, StringBuilder lpClassName, int nMaxCount);[DllImport("", CharSet = ]public static extern int GetWindowText(IntPtr hWnd, [Out, MarshalAs] StringBuilder lpString, int nMaxCount);[DllImport("", CharSet = ]public static extern int GetWindowRect(IntPtr hwnd, ref Rectangle rc);[DllImport("", CharSet = ]public static extern int GetClientRect(IntPtr hwnd, ref Rectangle rc);[DllImport("", CharSet = ]public static extern int MoveWindow(IntPtr hwnd, int x, int y, int nWidth, int nHeight, bool bRepaint);[DllImport("", CharSet = , SetLastError = true, ExactSpelling = true)] public static extern int ScreenToClient(IntPtr hWnd, ref Rectangle rect);#endregion#region封装API方法ndexOf;}private Rectangle GetRect(){if == null) return default(Rectangle);Rectangle clientSize = ;Rectangle clientPoint = );return new Rectangle, , , ;}public static WinHWND GetWinHWND() {return new WinHWND()));}public override string ToString() {StringBuilder result = new StringBuilder();for (WinHWND winHandle = this; winHandle != null; winHandle = {("{0}:{1};", Escape,if == -1) break;}return ().TrimEnd(';');}private static string GetBaseMark(string sMark){string[] sMarks = (';');return sMarks[ - 1].Split(':')[0];}private static string[] GetChildMarks(string sMark) {string[] sMarks = (';');string[] sChildMarks = new string[ - 1];for (int i = 0; i < ; i ++ ){sChildMarks[i] = sMarks[i];}return sChildMarks;}.是不是都匹配foreach (IntPtr baseHwnd in baseHwnds){IntPtr handle = baseHwnd;for (int i = - 1; i >= 0; i--){string[] sChildMark = sChildMarks[i].Split(':');try{handle = (handle, UnEscape(sChildMark[0]))[(sChildMark[1])]; }catch{break;}if (i == 0) return new WinHWND(handle);}continue;}return null;}#region转义private static string Escape(string arg){return (":", "\\:").Replace(";","\\;"); }private static string UnEscape(string arg) {return ("\\:", ":").Replace("\\;", ";"); }#endregion}}效果:Post subject: Dll InjectionThis is my old tutorial on dll injection...people have been asking about this topic a bit recently, so...here it is: Dll Injection Tutorialby DarawkIntroductionThe CreateRemoteThread methodThe SetWindowsHookEx methodThe code cave methodAppendix A - Methods of obtaining a process IDAppendix B - Methods of obtaining a thread IDAppendix C - Complete CreateRemoteThread example source codeAppendix D - Complete SetWindowsHookEx example source codeAppendix E - Complete code cave example source codeIntroductionIn this tutorial i'll try to cover all of the known methods(or at least, those that I know =p) of injecting dll's into a process.Dll injection is incredibly useful for TONS of stuff(game hacking, function hooking, code patching, keygenning, unpacking, etc..).Though there are scattered tutorials on these techniques available throughout the web, I have yet to see any complete tutorials detailingall of them(there may even be more out there than I have here, of course), and comparing their respective strength's and weakness's.This is precisely what i'll attempt to do for you in this paper. You are free to reproduce or copy this paper, so long aspropercredit is given and you don't modify it without speaking to me first.The CreateRemoteThread methodI've used this in tons of stuff, and I only recently realized that a lot of people have never seen it, or know how to do it.I can't take credit for thinking it up...I got it from an article on codeproject, but it's a neat trick that I think more people should know how to use.The trick is simple, and elegant. The windows API provides us with a function called CreateRemoteThread(). This allows you to start a thread in another process. For our purposes, i'll assume you know how threading works, and how to use functions likeCreateThread(if not, you can go here ). The main disadvantage of this method is that it will work only on windows NT and above.To prevent it from crashing, you should use this function to check to make sure you're on an NT-based system(thanks to CatID forpointing this out):bool IsWindowsNT(){Now, normally we would want to start the thread executing on some internal function of the process that we are interacting with.However, to inject a dll, we have to do something a little bit different.BOOL InjectDLL(DWORD ProcessID){HANDLE Proc;char buf[50]={0};LPVOID RemoteString, LoadLibAddy;if(!ProcessID)return false;Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID);if(!Proc){sprintf(buf, "OpenProcess() failed: %d", GetLastError());MessageBox(NULL, buf, "Loader", NULL);return false;}LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle(""), "LoadLibraryA");RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(DLL_NAME), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE); WriteProcessMemory(Proc, (LPVOID)RemoteString, DLL_NAME,strlen(DLL_NAME), NULL);CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL); ？？CloseHandle(Proc);return true;}HHOOK SetWindowsHookEx( ？int idHook,HOOKPROC lpfn,HINSTANCE hMod,DWORD dwThreadId);LRESULT CALLBACK CBTProc(int nCode, WPARAM wParam, LPARAM lParam) {return CallNextHookEx(0, nCode, wParam, lParam);};HMODULE hDll;unsigned long cbtProcAddr;hDll = LoadLibrary("");cbtProcAddr = GetProcAddress(hDll, "CBTProc");BOOL InjectDll(char *dllName){HMODULE hDll;unsigned long cbtProcAddr;hDll = LoadLibrary(dllName);cbtProcAddr = GetProcAddress(hDll, "CBTProc");？SetWindowsHookEx(WH_CBT, cbtProcAddr, hDll, GetTargetThreadIdFromWindow("targetApp")); ？return TRUE;}__declspec(naked) loadDll(void){_asm{We needVirtualProtect(loadDll, stubLen, PAGE_EXECUTE_READWRITE, &oldprot); ？#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)？BOOL WriteProcessBYTES(HANDLE hProcess,LPVOID lpBaseAddress,LPCVOID lpBuffer,SIZE_T nSize);BOOL LoadDll(char *procName, char *dllName);BOOL InjectDLL(DWORD ProcessID, char *dllName);unsigned long GetTargetProcessIdFromProcname(char *procName);bool IsWindowsNT(){// check current version of WindowsDWORD version = GetVersion();// parse returnDWORD majorVersion = (DWORD)(LOBYTE(LOWORD(version)));DWORD minorVersion = (DWORD)(HIBYTE(LOWORD(version)));return (version < 0x);}int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow) {if(IsWindowsNT())LoadDll(PROCESS_NAME, DLL_NAME);elseMessageBox(0, "Your system does not support this method", "Error!", 0);return 0;}BOOL LoadDll(char *procName, char *dllName){DWORD ProcID = 0;ProcID = GetProcID(procName);if(!(InjectDLL(ProcID, dllName)))MessageBox(NULL, "Process located, but injection failed", "Loader", NULL); ？return true;}BOOL InjectDLL(DWORD ProcessID, char *dllName){HANDLE Proc;char buf[50]={0};LPVOID RemoteString, LoadLibAddy;if(!ProcessID)return false;Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID); if(!Proc){sprintf(buf, "OpenProcess() failed: %d", GetLastError());MessageBox(NULL, buf, "Loader", NULL);return false;}LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle(""), "LoadLibraryA");RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(DLL_NAME), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);WriteProcessMemory(Proc, (LPVOID)RemoteString, dllName, strlen(dllName), NULL);CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL); ？？CloseHandle(Proc);return true;}unsigned long GetTargetProcessIdFromProcname(char *procName) {PROCESSENTRY32 pe;HANDLE thSnapshot;BOOL retval, ProcFound = false;thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);if(thSnapshot == INVALID_HANDLE_VALUE){MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL); return false;}= sizeof(PROCESSENTRY32);retval = Process32First(thSnapshot, &pe);while(retval){if(StrStrI, procName) ){ProcFound = true;break;}retval = Process32Next(thSnapshot,&pe);= sizeof(PROCESSENTRY32); }return ;}#include <>#include <>#define PROC_NAME ""#define DLL_NAME ""void LoadDll(char *procName, char *dllName);unsigned long GetTargetThreadIdFromProcname(char *procName);int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow) {LoadDll(PROC_NAME, DLL_NAME);return 0;}void LoadDll(char *procName, char *dllName){HMODULE hDll;unsigned long cbtProcAddr;hDll = LoadLibrary(dllName);cbtProcAddr = GetProcAddress(hDll, "CBTProc");？SetWindowsHookEx(WH_CBT, cbtProcAddr, hDll, GetTargetThreadIdFromProcName(procName)); ？return TRUE;}unsigned long GetTargetThreadIdFromProcname(char *procName) {PROCESSENTRY32 pe;HANDLE thSnapshot, hProcess;BOOL retval, ProcFound = false;unsigned long pTID, threadID;thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);if(thSnapshot == INVALID_HANDLE_VALUE){MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL); return false;}= sizeof(PROCESSENTRY32);retval = Process32First(thSnapshot, &pe);while(retval){if(StrStrI, procName) ){ProcFound = true;break;}retval = Process32Next(thSnapshot,&pe); = sizeof(PROCESSENTRY32);}CloseHandle(thSnapshot);？_asm {mov eax, fs:[0x18]add eax, 36mov [pTID], eax}hProcess = OpenProcess(PROCESS_VM_READ, false, ;ReadProcessMemory(hProcess, (const void *)pTID, &threadID, 4, NULL); CloseHandle(hProcess);return threadID;}#include <>#include <>#include <>#define PROC_NAME "" #define DLL_NAME ""unsigned long GetTargetProcessIdFromProcname(char *procName); unsigned long GetTargetThreadIdFromProcname(char *procName);__declspec(naked) loadDll(void){_asm{// Placeholder for the return addresspush 0xDEADBEEF// Save the flags and registerspushfdpushad// Placeholder for the string address and LoadLibrary push 0xDEADBEEFmov eax, 0xDEADBEEF// Call LoadLibrary with the string parametercall eax// Restore the registers and flagspopadpopfd？// Return control to the hijacked thread ret}}__declspec(naked) loadDll_end(void){}。