I have discussed the basic usage of DLLs and the CreateRemoteThread function. However, if you want to do something practical, you must pay attention to many details. This is a small summary.
Our goal is to insert a new thread into the qq.exe process. This thread will call LoadLibrary() to load the DLL we have written.
Thoughts
1: The DllMain function in the DLL
The first thing to note is that a DLL file is not only a storage library: it can also run code, just like an EXE file. The DLLs we discussed earlier were only used to export functions and classes, which may mislead beginners like me, but it doesn't matter. Running code like an EXE is also very easy; you only need to add a DllMain function. This function is the DLL entry point and has the same role as WinMain and main, although it looks a little more elaborate than main. If you are interested, you can look up the meaning of each case in the switch below; I will not describe them here.
Someone may ask who calls DllMain. That is not something you need to worry about when learning, just as you do not ask who calls the main function.
The code is as follows:
#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    /* The loader calls DllMain once for each of these events. Each case
       needs its own break, otherwise the cases fall through and several
       message boxes appear for one event. */
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        MessageBoxA(0, "proc attach", "MSG", MB_OK);
        break;
    case DLL_THREAD_ATTACH:
        MessageBoxA(0, "thread attach", "MSG", MB_OK);
        break;
    case DLL_THREAD_DETACH:
        MessageBoxA(0, "thread detach", "MSG", MB_OK);
        break;
    case DLL_PROCESS_DETACH:
        MessageBoxA(0, "proc detach", "MSG", MB_OK);
        break;
    }
    return TRUE;
}
2: Now that we know a DLL can run code just like an EXE, we only need LoadLibrary() and the DLL can do its work.
Okay. Let's take a look at what goes into our remote thread. For this step we only need to call LoadLibrary(). It's easy ~
However, it is not that simple. Small details can trip you up.
3: The struct. The code is as follows:
typedef struct _RemoteParam {
    DWORD func[10];     /* addresses of the functions the remote thread may call */
    char  msg[10][50];  /* ANSI string parameters for those functions */
} RemoteParam, *PRemoteParam;
One is the array of function addresses and the other is the array of parameters. For the convenience of experimenting I use arrays, so that I do not have to rewrite this structure every time I add a function.
Function pointer type: typedef HINSTANCE (__stdcall *LoadLib)(LPCSTR); (LPCSTR rather than LPCTSTR, because msg[] holds ANSI strings and we resolve LoadLibraryA below.)
I hope you can clearly understand what this means ~
Loading the DLL:
    RemoteParam remoteData;
    ZeroMemory(&remoteData, sizeof(remoteData));
    HINSTANCE hKen = LoadLibrary("kernel32.dll");
    /* kernel32.dll is mapped at the same address in every process, so this
       address is also valid inside the target. */
    remoteData.func[0] = (DWORD)GetProcAddress(hKen, "LoadLibraryA");
    FreeLibrary(hKen);
    strcpy_s(remoteData.msg[0], sizeof(remoteData.msg[0]), "dll_02.dll");
One question has to be mentioned here: GetProcAddress(hKen, "LoadLibraryA"). Could you write GetProcAddress(hKen, "LoadLibraryW") or GetProcAddress(hKen, "LoadLibrary") instead? If you know how Unicode encoding works, you should know why the latter two do not work here: msg[] holds an ANSI string, which LoadLibraryW would read as a UTF-16 string, and "LoadLibrary" is only a macro in the headers, not an exported name. You can also take a look at the declaration in the header to understand this a little better.
Now let's look at the thread function:
DWORD __stdcall ThreadProc(LPVOID lParam)
{
    /* lParam points at the RemoteParam copied into the target process */
    RemoteParam *p = (RemoteParam *)lParam;
    LoadLib lb = (LoadLib)p->func[0];
    lb(p->msg[0]);
    return 0;
}
Simple enough ~
4: Don't think this is all done. There is another point!
The folder. The DLL must be somewhere the target process can find it under that name. Of course, you can also put the DLL in the system folder, where the system DLLs live.
5: I have only written the general framework here and removed all the details to make it clearer. The source code is not exactly the same as above.
The other thing I want to mention is that the code in the thread started by CreateRemoteThread can hardly call any function directly, and every function you add there is painful, so we recommend that you put all the real implementation in the DLL's DllMain.