用exe控制另一個exe并調用函數

發布時間:2020-07-08 03:24:32 來源:網絡 閱讀:495 作者:imdjs 欄目:編程語言

MyDll.h

#ifndef __MYDLL_H__
#define __MYDLL_H__
#include<CLIB_H\CLIB2_global.h>//包含CLIB0_print.h
//#include<transform\CLIB_transform.cpp>
#include <iostream>
using namespace std;
   
#include <stdio.h>
#include <Windows.h>
#include <TlHelp32.h>
#ifndef EXC
#define EXC  extern"C"   __declspec(dllexport)  //
#define EX   __declspec(dllexport) //extern"C"
#endif
/**/
//---- Shared section --------------------------
// Everything between the two data_seg pragmas is placed in section "MY_share",
// which the linker directive below marks read/write/shared ("rws"). One copy of
// these variables is therefore shared by every process that has this DLL
// loaded: any of those processes can overwrite them, so values read back from
// here must be treated as untrusted input, not as this process's own state.
// NOTE(review): MSVC only places *initialized* variables in a named data_seg
// section; keep the initializers if more variables are added here.
#pragma data_seg("MY_share")  
int i共享G=-1;
//float *ΨLfG={0.0,0.0}; //Χ  (author: pointer form did not work)
float ΨLfG[]={0.0,0.0};//√  (author: array form works)
DWORD LiG[2]={0,0};//√
#pragma data_seg()  
#pragma comment(linker,"/section:MY_share,rws")  
// Declared after the section is closed, so this is an ordinary per-process
// global and is NOT shared (DllMain's disabled PRINT1 of iG is marked as failing).
volatile DWORD iG;
// Exported (extern "C") setter for the shared-section state: stores temp into
// i共享G and LiG[0] and resets ΨLfG[0] to 0.56, printing each through PRINT1.
// PRINT1/PRINT3 come from the project's CLIB0_print.h (not shown here); they
// appear to print a label, a value and a format letter — confirm in that header.
EXC  void SetData(int temp)  
   {  
   i共享G=temp;  ΨLfG[0]=0.56;PRINT1(+f,ΨLfG[0],f);
   //ViG.push_back(temp);PTvector??(ViG);   (author: earlier vector-based attempt)
   //ViG[0]=temp;
   LiG[0]=temp;
   PRINT1(+push_back,temp,d);
   }  
// Exported getter: prints the three shared values and returns i共享G.
// The int is widened to DWORD on return, so the initial sentinel -1 comes back
// as the all-ones DWORD rather than a negative number.
EXC DWORD iGetData()  
   {  
   //PTvector??(ViG);
   PRINT3(,i共享G,LiG[0],ΨLfG[0],d,d,f);
   return i共享G;  
   
   }
////////////////////////////////////////////
// Reconstructed prototypes for ntdll's undocumented NtCreateThreadEx, used by
// the two hΔMyCreateRemoteThread helpers below. Only the first six parameters
// have meaningful names; dw1/dw2/Unknown* are the author's placeholders and
// nothing in this file validates the layout. Because the API is undocumented,
// the layout may differ between Windows releases — treat with caution.
typedef DWORD (WINAPI *♂Δ函數(shù)指針nt)
   (
   PHANDLE                 ThreadHandle,    
   ACCESS_MASK             DesiredAccess,    
   LPVOID                  ObjectAttributes,    
   HANDLE                  ProcessHandle,    
   LPTHREAD_START_ROUTINE  lpStartAddress,    
   LPVOID               lpParameter,    
   BOOL                    CreateSuspended,    //●● author: this BOOL is an int
   DWORD                   dwStackSize,    
   DWORD                   dw1,
   DWORD                   dw2,
   LPVOID                 Unknown
   );
   
// 64-bit flavour: the trailing size/unknown parameters are DWORD64. This is the
// variant both helpers below cast to, regardless of the build's bitness.
typedef DWORD64(WINAPI *♂Δ函數(shù)指針nt64)
   (
   PHANDLE                 ThreadHandle,
   ACCESS_MASK             DesiredAccess,
   LPVOID               ObjectAttributes,
   HANDLE                  ProcessHandle,
   LPTHREAD_START_ROUTINE  lpStartAddress,
   LPVOID                lpParameter,
   BOOL                    CreateSuspended,
   DWORD64                    dwStackSize,
   DWORD64                    Unknown1,
   DWORD64                    Unknown2,
   LPVOID                 Unknown3
   );
   
//==============================
HANDLE hΔ打開進(jìn)程(LPCTSTR lp尋找進(jìn)程)//根據(jù)進(jìn)程名查找進(jìn)程PID
   {
   DWORD dw打開進(jìn)程 = 0; HANDLE h打開進(jìn)程 =0;
   HANDLE h快照 = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); //可以通過獲取進(jìn)程信息為指定的進(jìn)程、進(jìn)程使用的堆[HEAP]、模塊[MODULE]、線程建立一個快照。
   if(h快照 == INVALID_HANDLE_VALUE)
       {
       PRINT1(★獲得進(jìn)程快照失敗:,GetLastError(),d);
       return h打開進(jìn)程;
       }

   PROCESSENTRY32 pe入口;//聲明進(jìn)程入口對象
   pe入口.dwSize = sizeof(PROCESSENTRY32);//填充進(jìn)程入口對象大小
   Process32First(h快照,&pe入口);//遍歷進(jìn)程列表 //process32First是一個進(jìn)程獲取函數(shù),當(dāng)我們利用函數(shù)CreateToolhelp32Snapshot()獲得當(dāng)前運(yùn)行進(jìn)程的快照后,我們可以利用process32First函數(shù)來獲得第一個進(jìn)程的句柄。
   printf("lp尋找進(jìn)程= %s\n",lp尋找進(jìn)程);
   do  
       { //printf("pe入口.szExeFile= %s\n",pe入口.szExeFile);
       if(!lstrcmp(pe入口.szExeFile,lp尋找進(jìn)程))//查找指定進(jìn)程名的PID
           {
           dw打開進(jìn)程 = pe入口.th42ProcessID;
           break;
           }
       }while (Process32Next(h快照,&pe入口));
       
   h打開進(jìn)程 = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dw打開進(jìn)程);//|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE
   CloseHandle(h快照);
   return h打開進(jìn)程;//返回
   }
//========================================================
// Function-pointer types used to call whatever address is stored in 卍參數(shù).ΨFunc.
// All are declared __stdcall, while the target main.cpp stores (CRT printf) is
// __cdecl. NOTE(review): on 32-bit x86 that mismatch corrupts the stack; on x64
// there is a single convention and the annotation has no effect. MSVC also
// silently treats a variadic __stdcall prototype (♂ΔPrint) as __cdecl — confirm
// on the compiler in use.
typedef DWORD (__stdcall* ♂ΔPrint)(LPCTSTR,...);//variadic: printf-like
typedef DWORD (__stdcall* ♂cΔFUNC)(LPCTSTR);   //one string argument
typedef DWORD (__stdcall* ♂iΔFUNC)(DWORD);     //one integer argument
typedef DWORD (__stdcall* ♂ΔFUNC)();           //no arguments
//線程參數(shù)結(jié)構(gòu)體定義
// Argument record handed to the remote thread. main.cpp copies this whole
// struct into the target process, so it must be self-contained: c is inline
// storage (not a pointer) for that reason. The MessageBox wording in the
// original field comments is stale — in main.cpp ΨFunc is printf and c is the
// text passed to it (FuncTest2 uses c as printf's *format string*, so c must
// never contain untrusted text).
typedef struct sd參數(shù)    
   {
   char c[100];     //text passed to the stored function (inline, copied with the struct)
   ♂ΔFUNC ΨΔ;      //unused by the active code paths
   ♂cΔFUNC ΨcΔ;    //unused by the active code paths
   LPVOID ΨFunc;//entry address of the function to call (printf in main.cpp)
   DWORD iFunc;//same idea as ΨFunc but as an integer; only referenced in commented-out code
   DWORD i;    //unused by the active code paths
   }卍參數(shù);
//定義MessageBox類型的函數(shù)指針
//EXC DWORD  __stdcall FuncTest2(卍參數(shù) *&參數(shù))//LPVOID LPVOID
// Thread body intended to be copied byte-for-byte into another process: it
// touches nothing in this module, only its argument and the pointer stored
// there. Calls ΨFunc(c) — with ΨFunc = printf (main.cpp) c is interpreted as a
// format string, so any '%' in it is expanded. Not used by main.cpp as shown
// (that copies FuncTest1); the commented lines are the author's alternatives.
// Declared void __stdcall although a thread routine is expected to return DWORD.
void __stdcall FuncTest2(LPVOID 參數(shù))
   {
   //參數(shù)->ΨΔ();//參數(shù)->c
   
   /**/
   卍參數(shù)* Ψ參數(shù) = (卍參數(shù)*)參數(shù);
   //Ψ參數(shù)->ΨΔ();//ΧΧ  author: this variant crashed / returned early
   //Ψ參數(shù)->ΨcΔ(Ψ參數(shù)->c);
   ♂cΔFUNC ΨΔfunc = (♂cΔFUNC)Ψ參數(shù)->ΨFunc;ΨΔfunc(Ψ參數(shù)->c);
   //ΨΔfunc = (♂cΔFUNC)Ψ參數(shù)->iFunc;ΨΔfunc(Ψ參數(shù)->c);
   
   //Ψ參數(shù)->ΨcΔ(Ψ參數(shù)->c);
   //♂iΔFUNC  ΨΔfunc = (♂iΔFUNC)Ψ參數(shù)->ΨFunc;//ΨΔfunc(Ψ參數(shù)->i);
   //printf(Ψ參數(shù)->c);
   return ;
   }
// The routine main.cpp actually copies into the target (WriteProcessMemory from
// &FuncTest1) and starts as a remote thread. It calls the stored ΨFunc with NO
// arguments (♂ΔFUNC takes none), so a printf stored there receives no format
// string — NOTE(review): the call therefore reads whatever is in the first
// argument slot; behaviour is not well defined. Declared void although it is
// used as an LPTHREAD_START_ROUTINE (DWORD return): the thread exit code is garbage.
void __stdcall FuncTest1(LPVOID 參數(shù))
   {
   卍參數(shù)* Ψ參數(shù) = (卍參數(shù)*)參數(shù);
   ♂ΔFUNC  ΨΔfunc = (♂ΔFUNC)Ψ參數(shù)->ΨFunc;ΨΔfunc();
   }
   
// Placeholder routine: intentionally does nothing. The commented signature
// below is the exported LPVOID variant the author experimented with.
void __stdcall FuncTest()
//EXC DWORD __stdcall FuncTest(LPVOID 參數(shù))
   {
   //PRINT1(~~,FuncTest,d);
   }
// Exported helper: echoes ch to stdout prefixed with "▼ ch= ".
// ch must be a NUL-terminated string; %s dereferences it unconditionally.
EXC void __stdcall MyPrint(char*ch)
   {
   fprintf(stdout, "▼ ch= %s\n", ch);
   }
//------------------------------
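/**
 * Copy the NUL-terminated string c into c2__, terminator included.
 *
 * Equivalent to strcpy(c2__, c): the caller must guarantee that c2__ has room
 * for strlen(c) + 1 bytes — nothing here can check the destination size.
 * Uses size_t instead of the non-standard `uint`/DWORD mix of the original,
 * and memmove so that an overlapping source and destination are still copied
 * correctly. Declared static because this header is included by main.cpp:
 * a non-static inline in C has no out-of-line definition to link against.
 */
static inline void c_c(const char*c,char *c2__)
   {
   size_t len = strlen(c);
   memmove(c2__, c, len + 1);   /* +1 copies the terminating '\0' */
   }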
//========================================
// True when the reported Windows major version is 6 or later (Vista+).
// GetVersionEx's own return value is not checked; if it fails the zeroed
// struct yields major version 0 and the function reports false.
// NOTE(review): GetVersionEx is deprecated and, from Windows 8.1 on, the value
// it reports depends on the executable's compatibility manifest — confirm that
// this check still selects the intended branch on current systems.
bool bΔvista之后()
   {
   OSVERSIONINFO osvi = {0};
   osvi.dwOSVersionInfoSize = sizeof osvi;
   GetVersionEx(&osvi);
   return osvi.dwMajorVersion >= 6;
   }
   
//提升程序權(quán)限
// Enables SeDebugPrivilege in the current process token (needed to open
// processes of other users / with restrictive DACLs). AdjustTokenPrivileges can
// only enable a privilege the token already holds, i.e. this normally requires
// an elevated administrator token. Unused as shown: main.cpp has the call
// commented out and uses bΔ訪問權(quán)限 below, which does the same with error checks.
BOOL bΔEnableDebugPrivilege()
   {
   HANDLE   hToken;
   BOOL   fOk=false;
   if(OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken))
       {
       TOKEN_PRIVILEGES   tp;
       tp.PrivilegeCount=1;
       // Empty statement: a lookup failure is ignored and tp.Privileges[0].Luid stays uninitialized.
       if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tp.Privileges[0].Luid)) ;
       tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
       // NOTE(review): a TRUE return only means the call was made; per the API
       // documentation the privilege may still not have been enabled
       // (GetLastError() == ERROR_NOT_ALL_ASSIGNED), which is not checked here.
       if(!AdjustTokenPrivileges(hToken,false,&tp,sizeof(tp),NULL,NULL)) ;
       else
       fOk = true;
       CloseHandle(hToken);
       }
   return   fOk;
   }
//====提升進(jìn)程訪問權(quán)限====================================
// Enables SeDebugPrivilege in the current process token; this is the variant
// main.cpp calls (its result is ignored there). Returns false if the token
// cannot be opened, the privilege name cannot be resolved, or
// AdjustTokenPrivileges fails; the token handle is closed on every path.
// NOTE(review): as in bΔEnableDebugPrivilege, a successful AdjustTokenPrivileges
// call does not guarantee the privilege was granted — the documented
// ERROR_NOT_ALL_ASSIGNED check is absent, so true can be returned without it.
bool bΔ訪問權(quán)限()
  {
   HANDLE hToken;
   LUID sedebugnameValue;
   TOKEN_PRIVILEGES tkp;

   if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))  
       {
       return false;
       }
   if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))    
       {
       CloseHandle(hToken);
       return false;
       }
   tkp.PrivilegeCount = 1;
   tkp.Privileges[0].Luid = sedebugnameValue;
   tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
   if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))    
       {
       CloseHandle(hToken);
       return false;
       }
   CloseHandle(hToken);
   return true;
  }
//========================================================
// Starts ΨΔ函數(shù)(Ψ參數(shù)) as a thread inside h打開進(jì)程 via the undocumented
// NtCreateThreadEx and blocks until that thread ends (INFINITE wait).
// Returns the thread handle, or NULL if the wait fails (the handle is then
// leaked, not closed). Not called by main.cpp, which uses CreateRemoteThread
// directly. Thread creation in a foreign process is the step most commonly
// hooked/logged by endpoint monitoring, especially with a start address inside
// a private RWX region as main.cpp sets up.
HANDLE hΔMyCreateRemoteThread1(HANDLE h打開進(jì)程, LPTHREAD_START_ROUTINE ΨΔ函數(shù), LPVOID Ψ參數(shù))
   {
   HANDLE hRemoteThread = NULL;
   PRINT1(,bΔvista之后(),d);
   // GetProcAddress may return NULL (no such export); the check is commented out,
   // so a NULL function pointer would be called on the next line.
   FARPROC   ΨΔNtCreateThreadEx = GetProcAddress(GetModuleHandle("ntdll.dll"), "NtCreateThreadEx");
   //if(ΨΔNtCreateThreadEx==NULL){PRINT2(★,ΨΔNtCreateThreadEx,GetLastError(),d,d);return NULL;}
   // 0x1FFFFF is the access mask requested for the new thread handle; the NTSTATUS
   // result is discarded, and hRemoteThread may still be NULL afterwards.
   ((♂Δ函數(shù)指針nt64)ΨΔNtCreateThreadEx)(&hRemoteThread,0x1FFFFF,NULL,h打開進(jì)程,ΨΔ函數(shù),Ψ參數(shù),FALSE,NULL,NULL,NULL,NULL);    
   if(WAIT_FAILED==WaitForSingleObject(hRemoteThread,INFINITE)){return NULL;}
   return hRemoteThread;
   }
   
// Version-dispatching variant of hΔMyCreateRemoteThread1: NtCreateThreadEx on
// Vista and later, CreateRemoteThread on older systems. Waits for the remote
// thread to finish and returns its handle, or NULL on failure (see the NOTE
// below on what "failure" covers). h打開進(jì)程 is taken by reference but never
// modified. Not called by main.cpp as shown.
HANDLE hΔMyCreateRemoteThread(HANDLE&h打開進(jì)程, LPTHREAD_START_ROUTINE ΨΔ函數(shù), LPVOID Ψ參數(shù))
   {
   HANDLE hRemoteThread = NULL;
   //---- Vista, 7, Server2008--------------------------
   if(bΔvista之后())  
       {
       //typedef DWORD (FAR WINAPI *FARPROC)()
       // NOTE(review): unlike the XP branch, neither the GetProcAddress result nor
       // hRemoteThread is checked here (both checks are commented out), so a NULL
       // handle can reach WaitForSingleObject below.
       FARPROC    ΨΔNtCreateThreadEx = GetProcAddress(GetModuleHandle("ntdll.dll"), "NtCreateThreadEx");
       //if(ΨΔNtCreateThreadEx==NULL){PRINT2(★,ΨΔNtCreateThreadEx,GetLastError(),d,d);return NULL;}
       ((♂Δ函數(shù)指針nt64)ΨΔNtCreateThreadEx)(&hRemoteThread,0x1FFFFF,NULL,h打開進(jì)程,ΨΔ函數(shù),Ψ參數(shù),FALSE,NULL,NULL,NULL,NULL);
       //if(hRemoteThread==NULL){PRINT2(★,hRemoteThread,GetLastError(),d,d);return NULL;}
       PRINT1(√√,hRemoteThread,d);
       }
   //----2000, XP, Server2003--------------------------
   else                    
       {
       hRemoteThread=CreateRemoteThread(h打開進(jì)程,NULL,0,ΨΔ函數(shù),Ψ參數(shù),0,NULL);
       if( hRemoteThread == NULL )
           {PRINT2(★2·,hRemoteThread,GetLastError(),d,d);
           return NULL;
           }
       }
   
   // Blocks until the remote thread exits. On WAIT_FAILED the handle is leaked.
   //●● Author: this wait is important — without it a crash is possible.
   if(WAIT_FAILED==WaitForSingleObject(hRemoteThread,INFINITE)){return NULL;}
   return hRemoteThread;
   }
////////////////////////////////////////////
// Allocates iSize bytes in the target process and copies *Ψ參數(shù) there.
// b是函數(shù)=true requests PAGE_EXECUTE_READWRITE (RWX), false PAGE_READWRITE;
// main.cpp passes true even for a plain data record. Private RWX regions in a
// foreign process are a classic memory-forensics / EDR indicator.
// Returns the remote address. T is only used for the pointer's static type.
// NOTE(review): the VirtualAllocEx result is not checked, so WriteProcessMemory
// may be called with a NULL address. On either error path below the function
// closes h打開進(jì)程 — a handle it does not own and that the caller keeps using —
// and still returns Ψ參數(shù)__ as if the copy had succeeded.
template<typename T>
LPVOID ΨΔ寫地址到進(jì)程(HANDLE h打開進(jì)程,T*Ψ參數(shù),DWORD iSize,BOOL b是函數(shù)=true)//● author: was meant to take a pointer reference, void*&Ψ參數(shù)__
   {
   SIZE_T dwHasWrite;LPVOID Ψ參數(shù)__ =NULL;
   /**/
   if(b是函數(shù))
       {Ψ參數(shù)__ = VirtualAllocEx(h打開進(jì)程,0,iSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);}
   else
       {Ψ參數(shù)__ = VirtualAllocEx(h打開進(jì)程,0,iSize,MEM_COMMIT,PAGE_READWRITE);}
   //---- copy the thread argument into the host process's address space --------------------------
   if(WriteProcessMemory(h打開進(jì)程,Ψ參數(shù)__,Ψ參數(shù),iSize,&dwHasWrite)) //author's stale note: "write the dll path into the main process"
       {//PRINT2(,dwHasWrite,iSize,d,d);
       if(dwHasWrite != iSize)
           {
           // NOTE(review): MEM_COMMIT is an allocation flag, not a VirtualFreeEx free type
           // (the author's own trailing note says MEM_RELEASE) — this free is expected to fail,
           // which is also why the message below reports a VirtualFreeEx failure.
           VirtualFreeEx(h打開進(jì)程,Ψ參數(shù)__,iSize,MEM_COMMIT); //author: the target process handle lets memory allocated there be released from another process. MEM_RELEASE  
           CloseHandle(h打開進(jì)程);
           PRINT1(★!!!VirtualFreeEx失敗:,GetLastError(),d);
           return Ψ參數(shù)__;
           }
       }
   else
       {
       PRINT1(★!!!寫入遠(yuǎn)程進(jìn)程內(nèi)存空間出錯:,GetLastError(),d);
       CloseHandle(h打開進(jì)程);
       return Ψ參數(shù)__;
       }
   return Ψ參數(shù)__;
   }
////////////////////////////////////////////
// Demo thread body: shows a modal "DLL entered thread 1" box, then exits with 0.
// pParam is unused. Only referenced from commented-out CreateThread calls in DllMain.
DWORD WINAPI ΔMyThreadProc1( LPVOID pParam )
   {
   (void)pParam;
   const DWORD exit_code = 0;
   MessageBox(NULL, "DLL已進(jì)入線程1。", "信息", MB_ICONINFORMATION);
   return exit_code;
   }
// Demo thread body: shows a modal "DLL entered thread 2" box, then exits with 0.
// pParam is unused. Only referenced from commented-out CreateThread calls in DllMain.
DWORD WINAPI ΔMyThreadProc2( LPVOID pParam )
   {
   (void)pParam;
   const DWORD exit_code = 0;
   MessageBox(NULL, "DLL已進(jì)入線程2。", "信息", MB_ICONINFORMATION);
   return exit_code;
   }
   
//========================================================    
// DLL entry point: prints a line on process attach and detach; everything else
// (the demo threads, the iG print) is commented out. Thread attach/detach fall
// through the switch (no case, no default) and just return TRUE.
// NOTE(review): the SDK prototype is BOOL DllMain(HINSTANCE, DWORD, LPVOID);
// this declares bool/HANDLE. The loader reads the result as a BOOL, so a 1-byte
// bool relies on the compiler zero-extending it — prefer the documented types.
// NOTE(review): DLL_PROCESS_ATTACH runs under the loader lock; whatever PRINT0
// (CLIB0_print.h, not shown) does beyond simple output — loading DLLs, waiting
// on other threads — can deadlock here. Confirm against that header.
bool APIENTRY DllMain( HANDLE hModule,DWORD  ul_reason_for_call,LPVOID lpReserved)
   {
   switch (ul_reason_for_call)
       {
       case DLL_PROCESS_ATTACH:
           {
           //MessageBox( NULL, "√√DLL已進(jìn)入目標(biāo)進(jìn)程。", "信息", MB_ICONINFORMATION );
           PRINT0(▼▼ DLL已進(jìn)入目標(biāo)進(jìn)程。);//SetData(28);
           DWORD dwThreadId;   // unused: the CreateThread calls that filled it are commented out
           //HANDLE myThread1 = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ΔMyThreadProc1, NULL, 0, &dwThreadId);
           //HANDLE myThread2 = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ΔMyThreadProc2, NULL, 0, &dwThreadId);
           //PRINT1(,iG,d);//Χ  author: did not work (iG is per-process, not in the shared section)
           break;
           }
       case DLL_PROCESS_DETACH:
           {
           PRINT0(▼▼ ~~DLL已從目標(biāo)進(jìn)程卸載。);
           //MessageBox( NULL, "√√DLL已從目標(biāo)進(jìn)程卸載。", "信息", MB_ICONINFORMATION );
           break;
           }
       }
   return TRUE;
   }
   
   
#endif


-----------------------------------------------------------------------------------
main.cpp


//#include<E:/blender/blenderLib/CLIB.cpp>
#include "MyDll.h"
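// Unused experiment: an empty __stdcall routine. The original computed an
// unused local (`int i = 9 + 7`), removed here; the putchar attempt the author
// marked as not working is kept as a comment for context.
void __stdcall  myprint2()
    {
    //putchar('M');//Χ
    }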
////////////////////////////////////////////
// Injector entry point. As written, the sequence is:
//   1. enable SeDebugPrivilege in this process (bΔ訪問權(quán)限; its result is ignored);
//   2. find a process named "main_w64.exe" (presumably the build of main_w.cpp) and
//      open it with PROCESS_ALL_ACCESS;
//   3. allocate a 4096-byte RWX region in it and copy the bytes at &FuncTest1 there;
//   4. copy a 卍參數(shù) record — ΨFunc = this process's msvcrt.dll printf — into a
//      second RWX region (ΨΔ寫地址到進(jì)程 is called with b是函數(shù)=true);
//   5. start a thread in the target at the copied code with the record as argument.
// This is the canonical OpenProcess → VirtualAllocEx(RWX) → WriteProcessMemory →
// CreateRemoteThread chain that endpoint monitoring products flag. Neither
// remote region is ever freed (the VirtualFreeEx is commented out), so both stay
// visible in the target's memory map afterwards.
// Exit codes: -1 target not found, 0 on allocation/write failure, 1 on success —
// i.e. the success case is the non-zero one, inverted relative to convention.
int main()
    {
    //bΔEnableDebugPrivilege() ;
    bΔ訪問權(quán)限();const DWORD dwThreadSize = 4096;
    SIZE_T dwHasWrite;DWORD dwWriteBytes;   // dwHasWrite is never used; dwWriteBytes receives the remote thread id below
    const char *c參數(shù)= "B:/MyDll64在.dll";  // only used to compute iSize, which is itself unused
    //const char c參數(shù)= 'B';
    HANDLE h打開進(jì)程 =  hΔ打開進(jì)程("main_w64.exe");//● author: use an ASCII name, less error-prone
    if(h打開進(jì)程 == NULL)
        {
        PRINT1(★ 打開進(jìn)程 失敗!:,GetLastError(),d);
        return -1;
        }
    else
        {
        PRINT1(▼ 找到·,h打開進(jì)程,d);
        }
    LPVOID ΨΔ函數(shù)= NULL;

   
    卍參數(shù) 參數(shù);//DWORD stands for unsigned long
    ZeroMemory(&參數(shù), sizeof(卍參數(shù)));//PRINT2(,sizeof(卍參數(shù)),sizeof(參數(shù)),d,d);//√
    // strcat onto a zeroed buffer is effectively strcpy; the embedded "\0" in the
    // literal is redundant (strcat stops at the first NUL anyway).
    int iSize = strlen(c參數(shù))+1;strcat(參數(shù).c, "Hello_IMDJS \0");//c_c(c參數(shù),參數(shù).c);
    //----FuncTest1--------------------------

    // The copy is sized by dwThreadSize (4096), not by FuncTest1's actual length, so
    // whatever code follows FuncTest1 in this image is copied as well. On failure
    // main returns 0 here (see exit-code note above); h打開進(jì)程 is not closed on these paths.
    ΨΔ函數(shù)=VirtualAllocEx(h打開進(jì)程,0,dwThreadSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);if(!ΨΔ函數(shù)){PRINT1(★新建ΨΔ函數(shù)失敗!,h打開進(jì)程,d);return 0;}    if(!WriteProcessMemory(h打開進(jì)程,ΨΔ函數(shù),&FuncTest1,dwThreadSize,0)){PRINT1(★寫Δ函數(shù)失敗!,h打開進(jì)程,d);return 0;}

    // Address of printf resolved in THIS process; presumably assumed to be identical
    // in the target — confirm, this file does nothing to verify it.
    參數(shù).ΨFunc=GetProcAddress(GetModuleHandle("msvcrt.dll"),"printf");

    PRINT1(,參數(shù).ΨFunc,d);

   
    // Returns the remote address; note ΨΔ寫地址到進(jì)程 may have closed h打開進(jì)程 on error
    // and still returned non-NULL, in which case the calls below use a closed handle.
    LPVOID Ψ參數(shù) =ΨΔ寫地址到進(jì)程(h打開進(jì)程,&參數(shù),sizeof(卍參數(shù)),true);

    //====NtCreateThreadEx====================================

    HANDLE hRemoteThread=NULL;

   
    // Last argument receives the new thread's id (stored in the oddly named dwWriteBytes).
    hRemoteThread=CreateRemoteThread(h打開進(jì)程,NULL,0, (LPTHREAD_START_ROUTINE) ΨΔ函數(shù),Ψ參數(shù),0,&dwWriteBytes);

    PRINT1(,hRemoteThread,d);
    //------------------------------------------------------------
    //VirtualFreeEx(h打開進(jì)程, Ψ參數(shù), 0, MEM_RELEASE);
    // The process handle is closed immediately; hRemoteThread is never waited on or
    // closed (the wait is commented out), so main exits while the remote thread may still run.
    CloseHandle(h打開進(jì)程);
    //if(WAIT_FAILED==WaitForSingleObject(hRemoteThread,INFINITE)){return NULL;}
    //system("pause");
    return 1;    
    }
   

main_w.cpp(宿主)


#include<CLIB_H\CLIB2_global.h>//包含CLIB0_print.h
// Prints the constant 5 through the project's PRINT1 macro (label "a+b=",
// value c, format letter d). Despite the label nothing is added; c is a fixed
// DWORD. DWORD and PRINT1 presumably come from CLIB2_global.h / CLIB0_print.h
// (not shown). The disabled PRINT1 of iG was an earlier attempt to print the
// DLL's global from the host.
void FuncPuls()
    {
    DWORD c=5;
    PRINT1(a+b=, c,d);//PRINT1(main·, iG,d);
    }
//------------------------------
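// Host program: runs FuncPuls() once, then waits for a key press so the console
// stays open (main.cpp looks for a process named "main_w64.exe" — presumably
// this program's build — while it is waiting). Returns 0.
// `void main` is not a standard signature; hence int here.
int main()
    {
    //char* ch="MYPRINT";putchar('M');
    FuncPuls();

    system("pause");
    return 0;
    }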
