Windows CE跨进程内存注入---Inject Dlls(转)
2009-06-14 14:19

http://hi.baidu.com/hbtsfrtslk/blog/item/256a8fb21a9de3afd9335a9a.html

据说DLL是属于进程的,所以在同一进程里,不管调用LoadLibrary几次,都会获得同一句柄,共享同一份数据与函数。

两篇关键性且极详尽的文章:

http://wmdevelopers.blogspot.com/2008/05/inject-dlls.html

http://dev.yesky.com/78/2591078.shtml

最后加上一篇后来的文章:http://bbs.pediy.com/showthread.php?p=602213

关键性函数:PerformCallBack4 。(These functions are documented in Platform Builder but not in SDK )

第一篇:Inject Dlls

Hi,
Today I'll explain how to inject DLLs into another process.

To inject external DLLs into other processes we need to use some functions exported from coredll.dll. These functions are documented in Platform Builder but not in the SDK, so we need to declare them ourselves as extern:

// Prototypes for coredll.dll entry points that the Platform Builder
// documentation describes but the public SDK headers do not declare, so the
// article declares them by hand with C linkage.
extern "C"
{
// Switches the caller into (TRUE) or out of kernel mode; the snippets below
// keep its return value and pass it back later to restore the previous mode.
BOOL __stdcall SetKMode(BOOL fMode);
// Sets the caller's process-permission mask; the snippets below keep its
// return value and pass it back later to restore the previous mask.
DWORD __stdcall SetProcPermissions(DWORD);
// Returns a pointer to lpv that is usable from process hProc (as used below
// for both the function address and its argument).
LPVOID __stdcall MapPtrToProcess (LPVOID lpv, HANDLE hProc);
// Describes one call to be made in another process (see PerformCallBack4).
struct CALLBACKINFO
{
HANDLE m_hDestProcess;   // process in which m_pFunction runs
FARPROC m_pFunction;     // function address, already mapped into that process
PVOID m_pFirstArgument;  // first argument handed to m_pFunction
};
// Runs pcbi->m_pFunction inside pcbi->m_hDestProcess and returns what the
// callee returned; the article always passes 0 for dw1..dw3.
DWORD __stdcall PerformCallBack4(CALLBACKINFO *pcbi, DWORD dw1, DWORD dw2, DWORD dw3);
}



After declaring the undocumented functions, we need to write the code that uses them to inject DLLs:


// Caller-supplied inputs (not defined in this snippet):
//   hProcess        - handle of the process that will receive the DLL
//   lpszFullPathDll - full path of the DLL to load there
//change the kernelmode and the permission for our code
// Both calls widen the caller's privileges (kernel mode, every process
// permission bit) for the duration of the cross-process call.  The previous
// values are kept so the elevated window can be closed again below; a reviewer
// should verify that nothing between here and the restore can return early.
BOOL bMode = SetKMode(TRUE);
DWORD dwPerm = SetProcPermissions(0xFFFFFFFF);

CALLBACKINFO cbi;
cbi.m_hDestProcess = hProcess;
// Address of coredll's LoadLibraryW, mapped so it is valid inside hProcess.
cbi.m_pFunction = (FARPROC)MapPtrToProcess(GetProcAddress(GetModuleHandle(L"COREDLL"), L"LoadLibraryW"), hProcess);
// The path string lives in this process; it is mapped so the callee can read it.
cbi.m_pFirstArgument = (LPVOID)MapPtrToProcess(lpszFullPathDll, GetCurrentProcess());
// NOTE(review): hInst is not checked for NULL before the later snippets use it.
HINSTANCE hInst = (HINSTANCE)PerformCallBack4(&cbi, 0,0,0); //returns the HINSTANCE from LoadLibraryW

//restore kernelmode and permission
SetKMode(bMode);
SetProcPermissions(dwPerm);



Some details:
hProcess is the handle of the process into which the DLL will be injected;
lpszFullPathDll is the full path of the DLL that is to be injected.

After the DLL is injected into hProcess, we can call any of its exported functions with the same method:

//get the proc address
// hInst is the handle returned by the LoadLibraryW call in the previous
// snippet, and cbi is the CALLBACKINFO declared there; only the target
// function and its argument change.
FARPROC pHook = GetProcAddress(hInst, (LPCTSTR)L"ExportedFunction");
cbi.m_hDestProcess = hProcess;
// Map the resolved address into hProcess, exactly as was done for LoadLibraryW.
cbi.m_pFunction = (FARPROC)MapPtrToProcess(pHook, hProcess);
cbi.m_pFirstArgument = NULL; //here we can pass any argument for our 'ExportedFunction'
DWORD dw = PerformCallBack4(&cbi, 0, 0, 0);//returns the same value of 'ExportedFunction'



And finally, since we loaded the DLL, we can unload it by calling 'FreeLibrary':

// Unload: the same pattern, with coredll's FreeLibrary as the target function
// and the HINSTANCE obtained from LoadLibraryW as its only argument.
cbi.m_hDestProcess = hProcess;
cbi.m_pFunction = (FARPROC)MapPtrToProcess(GetProcAddress(GetModuleHandle(L"COREDLL"), L"FreeLibrary"), hProcess);
cbi.m_pFirstArgument = hInst; //HINSTANCE returned by LoadLibrary
DWORD dw = PerformCallBack4(&cbi, 0,0,0); //returns 1 if correctly unloaded



Enjoy!
:)

第二篇:Windows CE跨进程内存注入之实践

在文章《浅析Windows CE跨进程内存注入实现窗体消息挂接(上)》中,我们已经得到了这个七巧板游戏所需要的所有小板块,剩下的事就是等待我们按一定顺序将合适的板块放到合适的位置,本章我们开始进行真刀真枪的实战演练。

程序目标:捕获explore窗体(也就是程序窗体)的消息,并输出到WinProcInfo.txt中。

程序的执行步骤设计如下:

1、编写一个窗体消息挂接DLL,这个DLL提供一个导出函数,函数中利用SetWindowLong函数将窗体的默认消息处理过程改为这个挂接DLL中定义的一个窗体过程。

2、在C#程序中利用FindWindow等API函数获得explore类窗体的句柄及窗体所属的进程,并使用PerformCallBack4在目标进程空间中执行coredll.dll的LoadLibrary函数,将我们写的挂接DLL放到目标进程中。

3、在C#程序中使用PerformCallBack4在目标进程空间中执行挂接DLL提供的导出接口函数,实现跨进程窗体消息截获。

一、程序的实现如下:

在VS2005中建立一个智能设备的MFC DLL,命名为HookWindowsProcMFCDLL。

在HookWindowsProcMFCDLL.cpp中进行挂接DLL的核心编码:

// Subclassing window procedure that fnAttachWinProc installs (defined below).
LRESULT CALLBACK fnHookWindowProc(HWND hwnd,UINT msg,WPARAM wparam, LPARAM lparam);

// Exported entry point: replaces ni_hAttatchWin's window procedure with
// fnHookWindowProc.  The three PVOID parameters are not used by the body.
int __declspec(dllexport) WINAPI fnAttachWinProc(HWND ni_hAttatchWin,PVOID ,PVOID,PVOID);

// Exported entry point: puts back the original window procedure of ni_hDetachWin.
int __declspec(dllexport) WINAPI fnDetachWinMsgProc(HWND ni_hDetachWin);

// NOTE(review): never assigned in this listing; both fnAttachWinProc and
// fnDetachWinMsgProc declare a local of the same name that shadows it.
WNDPROC tpOldWindowProc;

// Log file handle, opened and closed per call by the functions below.
FILE *m_pDebugOutputFile;

//Code that hooks a window message handler onto a .NET Compact Framework MessageWindow object
typedef struct
{
WNDPROC OldWinProc;//keeps the function pointer of the window's original message procedure
HWND WindowHandle;//saves the handle of the MessageWindow object hooked to the corresponding .NET CF window
} DEFUDT_AttachWinInfo; //end struct

// Window handle -> hook bookkeeping for every window currently attached.
// NOTE(review): a plain global with no synchronisation; confirm that attach,
// detach and the window procedure all run on the same thread.
CMap<HWND,HWND,DEFUDT_AttachWinInfo,DEFUDT_AttachWinInfo> m_aAttachWinInfoMap;

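//Hook the message procedure of the specified window
/// Subclasses ni_hAttatchWin so that its messages pass through
/// fnHookWindowProc, remembers the previous procedure in
/// m_aAttachWinInfoMap and logs it to "\\Storage Card\\WinProcInfo.txt"
/// (truncating any earlier log).
/// @param ni_hAttatchWin window to subclass
/// @param ni_0,ni_1,ni_2 unused; kept so the exported signature is unchanged
/// @return 77 on success (the value the original author chose for callers to
///         check); 0 if SetWindowLong failed, in which case nothing is recorded.
int __declspec(dllexport) WINAPI fnAttachWinProc(HWND ni_hAttatchWin,
PVOID ni_0,
PVOID ni_1,
PVOID ni_2 )
{
// Install the hook.  SetWindowLong returns 0 on failure; then there is no
// original procedure to remember and nothing else should be done.
// (Local renamed so it no longer shadows the unused global tpOldWindowProc.)
WNDPROC tpPrevWindowProc=(WNDPROC)::SetWindowLong(ni_hAttatchWin, GWL_WNDPROC,(LONG) fnHookWindowProc );
if (tpPrevWindowProc==NULL)
{
return 0;
}

// Record the original procedure so fnHookWindowProc can forward to it.
DEFUDT_AttachWinInfo tudtAttachWinInfo;
tudtAttachWinInfo.OldWinProc=tpPrevWindowProc ;
tudtAttachWinInfo.WindowHandle=ni_hAttatchWin;
m_aAttachWinInfoMap.SetAt(ni_hAttatchWin,tudtAttachWinInfo);

// Logging is best-effort: the storage card may be absent, so a failed fopen
// only skips the log line instead of passing NULL to fprintf/fclose.
FILE *tpLogFile = fopen("\\Storage Card\\WinProcInfo.txt", "w");
if (tpLogFile!=NULL)
{
fprintf(tpLogFile,"Attatch successfully! OldWindowProc: %08X\n",tpPrevWindowProc);
fclose(tpLogFile);
}
return 77;// (int)tpPrevWindowProc ;
}//end function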

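/// Removes the hook installed by fnAttachWinProc: puts the window's original
/// procedure back and forgets the window.
/// @param ni_hDetachWin window to restore
/// @return the procedure that was in place before restoring (normally
///         fnHookWindowProc) cast to int; 0 if the window was never attached
///         or SetWindowLong failed, in which case the bookkeeping is kept.
int __declspec(dllexport) WINAPI fnDetachWinMsgProc(HWND ni_hDetachWin)
{
DEFUDT_AttachWinInfo tudtAttachWinInfo;

// Fetch the original procedure recorded at attach time.  Without this check a
// window that was never attached would get an uninitialised pointer written
// back as its window procedure.
if (!m_aAttachWinInfoMap.Lookup(ni_hDetachWin,tudtAttachWinInfo))
{
return 0;
}

// Restore the window's default message handling.
WNDPROC tpPrevWindowProc =(WNDPROC) SetWindowLong(ni_hDetachWin,GWL_WNDPROC , (LONG)tudtAttachWinInfo.OldWinProc);
if (tpPrevWindowProc==NULL)
{
// The hook is still installed, so fnHookWindowProc still needs the entry.
return 0;
}

// Drop the bookkeeping entry only once the hook is actually gone.
m_aAttachWinInfoMap.RemoveKey(ni_hDetachWin);

return (int)tpPrevWindowProc ;
}//end function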


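/// Window procedure installed in place of the original one.  Appends one line
/// per message to "\\Storage Card\\WinProcInfo.txt", then forwards the message
/// to the original procedure remembered in m_aAttachWinInfoMap.
/// @return the original procedure's result, or DefWindowProc's result when
///         the window has no entry in the map.
LRESULT CALLBACK fnHookWindowProc(HWND hwnd,UINT msg,WPARAM wparam, LPARAM lparam)
{
// Best-effort logging: a missing storage card must not break message
// handling, so write and close only when the open succeeded (the original
// called fclose() on a NULL handle).
FILE *tpLogFile = fopen("\\Storage Card\\WinProcInfo.txt", "a");
if (tpLogFile!=NULL)
{
fprintf(tpLogFile,"HWND: %08X Msg: %08X Wparam %08X Lparam %08X \n",
hwnd,msg,wparam,lparam);
fclose(tpLogFile);
}//END IF

// Forward to the procedure recorded at attach time.  If the window is unknown
// (never attached, or no entry yet) fall back to DefWindowProc rather than
// calling through an uninitialised pointer.
DEFUDT_AttachWinInfo tudtAttachWinInfo;
if (!m_aAttachWinInfoMap.Lookup(hwnd,tudtAttachWinInfo))
{
return ::DefWindowProc(hwnd,msg,wparam,lparam);
}
return ::CallWindowProc(tudtAttachWinInfo.OldWinProc ,hwnd,msg,wparam,lparam);
}//end function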

