以CE教程为例，通过VB.NET实现代码注入。

laodan

所有代码在下面，重要语句有说明，虽然这个是VB.NET源码，但C#与VB.NET同属.NET平台，也能为C#开发提供重要参考。

[Visual Basic .NET] 纯文本查看 复制代码

Imports System.Runtime.InteropServices
Public Class Form1
    <DllImport("kernel32.dll", SetLastError:=True)>
    Private Shared Function OpenProcess(ByVal dwDesiredAccess As UInteger, ByVal bInheritHandle As Boolean, ByVal dwProcessId As Integer) As IntPtr
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)>
    Private Shared Function WriteProcessMemory(ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal lpBuffer As Byte(), ByVal nSize As Integer, ByRef lpNumberOfBytesWritten As Integer) As Boolean
    End Function

    <DllImport("kernel32.dll")>
    Private Shared Function VirtualAllocEx(ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As UInteger, ByVal flAllocationType As UInteger, ByVal flProtect As UInteger) As IntPtr
    End Function
    <DllImport("kernel32.dll", SetLastError:=True)>
    Public Shared Function ReadProcessMemory(ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, <Out()> ByVal lpBuffer As Byte(), ByVal nSize As Integer, ByRef lpNumberOfBytesRead As Integer) As Boolean
    End Function

    Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
        Dim processName As String = "Tutorial-i386" '替换为目标进程的名称
        Dim process1 As Process() = Process.GetProcessesByName(processName)
        If (process1.Length > 0) Then
            Dim processHandle As IntPtr = OpenProcess(&H1F0FFF, False, process1(0).Id) '打开进程句柄
            Dim TranAddress As IntPtr = VirtualAllocEx(processHandle, IntPtr.Zero, 1024, &H1000, &H40) '申请内存
            Dim TranBytes As Byte() = {&HE9, &H0, &H0, &H0, &H0} '跳转指令，e9为JMP，余四个字节
            Dim offset As Integer = CInt(TranAddress.ToInt64() - (process1(0).MainModule.BaseAddress.ToInt64() + &H275E3)) '计算偏移
            BitConverter.GetBytes(offset - 5).CopyTo(TranBytes, 1) '将跳转偏移量写入JMP指令中
            Dim entryPoint As IntPtr = process1(0).MainModule.BaseAddress '寻找模块jz，CE中表示为“Tutorial-i386.exe”
            entryPoint += &H275E3 '模块jz+偏移=Tutorial-i386+275E3=需要汇编的jz

            Dim bytesWritten As Integer = 0
            Dim originalBytes As Byte() = New Byte(TranBytes.Length - 1) {} '保存被覆盖的指令
            ReadProcessMemory(processHandle, entryPoint, originalBytes, originalBytes.Length, bytesWritten) '读取jz指令
            WriteProcessMemory(processHandle, entryPoint, TranBytes, TranBytes.Length, bytesWritten) '将JMP指令插入到目标进程代码中
            MsgBox(CLng(entryPoint) & "/地址写入跳转指令成功！跳转至：" & CLng(TranAddress))

            '======继续修改跳转之后的指令，改过指令，再跳转回来

            Dim jmpBytes As Byte() = {&H83, &H83, &HA4, &H04, &H00, &H00, &H05, &HE9, &H0, &H0, &H0, &H0} 'JMP指令的机器码，点击“打我”数值加5
            Dim offset1 As Integer = CInt((TranAddress.ToInt64() - offset) - (TranAddress.ToInt64() + 5)) '计算偏移，(1670000-1248A1D)- 1670000 + 5

            BitConverter.GetBytes(offset1).CopyTo(jmpBytes, 8) '从第八个字节开始插入，将跳转偏移量写入JMP指令中

            WriteProcessMemory(processHandle, TranAddress, jmpBytes, jmpBytes.Length, bytesWritten) '再将指令写入到申请的内存空间。

        Else
            MsgBox("没有找到句柄")
        End If
    End Sub
End Class

软件修改的是CE教程示例中步骤七，他的原有示例是需要用CE来实现代码注入，但本例中是使用VB.NET来进行的一个代码注入。
原理就是在进程中申请一块有权限的内存空间，然后在jz处进行跳转至内存空间，在分配的内存空间处将汇编指令给写进去，然后再跳回去，实现调用自己的汇编指令。
CE 7.1下载：https://www.123pan.com/s/AHC0Vv-XUJc.html

茶白

已get到新技能,感谢