
RING3 64位进程注入DLL到32位进程


只需要拿到32位的kernel32!LoadLibraryA,然后使用普通手段(CreateRemoteThread)注入即可。

// One export-table entry as seen inside the target process. Filled in by
// GetProcessExportTable32; the caller owns the array these live in.
typedef struct _IAT_EAT_INFO
{
char ModuleName[256];   // module the entry was read from (copied from the lookup name)
char FuncName[64];      // exported function name; NUL-terminated
ULONG64 Address;        // function address in the target's address space (module base + export RVA)
ULONG64 RecordAddr;     // target-space address of the AddressOfFunctions slot the RVA was read from
ULONG64        ModBase; // module base in the target; only meaningful for export-table entries
} IAT_EAT_INFO, *PIAT_EAT_INFO;

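// Finds a module loaded in hProcess whose full path contains szModuleName.
// The remote path is lower-cased before the substring test, so the caller
// must pass szModuleName in lower case (e.g. "kernel32.dll").
// EnumProcessModulesEx is called with filter 3 (LIST_MODULES_ALL) so the
// 32-bit modules of a WOW64 target are visible from a 64-bit caller:
// http://msdn.microsoft.com/en-us/library/ms682633(v=vs.85).aspx
//
// hProcess     : handle with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
// szModuleName : lower-case module name (substring match against the full path)
// Returns the module handle (its base in the target) or NULL if not found
// or if enumeration fails.
HMODULE GetRemoteModuleHandleByProcessHandleA(HANDLE hProcess, char *szModuleName)
{
    HMODULE hMods[1024] = {0};
    DWORD cbNeeded = 0;

    if (!szModuleName ||
        !EnumProcessModulesEx(hProcess, hMods, sizeof(hMods), &cbNeeded, 3)) {
        return NULL;
    }

    // cbNeeded reports the size the full list would need, which can exceed
    // the buffer when the target has more than 1024 modules. Only walk the
    // entries that were actually written, and never one past the end.
    DWORD cbUsed = cbNeeded < sizeof(hMods) ? cbNeeded : (DWORD)sizeof(hMods);
    DWORD nMods = cbUsed / sizeof(HMODULE);

    for (DWORD i = 0; i < nMods; i++) {
        char szModName[MAX_PATH] = {0};
        if (!GetModuleFileNameExA(hProcess, hMods[i], szModName, sizeof(szModName))) {
            continue;   // module unloaded between calls, or path not readable
        }
        if (strstr(strlwr(szModName), szModuleName)) {
            return hMods[i];
        }
    }
    return NULL;
}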

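// Walks the export table of ModuleName inside a 32-bit target process and
// fills tbinfo[] with one entry per named export. All PE structures are
// copied out with ReadProcessMemory into local copies; no remote pointer is
// dereferenced directly, so a 64-bit caller can parse a WOW64 target.
//
// hProcess    : handle with PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
// ModuleName  : lower-case module name (see GetRemoteModuleHandleByProcessHandleA)
// tbinfo      : caller-owned array with room for at least tb_info_max entries
// tb_info_max : capacity of tbinfo; at most this many entries are written
// Returns the number of entries written. Returns 0 when the module is not
// found, the headers cannot be read, or the module has no export directory.
// If a read fails part-way through the name table, the entries gathered so
// far are returned. Every length read from the target is treated as
// untrusted: NumberOfNames is capped, ordinals are range-checked against
// NumberOfFunctions, and names are truncated to fit FuncName.
// Forwarded exports are not special-cased: Address is simply
// ModBase + whatever the AddressOfFunctions slot holds.
long GetProcessExportTable32(HANDLE hProcess, char *ModuleName, IAT_EAT_INFO tbinfo[], int tb_info_max)
{
    if (!ModuleName || !tbinfo || tb_info_max <= 0) {
        return 0;
    }

    // Stack copies instead of heap buffers: nothing to leak on early return.
    IMAGE_DOS_HEADER dosHeader = {0};
    IMAGE_NT_HEADERS32 ntHeaders = {0};
    IMAGE_EXPORT_DIRECTORY exportDir = {0};
    ULONG count = 0;

    // The target is 32-bit, so its module base fits in 32 bits; truncating
    // the HMODULE to ULONG is intentional.
    ULONG muBase = (ULONG)GetRemoteModuleHandleByProcessHandleA(hProcess, ModuleName);
    if (!muBase) {
        return 0;
    }

    if (!ReadProcessMemory(hProcess, (PVOID)muBase, &dosHeader, sizeof(dosHeader), NULL) ||
        dosHeader.e_magic != 0x5A4D /* 'MZ' */) {
        return 0;
    }

    if (!ReadProcessMemory(hProcess, (PVOID)(muBase + dosHeader.e_lfanew), &ntHeaders, sizeof(ntHeaders), NULL) ||
        ntHeaders.Signature != 0x00004550 /* 'PE\0\0' */) {
        return 0;
    }

    // DataDirectory[0] is the export directory.
    DWORD exportRva = ntHeaders.OptionalHeader.DataDirectory[0].VirtualAddress;
    if (exportRva == 0) {
        return 0;
    }
    if (!ReadProcessMemory(hProcess, (PVOID)(muBase + exportRva), &exportDir, sizeof(exportDir), NULL)) {
        return 0;
    }

    // Sanity cap on a value read from the target; a corrupt table must not
    // turn into a multi-million-iteration remote read loop.
    if (exportDir.NumberOfNames > 8192) {
        return 0;
    }

    for (DWORD i = 0; i < exportDir.NumberOfNames; i++) {
        if (count >= (ULONG)tb_info_max) {
            break;          // tbinfo is full; never write tbinfo[tb_info_max]
        }

        ULONG nameRva = 0;
        if (!ReadProcessMemory(hProcess, (PVOID)(muBase + exportDir.AddressOfNames + i * 4), &nameRva, 4, NULL)) {
            break;
        }

        // Leave the last byte as NUL so the name is always terminated even
        // when it is longer than the buffer.
        char funcName[100] = {0};
        if (!ReadProcessMemory(hProcess, (PVOID)(muBase + nameRva), funcName, sizeof(funcName) - 1, NULL)) {
            break;
        }

        USHORT ordinal = 0;
        if (!ReadProcessMemory(hProcess, (PVOID)(muBase + exportDir.AddressOfNameOrdinals + i * 2), &ordinal, 2, NULL)) {
            break;
        }
        if (ordinal >= exportDir.NumberOfFunctions) {
            continue;       // ordinal points outside AddressOfFunctions: skip the entry
        }

        ULONG slotAddr = muBase + exportDir.AddressOfFunctions + 4u * ordinal;
        ULONG funcRva = 0;
        if (!ReadProcessMemory(hProcess, (PVOID)slotAddr, &funcRva, 4, NULL)) {
            break;
        }

        IAT_EAT_INFO *entry = &tbinfo[count];
        // Bounded copies: FuncName is smaller than the 100-byte read buffer.
        snprintf(entry->ModuleName, sizeof(entry->ModuleName), "%s", ModuleName);
        snprintf(entry->FuncName, sizeof(entry->FuncName), "%s", funcName);
        entry->Address = (ULONG64)muBase + funcRva;
        entry->RecordAddr = (ULONG64)slotAddr;
        entry->ModBase = muBase;
        count++;
    }

    return (long)count;
}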

//获得32位进程中某个DLL导出函数的地址 ULONG64 GetProcAddressIn32BitProcess(HANDLE hProcess, char ModuleName, char FuncName) { ULONG64 RetAddr=0; PIAT_EAT_INFO pInfo = (PIAT_EAT_INFO)malloc(4096*sizeof(IAT_EAT_INFO)); long count = GetProcessExportTable32(hProcess,ModuleName,pInfo,2048); if(!count) return NULL; for(long i=0; i<count; i++) { if(!stricmp(pInfo[i].FuncName,FuncName)) { RetAddr=pInfo[i].Address; break; } } free(pInfo); return RetAddr; }

