起因 趁还有印象赶紧动笔 程序行为分析器采用DLL注入的方式实现，类似于 hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwPID)); pRemoteBuf=VirtualAllocEx(hProcess,NULL,dwBufSize,MEM_COMMIT,PAGE_READWRITE); WriteProcessMemory(hProcess,pRemoteBuf,szDLLName,dwBufSize,NULL); hMod=GetModuleHandle("ke…