函数名称: CreateRemoteDll() 返加类型:BOOL 接受参数: DLL路径,注入进程ID 其完整代码如下: BOOL CreateRemoteDll(const char *DllFullPath, const DWORD dwRemoteProcessId)...{ HANDLE hToken; ...
函数名称: CreateRemoteDll()
返加类型:BOOL
接受参数: DLL路径,注入进程ID
其完整代码如下:
BOOL CreateRemoteDll(const char *DllFullPath, const DWORD dwRemoteProcessId)
{
HANDLE hToken;
if ( OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken) )
{
TOKEN_PRIVILEGES tkp;
LookupPrivilegeValue( NULL,SE_DEBUG_NAME,&tkp.Privileges[0].Luid );//修改进程权限
tkp.PrivilegeCount=1;
tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges( hToken,FALSE,&tkp,sizeof tkp,NULL,NULL );//通知系统修改进程权限
}
HANDLE hRemoteProcess;
//打开远程线程
if( (hRemoteProcess = OpenProcess( PROCESS_CREATE_THREAD | //允许远程创建线程
PROCESS_VM_OPERATION | //允许远程VM操作
PROCESS_VM_WRITE, //允许远程VM写
FALSE, dwRemoteProcessId ) )== NULL )
{
AfxMessageBox("OpenProcess Error!");
return FALSE;
}
char *pszLibFileRemote;
//在远程进程的内存地址空间分配DLL文件名缓冲区
pszLibFileRemote = (char *) VirtualAllocEx( hRemoteProcess, NULL, lstrlen(DllFullPath)+1,
MEM_COMMIT, PAGE_READWRITE);
if(pszLibFileRemote == NULL)
{
AfxMessageBox("VirtualAllocEx error! ");
return FALSE;
}
//将DLL的路径名复制到远程进程的内存空间
if( WriteProcessMemory(hRemoteProcess,
pszLibFileRemote, (void *) DllFullPath, lstrlen(DllFullPath)+1, NULL) == 0)
{
AfxMessageBox("WriteProcessMemory Error");
return FALSE;
}
//计算LoadLibraryA的入口地址
PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
if(pfnStartAddr == NULL)
{
AfxMessageBox("GetProcAddress Error");
return FALSE;
}
HANDLE hRemoteThread;
if( (hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0,
pfnStartAddr, pszLibFileRemote, 0, NULL) ) == NULL)
{
AfxMessageBox("CreateRemoteThread Error");
return FALSE;
}
return TRUE;
}
{
HANDLE hToken;
if ( OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken) )
{
TOKEN_PRIVILEGES tkp;
LookupPrivilegeValue( NULL,SE_DEBUG_NAME,&tkp.Privileges[0].Luid );//修改进程权限
tkp.PrivilegeCount=1;
tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges( hToken,FALSE,&tkp,sizeof tkp,NULL,NULL );//通知系统修改进程权限
}
HANDLE hRemoteProcess;
//打开远程线程
if( (hRemoteProcess = OpenProcess( PROCESS_CREATE_THREAD | //允许远程创建线程
PROCESS_VM_OPERATION | //允许远程VM操作
PROCESS_VM_WRITE, //允许远程VM写
FALSE, dwRemoteProcessId ) )== NULL )
{
AfxMessageBox("OpenProcess Error!");
return FALSE;
}
char *pszLibFileRemote;
//在远程进程的内存地址空间分配DLL文件名缓冲区
pszLibFileRemote = (char *) VirtualAllocEx( hRemoteProcess, NULL, lstrlen(DllFullPath)+1,
MEM_COMMIT, PAGE_READWRITE);
if(pszLibFileRemote == NULL)
{
AfxMessageBox("VirtualAllocEx error! ");
return FALSE;
}
//将DLL的路径名复制到远程进程的内存空间
if( WriteProcessMemory(hRemoteProcess,
pszLibFileRemote, (void *) DllFullPath, lstrlen(DllFullPath)+1, NULL) == 0)
{
AfxMessageBox("WriteProcessMemory Error");
return FALSE;
}
//计算LoadLibraryA的入口地址
PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
if(pfnStartAddr == NULL)
{
AfxMessageBox("GetProcAddress Error");
return FALSE;
}
HANDLE hRemoteThread;
if( (hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0,
pfnStartAddr, pszLibFileRemote, 0, NULL) ) == NULL)
{
AfxMessageBox("CreateRemoteThread Error");
return FALSE;
}
return TRUE;
}