函数名称: CreateRemoteDll() 返加类型:BOOL 接受参数: DLL路径,注入进程ID 其完整代码如下: BOOL CreateRemoteDll(const char *DllFullPath, const DWORD dwRemoteProcessId)...{ HANDLE hToken; ...
函数名称: CreateRemoteDll()
返加类型:BOOL
接受参数: DLL路径,注入进程ID
其完整代码如下:
BOOL CreateRemoteDll(const char *DllFullPath, const DWORD dwRemoteProcessId)
{
HANDLE hToken; if ( OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken) )
{ TOKEN_PRIVILEGES tkp; LookupPrivilegeValue( NULL,SE_DEBUG_NAME,&tkp.Privileges[0].Luid );//修改进程权限 tkp.PrivilegeCount=1; tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED; AdjustTokenPrivileges( hToken,FALSE,&tkp,sizeof tkp,NULL,NULL );//通知系统修改进程权限 
} HANDLE hRemoteProcess; //打开远程线程 if( (hRemoteProcess = OpenProcess( PROCESS_CREATE_THREAD | //允许远程创建线程 PROCESS_VM_OPERATION | //允许远程VM操作 PROCESS_VM_WRITE, //允许远程VM写 FALSE, dwRemoteProcessId ) )== NULL ) { AfxMessageBox("OpenProcess Error!"); return FALSE; } char *pszLibFileRemote; //在远程进程的内存地址空间分配DLL文件名缓冲区 pszLibFileRemote = (char *) VirtualAllocEx( hRemoteProcess, NULL, lstrlen(DllFullPath)+1, MEM_COMMIT, PAGE_READWRITE); if(pszLibFileRemote == NULL) { AfxMessageBox("VirtualAllocEx error! "); return FALSE; } //将DLL的路径名复制到远程进程的内存空间 if( WriteProcessMemory(hRemoteProcess, pszLibFileRemote, (void *) DllFullPath, lstrlen(DllFullPath)+1, NULL) == 0) { AfxMessageBox("WriteProcessMemory Error"); return FALSE; } //计算LoadLibraryA的入口地址 PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE) GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA"); if(pfnStartAddr == NULL) { AfxMessageBox("GetProcAddress Error"); return FALSE; } HANDLE hRemoteThread; if( (hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote, 0, NULL) ) == NULL) { AfxMessageBox("CreateRemoteThread Error"); return FALSE; } return TRUE;
}