把DLL插进去 T T , 传说中的硬编码。 我真懒得写全了 意思一下就好了。
1 #include "stdafx.h"
2 #include <windows.h>
3
4
/*
 * InjectProcess: make the process identified by dwProcessId load the DLL
 * at szLibName. The path is copied into a buffer allocated inside the
 * target, and a remote thread is started at kernel32!LoadLibraryA with
 * that buffer as its single argument.
 *
 * Parameters:
 *   dwProcessId - PID of the target process.
 *   szLibName   - NUL-terminated ANSI path of the DLL to load.
 * Returns:
 *   TRUE once the remote thread has been created and has finished,
 *   FALSE if any Win32 call before that point fails.
 *
 * Defender's note: the OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx ->
 * WriteProcessMemory -> CreateRemoteThread(LoadLibraryA) sequence is the
 * textbook remote-thread DLL injection pattern. It is precisely the
 * cross-process activity that Sysmon Event ID 8 (CreateRemoteThread) and
 * EDR sensors record, so this function is a good reference for what such
 * telemetry should look like.
 *
 * __try / __leave / __finally is MSVC structured exception handling:
 * __leave jumps to the __finally block, which releases whatever was
 * acquired so far.
 */
BOOL InjectProcess(DWORD dwProcessId, char* szLibName)
{
    BOOL bOK = FALSE;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    char* pszRemoteLibName = NULL;   /* address of the path copy in the target */

    __try
    {
        /* PROCESS_ALL_ACCESS is far broader than the VM-write and
         * thread-creation rights this function actually exercises;
         * least privilege would request only those. */
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwProcessId);
        if(hProcess == NULL) __leave;

        /* Byte count of the path including its terminator; cb == cch
         * because sizeof(char) is 1. */
        int cch = 1 + lstrlen(szLibName);
        int cb = cch * sizeof(char);

        pszRemoteLibName = (char *)VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
        if(pszRemoteLibName == NULL) __leave;

        if(!WriteProcessMemory(hProcess, pszRemoteLibName, (PVOID)szLibName, cb, NULL)) __leave;

        /* The address is resolved in *this* process but used as the start
         * address of a thread in the target; presumably this relies on
         * kernel32 being mapped at the same address in both and on the
         * two processes having the same bitness — neither is checked here. */
        LPTHREAD_START_ROUTINE pfnLoadLibraryA = (LPTHREAD_START_ROUTINE)
            GetProcAddress(GetModuleHandleA("kernel32.dll"),"LoadLibraryA");
        if(pfnLoadLibraryA == NULL) __leave;

        hThread = CreateRemoteThread(hProcess, NULL, 0, pfnLoadLibraryA, pszRemoteLibName, 0, NULL);
        if(hThread == NULL) __leave;

        /* Blocks until the remote thread exits. The wait result is not
         * checked and the thread's exit code (LoadLibraryA's return value)
         * is never read, so bOK below only means "the remote thread ran",
         * not "the DLL was loaded". */
        WaitForSingleObject(hThread, INFINITE);

        bOK = TRUE;

    }

    __finally
    {
        /* Safe to release the remote buffer here: the thread that read it
         * has already finished (or was never created). A non-NULL
         * pszRemoteLibName implies hProcess is valid. */
        if(pszRemoteLibName != NULL)
            VirtualFreeEx(hProcess, pszRemoteLibName, 0, MEM_RELEASE);

        if(hThread != NULL)
            CloseHandle(hThread);

        if(hProcess != NULL)
            CloseHandle(hProcess);
    }

    return bOK;
}
52
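/************************************************************************/
/* EnableDebugPrivilege: enable one named privilege on a process token. */
/* Parameters: hProcess        - process whose token is adjusted;       */
/*             lpPrivilegeName - privilege name, e.g. SE_DEBUG_NAME;    */
/* Returns TRUE when the token was opened, the privilege was looked up  */
/* and AdjustTokenPrivileges returned success, FALSE otherwise.         */
/************************************************************************/
BOOL EnableDebugPrivilege(IN HANDLE hProcess, IN LPCTSTR lpPrivilegeName)
{
    HANDLE hToken = NULL;
    LUID luid;
    TOKEN_PRIVILEGES tkp = {0};
    BOOL bOK = FALSE;

    /* TOKEN_QUERY is not strictly used below, but it is harmless and the
     * original requested it; TOKEN_ADJUST_PRIVILEGES is what matters. */
    if (!OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return FALSE;
    }

    if (LookupPrivilegeValue(NULL, lpPrivilegeName, &luid))
    {
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = luid;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        /* NOTE(review): AdjustTokenPrivileges returns nonzero even when the
         * token does not hold the privilege at all (GetLastError() is then
         * ERROR_NOT_ALL_ASSIGNED). That case still yields TRUE here, so a
         * caller cannot tell "enabled" from "not held". */
        bOK = AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL) ? TRUE : FALSE;
    }

    /* The original leaked hToken on the success path; close it on every path. */
    CloseHandle(hToken);
    return bOK;
}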
87
88
89
/*
 * Entry point of the demo: enable SeDebugPrivilege for this process, then
 * inject the hard-coded DLL into the hard-coded PID. Both values are
 * fixed at compile time, as the author notes above; the return values of
 * both calls are ignored, so the program exits 0 regardless of outcome.
 */
int main(int argc, char* argv[])
{
    const DWORD targetPid = 6916;
    char dllPath[] = "d:\\work\\MyProjects\\apihook\\Debug\\apihook.dll";

    (void)argc;   /* command-line arguments are not consulted */
    (void)argv;

    /* Privilege first: OpenProcess on another user's process needs it. */
    EnableDebugPrivilege(GetCurrentProcess(), SE_DEBUG_NAME);
    InjectProcess(targetPid, dllPath);

    return 0;
}