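/*
 * inject_dll - load a DLL into another process by running LoadLibraryA on
 * a thread created in that process.
 *
 * Steps: enable SeDebugPrivilege on our own token (best effort), open the
 * target with thread-creation and memory-write rights, copy the
 * NUL-terminated ANSI path into the target's address space, start a remote
 * thread whose start routine is this process's LoadLibraryA address and
 * whose argument is the remote copy of the path, wait for it, and release
 * every handle and the remote buffer.
 *
 * dll_path      NUL-terminated ANSI path of the DLL. Pass an absolute path:
 *               the target resolves it with its own DLL search order, so a
 *               bare file name is open to search-order hijacking.
 * remote_pro_id PID of the target process.
 *
 * Returns TRUE when the remote thread ran and reported a non-zero exit code
 * (LoadLibraryA's HMODULE, truncated to a DWORD), FALSE on any API failure
 * or when LoadLibraryA returned NULL in the target. On 64-bit targets the
 * truncation could in principle turn a valid base into 0; treat a FALSE
 * here as "the DLL most likely did not load" rather than proof.
 *
 * Caveats: LoadLibraryA's address is taken from this process's kernel32,
 * so this only works when the target maps kernel32 at the same base
 * (same bitness, same boot) -- confirm for your target. The wait is
 * unbounded; a DllMain that blocks will block the caller.
 */
BOOL inject_dll( const char *dll_path, const DWORD remote_pro_id )
{
    BOOL   ok               = FALSE;
    HANDLE h_token          = NULL;
    HANDLE h_remote_process = NULL;
    HANDLE h_remote_thread  = NULL;
    char  *lib_func_buf     = NULL;
    SIZE_T path_len;
    SIZE_T written          = 0;
    DWORD  exit_code        = 0;

    if ( dll_path == NULL || dll_path[0] == '\0' )
        return FALSE;

    /* Length including the terminating NUL. lstrlenA is named explicitly so
     * the count does not depend on whether UNICODE is defined. */
    path_len = (SIZE_T) lstrlenA( dll_path ) + 1;

    /* Best-effort SeDebugPrivilege so OpenProcess can reach processes we
     * would otherwise be denied. AdjustTokenPrivileges can return TRUE with
     * GetLastError() == ERROR_NOT_ALL_ASSIGNED, so its result is not checked
     * here; OpenProcess below is the real test. The token handle is closed
     * immediately -- the original leaked it. */
    if ( OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &h_token ) )
    {
        TOKEN_PRIVILEGES tkp;
        if ( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid ) )
        {
            tkp.PrivilegeCount = 1;
            tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            AdjustTokenPrivileges( h_token, FALSE, &tkp, sizeof( tkp ), NULL, NULL );
        }
        CloseHandle( h_token );
    }

    /* Rights used: create a thread, reserve/commit memory, write memory.
     * NOTE(review): the CreateRemoteThread documentation lists additional
     * rights (PROCESS_QUERY_INFORMATION, PROCESS_VM_READ); the original
     * set is kept here -- confirm against the target's protection level. */
    h_remote_process = OpenProcess( PROCESS_CREATE_THREAD |
                                    PROCESS_VM_OPERATION  |
                                    PROCESS_VM_WRITE,
                                    FALSE, remote_pro_id );
    if ( h_remote_process == NULL )
        goto cleanup;

    /* Buffer for the DLL path inside the target's address space. */
    lib_func_buf = (char *) VirtualAllocEx( h_remote_process, NULL, path_len,
                                           MEM_COMMIT, PAGE_READWRITE );
    if ( lib_func_buf == NULL )
        goto cleanup;

    /* Copy the path, NUL included, and insist on a complete write. */
    if ( !WriteProcessMemory( h_remote_process, lib_func_buf, dll_path,
                              path_len, &written )
         || written != path_len )
        goto cleanup;

    {
        HMODULE kernel32 = GetModuleHandle( TEXT("Kernel32") );
        PTHREAD_START_ROUTINE load_start_addr = NULL;

        if ( kernel32 != NULL )
            load_start_addr = (PTHREAD_START_ROUTINE)
                GetProcAddress( kernel32, "LoadLibraryA" );
        if ( load_start_addr == NULL )
            goto cleanup;

        /* LoadLibraryA(LPCSTR) has the same calling convention and argument
         * width as a thread start routine, so the remote path buffer is
         * passed as the thread parameter. */
        h_remote_thread = CreateRemoteThread( h_remote_process, NULL, 0,
                                              load_start_addr, lib_func_buf,
                                              0, NULL );
    }
    if ( h_remote_thread == NULL )
        goto cleanup;

    /* Wait before releasing the buffer: LoadLibraryA reads it on the remote
     * thread. The thread's exit code is LoadLibraryA's return value; 0 means
     * the DLL did not load in the target. */
    if ( WaitForSingleObject( h_remote_thread, INFINITE ) != WAIT_OBJECT_0 )
        goto cleanup;
    if ( !GetExitCodeThread( h_remote_thread, &exit_code ) || exit_code == 0 )
        goto cleanup;

    ok = TRUE;

cleanup:
    /* Release in reverse order of acquisition; every path ends here so no
     * handle or remote allocation is leaked, unlike the original. */
    if ( h_remote_thread != NULL )
        CloseHandle( h_remote_thread );
    if ( lib_func_buf != NULL )
        VirtualFreeEx( h_remote_process, lib_func_buf, 0, MEM_RELEASE );
    if ( h_remote_process != NULL )
        CloseHandle( h_remote_process );
    return ok;
}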