DLL 注入：基于 CreateRemoteThread + LoadLibraryA 的 DLL 注入函数（需要对目标进程的 VM 写入与创建线程权限；要打开其他用户/会话的进程，调用方还需能启用 SeDebugPrivilege，即通常要以管理员身份运行）



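/*
 * inject_dll - load a DLL into another process with the classic
 * CreateRemoteThread + LoadLibraryA technique.
 *
 * dll_path       ANSI path of the DLL to load. It is copied into the target
 *                and resolved *there*, so pass a full path; a relative path
 *                is resolved against the target's working directory/search
 *                order, not ours.
 * remote_pro_id  PID of the target process.
 *
 * Returns TRUE when the remote thread was created and ran to completion,
 * FALSE on any failure (GetLastError() reflects the last failing Win32 call).
 * Note that "thread completed" does not prove LoadLibraryA succeeded inside
 * the target; a failed load (missing file, bitness mismatch, DllMain
 * returning FALSE) still yields TRUE here, exactly as in the original.
 *
 * Sequence:
 *   1. best-effort enable SeDebugPrivilege on our own token, so OpenProcess
 *      can succeed on processes we would otherwise lack rights to;
 *   2. open the target with the rights CreateRemoteThread/VirtualAllocEx/
 *      WriteProcessMemory need;
 *   3. allocate a buffer in the target and copy the NUL-terminated path in;
 *   4. start a remote thread whose entry point is LoadLibraryA and whose
 *      single argument is that buffer;
 *   5. wait for it, then release the buffer and all handles.
 *
 * Caveats a caller must respect:
 *   - The address of LoadLibraryA is taken from *our* kernel32.dll. That is
 *     only valid in the target if both processes have the same bitness
 *     (32 vs 64) - injecting across WOW64 with this code will crash the target.
 *   - Enabling SeDebugPrivilege only works if the privilege is already present
 *     in the token (administrators); AdjustTokenPrivileges returns TRUE even
 *     when it assigned nothing, so failure shows up later at OpenProcess.
 *   - This is the exact call chain EDR/AV products monitor for injection.
 */
BOOL inject_dll( const char *dll_path, const DWORD remote_pro_id )
{
    BOOL                  ok               = FALSE;
    HANDLE                h_token          = NULL;
    HANDLE                h_remote_process = NULL;
    HANDLE                h_remote_thread  = NULL;
    LPVOID                lib_func_buf     = NULL;
    PTHREAD_START_ROUTINE load_start_addr  = NULL;
    SIZE_T                path_len;

    if ( dll_path == NULL || dll_path[0] == '\0' )
        return FALSE;

    /* dll_path is an ANSI string, so use the A variant explicitly: plain
     * lstrlen() would become lstrlenW under UNICODE builds. +1 copies the
     * terminating NUL, which the remote LoadLibraryA relies on. */
    path_len = ( SIZE_T )lstrlenA( dll_path ) + 1;

    /* Step 1: enable SeDebugPrivilege (best effort, see header). */
    if ( OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &h_token ) )
    {
        TOKEN_PRIVILEGES tkp;
        ZeroMemory( &tkp, sizeof( tkp ) );

        if ( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid ) )
        {
            tkp.PrivilegeCount           = 1;
            tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            /* Result deliberately not treated as fatal: ERROR_NOT_ALL_ASSIGNED
             * just means we proceed without the privilege. */
            AdjustTokenPrivileges( h_token, FALSE, &tkp, sizeof( tkp ), NULL, NULL );
        }

        CloseHandle( h_token );
        h_token = NULL;
    }

    /* Step 2: open the target. CreateRemoteThread documents that it needs
     * CREATE_THREAD, QUERY_INFORMATION, VM_OPERATION, VM_WRITE and VM_READ;
     * VirtualAllocEx/WriteProcessMemory are covered by VM_OPERATION/VM_WRITE. */
    h_remote_process = OpenProcess( PROCESS_CREATE_THREAD     |
                                    PROCESS_QUERY_INFORMATION |
                                    PROCESS_VM_OPERATION      |
                                    PROCESS_VM_WRITE          |
                                    PROCESS_VM_READ,
                                    FALSE, remote_pro_id );
    if ( h_remote_process == NULL )
        goto cleanup;

    /* Step 3: put the path into the target's address space. */
    lib_func_buf = VirtualAllocEx( h_remote_process, NULL, path_len,
                                   MEM_COMMIT, PAGE_READWRITE );
    if ( lib_func_buf == NULL )
        goto cleanup;

    if ( !WriteProcessMemory( h_remote_process, lib_func_buf, dll_path, path_len, NULL ) )
        goto cleanup;

    /* Step 4: kernel32.dll is mapped at the same base in every process of the
     * same bitness, so our LoadLibraryA address is valid in the target too. */
    load_start_addr = ( PTHREAD_START_ROUTINE )
        GetProcAddress( GetModuleHandleA( "kernel32.dll" ), "LoadLibraryA" );
    if ( load_start_addr == NULL )
        goto cleanup;

    h_remote_thread = CreateRemoteThread( h_remote_process, NULL, 0,
                                          load_start_addr, lib_func_buf, 0, NULL );
    if ( h_remote_thread == NULL )
        goto cleanup;

    /* Step 5: the buffer is the remote thread's argument, so it must not be
     * freed until LoadLibraryA has returned. The original returned without
     * waiting and leaked the buffer and every handle. */
    if ( WaitForSingleObject( h_remote_thread, INFINITE ) == WAIT_OBJECT_0 )
        ok = TRUE;

cleanup:
    if ( h_remote_thread != NULL )
        CloseHandle( h_remote_thread );
    /* Only safe because we waited above; if the wait failed we still free,
     * matching the "release everything we own" contract of this function. */
    if ( lib_func_buf != NULL )
        VirtualFreeEx( h_remote_process, lib_func_buf, 0, MEM_RELEASE );
    if ( h_remote_process != NULL )
        CloseHandle( h_remote_process );
    return ok;
}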