函数名称: CreateRemoteDll()
返加类型:BOOL
接受参数:DLL路径,注入进程ID
其完整代码如下:
BOOLCreateRemoteDll(constchar*DllFullPath,constDWORDdwRemoteProcessId)
...{
HANDLEhToken;if(OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken))
...{TOKEN_PRIVILEGEStkp;LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tkp.Privileges[0].Luid);//修改进程权限tkp.PrivilegeCount=1;tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;AdjustTokenPrivileges(hToken,FALSE,&tkp,sizeoftkp,NULL,NULL);//通知系统修改进程权限
}HANDLEhRemoteProcess;//打开远程线程if((hRemoteProcess=OpenProcess(PROCESS_CREATE_THREAD|//允许远程创建线程PROCESS_VM_OPERATION|//允许远程VM操作PROCESS_VM_WRITE,//允许远程VM写FALSE,dwRemoteProcessId))==NULL)...{AfxMessageBox("OpenProcessError!");returnFALSE;}char*pszLibFileRemote;//在远程进程的内存地址空间分配DLL文件名缓冲区pszLibFileRemote=(char*)VirtualAllocEx(hRemoteProcess,NULL,lstrlen(DllFullPath)+1,MEM_COMMIT,PAGE_READWRITE);if(pszLibFileRemote==NULL)...{AfxMessageBox("VirtualAllocExerror! ");returnFALSE;}//将DLL的路径名复制到远程进程的内存空间if(WriteProcessMemory(hRemoteProcess,pszLibFileRemote,(void*)DllFullPath,lstrlen(DllFullPath)+1,NULL)==0)...{AfxMessageBox("WriteProcessMemoryError");returnFALSE;}//计算LoadLibraryA的入口地址PTHREAD_START_ROUTINEpfnStartAddr=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")),"LoadLibraryA");if(pfnStartAddr==NULL)...{AfxMessageBox("GetProcAddressError");returnFALSE;}HANDLEhRemoteThread;if((hRemoteThread=CreateRemoteThread(hRemoteProcess,NULL,0,pfnStartAddr,pszLibFileRemote,0,NULL))==NULL)...{AfxMessageBox("CreateRemoteThreadError");returnFALSE;}returnTRUE;
}
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
