// CommonInject.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <windows.h>
#include <WinUser.h>
#include <WinDef.h>
#include <Tlhelp32.h>
#include <Psapi.h>
#include <iostream>
#include <string>
#pragma comment(lib,"Psapi.lib")
using namespace std;
// Generic DLL injector: CreateRemoteThread(LoadLibraryA) into a target process chosen by image name or PID.
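// Opens the first running process whose image name equals proc_name
// (case-insensitive; image file name only, no path). Returns NULL when the
// snapshot cannot be taken or no process with that name could be opened.
//
// Side effect: makes a best-effort attempt to enable SeDebugPrivilege on the
// current process token first, so that processes owned by other users can be
// opened when the tool runs elevated. Failure to enable it is not fatal —
// OpenProcess is still attempted and simply fails for protected targets.
//
// The returned handle has PROCESS_ALL_ACCESS, is NOT inheritable, and must be
// released by the caller with CloseHandle().
HANDLE GetProcessWithName(const std::wstring &proc_name){
    HANDLE target = NULL;

    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (INVALID_HANDLE_VALUE == snapshot)
    {
        return NULL;
    }

    // Least privilege on our own token: adjusting privileges needs only
    // TOKEN_ADJUST_PRIVILEGES (PreviousState is NULL, so TOKEN_QUERY is not
    // needed either). The original asked for TOKEN_ALL_ACCESS.
    HANDLE token = NULL;
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token))
    {
        LUID luid;
        if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
        {
            TOKEN_PRIVILEGES privileges;
            privileges.PrivilegeCount = 1;
            privileges.Privileges[0].Luid = luid;
            privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            // Result deliberately ignored: when the privilege is not held the
            // call "succeeds" with ERROR_NOT_ALL_ASSIGNED, and same-user
            // targets can still be opened without it.
            AdjustTokenPrivileges(token, FALSE, &privileges, 0, NULL, NULL);
        }
        CloseHandle(token);
    }

    PROCESSENTRY32 entry = {0};
    entry.dwSize = sizeof(entry);
    for (BOOL more = Process32First(snapshot, &entry); more; more = Process32Next(snapshot, &entry))
    {
        // szExeFile is already NUL-terminated; compare it in place instead of
        // copying it through swprintf_s first.
        if (0 != _wcsicmp(entry.szExeFile, proc_name.c_str()))
        {
            continue;
        }
        // bInheritHandle = FALSE: a full-access handle to the target must not
        // leak into any child process this tool spawns.
        target = OpenProcess(PROCESS_ALL_ACCESS, FALSE, entry.th32ProcessID);
        if (target != NULL)
        {
            // First openable match wins. The original kept enumerating and
            // overwrote the handle on every further match, leaking the earlier
            // ones (and returning NULL if only the last match failed to open).
            break;
        }
        // OpenProcess failed for this candidate (protected / other session);
        // keep scanning in case another instance of the same name is accessible.
    }

    CloseHandle(snapshot);
    return target;
}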
// Privilege adjustment helper: enables a named privilege on the current process token.
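// Enables the named token privilege (e.g. SE_DEBUG_NAME) for the current
// process. Returns TRUE only when the privilege is now enabled.
//
// Returns FALSE when:
//   - the privilege name is unknown (LookupPrivilegeValue fails),
//   - the process token cannot be opened, or
//   - the token does not hold the privilege at all: AdjustTokenPrivileges
//     still returns non-zero in that case and signals it only through
//     GetLastError() == ERROR_NOT_ALL_ASSIGNED, so the last-error check is
//     what actually decides the result.
//
// `name` is LPCWSTR (was LPWSTR): wide string literals such as SE_DEBUG_NAME
// are const, and the widened parameter still accepts every existing caller.
BOOL EnablePrivilege(LPCWSTR name)
{
    TOKEN_PRIVILEGES priv = {0};
    priv.PrivilegeCount = 1;
    priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValue(NULL, name, &priv.Privileges[0].Luid))
    {
        // The original ignored this failure and went on to adjust a zero LUID.
        return FALSE;
    }

    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        // The original used (and CloseHandle'd) an uninitialised hToken here.
        return FALSE;
    }

    const BOOL adjusted = AdjustTokenPrivileges(hToken, FALSE, &priv, sizeof(priv), NULL, NULL);
    // Capture the status before CloseHandle can overwrite the last error.
    const DWORD status = GetLastError();
    CloseHandle(hToken);

    return adjusted && status == ERROR_SUCCESS;
}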
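namespace {

// Closes a kernel object handle when it goes out of scope. Replaces the
// __try/__finally cleanup of the original so that every early return releases
// its resources, and so C++ objects with destructors (std::string) no longer
// share a function with an SEH block.
struct ScopedHandle {
    HANDLE h;
    explicit ScopedHandle(HANDLE handle) : h(handle) {}
    ~ScopedHandle() { if (h != NULL) CloseHandle(h); }
private:
    ScopedHandle(const ScopedHandle&);            // non-copyable (C++03 idiom)
    ScopedHandle& operator=(const ScopedHandle&);
};

// Releases a region obtained from VirtualAllocEx in the target process on
// scope exit.
struct ScopedRemoteBuffer {
    HANDLE process;
    LPVOID address;
    ScopedRemoteBuffer(HANDLE p, LPVOID a) : process(p), address(a) {}
    ~ScopedRemoteBuffer() { if (address != NULL) VirtualFreeEx(process, address, 0, MEM_RELEASE); }
private:
    ScopedRemoteBuffer(const ScopedRemoteBuffer&);
    ScopedRemoteBuffer& operator=(const ScopedRemoteBuffer&);
};

// Exactly the rights VirtualAllocEx / WriteProcessMemory / CreateRemoteThread
// need. PROCESS_ALL_ACCESS (used by the commented-out original) asks for far
// more than required and is the first thing a hardened target denies.
const DWORD kInjectAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION
                          | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;

// Hard-coded DLL path. The remote entry point is LoadLibraryA, so the path is
// deliberately a narrow (ANSI) string.
const char kDllPath[] = "E:\\C++Code\\windows\\Dll\\myDll\\Debug\\myDll.dll";

// Image name used when the user enters no (or a non-positive) process id.
const wchar_t kDefaultTarget[] = L"FileMD5.exe";

// Loads dllPath into `target` with CreateRemoteThread(LoadLibraryA, path).
// Returns 0 on success, -1 on failure (a message has already been printed).
//
// Assumption worth stating: kernel32.dll is mapped at the same base in every
// process of the same bitness (ASLR randomises it once per boot), which is what
// makes our local LoadLibraryA address valid inside the target. A cross-bitness
// target (32-bit injector / 64-bit target or vice versa) breaks that assumption
// and is not supported here.
int InjectLibrary(HANDLE target, const std::string& dllPath)
{
    // +1 for the terminating NUL. The original wrote only size() bytes and
    // relied on VirtualAllocEx zero-filling the remainder of the page.
    const SIZE_T bytes = dllPath.size() + 1;
    ScopedRemoteBuffer remote(target,
        VirtualAllocEx(target, NULL, bytes, MEM_COMMIT, PAGE_READWRITE));
    if (remote.address == NULL) {
        std::cout << "申请远程进程空间失败" << ::GetLastError() << std::endl;
        return -1;
    }

    if (!WriteProcessMemory(target, remote.address, dllPath.c_str(), bytes, NULL)) {
        std::cout << "远程进程数据写入失败" << std::endl;
        return -1;  // the original carried on and started the thread anyway
    }

    HMODULE kernel32 = GetModuleHandle(TEXT("Kernel32"));
    FARPROC loadLibrary = (kernel32 != NULL) ? GetProcAddress(kernel32, "LoadLibraryA") : NULL;
    if (loadLibrary == NULL) {
        std::cout << "获取 LoadLibraryA 地址失败" << std::endl;
        return -1;
    }

    // LoadLibraryA(LPCSTR) is WINAPI and returns a pointer-sized value, which
    // is what lets it stand in for LPTHREAD_START_ROUTINE(LPVOID) -> DWORD.
    ScopedHandle thread(CreateRemoteThread(target, NULL, 0,
        reinterpret_cast<PTHREAD_START_ROUTINE>(loadLibrary),
        remote.address, 0, NULL));
    if (thread.h == NULL) {
        std::cout << "远程线程创建失败" << std::endl;
        return -1;  // the original went on to WaitForSingleObject(NULL, INFINITE)
    }

    // The DLL's DllMain runs on this thread; if it blocks, so do we. INFINITE
    // is kept from the original — use a timeout for unattended runs.
    WaitForSingleObject(thread.h, INFINITE);

    // The thread exit code is LoadLibraryA's HMODULE, truncated to 32 bits on
    // x64 — only zero vs non-zero is meaningful. Zero means the load failed
    // inside the target (bad path, missing dependency, DllMain returned FALSE);
    // the original never checked it and reported success unconditionally.
    DWORD exitCode = 0;
    if (!GetExitCodeThread(thread.h, &exitCode) || exitCode == 0) {
        std::cout << "远程 LoadLibraryA 失败" << std::endl;
        return -1;
    }

    std::cout << "注入完成";
    return 0;
    // Destructors then close the thread handle and free the remote path
    // buffer, in the same order as the original __finally block.
}

// Prompts for a target, opens it, and injects. Returns 0 on success, -1 on
// failure. Every handle is released before this returns.
int RunInjection()
{
    int pid = 0;
    std::cout << "输入要注入的进程id:" << std::endl;
    if (!(std::cin >> pid)) {
        // Non-numeric input: treat it as "no pid given" rather than using an
        // indeterminate value (pre-C++11 streams leave pid untouched on failure).
        std::cin.clear();
        pid = 0;
    }

    // A positive id selects the process directly (the original prompted for
    // the id but never used it); otherwise fall back to the hard-coded name.
    HANDLE opened = NULL;
    if (pid > 0) {
        // bInheritHandle = FALSE: the handle must not leak into children such
        // as the cmd.exe spawned by system("pause").
        opened = OpenProcess(kInjectAccess, FALSE, static_cast<DWORD>(pid));
    } else {
        opened = GetProcessWithName(kDefaultTarget);
    }
    ScopedHandle target(opened);
    if (target.h == NULL) {
        std::cout << "进程打开失败" << std::endl;
        return -1;
    }

    return InjectLibrary(target.h, std::string(kDllPath));
}

} // namespace

// Entry point of the injection logic. Returns 0 on success and non-zero on
// failure. (The original fell off the end of the function without returning a
// value on the success path.)
int inject(){
    // SeDebugPrivilege is only needed to open processes owned by other users
    // or running at higher integrity. Report and continue: same-user targets
    // still work, and OpenProcess reports the real failure otherwise. The
    // original returned 0 here silently, indistinguishable from success.
    if (0 == EnablePrivilege(SE_DEBUG_NAME)) {
        std::cout << "启用 SeDebugPrivilege 失败, 仅能注入当前用户的进程" << std::endl;
    }
    const int rc = RunInjection();
    std::cout << "完成释放";
    return rc;
}

// Console entry point: run the injector, pause so the output can be read, and
// propagate the result as the exit status (the original always returned 0).
int _tmain(int argc, _TCHAR* argv[])
{
    const int rc = inject();
    // system("pause") resolves cmd.exe through %COMSPEC%; acceptable for an
    // interactive developer tool, but not something to keep in a program that
    // runs elevated where the environment block is not trusted.
    system("pause");
    return rc == 0 ? 0 : 1;
}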
VS2010 编译通过（字符集为 Unicode）。
通过在提示符处输入目标进程 id，或者修改源码中硬编码的进程名（FileMD5.exe），来选择目标进程。