CreateRemoteThread注入DLL

DLL注入的常用方式之一远程线程注入,实现代码如下

// CreateRemoteThread.cpp : Defines the entry point for the application.

//

#include "stdafx.h"

#include <stdio.h>

#include <tlhelp32.h>

#pragma comment(lib,"th32.lib")

DWORD GetProcessId()

{

    char* targetFile = "notepad.exe";

    DWORD Pid=-1;

    HANDLE hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);

    PROCESSENTRY32 lPrs;

    ZeroMemory(&lPrs,sizeof(lPrs));

    lPrs.dwSize=sizeof(lPrs);

    Process32First(hSnap,&lPrs);//取得系统快照里第一个进程信息

    if(strstr(targetFile,lPrs.szExeFile))

    {

    Pid=lPrs.th32ProcessID;

    return Pid;

    }

while(1)

    lPrs.dwSize=(&lPrs,sizeof(lPrs));

if(!Process32Next(hSnap,&lPrs))

Pid=-1;

break;

}

if(strstr(targetFile,lPrs.szExeFile))

return Pid;

BOOL EnabledDebugPrivilege()

    HANDLE hToken;

    TOKEN_PRIVILEGES tkp;

    if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) 

        return false;

    LookupPrivilegeValue(NULL,SE_SHUTDOWN_NAME,&tkp.Privileges[0].Luid);

    tkp.PrivilegeCount = 1;

    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    AdjustTokenPrivileges(hToken,false,&tkp,0,(PTOKEN_PRIVILEGES)NULL,0);

    if (GetLastError() != ERROR_SUCCESS)

    return true;

int APIENTRY WinMain(HINSTANCE hInstance,

                     HINSTANCE hPrevInstance,

                     LPSTR     lpCmdLine,

                     int       nCmdShow)

     // TODO: Place code here.

    EnabledDebugPrivilege();

    char* dllName = "c:\\hook.dll";

    //HMODULE hDll = LoadLibrary(dllName);    

    FARPROC farLoadLibrary = GetProcAddress(GetModuleHandle("Kernel32.dll"),"LoadLibraryA");

    DWORD dwProcessID = GetProcessId();

    if(dwProcessID == -1)

        MessageBox(NULL,"dw not found","",0);

        return 0;

    //HWND hwNotePad  =  FindWindow(NULL,"QQ用户登录"); 

    //if(hwNotePad == NULL)

        //return 0;

    //GetWindowThreadProcessId(hwNotePad,   &dwProcessID); 

    char* pid = new char[10];

    sprintf(pid,"0x%x",dwProcessID);

    HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,dwProcessID);

    if(hProcess == INVALID_HANDLE_VALUE)

        MessageBox(NULL,"open error","",0);

        CloseHandle(hProcess);

    LPVOID   lpDllAddr   =   VirtualAllocEx(hProcess,   NULL, strlen(dllName),   MEM_COMMIT,   PAGE_READWRITE); 

    if(lpDllAddr == NULL)

        MessageBox(NULL,"alloc error","",0);

    if(!WriteProcessMemory(hProcess,   lpDllAddr,   dllName,   strlen(dllName) ,NULL))

        MessageBox(NULL,"Write error","",0);

    HANDLE   hT   =   CreateRemoteThread(hProcess,   NULL,   0,   (LPTHREAD_START_ROUTINE)farLoadLibrary,   lpDllAddr,   0,   NULL);   

    CloseHandle(hT);

    CloseHandle(hProcess);

    MessageBox(NULL,"finish","",0);

    return 0;