【转】DLL注入



http://hi.baidu.com/blessyou312/blog/item/10fb07faabd1d1809f514646.html

 

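/*
 * Enable the privilege called `name` (e.g. SE_DEBUG_NAME) in the access
 * token of the calling process.
 *
 * name    Privilege name passed to LookupPrivilegeValue.
 *
 * Returns 1 only when the privilege is actually enabled, 0 otherwise.
 *
 * AdjustTokenPrivileges reports success even when the token does not hold
 * the requested privilege; in that case GetLastError() is
 * ERROR_NOT_ALL_ASSIGNED, so the last error is checked as well.
 *
 * The Win32 calls used here report failure through return values and do
 * not throw C++ exceptions, so no try/catch is needed around them.
 */
int EnableDebugPriv(const char * name)
{
    HANDLE hToken = NULL;
    LUID luid;
    TOKEN_PRIVILEGES tp;
    int enabled = 0;

    if (name == NULL)
    {
        return 0;
    }

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return 0;
    }

    if (LookupPrivilegeValue(NULL, name, &luid))
    {
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        tp.Privileges[0].Luid = luid;

        if (AdjustTokenPrivileges(hToken, FALSE, &tp,
                                  sizeof(TOKEN_PRIVILEGES), NULL, NULL)
            && GetLastError() == ERROR_SUCCESS)
        {
            enabled = 1;
        }
    }

    /* The token handle is owned by this function; release it on every path. */
    CloseHandle(hToken);
    return enabled;
}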
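/*
 * Return the process id of the first running process whose executable
 * name equals ProcName, compared case-insensitively.
 *
 * ProcName   Executable file name to look for (for example "notepad.exe").
 *            The string is only read; it is never modified.
 *
 * Returns the matching process id, or 0 when ProcName is NULL, the
 * snapshot cannot be taken, or no process matches.
 *
 * An executable name is not an identity: any process may carry the same
 * file name, and only the first match in the snapshot is returned.
 * Callers that need a specific process should verify it by other means.
 */
DWORD GetProcessID(char *ProcName)
{
    PROCESSENTRY32 pe32;
    HANDLE hSnapshot;
    DWORD dwFoundPid = 0;
    BOOL bMore;

    if (ProcName == NULL)
    {
        return 0;
    }

    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        return 0;
    }

    /* dwSize must be set before Process32First is called. */
    pe32.dwSize = sizeof(pe32);

    for (bMore = Process32First(hSnapshot, &pe32);
         bMore;
         bMore = Process32Next(hSnapshot, &pe32))
    {
        /* Compare without upper-casing in place: ProcName may point at a
         * string literal, which must not be written to. */
        if (_stricmp(pe32.szExeFile, ProcName) == 0)
        {
            dwFoundPid = pe32.th32ProcessID;
            break;
        }
    }

    /* Release the snapshot on the match path as well as the miss path. */
    CloseHandle(hSnapshot);
    return dwFoundPid;
}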
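/*
 * Ask the process dwRemoteProcessId to load the library at DllFunPath by
 * copying the path into that process and starting a thread in it whose
 * entry point is LoadLibraryA.
 *
 * DllFunPath          NUL-terminated path of the library.
 * dwRemoteProcessId   Id of the target process.
 *
 * Returns TRUE when the remote thread was created, FALSE on any failure.
 * TRUE does not mean the library loaded: the thread's exit code is never
 * inspected.
 *
 * Review notes:
 *  - The sequence OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
 *    CreateRemoteThread against another process is the textbook
 *    remote-library-load pattern. Endpoint protection products monitor
 *    for it, so software that does this should expect to be flagged.
 *  - PROCESS_ALL_ACCESS requests every access right on the target
 *    although only a few are used; a narrower mask would follow least
 *    privilege.
 *  - The path buffer allocated in the target is not freed here, because
 *    the remote thread may still be reading it when this function returns.
 */
BOOL DllInject(const char *DllFunPath,const DWORD dwRemoteProcessId)
{
    BOOL bStarted = FALSE;
    HANDLE hRemoteProcess;
    HANDLE hRemoteThread = NULL;
    char *pszLibFileRemote;
    PTHREAD_START_ROUTINE pfnstraddr;
    SIZE_T cbPath;

    if (DllFunPath == NULL || DllFunPath[0] == '\0')
    {
        return FALSE;
    }
    cbPath = (SIZE_T)lstrlen(DllFunPath) + 1;   /* include the terminator */

    /* Best effort: the privilege is only needed for some targets, so a
     * failure here is not treated as fatal. */
    EnableDebugPriv(SE_DEBUG_NAME);

    hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwRemoteProcessId);
    if (hRemoteProcess == NULL)
    {
        return FALSE;
    }

    pszLibFileRemote = (char *)VirtualAllocEx(hRemoteProcess, NULL,
                                              cbPath, MEM_COMMIT, PAGE_READWRITE);
    if (pszLibFileRemote != NULL
        && WriteProcessMemory(hRemoteProcess, pszLibFileRemote,
                              (void *)DllFunPath, cbPath, NULL) != 0)
    {
        pfnstraddr = (PTHREAD_START_ROUTINE)
            GetProcAddress(GetModuleHandle(TEXT("kernel32")), "LoadLibraryA");
        if (pfnstraddr != NULL)
        {
            hRemoteThread = CreateRemoteThread(hRemoteProcess, NULL, 0,
                                               pfnstraddr, pszLibFileRemote,
                                               0, NULL);
            if (hRemoteThread != NULL)
            {
                bStarted = TRUE;
                /* Closing the handle does not stop the thread; it only
                 * drops this process's reference to it. */
                CloseHandle(hRemoteThread);
            }
        }
    }

    /* Release the process handle on every path, success or failure. */
    CloseHandle(hRemoteProcess);
    return bStarted;
}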
