一个完整的DLL远程注入函数

来源：互联网发布：淘宝紫米商学院怎么样编辑：程序博客网时间：2024/04/25 13:33

函数名称: CreateRemoteDll()

返加类型:BOOL

接受参数: DLL路径,注入进程ID

其完整代码如下:

BOOL CreateRemoteDll(const char *DllFullPath, const DWORD dwRemoteProcessId)

{

HANDLE hToken;

if ( OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken) )

{

TOKEN_PRIVILEGES tkp;

LookupPrivilegeValue( NULL,SE_DEBUG_NAME,&tkp.Privileges[0].Luid );//修改进程权限

tkp.PrivilegeCount=1;

tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;

AdjustTokenPrivileges( hToken,FALSE,&tkp,sizeof tkp,NULL,NULL );//通知系统修改进程权限

}

HANDLE hRemoteProcess;

//打开远程线程

if( (hRemoteProcess = OpenProcess( PROCESS_CREATE_THREAD | //允许远程创建线程

PROCESS_VM_OPERATION | //允许远程VM操作

PROCESS_VM_WRITE, //允许远程VM写

FALSE, dwRemoteProcessId ) )== NULL )

{

AfxMessageBox("OpenProcess Error!");

return FALSE;

}

char *pszLibFileRemote;

//在远程进程的内存地址空间分配DLL文件名缓冲区

pszLibFileRemote = (char *) VirtualAllocEx( hRemoteProcess, NULL, lstrlen(DllFullPath)+1,

MEM_COMMIT, PAGE_READWRITE);

if(pszLibFileRemote == NULL)

{

AfxMessageBox("VirtualAllocEx error! ");

return FALSE;

}

//将DLL的路径名复制到远程进程的内存空间

if( WriteProcessMemory(hRemoteProcess,

pszLibFileRemote, (void *) DllFullPath, lstrlen(DllFullPath)+1, NULL) == 0)

{

AfxMessageBox("WriteProcessMemory Error");

return FALSE;

}

//计算LoadLibraryA的入口地址

PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)

GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");

if(pfnStartAddr == NULL)

{

AfxMessageBox("GetProcAddress Error");

return FALSE;

}

HANDLE hRemoteThread;

if( (hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0,

pfnStartAddr, pszLibFileRemote, 0, NULL) ) == NULL)

{

AfxMessageBox("CreateRemoteThread Error");

return FALSE;

}

return TRUE;

}