封装远程注入类CreateRemoteThreadEx
类初始化时传入要注入的DLL文件名
只使用两个函数
// 注入DLL到指定的地址空间
BOOL InjectModuleInto(DWORD dwProcessId);
// 从指定的地址空间卸载DLL
BOOL EjectModuleFrom(DWORD dwProcessId);
.h
#pragma once
#include <windows.h> // included here so the Win32 types used below resolve for every includer

// Loads or unloads the DLL named at construction in another process
// (the mechanism lives in the .cpp). The constructor enables SE_DEBUG on
// the current process token and the destructor disables it again.
class CRemThreadInject
{
public:
    // lpDllName: module name copied into m_szDllName (a MAX_PATH buffer).
    CRemThreadInject(LPSTR lpDllName);
    ~CRemThreadInject(void);

protected:
    // Module name compared (case-insensitively) against the target's loaded-module list.
    char m_szDllName[MAX_PATH];
    // Toggles SE_DEBUG_NAME on the current process token; returns FALSE on failure.
    static BOOL EnableDebugPrivilege(BOOL bEnable);
public:
    // Inject the DLL into the address space of the process with id dwProcessId.
    BOOL InjectModuleInto(DWORD dwProcessId);
    // Unload the DLL from the address space of the process with id dwProcessId.
    BOOL EjectModuleFrom(DWORD dwProcessId);
};
.cpp
#include "RemThreadInject.h"
#include <tlhelp32.h>
#include <cstring>
3.
5.
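CRemThreadInject::CRemThreadInject(LPSTR lpDllName)
{
    // Copy the module name with bounds. The original memcpy'd MAX_PATH bytes
    // from lpDllName regardless of its real length, over-reading the source
    // buffer and not guaranteeing NUL termination for an over-long name.
    // A NULL name yields an empty string instead of dereferencing NULL.
    if (lpDllName != NULL)
    {
        strncpy(m_szDllName, lpDllName, MAX_PATH - 1);
        m_szDllName[MAX_PATH - 1] = '\0';
    }
    else
    {
        m_szDllName[0] = '\0';
    }

    // Result ignored, as in the original: a failure here surfaces later as a
    // failed OpenProcess on protected targets.
    EnableDebugPrivilege(TRUE);
}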
11.
12.
CRemThreadInject::~CRemThreadInject()
{
    // Mirror the constructor: drop the debug privilege that was enabled there.
    // The BOOL result is deliberately discarded -- nothing useful can be done
    // with a failure inside a destructor.
    (void)CRemThreadInject::EnableDebugPrivilege(FALSE);
}
17.
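// Toggles SE_DEBUG_NAME on the current process token.
// bEnable: TRUE to enable the privilege, FALSE to clear it.
// Returns TRUE only when the new privilege state was actually applied.
// Every exit path closes the token handle; the original leaked it on the
// two failure returns after OpenProcessToken.
BOOL CRemThreadInject::EnableDebugPrivilege(BOOL bEnable)
{
    HANDLE hToken = NULL;
    if (0 == ::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        return FALSE;
    }

    BOOL bResult = FALSE;
    LUID luid;
    // The lookup can fail; the original ignored its return value and then
    // adjusted the token with an uninitialised LUID.
    if (::LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
    {
        TOKEN_PRIVILEGES tp = { 0 };
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;

        // AdjustTokenPrivileges reports success even when nothing was assigned
        // (e.g. the caller does not hold SE_DEBUG); ERROR_NOT_ALL_ASSIGNED
        // distinguishes that case.
        if (::AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL)
            && ::GetLastError() != ERROR_NOT_ALL_ASSIGNED)
        {
            bResult = TRUE;
        }
    }

    ::CloseHandle(hToken);
    return bResult;
}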
54.
55. // 注入DLL到指定的地址空间
56. BOOL CRemThreadInject::InjectModuleInto(DWORD dwProcessId)
57. {
58. //
59. if (::GetCurrentProcessId() == dwProcessId)
60. {
61. return FALSE;
62. }
63. BOOL bFound;
64. /************************************************************************/
65. /* 遍历模块 */
66. /************************************************************************/
67. HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
68. MODULEENTRY32 me32;
69.
70. // Take a snapshot of all modules in the specified process.
71. hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwProcessId );
72. if( hModuleSnap == INVALID_HANDLE_VALUE )
73. {
74. return( FALSE );
75. }
76. me32.dwSize = sizeof( MODULEENTRY32 );
77. if( !Module32First( hModuleSnap, &me32 ) )
78. {
79. CloseHandle( hModuleSnap ); // Must clean up the snapshot object!
80. return( FALSE );
81. }
82. do
83. {
84. if (stricmp(me32.szModule, m_szDllName) == 0)
85. {
86. bFound = TRUE;
87. break;
88. }
89. } while( Module32Next( hModuleSnap, &me32 ) );
90.
91. // Do not forget to clean up the snapshot object.
92. CloseHandle( hModuleSnap );
93.
94. if (bFound) //如果已经加载了模块,就不再加载
95. {
96. return FALSE;
97. }
98.
99. //如果没加载,打开进程,远程注入
100.
101. HANDLE hProcess = ::OpenProcess(PROCESS_CREATE_THREAD |PROC