封装远程注入类CreateRemoteThreadEx

类初始化时传入要注入的DLL文件名

只使用两个函数
// 注入DLL到指定的地址空间
BOOL InjectModuleInto(DWORD dwProcessId);
// 从指定的地址空间卸载DLL
BOOL EjectModuleFrom(DWORD dwProcessId);

.h

1. #pragma once
2. #include <windows.h> //在头文件中包含
3.
4. class CRemThreadInject
5. {
6. public:
7.     CRemThreadInject(LPSTR lpDllName);
8.     ~CRemThreadInject(void);
9.
10. protected:
11.     char m_szDllName[MAX_PATH];
12.     static BOOL EnableDebugPrivilege(BOOL bEnable);
13. public:
14.     // 注入DLL到指定的地址空间
15.     BOOL InjectModuleInto(DWORD dwProcessId);
16.     // 从指定的地址空间卸载DLL
17.     BOOL EjectModuleFrom(DWORD dwProcessId);
18. };

.cpp
1. #include "RemThreadInject.h"
2. #include <tlhelp32.h>
3.
4.  www.zzzyk.com
5.
6. CRemThreadInject::CRemThreadInject(LPSTR lpDllName)
7. {
8.     memcpy(m_szDllName, lpDllName, MAX_PATH);
9.     EnableDebugPrivilege(TRUE);
10. }
11.
12.
13. CRemThreadInject::~CRemThreadInject(void)
14. {
15.     EnableDebugPrivilege(FALSE);
16. }
17.
18. BOOL CRemThreadInject::EnableDebugPrivilege(BOOL bEnable)
19. {
20.     HANDLE hToken = INVALID_HANDLE_VALUE;
21.     //OpenProcessToken
22.     if (0 == ::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
23.     {
24.         return FALSE;
25.     }
26.     LUID luid;
27.
28.     //
29.     ::LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
30.     TOKEN_PRIVILEGES tp;
31.     tp.PrivilegeCount = 1;
32.     tp.Privileges[0].Luid = luid;
33.     if (bEnable)
34.         tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
35.     else
36.         tp.Privileges[0].Attributes = 0;
37.     if ( !AdjustTokenPrivileges(
38.         hToken,
39.         FALSE,
40.         &tp,
41.         sizeof(TOKEN_PRIVILEGES),
42.         (PTOKEN_PRIVILEGES) NULL,
43.         (PDWORD) NULL) )
44.     {
45.         return FALSE;
46.     }
47.     if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
48.     {
49.         return FALSE;
50.     }
51.     ::CloseHandle(hToken);
52.     return TRUE;
53. }
54.
55. // 注入DLL到指定的地址空间
56. BOOL CRemThreadInject::InjectModuleInto(DWORD dwProcessId)
57. {
58.     //
59.     if (::GetCurrentProcessId() == dwProcessId)
60.     {
61.         return FALSE;
62.     }
63.     BOOL bFound;
64.     /************************************************************************/
65.     /* 遍历模块                                                              */
66.     /************************************************************************/
67.     HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
68.     MODULEENTRY32 me32;
69.
70.     // Take a snapshot of all modules in the specified process.
71.     hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwProcessId );
72.     if( hModuleSnap == INVALID_HANDLE_VALUE )
73.     {
74.         return( FALSE );
75.     }
76.     me32.dwSize = sizeof( MODULEENTRY32 );
77.     if( !Module32First( hModuleSnap, &me32 ) )
78.     {
79.         CloseHandle( hModuleSnap );     // Must clean up the snapshot object!
80.         return( FALSE );
81.     }
82.     do
83.     {
84.         if (stricmp(me32.szModule, m_szDllName) == 0)
85.         {
86.             bFound = TRUE;
87.             break;
88.         }
89.     } while( Module32Next( hModuleSnap, &me32 ) );
90.
91.     // Do not forget to clean up the snapshot object.
92.     CloseHandle( hModuleSnap );
93.
94.     if (bFound) //如果已经加载了模块，就不再加载
95.     {
96.         return FALSE;
97.     }
98.
99.     //如果没加载，打开进程，远程注入
100.
101.     HANDLE hProcess = ::OpenProcess(PROCESS_CREATE_THREAD |PROC

补充：软件开发 , C++ ,