VC获取线程入口函数检测是否为远程注入器

之前用到过的，比较鸡肋的检测方法：

/* Cached kernel32 export addresses, filled lazily by CheckLoadLiB().
 * 0 means "not resolved yet"; a failed GetProcAddress leaves the slot at 0
 * so the lookup is simply retried on the next call. */
DWORD_PTR				g_dwLoadLibraryA = 0;
DWORD_PTR				g_dwLoadLibraryW = 0;
DWORD_PTR				g_dwLoadLibraryExA = 0;
DWORD_PTR				g_dwLoadLibraryExW = 0;

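#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#endif

/* THREADINFOCLASS value for the Win32 start address; not exposed by the SDK
 * headers this file relies on, so it is defined here (guarded against a
 * possible definition elsewhere). */
#ifndef ThreadQuerySetWin32StartAddress
#define ThreadQuerySetWin32StartAddress		9
#endif

/*
 * Return the Win32 start address of hThread via NtQueryInformationThread.
 *
 * hThread: any thread handle; the GetCurrentThread() pseudo-handle is fine,
 *          since it is duplicated into a real THREAD_QUERY_INFORMATION handle.
 *
 * Returns the start address, or 0 when zNtQueryInformationThread is not
 * resolved, the handle cannot be duplicated, or the query fails.  0 therefore
 * means "unknown"; callers must not treat it as a comparable address.
 *
 * On DuplicateHandle failure the last-error value set by DuplicateHandle is
 * left untouched (the original overwrote it with ERROR_ACCESS_DENIED, which
 * hid the real cause).  zNtQueryInformationThread is resolved elsewhere.
 */
DWORD_PTR WINAPI GetThreadStartAddress(HANDLE hThread)
{
	/* Initialised: the query may leave the output untouched on failure. */
	DWORD_PTR	dwStartAddress = 0;
	HANDLE		hDupHandle = NULL;

	if (zNtQueryInformationThread == NULL)
		return 0;

	HANDLE hCurrentProcess = GetCurrentProcess();
	if (!DuplicateHandle(hCurrentProcess, hThread, hCurrentProcess, &hDupHandle,
	                     THREAD_QUERY_INFORMATION, FALSE, 0)) {
		return 0;
	}

	NTSTATUS ntStatus = zNtQueryInformationThread(hDupHandle, ThreadQuerySetWin32StartAddress,
	                                              &dwStartAddress, sizeof dwStartAddress, NULL);
	CloseHandle(hDupHandle);

	return (ntStatus == STATUS_SUCCESS) ? dwStartAddress : 0;
}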

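/* Resolve one export into *pSlot, once; a slot that is already set is left alone. */
static void ResolveExportOnce(HMODULE hModule, LPCSTR lpProcName, DWORD_PTR *pSlot)
{
	if (*pSlot == 0 && hModule != NULL)
		*pSlot = (DWORD_PTR)GetProcAddress(hModule, lpProcName);
}

/*
 * Heuristic check: does the *current* thread's start address equal one of
 * kernel32's LoadLibrary{A,W,ExA,ExW} exports?  That is the signature of the
 * classic CreateRemoteThread(LoadLibrary) injection thread.
 *
 * Returns TRUE only on an exact match.  Returns FALSE when the start address
 * cannot be determined (fail open, so ordinary threads are never flagged) or
 * when none of the exports could be resolved.  A FALSE result is not proof
 * that no injection happened: a thread that starts anywhere else is not seen
 * by this check.
 *
 * Side effect: fills the g_dwLoadLibrary* globals on first use.
 */
BOOL WINAPI CheckLoadLiB(void)
{
	/* Resolve lazily; GetModuleHandle is fetched once instead of per export. */
	if (!g_dwLoadLibraryA || !g_dwLoadLibraryW || !g_dwLoadLibraryExA || !g_dwLoadLibraryExW) {
		HMODULE hKernel32 = GetModuleHandle(HAPPY_DLL_KERNEL32);
		ResolveExportOnce(hKernel32, API_LOADLIBRARYA,  &g_dwLoadLibraryA);
		ResolveExportOnce(hKernel32, API_LOADLIBRARYW,  &g_dwLoadLibraryW);
		ResolveExportOnce(hKernel32, API_LOADLIBRARYEXA, &g_dwLoadLibraryExA);
		ResolveExportOnce(hKernel32, API_LOADLIBRARYEXW, &g_dwLoadLibraryExW);
	}

	/* Nothing resolved: there is nothing to compare against. */
	if (!g_dwLoadLibraryA && !g_dwLoadLibraryW && !g_dwLoadLibraryExA && !g_dwLoadLibraryExW)
		return FALSE;

	/* 0 means "could not determine"; never let it match an unresolved slot. */
	DWORD_PTR dwStart = GetThreadStartAddress(GetCurrentThread());
	if (dwStart == 0)
		return FALSE;

	/* dwStart is non-zero here, so a zero (unresolved) slot can never match. */
	return (dwStart == g_dwLoadLibraryA  || dwStart == g_dwLoadLibraryW ||
	        dwStart == g_dwLoadLibraryExA || dwStart == g_dwLoadLibraryExW) ? TRUE : FALSE;
}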

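/*
 * DLL entry point.
 *
 * DLL_PROCESS_ATTACH: if the loading thread looks like a LoadLibrary injection
 * thread (see CheckLoadLiB), the load is refused by returning FALSE.  This is
 * the supported way to reject a load: the loader fails the caller's LoadLibrary
 * and unmaps the DLL, and the loader lock is released normally.  The previous
 * TerminateThread() here ended the thread while it still owned the loader lock.
 *
 * DLL_THREAD_ATTACH: the loader ignores the return value, so the original
 * TerminateThread() is kept to stop the thread before its entry point runs.
 * NOTE(review): ending a thread from inside DllMain is documented as unsafe
 * (no DLL_THREAD_DETACH, loader lock still owned); it is kept only because
 * there is no return-value path for this case.
 */
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
					 )
{
	UNREFERENCED_PARAMETER(hModule);
	/* Remove this if lpReserved is used. */
	UNREFERENCED_PARAMETER(lpReserved);

	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		/* Refuse the load; no thread is terminated. */
		if (CheckLoadLiB())
			return FALSE;
		break;

	case DLL_THREAD_ATTACH:
		if (CheckLoadLiB())
		{
			TerminateThread(GetCurrentThread(), 0);
			/* Only reached if TerminateThread itself failed. */
			return FALSE;
		}
		break;

	default:
		break;
	}

	return TRUE;
}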

 
