一个完整的DLL远程注入函数

函数名称: CreateRemoteDll()

返加类型:BOOL

接受参数:DLL路径,注入进程ID

其完整代码如下:

BOOLCreateRemoteDll( const char * DllFullPath, const DWORDdwRemoteProcessId)
... {


HANDLEhToken;
if(OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken))
...{
TOKEN_PRIVILEGEStkp;

LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tkp.Privileges[0].Luid);//修改进程权限
tkp.PrivilegeCount=1;
tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken,FALSE,&tkp,sizeoftkp,NULL,NULL);//通知系统修改进程权限

}


HANDLEhRemoteProcess;

//打开远程线程
if((hRemoteProcess=OpenProcess(PROCESS_CREATE_THREAD|//允许远程创建线程
PROCESS_VM_OPERATION|//允许远程VM操作
PROCESS_VM_WRITE,//允许远程VM写
FALSE,dwRemoteProcessId))==NULL)
...{
AfxMessageBox("OpenProcessError!");
returnFALSE;
}

char*pszLibFileRemote;
//在远程进程的内存地址空间分配DLL文件名缓冲区
pszLibFileRemote=(char*)VirtualAllocEx(hRemoteProcess,NULL,lstrlen(DllFullPath)+1,
MEM_COMMIT,PAGE_READWRITE);
if(pszLibFileRemote==NULL)
...{
AfxMessageBox("VirtualAllocExerror! ");
returnFALSE;
}

//将DLL的路径名复制到远程进程的内存空间
if(WriteProcessMemory(hRemoteProcess,
pszLibFileRemote,(void*)DllFullPath,lstrlen(DllFullPath)+1,NULL)==0)
...{
AfxMessageBox("WriteProcessMemoryError");
returnFALSE;
}

//计算LoadLibraryA的入口地址
PTHREAD_START_ROUTINEpfnStartAddr=(PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT("Kernel32")),"LoadLibraryA");

if(pfnStartAddr==NULL)
...{
AfxMessageBox("GetProcAddressError");
returnFALSE;
}

HANDLEhRemoteThread;
if((hRemoteThread=CreateRemoteThread(hRemoteProcess,NULL,0,
pfnStartAddr,pszLibFileRemote,0,NULL))==NULL)
...{
AfxMessageBox("CreateRemoteThreadError");
returnFALSE;
}

returnTRUE;
}