远程注入进程

#include <Windows.h>
#include <tchar.h>
#include <TlHelp32.h>

BOOL LoadRemoteDll(DWORD dwProcessId,LPTSTR lpszLibName);
DWORD EnablePrivilege (PCSTR name);
BOOL GetProcessIdByName(LPSTR szProcessName, LPDWORD lpPID);

DWORD EnablePrivilege (PCSTR name)
{
    HANDLE hToken;
    BOOL rv;
    TOKEN_PRIVILEGES priv = { 1, {0, 0, SE_PRIVILEGE_ENABLED} };
    LookupPrivilegeValue (
        0,
        name,
        &priv.Privileges[0].Luid
        );
    OpenProcessToken(
        GetCurrentProcess (),
        TOKEN_ADJUST_PRIVILEGES,
        &hToken
        );
    AdjustTokenPrivileges (
        hToken,
        FALSE,
        &priv,
        sizeof priv,
        0,
        0
        );
    rv = GetLastError();
    CloseHandle (hToken);
    return rv;
}

BOOL GetProcessIdByName(LPSTR szProcessName, LPDWORD lpPID)
{
    STARTUPINFO st;
    PROCESS_INFORMATION pi;
    PROCESSENTRY32 ps;
    HANDLE hSnapshot;
    ZeroMemory(&st, sizeof(STARTUPINFO));
    ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));
    st.cb = sizeof(STARTUPINFO);
    ZeroMemory(&ps,sizeof(PROCESSENTRY32));
    ps.dwSize = sizeof(PROCESSENTRY32);

    hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0);
    if(hSnapshot == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }

    if(!Process32First(hSnapshot,&ps))
    {
        return FALSE;
    }
    do
    {

        if(lstrcmpi(ps.szExeFile,"explorer.exe")==0)
        {

            *lpPID = ps.th32ProcessID;
            CloseHandle(hSnapshot);
            return TRUE;
        }
    }
    while(Process32Next(hSnapshot,&ps));

    CloseHandle(hSnapshot);
    return FALSE;
}

BOOL LoadRemoteDll(DWORD dwProcessId,LPTSTR lpszLibName){
    BOOL bResult = FALSE;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    PSTR pszLibFileRemote = NULL;
    DWORD cch;
    PTHREAD_START_ROUTINE pfnThreadRtn;

    __try{
        hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcessId);
        if(hProcess == NULL){
            __leave;
        }
        cch = 1 + lstrlen(lpszLibName);
        pszLibFileRemote = (PSTR)VirtualAllocEx(hProcess,NULL,cch,MEM_COMMIT,PAGE_READWRITE);
        if(pszLibFileRemote == NULL){
            __leave;
        }
        if(!WriteProcessMemory(hProcess,(LPVOID)pszLibFileRemote,(LPVOID)lpszLibName,cch,NULL)){
            __leave;
        }
        pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")),TEXT("LoadLibraryA"));
        if(pfnThreadRtn == NULL){
            __leave;
        }
        hThread = CreateRemoteThread(hProcess,NULL,0,pfnThreadRtn,(PVOID)pszLibFileRemote,0,NULL);
        if(hThread == NULL){
            __leave;
        }
        WaitForSingleObject(hThread,INFINITE);
        bResult = TRUE;
    }__finally{
        if(pszLibFileRemote != NULL){
            VirtualFreeEx(hProcess,(PVOID)pszLibFileRemote,0,MEM_RELEASE);
        }
        if(hThread != NULL){
            CloseHandle(hThread);
        }
        if(hProcess != NULL){
            CloseHandle(hProcess);
        }
    }
    return bResult;
}

int WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPTSTR lpCmdLine,int nCmdShow){
    DWORD dwPID;
    if(0!=EnablePrivilege(SE_DEBUG_NAME));
    return 0;
    if(!GetProcessIdByName("explorer.exe",&dwPID))
        return 0;
    if(!LoadRemoteDll(dwPID,"msg.dll"))
        return 0;
}