创建远程线程（通过 CreateRemoteThread + LoadLibraryA 注入 DLL 的示例 / DLL injection by creating a remote thread that runs LoadLibraryA）

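// Enable or disable one named privilege (e.g. SE_DEBUG_NAME) on the current
// process token.
//
// PrivilegeName: privilege name understood by LookupPrivilegeValue.
// IsEnable:      TRUE to enable the privilege, FALSE to disable it.
// Returns TRUE only when the privilege was actually adjusted. Note that
// AdjustTokenPrivileges returns TRUE but sets ERROR_NOT_ALL_ASSIGNED when the
// token does not hold the privilege at all (e.g. a non-elevated caller asking
// for SeDebugPrivilege); that case yields FALSE here, as in the original check.
//
// Fixes relative to the original: the token handle is closed on every path
// (it leaked when LookupPrivilegeValue failed), a lookup failure is reported
// as FALSE instead of TRUE, and GetLastError() is read before CloseHandle,
// which can otherwise overwrite it.
BOOL EnablePrivilege(char *PrivilegeName,BOOL IsEnable)
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tp;
    LUID luid;
    BOOL bAdjusted = FALSE;

    // TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY is all AdjustTokenPrivileges needs;
    // TOKEN_READ (which already contains TOKEN_QUERY) added nothing.
    if(!OpenProcessToken(GetCurrentProcess(),
                         TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                         &hToken))
    {
        return FALSE;
    }

    if(LookupPrivilegeValue(NULL, PrivilegeName, &luid))
    {
        tp.PrivilegeCount           = 1;
        tp.Privileges[0].Luid       = luid;
        tp.Privileges[0].Attributes = IsEnable ? SE_PRIVILEGE_ENABLED : 0;

        // Capture the error code immediately: a TRUE return with
        // ERROR_NOT_ALL_ASSIGNED means the privilege is not held.
        if(AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL))
        {
            bAdjusted = (GetLastError() == ERROR_SUCCESS);
        }
    }

    CloseHandle(hToken);
    return bAdjusted;
}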


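// Look up a process id by executable name using a Toolhelp snapshot.
//
// lpStrName: image file name as Toolhelp reports it (no directory), compared
//            case-insensitively with lstrcmpi.
// Returns the id of the FIRST matching process in snapshot order -- several
// processes may share a name, and which one comes first is not specified --
// or (DWORD)-1 when nothing matches or the snapshot could not be taken.
//
// Fixes relative to the original: the snapshot handle is closed (it leaked on
// every call) and a failed CreateToolhelp32Snapshot is no longer iterated.
DWORD GetProcessIdByName(LPCTSTR lpStrName)
{
    const DWORD dwNotFound = (DWORD)-1;
    DWORD dwPid = dwNotFound;
    PROCESSENTRY32 pe = { sizeof(pe) };

    HANDLE hSnapShot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if(hSnapShot == INVALID_HANDLE_VALUE)
    {
        return dwNotFound;
    }

    for(BOOL fok = ::Process32First(hSnapShot, &pe); fok; fok = ::Process32Next(hSnapShot, &pe))
    {
        if(lstrcmpi(pe.szExeFile, lpStrName) == 0)
        {
            dwPid = pe.th32ProcessID;
            break;
        }
    }

    ::CloseHandle(hSnapShot);
    return dwPid;
}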




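// Size of the path buffer staged into the target process. One constant so the
// local copy, the remote allocation and the WriteProcessMemory length agree.
static const SIZE_T kDllPathBufferSize = 1024;

// How long to wait for the remote LoadLibraryA call before giving up. On
// timeout the remote buffer is deliberately left mapped rather than freed
// while the target thread may still be reading it.
static const DWORD kRemoteLoadTimeoutMs = 10000;

// Performs the alloc / write / CreateRemoteThread sequence against an already
// opened process handle and waits for the remote LoadLibraryA to return.
//
// hRemoteProcess: handle with PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION,
//                 PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_VM_READ.
// szDllPath:      full NUL-terminated ANSI path; rejected if NULL or if it
//                 does not fit in kDllPathBufferSize (terminator included).
// Returns TRUE when the remote thread ran LoadLibraryA and it reported a
// non-NULL module; FALSE otherwise, with the reason sent to OutputDebugString.
static BOOL InjectDllIntoOpenProcess(HANDLE hRemoteProcess, LPCSTR szDllPath)
{
    CHAR   szDllPathCopy[kDllPathBufferSize] = "";
    PVOID  pRemoteParam  = NULL;   // buffer in the target holding the path
    HANDLE hRemoteThread = NULL;
    DWORD  dwThreadId    = 0;
    DWORD  dwExitCode    = 0;
    SIZE_T cbWritten     = 0;
    BOOL   bOk           = FALSE;

    // The original did an unbounded lstrcpy into the 1024-byte stack buffer;
    // an over-long path overflowed it. lstrlenA does not count the terminator.
    if(szDllPath == NULL || (SIZE_T)lstrlenA(szDllPath) >= kDllPathBufferSize)
    {
        OutputDebugString("dll path is missing or too long");
        return FALSE;
    }
    lstrcpynA(szDllPathCopy, szDllPath, (int)kDllPathBufferSize);

    pRemoteParam = VirtualAllocEx(hRemoteProcess, NULL, kDllPathBufferSize,
                                  MEM_COMMIT, PAGE_READWRITE);
    if(pRemoteParam == NULL)
    {
        OutputDebugString("faild to alloc memory");
        return FALSE;
    }

    if(!WriteProcessMemory(hRemoteProcess, pRemoteParam, szDllPathCopy,
                           kDllPathBufferSize, &cbWritten)
       || cbWritten != kDllPathBufferSize)
    {
        OutputDebugString("faild to write memory");
        VirtualFreeEx(hRemoteProcess, pRemoteParam, 0, MEM_RELEASE);
        return FALSE;
    }

    // kernel32 is always already loaded, so GetModuleHandle suffices; the
    // original called LoadLibrary and never released the reference. It must be
    // "LoadLibraryA" by name: the LoadLibrary macro may resolve to the W
    // variant, and LoadLibraryA's single-pointer signature is what lets it
    // stand in for a thread start routine. This relies on kernel32 being
    // mapped at the same base in the target (same bitness, same session) --
    // not verified here.
    HMODULE hKernel32 = GetModuleHandleA("kernel32.dll");
    FARPROC pfnLoadLibraryA = hKernel32 ? GetProcAddress(hKernel32, "LoadLibraryA") : NULL;
    if(pfnLoadLibraryA == NULL)
    {
        OutputDebugString("faild to get loadlibraryA address!");
        VirtualFreeEx(hRemoteProcess, pRemoteParam, 0, MEM_RELEASE);
        return FALSE;
    }

    hRemoteThread = CreateRemoteThread(hRemoteProcess, NULL, 0,
                                       reinterpret_cast<LPTHREAD_START_ROUTINE>(pfnLoadLibraryA),
                                       pRemoteParam, 0, &dwThreadId);
    if(hRemoteThread == NULL)
    {
        OutputDebugString("faild to create remote thread");
        VirtualFreeEx(hRemoteProcess, pRemoteParam, 0, MEM_RELEASE);
        return FALSE;
    }

    // Free the remote buffer only once LoadLibraryA has returned; until then
    // the target is still reading the path from it. The thread exit code is
    // the low 32 bits of the returned HMODULE, so 0 means the load failed.
    if(WaitForSingleObject(hRemoteThread, kRemoteLoadTimeoutMs) == WAIT_OBJECT_0)
    {
        if(GetExitCodeThread(hRemoteThread, &dwExitCode) && dwExitCode != 0)
        {
            bOk = TRUE;
        }
        else
        {
            OutputDebugString("remote LoadLibraryA returned NULL");
        }
        VirtualFreeEx(hRemoteProcess, pRemoteParam, 0, MEM_RELEASE);
    }
    else
    {
        OutputDebugString("remote LoadLibraryA did not finish in time; leaving buffer mapped");
    }

    CloseHandle(hRemoteThread);
    return bOk;
}

// Inject a DLL into another process by running kernel32!LoadLibraryA on a
// remote thread with the DLL path as its argument.
//
// dwProcessId: target process id (see GetProcessIdByName).
// szDllPath:   full ANSI path of the DLL; must fit in kDllPathBufferSize.
//
// SeDebugPrivilege is enabled for the duration of the call and disabled again
// on every return path (the original only dropped it on the success path).
// The target process handle, which the original never closed, is released
// here. Failures are reported via OutputDebugString only; the return type
// stays void for compatibility with existing callers.
void InjectDllToRemoteProcess(DWORD dwProcessId,LPCSTR szDllPath)
{
    // Least privilege instead of PROCESS_ALL_ACCESS: exactly the rights that
    // VirtualAllocEx, WriteProcessMemory and CreateRemoteThread require.
    // (PROCESS_ALL_ACCESS also varies with _WIN32_WINNT, which can make
    // OpenProcess fail outright against some targets.)
    const DWORD dwAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;

    EnablePrivilege(SE_DEBUG_NAME, TRUE);   // lets OpenProcess reach protected targets

    HANDLE hRemoteProcess = OpenProcess(dwAccess, FALSE, dwProcessId);
    if(hRemoteProcess == NULL)
    {
        OutputDebugString("open process error!");
    }
    else
    {
        InjectDllIntoOpenProcess(hRemoteProcess, szDllPath);
        CloseHandle(hRemoteProcess);
    }

    // As in the original, the privilege is disabled unconditionally here even
    // if it had been enabled before this call; callers relying on it staying
    // enabled must re-enable it themselves.
    EnablePrivilege(SE_DEBUG_NAME, FALSE);
}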
