远程DLL


//远程注入
/// Loads the DLL named by lpcDllName into process dwProcessID: the name is copied
/// into the target's address space and a remote thread is started at LoadLibraryA
/// with that buffer as its single argument.
/// @param dwProcessID  id of the target process; 0 is rejected up front.
/// @param lpcDllName   ANSI DLL name/path handed to LoadLibraryA inside the target.
/// @return TRUE once the remote thread has been created and waited on; FALSE when
///         OpenProcess, VirtualAllocEx or WriteProcessMemory fails.
/// NOTE(review): the CreateRemoteThread result is never checked, so on failure
/// WaitForSingleObject/CloseHandle run on a NULL handle and TRUE is still returned.
/// NOTE(review): OpenProcess with PROCESS_VM_WRITE|PROCESS_CREATE_THREAD followed by
/// VirtualAllocEx/WriteProcessMemory/CreateRemoteThread into another process is the
/// canonical cross-process injection sequence that process-protection and EDR tooling
/// watches for; any caller of this routine needs to be treated as a privileged component.
BOOL CHookTestDlg::InsertDll(DWORD dwProcessID, LPCSTR lpcDllName)
{
/// DWORD  dwProcessID = FindTargetThreadId("explorer.exe"); // (disabled) look up the target process id
 if(0 == dwProcessID)
  return FALSE;

  // Open the target process with just the rights the calls below need
    HANDLE hProcess = OpenProcess( PROCESS_CREATE_THREAD |
           PROCESS_VM_OPERATION |
           PROCESS_VM_WRITE,
           FALSE,
           dwProcessID );

    // Nothing to write into if the target could not be opened
 if(NULL == hProcess)
  return FALSE;
    // Copy the DLL name (including its terminator) into the target's address space
    DWORD dwSize, dwWritten;
 char const *lpszDll = lpcDllName; // was: g_chDllFileName
    dwSize = lstrlenA( lpszDll ) + 1;
    LPVOID lpBuf = VirtualAllocEx( hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE );
    if ( NULL == lpBuf ){
        CloseHandle( hProcess );
        return FALSE;
    }
    if ( WriteProcessMemory( hProcess, lpBuf, (LPVOID)lpszDll, dwSize, &dwWritten ) ){
        // A short write counts as failure even though the call itself succeeded
        if ( dwWritten != dwSize ){
            VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT );
            CloseHandle( hProcess );
            return FALSE;
        }
    }else{
        CloseHandle( hProcess );
        return FALSE;
    }

    // Have the target call LoadLibraryA(lpBuf): the remote thread's start routine is
    // LoadLibraryA and its thread parameter is the buffer holding the DLL name
    DWORD dwID;
    // NOTE(review): this is *our* process's LoadLibraryA address; it is only meaningful
    // in the target if kernel32 is mapped at the same base there (same bitness) — confirm
    LPVOID pFunc = LoadLibraryA;
    HANDLE hThread = CreateRemoteThread( hProcess, NULL, 0,
          (LPTHREAD_START_ROUTINE)pFunc,
          lpBuf, 0, &dwID );

    // Block until LoadLibrary has finished in the target
    // NOTE(review): hThread may be NULL here (see header); INFINITE also means this
    // call never returns if the remote thread never finishes
    WaitForSingleObject( hThread, INFINITE );

    // Free the buffer allocated in the target; safe only because the thread above was waited on
    // NOTE(review): MEM_DECOMMIT leaves the reservation made by VirtualAllocEx in place;
    // MEM_RELEASE with dwSize 0 would return the region entirely
    VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT );

    CloseHandle( hThread );
    CloseHandle( hProcess );

    return TRUE;
}

 

//远程卸载

/// Unloads the DLL named lpszDll from process dwProcessID: the name is copied into
/// the target, a remote thread runs GetModuleHandleA there and its exit code is read
/// back as the module handle, then a second remote thread runs FreeLibrary on it.
/// @param dwProcessID  id of the target process.
/// @param lpszDll      ANSI module name handed to GetModuleHandleA inside the target.
/// @return TRUE once both remote threads have been waited on; FALSE when
///         VirtualAllocEx or WriteProcessMemory fails. Failures of OpenProcess,
///         CreateRemoteThread or GetExitCodeThread are not reported.
/// NOTE(review): unlike InsertDll, hProcess is not checked for NULL before it is
/// used, and neither CreateRemoteThread result is checked.
/// NOTE(review): the module handle comes back as a 32-bit thread exit code
/// (dwHandle is a DWORD); on a 64-bit target an HMODULE that does not fit in
/// 32 bits is truncated and FreeLibrary would then be called with a wrong handle.
BOOL CHookTestDlg::RemoteFreeLibrary(DWORD dwProcessID, LPCSTR lpszDll )
{
    // Open the target process
    // NOTE(review): the return value is not checked; a NULL hProcess flows into
    // VirtualAllocEx below, which then fails and returns FALSE
    HANDLE hProcess = OpenProcess( PROCESS_CREATE_THREAD |
           PROCESS_VM_OPERATION |
           PROCESS_VM_WRITE,
           FALSE,
           dwProcessID);

    // Copy the DLL name (including its terminator) into the target's address space
    DWORD dwSize, dwWritten;
    dwSize = lstrlenA( lpszDll ) + 1;
    LPVOID lpBuf = VirtualAllocEx( hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE );
    if ( NULL == lpBuf )
    {
        CloseHandle( hProcess );
        return FALSE;
    }
    if ( WriteProcessMemory( hProcess, lpBuf, (LPVOID)lpszDll, dwSize, &dwWritten ) )
    {
        // A short write counts as failure even though the call itself succeeded
        if ( dwWritten != dwSize )
        {
            VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT );
            CloseHandle( hProcess );
            return FALSE;
        }
    }
    else
    {
        CloseHandle( hProcess );
        return FALSE;
    }

    // Have the target call GetModuleHandleA(lpBuf) to obtain the DLL's handle in that process
    DWORD dwHandle, dwID;
    // NOTE(review): our own GetModuleHandleA address is used as the start routine; valid in
    // the target only if kernel32 is mapped at the same base there (same bitness) — confirm
    LPVOID pFunc = GetModuleHandleA;  // used as the remote thread's start routine
    HANDLE hThread = CreateRemoteThread( hProcess, NULL, 0,
           (LPTHREAD_START_ROUTINE)pFunc,
           lpBuf, 0, &dwID );

    // Block until GetModuleHandle has finished in the target
    // NOTE(review): hThread may be NULL here (see header)
    WaitForSingleObject( hThread, INFINITE );

    // The remote thread's exit code is GetModuleHandle's return value:
    /*
    HMODULE GetModuleHandle(
        LPCTSTR lpModuleName   // address of the module name to return a handle for
    );
    */
    // NOTE(review): the BOOL result is ignored; on failure dwHandle is left uninitialized
    GetExitCodeThread(hThread, &dwHandle);

    // Free the buffer allocated in the target (MEM_DECOMMIT keeps the reservation; see InsertDll)
    VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT );
    CloseHandle( hThread );

    // Have the target call FreeLibrary(dwHandle) to unload the DLL;
    // the 32-bit dwHandle is widened back to a pointer-sized thread parameter here
    pFunc = FreeLibrary;
    hThread = CreateRemoteThread( hProcess, NULL, 0,
          (LPTHREAD_START_ROUTINE)pFunc,
          (LPVOID)dwHandle, 0, &dwID );
    // Block until FreeLibrary has finished in the target
    WaitForSingleObject( hThread, INFINITE );

    CloseHandle( hThread );
    CloseHandle( hProcess );

    return TRUE;
}


 
