#include <stdio.h>02 |
#include <tchar.h> |
03 |
#include <windows.h> |
04 |
#include <atlbase.h> |
05 |
06 |
BOOL EnableDebugPriv(LPCTSTR name)
|
07 |
{ |
08 |
HANDLE h;
|
09 |
TOKEN_PRIVILEGES tp;
|
10 |
LUID id;
|
11 |
12 |
// 打开进程令牌环
|
13 |
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &h))
|
14 |
return FALSE;
|
15 |
16 |
// 获得进程本地唯一ID
|
17 |
if (!LookupPrivilegeValue(NULL, name, &id))
|
18 |
return FALSE;
|
19 |
20 |
tp.PrivilegeCount = 1;
|
21 |
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
|
22 |
tp.Privileges[0].Luid = id;
|
23 |
24 |
// 调整权限
|
25 |
if (!AdjustTokenPrivileges(h, 0, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
|
26 |
return FALSE;
|
27 |
28 |
return TRUE;
|
29 |
} |
30 |
31 |
BOOL InjectDll(LPCTSTR dll_full_path, DWORD remote_process_id)
|
32 |
{ |
33 |
HANDLE h;
|
34 |
35 |
if (!EnableDebugPriv(SE_DEBUG_NAME))
|
36 |
return FALSE;
|
37 |
38 |
// 打开远程线程.
|
39 |
h = OpenProcess(PROCESS_ALL_ACCESS, FALSE, remote_process_id);
|
40 |
if (!h)
|
41 |
return FALSE;
|
42 |
43 |
DWORD size = _tcsclen(dll_full_path) + 1;
|
44 |
45 |
// 使用VirtualAllocEx函数在远程进程的内存地址空间分配DLL文件名空间
|
46 |
LPVOID r = VirtualAllocEx(h, NULL, size, MEM_COMMIT, PAGE_READWRITE);
|
47 |
if (!r)
|
48 |
return FALSE;
|
49 |
50 |
// 使用WriteProcessMemory函数将DLL的路径名写入到远程进程的内存空间
|
51 |
if (!WriteProcessMemory(h, r, (void *)dll_full_path, size, NULL))
|
52 |
return FALSE;
|
53 |
54 |
// 计算LoadLibraryA的入口地址
|
55 |
PTHREAD_START_ROUTINE start =
|
56 |
(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
|
57 |
if (!start)
|
58 |
return FALSE;
|
59 |
60 |
// (关于GetModuleHandle函数和GetProcAddress函数)
|
61 |
// 启动远程线程LoadLibraryA,通过远程线程调用创建新的线程.
|
62 |
DWORD tid;
|
63 |
HANDLE t = CreateRemoteThread(h, NULL, 0, start, r, 0, &tid);
|
64 |
if(!t)
|
65 |
return FALSE;
|
66 |
67 |
WaitForSingleObject(t, INFINITE);
|
68 |
69 |
// 释放资源和句柄
|
70 |
VirtualFreeEx(h, r, size, MEM_DECOMMIT);
|
71 |
CloseHandle(t);
|
72 |
CloseHandle(h);
|
73 |
74 |
return TRUE;
|
75 |
} |
76 |
77 |
int main(int argc, char **argv)
|
78 |
{ |
79 |
if (argc < 3)
|
80 |
{
|
81 |
printf("usage: InjectDll.exe <dll_path> <process_id>\n");
|
82 |
return -1;
|
83 |
}
|
84 |
85 |
TCHAR dll[MAX_PATH];
|
86 |
int id = atoi(argv[2]);
|
87 |
88 |
USES_CONVERSION;
|
89 |
_tcscpy(dll, A2T(argv[1]));
|
90 |
91 |
if (!InjectDll(dll, id))
|
92 |
{
|
93 |
printf("inject dll failed!\n");
|
94 |
return -1;
|
95 |
}
|
96 |
97 |
return 0;
|
98 |
} |