// Element count of a true C array (used below to size the WriteProcessMemory() copy).
// Only meaningful on an array; applied to a pointer it silently yields sizeof(ptr)/sizeof(*ptr).
#define ArrLen(arr) (sizeof(arr)/sizeof(arr[0]))

// Remote-thread DLL loading: allocate memory in a target process, write a DLL file name there,
// and start a thread in the target at LoadLibraryA() with that buffer as its argument.
// This exact call sequence (OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread)
// is the signature that endpoint detection commonly alerts on.
// argc/argv are unused; the target PID (1234) and the DLL name are hard-coded.
// No return value below is checked and no handle is closed: a failure in any step is carried
// silently into the next call, and the exit status is 0 regardless.
int main(int argc, char *argv[])
{
    // Open the target process with the rights the calls below need (non-inheritable handle, PID 1234).
    HANDLE processHandle = OpenProcess(PROCESS_QUERY_INFORMATION        // Listed by the CreateRemoteThread() documentation.
                                       | PROCESS_CREATE_THREAD            // Required by 'CreateRemoteThread()'.
                                       | PROCESS_VM_OPERATION            // Required by 'VirtualAllocEx()'.
                                       | PROCESS_VM_WRITE,                // Required by 'WriteProcessMemory()'.
                                       FALSE, 1234);

    // Reserve and commit 64 bytes of read/write memory in the target process.
    // Returns nullptr on failure (e.g. an invalid processHandle); not checked here.
    char *remoteMem = static_cast<char *>(VirtualAllocEx(processHandle, nullptr, 64, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE));

    // Resolve 'LoadLibraryA()' in this process and reuse the address in the target. This presumes
    // kernel32.dll is mapped at the same base in both processes (same-bitness assumption — confirm
    // for the target). The narrow "kernel32" literal assumes a non-UNICODE build of GetModuleHandle.
    // (There is no exported function named 'LoadLibrary'; only the A/W variants exist.)
    PTHREAD_START_ROUTINE funcLoadLibrary = reinterpret_cast<PTHREAD_START_ROUTINE>(GetProcAddress(GetModuleHandle("kernel32"), "LoadLibraryA"));

    // Write the DLL name as the 'LoadLibraryA()' argument. All 64 bytes of buf are copied
    // (ArrLen(buf) == 64), so the remote string is NUL-terminated and fills the allocation exactly.
    // "youDll.dll" is a bare file name, so the target resolves it with its own library search order.
    // The bytes-written out-parameter is nullptr; a short or failed write goes unnoticed.
    const char buf[64] = "youDll.dll";
    WriteProcessMemory(processHandle, remoteMem, buf, ArrLen(buf), nullptr);

    // Start a thread in the target whose entry point is 'LoadLibraryA()' and whose sole argument
    // is the remote buffer; the DLL's 'DLL_PROCESS_ATTACH' branch runs on that thread.
    // Returns NULL on failure; not checked before being waited on.
    HANDLE hThread = CreateRemoteThread(processHandle, nullptr, 0, funcLoadLibrary, remoteMem, 0, nullptr);
    // Block until the remote thread exits. INFINITE means no timeout, so a hung
    // 'LoadLibraryA()' in the target hangs this program as well.
    WaitForSingleObject(hThread, INFINITE);

    // hThread and processHandle are never closed and remoteMem is never released;
    // they are reclaimed only because the process exits here.
    return 0;
}
