• HOOK


    // Look up a process ID by image name

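    // Return the PID of the first running process whose image name equals
    // szProcess, e.g. _T("notepad.exe"). The ".exe" suffix is required because
    // PROCESSENTRY32::szExeFile carries it.
    //
    // Returns 0 when no such process exists, when szProcess is NULL/empty, or
    // when the process snapshot could not be taken (GetLastError() then holds
    // the cause).
    //
    // Caveats:
    //  - Only the first match in snapshot order is returned; if several
    //    instances are running the choice is effectively arbitrary.
    //  - A name is not an identity. Any process can call itself "notepad.exe";
    //    if it matters which process is targeted, verify the image path
    //    (QueryFullProcessImageName) or the signer before acting on the PID.
    DWORD GetProcessIdByName(LPCTSTR szProcess)
    {
        DWORD dwRet = 0;
        PROCESSENTRY32 pe32;

        if (!szProcess || !*szProcess) {
            SetLastError(ERROR_INVALID_PARAMETER);
            return 0;
        }

        HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        // Failure is reported as INVALID_HANDLE_VALUE, not NULL; the original
        // code never checked it and went on to iterate (and CloseHandle) a bad handle.
        if (hSnapshot == INVALID_HANDLE_VALUE) {
            return 0;
        }

        ZeroMemory(&pe32, sizeof(pe32));
        pe32.dwSize = sizeof(pe32);

        // If Process32First fails, pe32 is never filled in; the original
        // compared whatever happened to be on the stack.
        if (Process32First(hSnapshot, &pe32)) {
            do {
                // Image names are case-insensitive on Windows, so "Notepad.EXE"
                // and "notepad.exe" must resolve to the same process. This is a
                // superset of the old exact-match behaviour.
                if (_tcsicmp(pe32.szExeFile, szProcess) == 0) {
                    dwRet = pe32.th32ProcessID;
                    break;
                }
            } while (Process32Next(hSnapshot, &pe32));
        }

        CloseHandle(hSnapshot);
        return dwRet;
    }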

    // Inject a DLL into another process (CreateRemoteThread + LoadLibrary)

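    // Load the DLL at szModule into process dwID: the path is copied into the
    // target's address space and a remote thread is started with
    // kernel32!LoadLibraryW/A as its start routine and that buffer as argument.
    //
    // szModule: path of the DLL to load. Pass an absolute path. A bare file
    //           name is resolved by the *target's* DLL search order, so a
    //           planted DLL earlier on that path would be loaded instead.
    // dwID:     PID of the target process.
    //
    // Returns TRUE only if the remote LoadLibrary reported a non-NULL module
    // handle. Returns FALSE if the process could not be opened, any Win32 call
    // failed, or the DLL did not load in the target; GetLastError() holds the
    // cause (ERROR_MOD_NOT_FOUND for the last case).
    //
    // Caveats a caller must know:
    //  - The LoadLibrary address is resolved in *this* process and reused in
    //    the target, i.e. kernel32.dll is assumed to sit at the same base in
    //    both. That holds for processes of the same bitness; it does not hold
    //    across a 32-/64-bit mismatch, so injector and target must match.
    //  - Opening a process owned by another user needs SeDebugPrivilege
    //    (see EnablePrivilege); protected (PPL) processes cannot be opened
    //    with these rights at all.
    //  - This is textbook CreateRemoteThread injection and is expected to be
    //    flagged by AV/EDR. Use only on processes you are authorised to modify.
    BOOL Inject(LPCTSTR szModule, DWORD dwID)
    {
        BOOL    bOk            = FALSE;
        DWORD   dwErr          = 0;
        DWORD   dwExitCode     = 0;
        HANDLE  hProcess       = NULL;
        LPVOID  pAddr          = NULL;
        HANDLE  hRemoteThread  = NULL;
        FARPROC pfnLoadLibrary = NULL;
        SIZE_T  cByte          = 0;

        if (!szModule || !*szModule) {
            SetLastError(ERROR_INVALID_PARAMETER);
            return FALSE;
        }

        hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD |
                               PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwID);
        if (!hProcess) {
            return FALSE;
        }

        // Bytes for the path plus its terminator, in the type the VM APIs take.
        cByte = (_tcslen(szModule) + 1) * sizeof(TCHAR);

        pAddr = VirtualAllocEx(hProcess, NULL, cByte, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (!pAddr) {
            goto cleanup;
        }
        if (!WriteProcessMemory(hProcess, pAddr, szModule, cByte, NULL)) {
            goto cleanup;
        }

        // Pick the LoadLibrary flavour that matches the TCHAR encoding of the
        // buffer we just wrote; see the same-base caveat in the header comment.
    #ifdef _UNICODE
        pfnLoadLibrary = GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
    #else
        pfnLoadLibrary = GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
    #endif
        if (!pfnLoadLibrary) {
            goto cleanup;
        }

        hRemoteThread = CreateRemoteThread(hProcess, NULL, 0,
                                           (PTHREAD_START_ROUTINE)pfnLoadLibrary, pAddr, 0, NULL);
        if (!hRemoteThread) {
            goto cleanup;
        }
        WaitForSingleObject(hRemoteThread, INFINITE);

        // The thread exit code is LoadLibrary's return value. It is only a
        // DWORD, so on x64 the HMODULE is truncated; that is still enough to
        // distinguish "failed" (NULL) from "loaded" unless the module's base
        // happens to have all-zero low 32 bits, which a caller can rule out by
        // enumerating the target's modules afterwards. The original returned
        // TRUE without ever looking at this.
        if (GetExitCodeThread(hRemoteThread, &dwExitCode) && dwExitCode != 0) {
            bOk = TRUE;
        } else {
            SetLastError(ERROR_MOD_NOT_FOUND);
        }

    cleanup:
        // Preserve the failure code across the cleanup calls below.
        if (!bOk) {
            dwErr = GetLastError();
        }
        // Always release the remote buffer; the original freed it only on the
        // success path and passed MEM_COMMIT, which is not a valid free type
        // (MEM_RELEASE requires dwSize == 0).
        if (pAddr) {
            VirtualFreeEx(hProcess, pAddr, 0, MEM_RELEASE);
        }
        if (hRemoteThread) {
            CloseHandle(hRemoteThread);
        }
        CloseHandle(hProcess);
        if (!bOk) {
            SetLastError(dwErr);
        }
        return bOk;
    }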

    // Enable a token privilege (e.g. SeDebugPrivilege). This only toggles a privilege the token already holds; it is not elevation.

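    // Enable (bEnable != FALSE) or disable the named privilege, e.g.
    // SE_DEBUG_NAME, on the current process token.
    //
    // This is not privilege escalation: AdjustTokenPrivileges can only switch
    // privileges that are already present in the token (disabled by default).
    // If the privilege is absent, the API reports success with
    // ERROR_NOT_ALL_ASSIGNED and this function returns FALSE.
    //
    // lpszPrivilegeName: privilege name such as SE_DEBUG_NAME; must not be NULL.
    // bEnable:           TRUE to enable, FALSE to disable.
    // Returns TRUE if the token now has the requested state, FALSE otherwise;
    // GetLastError() describes the failure.
    BOOL EnablePrivilege(LPCTSTR lpszPrivilegeName, BOOL bEnable)
    {
        HANDLE hToken = NULL;
        TOKEN_PRIVILEGES tp;
        LUID luid;
        BOOL bAdjusted;
        DWORD dwErr;

        if (!lpszPrivilegeName) {
            SetLastError(ERROR_INVALID_PARAMETER);
            return FALSE;
        }

        // Least privilege on the handle: adjusting needs TOKEN_ADJUST_PRIVILEGES
        // and TOKEN_QUERY; the TOKEN_READ the original also asked for is a
        // superset of TOKEN_QUERY and is not needed here.
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
            return FALSE;
        }

        // An unknown privilege name is a failure, not a success: the original
        // returned TRUE here and leaked hToken.
        if (!LookupPrivilegeValue(NULL, lpszPrivilegeName, &luid)) {
            dwErr = GetLastError();
            CloseHandle(hToken);
            SetLastError(dwErr);
            return FALSE;
        }

        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;

        // AdjustTokenPrivileges returns TRUE even when it changed nothing
        // (ERROR_NOT_ALL_ASSIGNED), so the last-error value is the real verdict.
        // It must be captured *before* CloseHandle, which may overwrite it; the
        // original read GetLastError() after CloseHandle.
        bAdjusted = AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL);
        dwErr = GetLastError();
        CloseHandle(hToken);
        SetLastError(dwErr);
        return bAdjusted && dwErr == ERROR_SUCCESS;
    }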

    // Unload a DLL from another process (remote FreeLibrary)

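    // Unload the DLL named szDllName from process dwID by running
    // kernel32!FreeLibrary in the target on the DLL's own module handle.
    //
    // szDllName: the module as loaded in the target, either its base name
    //            (_T("hook.dll")) or its full path; matched case-insensitively
    //            against the target's module list.
    // dwID:      PID of the target process.
    //
    // Returns TRUE if the remote FreeLibrary ran and reported success; FALSE if
    // the module is not loaded in the target (ERROR_MOD_NOT_FOUND), the process
    // could not be opened, or any Win32 call failed (GetLastError() holds the cause).
    //
    // Design notes:
    //  - The module handle is read from a TH32CS_SNAPMODULE snapshot of the
    //    target instead of from a remote GetModuleHandle thread. A thread exit
    //    code is a 32-bit DWORD, so on x64 the original code truncated the
    //    64-bit HMODULE and then passed that bogus value to FreeLibrary.
    //  - The original also took the address of GetModuleHandleW/FreeLibrary
    //    directly, which yields the local import thunk unless the declaration
    //    is dllimport; GetProcAddress is used here, as Inject() already does.
    //  - FreeLibrary only decrements the load count: a DLL the target loaded
    //    more than once stays mapped after one call.
    //  - Same bitness requirement and AV/EDR visibility as Inject().
    BOOL UnLoadDll(LPCTSTR szDllName, DWORD dwID)
    {
        BOOL    bOk            = FALSE;
        DWORD   dwErr          = 0;
        DWORD   dwExitCode     = 0;
        HMODULE hRemoteMod     = NULL;
        HANDLE  hSnapshot      = INVALID_HANDLE_VALUE;
        HANDLE  hProcess       = NULL;
        HANDLE  hFreeThread    = NULL;
        FARPROC pfnFreeLibrary = NULL;
        MODULEENTRY32 me32;

        if (!szDllName || !*szDllName) {
            SetLastError(ERROR_INVALID_PARAMETER);
            return FALSE;
        }

        // Locate the DLL's base address inside the target. TH32CS_SNAPMODULE32
        // is included so the 32-bit modules of a WOW64 target are listed too.
        hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, dwID);
        if (hSnapshot == INVALID_HANDLE_VALUE) {
            return FALSE;
        }
        ZeroMemory(&me32, sizeof(me32));
        me32.dwSize = sizeof(me32);
        if (Module32First(hSnapshot, &me32)) {
            do {
                if (_tcsicmp(me32.szModule, szDllName) == 0 ||
                    _tcsicmp(me32.szExePath, szDllName) == 0) {
                    hRemoteMod = me32.hModule;   // valid in the target's address space
                    break;
                }
            } while (Module32Next(hSnapshot, &me32));
        }
        CloseHandle(hSnapshot);
        if (!hRemoteMod) {
            // The original would have called FreeLibrary(NULL) in the target here.
            SetLastError(ERROR_MOD_NOT_FOUND);
            return FALSE;
        }

        hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD |
                               PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwID);
        if (!hProcess) {
            return FALSE;
        }

        // Resolved in this process and reused in the target; relies on
        // kernel32.dll sharing its base across same-bitness processes.
        pfnFreeLibrary = GetProcAddress(GetModuleHandle(_T("Kernel32")), "FreeLibrary");
        if (!pfnFreeLibrary) {
            goto cleanup;
        }

        hFreeThread = CreateRemoteThread(hProcess, NULL, 0,
                                         (PTHREAD_START_ROUTINE)pfnFreeLibrary,
                                         (LPVOID)hRemoteMod, 0, NULL);
        if (!hFreeThread) {
            goto cleanup;
        }
        WaitForSingleObject(hFreeThread, INFINITE);

        // FreeLibrary's BOOL result comes back as the thread exit code.
        if (GetExitCodeThread(hFreeThread, &dwExitCode) && dwExitCode != 0) {
            bOk = TRUE;
        } else {
            SetLastError(ERROR_MOD_NOT_FOUND);
        }

    cleanup:
        if (!bOk) {
            dwErr = GetLastError();
        }
        if (hFreeThread) {
            CloseHandle(hFreeThread);
        }
        CloseHandle(hProcess);
        if (!bOk) {
            SetLastError(dwErr);
        }
        return bOk;
    }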

    Original source: http://blog.csdn.net/evi10r/article/details/6724874#comments

  • 原文地址:https://www.cnblogs.com/DuanLaoYe/p/5486379.html