01 #include <stdio.h>
02 #include <tchar.h>
03 #include <windows.h>
04 #include <atlbase.h>
05
06 BOOL EnableDebugPriv(LPCTSTR name)
07 {
08 HANDLE h;
09 TOKEN_PRIVILEGES tp;
10 LUID id;
11
12 // 打开进程令牌环
13 if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &h))
14 return FALSE;
15
16 // 获得进程本地唯一ID
17 if (!LookupPrivilegeValue(NULL, name, &id))
18 return FALSE;
19
20 tp.PrivilegeCount = 1;
21 tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
22 tp.Privileges[0].Luid = id;
23
24 // 调整权限
25 if (!AdjustTokenPrivileges(h, 0, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
26 return FALSE;
27
28 return TRUE;
29 }
30
31 BOOL InjectDll(LPCTSTR dll_full_path, DWORD remote_process_id)
32 {
33 HANDLE h;
34
35 if (!EnableDebugPriv(SE_DEBUG_NAME))
36 return FALSE;
37
38 // 打开远程线程.
39 h = OpenProcess(PROCESS_ALL_ACCESS, FALSE, remote_process_id);
40 if (!h)
41 return FALSE;
42
43 DWORD size = _tcsclen(dll_full_path) + 1;
44
45 // 使用VirtualAllocEx函数在远程进程的内存地址空间分配DLL文件名空间
46 LPVOID r = VirtualAllocEx(h, NULL, size, MEM_COMMIT, PAGE_READWRITE);
47 if (!r)
48 return FALSE;
49
50 // 使用WriteProcessMemory函数将DLL的路径名写入到远程进程的内存空间
51 if (!WriteProcessMemory(h, r, (void *)dll_full_path, size, NULL))
52 return FALSE;
53
54 // 计算LoadLibraryA的入口地址
55 PTHREAD_START_ROUTINE start =
56 (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
57 if (!start)
58 return FALSE;
59
60 // (关于GetModuleHandle函数和GetProcAddress函数)
61 // 启动远程线程LoadLibraryA,通过远程线程调用创建新的线程.
62 DWORD tid;
63 HANDLE t = CreateRemoteThread(h, NULL, 0, start, r, 0, &tid);
64 if(!t)
65 return FALSE;
66
67 WaitForSingleObject(t, INFINITE);
68
69 // 释放资源和句柄
70 VirtualFreeEx(h, r, size, MEM_DECOMMIT);
71 CloseHandle(t);
72 CloseHandle(h);
73
74 return TRUE;
75 }
76
77 int main(int argc, char **argv)
78 {
79 if (argc < 3)
80 {
81 printf("usage: InjectDll.exe <dll_path> <process_id>\n");
82 return -1;
83 }
84
85 TCHAR dll[MAX_PATH];
86 int id = atoi(argv[2]);
87
88 USES_CONVERSION;
89 _tcscpy(dll, A2T(argv[1]));
90
91 if (!InjectDll(dll, id))
92 {
93 printf("inject dll failed!\n");
94 return -1;
95 }
96
97 return 0;
98 }
02 #include <tchar.h>
03 #include <windows.h>
04 #include <atlbase.h>
05
06 BOOL EnableDebugPriv(LPCTSTR name)
07 {
08 HANDLE h;
09 TOKEN_PRIVILEGES tp;
10 LUID id;
11
12 // 打开进程令牌环
13 if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &h))
14 return FALSE;
15
16 // 获得进程本地唯一ID
17 if (!LookupPrivilegeValue(NULL, name, &id))
18 return FALSE;
19
20 tp.PrivilegeCount = 1;
21 tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
22 tp.Privileges[0].Luid = id;
23
24 // 调整权限
25 if (!AdjustTokenPrivileges(h, 0, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
26 return FALSE;
27
28 return TRUE;
29 }
30
31 BOOL InjectDll(LPCTSTR dll_full_path, DWORD remote_process_id)
32 {
33 HANDLE h;
34
35 if (!EnableDebugPriv(SE_DEBUG_NAME))
36 return FALSE;
37
38 // 打开远程线程.
39 h = OpenProcess(PROCESS_ALL_ACCESS, FALSE, remote_process_id);
40 if (!h)
41 return FALSE;
42
43 DWORD size = _tcsclen(dll_full_path) + 1;
44
45 // 使用VirtualAllocEx函数在远程进程的内存地址空间分配DLL文件名空间
46 LPVOID r = VirtualAllocEx(h, NULL, size, MEM_COMMIT, PAGE_READWRITE);
47 if (!r)
48 return FALSE;
49
50 // 使用WriteProcessMemory函数将DLL的路径名写入到远程进程的内存空间
51 if (!WriteProcessMemory(h, r, (void *)dll_full_path, size, NULL))
52 return FALSE;
53
54 // 计算LoadLibraryA的入口地址
55 PTHREAD_START_ROUTINE start =
56 (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
57 if (!start)
58 return FALSE;
59
60 // (关于GetModuleHandle函数和GetProcAddress函数)
61 // 启动远程线程LoadLibraryA,通过远程线程调用创建新的线程.
62 DWORD tid;
63 HANDLE t = CreateRemoteThread(h, NULL, 0, start, r, 0, &tid);
64 if(!t)
65 return FALSE;
66
67 WaitForSingleObject(t, INFINITE);
68
69 // 释放资源和句柄
70 VirtualFreeEx(h, r, size, MEM_DECOMMIT);
71 CloseHandle(t);
72 CloseHandle(h);
73
74 return TRUE;
75 }
76
77 int main(int argc, char **argv)
78 {
79 if (argc < 3)
80 {
81 printf("usage: InjectDll.exe <dll_path> <process_id>\n");
82 return -1;
83 }
84
85 TCHAR dll[MAX_PATH];
86 int id = atoi(argv[2]);
87
88 USES_CONVERSION;
89 _tcscpy(dll, A2T(argv[1]));
90
91 if (!InjectDll(dll, id))
92 {
93 printf("inject dll failed!\n");
94 return -1;
95 }
96
97 return 0;
98 }