创建远程线程

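// Enables or disables one named privilege on the current process token.
//
// PrivilegeName: privilege name as accepted by LookupPrivilegeValue (e.g. SE_DEBUG_NAME).
// IsEnable:      TRUE sets SE_PRIVILEGE_ENABLED on the privilege, FALSE clears it.
// Returns TRUE only when the privilege was actually adjusted. FALSE is returned when the
// token cannot be opened, the name is unknown, or the token does not hold the privilege
// (AdjustTokenPrivileges then reports ERROR_NOT_ALL_ASSIGNED). This helper cannot add a
// privilege the token was not granted by policy; it only toggles ones that are present.
//
// Fixes versus the previous version: the token handle is closed on every path, an unknown
// privilege name no longer reports success, and GetLastError() is read before CloseHandle(),
// which could otherwise overwrite the value being tested.
BOOL EnablePrivilege(char *PrivilegeName, BOOL IsEnable)
{
    HANDLE hToken = NULL;
    // TOKEN_READ already implies TOKEN_QUERY; the original mask is kept unchanged.
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | TOKEN_READ, &hToken))
    {
        return FALSE;
    }

    BOOL bAdjusted = FALSE;
    LUID luid;
    if (LookupPrivilegeValue(NULL, PrivilegeName, &luid))
    {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount           = 1;
        tp.Privileges[0].Luid       = luid;
        tp.Privileges[0].Attributes = IsEnable ? SE_PRIVILEGE_ENABLED : 0;

        // AdjustTokenPrivileges returns TRUE even when not all privileges could be
        // assigned; the real outcome is only visible through GetLastError(), so it
        // must be captured here, before CloseHandle() can clobber it.
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL))
        {
            bAdjusted = (GetLastError() == ERROR_SUCCESS);
        }
    }

    CloseHandle(hToken);
    return bAdjusted;
}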


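// Returns the id of the first running process whose image file name equals lpStrName
// (case-insensitive, compared with lstrcmpi against PROCESSENTRY32::szExeFile).
//
// lpStrName: executable name as the toolhelp snapshot reports it, e.g. "notepad.exe".
// Returns the matching process id, or (DWORD)-1 when no process matches or the snapshot
// cannot be created. Only the first match is returned; if several processes share the
// name the choice is whichever the snapshot lists first, so callers that need a specific
// instance should not rely on this function alone.
//
// Fix versus the previous version: the snapshot handle is now closed on every path and
// CreateToolhelp32Snapshot failure (INVALID_HANDLE_VALUE) is checked before iterating.
DWORD GetProcessIdByName(LPCTSTR lpStrName)
{
    DWORD dwFoundPid = (DWORD)-1;   // sentinel kept for backward compatibility

    HANDLE hSnapShot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapShot == INVALID_HANDLE_VALUE)
    {
        return dwFoundPid;
    }

    PROCESSENTRY32 pe = {sizeof(pe)};   // dwSize must be set before Process32First
    for (BOOL fok = ::Process32First(hSnapShot, &pe); fok; fok = ::Process32Next(hSnapShot, &pe))
    {
        if (lstrcmpi(pe.szExeFile, lpStrName) == 0)
        {
            dwFoundPid = pe.th32ProcessID;
            break;
        }
    }

    ::CloseHandle(hSnapShot);   // previously leaked on every call
    return dwFoundPid;
}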




// Loads a DLL into another process by starting a thread in it that runs LoadLibraryA.
// szDllPath must be the full path of the DLL: it is resolved by the target process, not here.
//
// Review notes (code left exactly as written):
//  - The function returns void, so callers cannot distinguish success from any of the
//    early-return failures below; failures are reported only through OutputDebugString.
//  - szDllPathCopy is a fixed 1024-byte stack buffer and lstrcpy performs no length check,
//    so a szDllPath of 1024 characters or more overflows it. The caller must enforce the bound.
//  - hRemoteProcess and hRemoteThread are never closed, and the remote block from
//    VirtualAllocEx is never released with VirtualFreeEx, on any path including the early returns.
//  - Every early return skips the EnablePrivilege(SE_DEBUG_NAME,false) at the end, so the
//    debug privilege stays enabled on this process for the rest of its lifetime.
//  - The VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread(LoadLibraryA) sequence
//    is the textbook remote-thread injection pattern that endpoint monitoring commonly
//    flags; any code path that reaches this function warrants close security review.
void InjectDllToRemoteProcess(DWORD dwProcessId,LPCSTR szDllPath)
{
HANDLE hRemoteProcess=NULL; // handle to the target process (never closed, see notes above)
HANDLE hRemoteThread=NULL; // handle to the thread created in the target (never closed)
DWORD dwThreadSize=0; // unused

PVOID pRemoteThread=NULL; // address used as the remote thread's start routine (LoadLibraryA)
PVOID pRemoteParam=NULL; // remote buffer holding the DLL path, passed as the thread argument
DWORD dwWriten=0; // byte count from WriteProcessMemory; later reused to receive the thread id
BOOL bRet=FALSE;

// Local copy of the path; 1024 bytes is also the size written to the target below.
// No bound check: a longer szDllPath overflows this buffer.
CHAR szDllPathCopy[1024]="";
lstrcpy(szDllPathCopy,szDllPath);


// Enable SeDebugPrivilege. The return value is ignored, so a failed adjustment
// (privilege not held by the token) is not noticed here; OpenProcess below then fails.
EnablePrivilege(SE_DEBUG_NAME,true);//up Privilege

// PROCESS_ALL_ACCESS is far more than the VirtualAllocEx/WriteProcessMemory/
// CreateRemoteThread calls below need; a narrower mask would be the least-privilege choice.
hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS,false,dwProcessId);
if(hRemoteProcess == NULL)
{
OutputDebugString("open process error!");
return;
}
// Reserve and commit 1024 bytes in the target for the DLL path; read/write only, never freed.
pRemoteParam = VirtualAllocEx(hRemoteProcess,NULL,1024,MEM_COMMIT,PAGE_READWRITE);
if(pRemoteParam == NULL)
{
OutputDebugString("faild to alloc memory");
return;
}
// Copy the whole 1024-byte local buffer (not just the string) into the remote block.
bRet = WriteProcessMemory(hRemoteProcess,pRemoteParam,(LPVOID)szDllPathCopy,1024,&dwWriten); //write param to remote alloced space!
if(!bRet)
{
OutputDebugString("faild to write memory");
return;           
}
// Resolve LoadLibraryA in this process's kernel32 and use that address in the target.
// The ANSI entry point is required because the remote parameter is a CHAR path.
// NOTE(review): this assumes kernel32 is mapped at the same base in both processes
// (same bitness); the code does not verify that -- confirm for the intended targets.
pRemoteThread = GetProcAddress(LoadLibrary("kernel32.dll"),"LoadLibraryA"); //here must be "LoadLibraryA"!!
if(pRemoteThread == NULL) 
{
OutputDebugString("faild to get loadlibraryA address!");
return;
}
// Start LoadLibraryA(pRemoteParam) on a new thread in the target. The returned handle is
// not checked for NULL and is never closed; &dwWriten here receives the new thread id,
// overwriting the WriteProcessMemory byte count stored above.
hRemoteThread = CreateRemoteThread(hRemoteProcess,0,0,(DWORD(__stdcall *)(VOID*))pRemoteThread,pRemoteParam,0,&dwWriten);

// Only reached on the success path; every early return above leaves the privilege enabled.
EnablePrivilege(SE_DEBUG_NAME,false); //down Privilege
}