CreateRemoteThread

/************************************************************************/
/* 通过CreateRemoteThread注入进程
/* 参数：进程ID，dll路径
/************************************************************************/
BOOL InjectModuleToProcessByRT(DWORD dwProcessId, LPWSTR lpDllPath) 
{
	BOOL bRet = FALSE;
	HANDLE hProcess = NULL, hThread = NULL;
	LPWSTR lpRemoteDllName = NULL;
	WCHAR szBuf[MAX_PATH] = {0};
	DWORD dwSmss = GetProcessIdByName(L"smss.exe");
	DWORD dwCsrss = GetProcessIdByName(L"csrss.exe");
	if( (dwProcessId == 0)||(dwProcessId == 4)||(dwProcessId == dwSmss)||(dwProcessId == dwCsrss))
	{
		return bRet;
	}
	__try
	{
		//获取目标进程句柄
		hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
		if (hProcess == NULL)
		{
			wsprintf(szBuf,L"[error]OpenProcess(%d)",GetLastError());
			OutputDebugString(szBuf);
			__leave;
		}

		// 计算dll路径所需要的字节数
		int cch = 1 + lstrlenW(lpDllPath);
		int cb  = cch * sizeof(wchar_t);

		// 为远程线程的路径分配空间
		lpRemoteDllName = (LPWSTR) VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
		if (lpRemoteDllName == NULL)
		{
			wsprintf(szBuf,L"[error]VirtualAllocEx(%d)",GetLastError());
			OutputDebugString(szBuf);
			__leave;
		}

		//将dll路径写入远程线程空间
		if (!WriteProcessMemory(hProcess, lpRemoteDllName, (PVOID) lpDllPath, cb, NULL))
		{
			wsprintf(szBuf,L"[error]WriteProcessMemory(%d)",GetLastError());
			OutputDebugString(szBuf);
			__leave;
		}

		// 获取LoadLibraryW在Kernel32.dll中的地址
		PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
			GetProcAddress(GetModuleHandle(L"Kernel32"), "LoadLibraryW");
		if (pfnThreadRtn == NULL)
		{
			OutputDebugString(L"[error]Get LoadLibraryW Address Fail");
			__leave;
		}

		// 创建远程线程
		hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, lpRemoteDllName, 0, NULL);
		//hThread = LibCreateRemoteThread(hProcess, pfnThreadRtn, lpRemoteDllName, 0, NULL);
		if (hThread == NULL)
		{
			wsprintf(szBuf,L"[error]CreateRemoteThread(%d)",GetLastError());
			OutputDebugString(szBuf);
			__leave;
		}

		// 等待远程线程结束
		WaitForSingleObject(hThread, INFINITE);

		bRet = TRUE;
	}
	__finally 
	{ 
		if (lpRemoteDllName != NULL) 
			VirtualFreeEx(hProcess, lpRemoteDllName, 0, MEM_RELEASE);

		if (hThread  != NULL) 
			CloseHandle(hThread);

		if (hProcess != NULL) 
			CloseHandle(hProcess);
	}

	return bRet;
}

转载于:https://www.cnblogs.com/15157737693zsp/p/4149136.html