[C++] 纯文本查看 复制代码#include
#include
#include
#include
#include
#include
using namespace std;   // NOTE(review): file-scope using-directive; only std::cerr is used below
// Return the th32ProcessID of the first snapshot entry whose szExeFile matches `name`
// exactly (case-sensitive _tcscmp), or 0 when no process matches.
DWORD getPid(LPTSTR name);
// Enable the privilege called `name` on the current process token.
// Returns 1 on success, 0 on any failure (error text is written to cerr).
int EnableDebugPrivilege(const LPTSTR name);
// Entry point: first loads the DLL into this process as a local smoke test, then
// tries to get it loaded into the "aHost.exe" process through a remote thread.
// The sequence used here (enable SeDebugPrivilege -> OpenProcess(PROCESS_ALL_ACCESS)
// -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread on LoadLibraryW) is
// the textbook remote-thread loader pattern; from a defender's view every one of
// these calls is a detection point that host-based monitoring keys on.
// NOTE(review): hProc, hThread and the remote allocation are never released
// (no CloseHandle / VirtualFreeEx anywhere in this function), and each printf
// below passes a DWORD, HANDLE or size_t to %d, a format/argument mismatch.
int main() {
const TCHAR *pLocDll = _T("D:\\work\\fangan0\\Release\\aInject.dll");
// Only verifies that this DLL's DllMain can be triggered (loaded in this process).
HMODULE hLib = LoadLibrary(pLocDll);
FreeLibrary(hLib);   // NOTE(review): hLib is not checked for NULL before FreeLibrary
DWORD pid = getPid(_T("aHost.exe"));
if (pid > 0) {
printf("pid=%d\n", pid);
EnableDebugPrivilege(SE_DEBUG_NAME);   // return value ignored: a failed privilege enable is not handled
HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if (hProc) {
printf("hProc=%d\n", hProc);   // HANDLE printed with %d
// Byte length of the path; assumes TCHAR is 2 bytes (UNICODE build) — confirm.
// The terminating NUL is not included in this count.
size_t lenLocDll = 2 * _tcslen(pLocDll);
printf("lenLocDll=%d\n", lenLocDll);   // size_t printed with %d
LPVOID strRmt = VirtualAllocEx(hProc, nullptr, MAX_PATH, MEM_COMMIT, PAGE_READWRITE);
if (strRmt) {
// NOTE(review): lenLocDll is never compared with the MAX_PATH-byte allocation above,
// so a long path would write past the remote buffer.
BOOL ret = WriteProcessMemory(hProc, strRmt, pLocDll, lenLocDll, nullptr);
if (ret != FALSE) {
printf("WriteProcessMemory ret %d\n", ret);
// "LoadLibraryW" is hard-coded, so this also assumes a UNICODE build; the
// GetProcAddress result is not checked for NULL before use.
LPTHREAD_START_ROUTINE loadlib = LPTHREAD_START_ROUTINE(GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryW"));
HANDLE hThread = CreateRemoteThread(hProc, nullptr, 0, loadlib, LPVOID(pLocDll), 0, nullptr);
if (hThread) {
printf("hThread=%d\n", hThread);   // HANDLE printed with %d; hThread is never closed
}
}
}
}
}
return 0;
}
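// Return the th32ProcessID of the first running process whose image name equals
// `name` (exact, case-sensitive _tcscmp), or 0 when no process matches or the
// snapshot cannot be taken.
// NOTE(review): the original used assert() on the snapshot handle, which compiles
// away in release builds and would then hand INVALID_HANDLE_VALUE to Process32First;
// the failure is now reported through the 0 return instead. Comparison semantics are
// unchanged: Windows image names are case-insensitive, so _tcsicmp may be what callers
// actually want — confirm before changing.
DWORD getPid(LPTSTR name) {
// Snapshot of all processes on the system (Toolhelp32).
HANDLE hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcSnap == INVALID_HANDLE_VALUE) {
return 0;
}
PROCESSENTRY32 pe32{};
pe32.dwSize = sizeof(PROCESSENTRY32);   // required by Process32First
DWORD pid = 0;
// Walk the snapshot; first matching entry wins, as in the original.
for (BOOL more = Process32First(hProcSnap, &pe32); more; more = Process32Next(hProcSnap, &pe32)) {
if (_tcscmp(pe32.szExeFile, name) == 0) {
pid = pe32.th32ProcessID;
break;
}
}
// Single exit point so the snapshot handle is released on every path.
CloseHandle(hProcSnap);
return pid;
}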
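// Enable the privilege called `name` (e.g. SE_DEBUG_NAME) on the current process token.
// Returns 1 on success, 0 on any failure; error text goes to cerr.
// Security note: SeDebugPrivilege grants access to processes of other users and is
// normally present only on administrator tokens; token privilege adjustments are an
// auditable event on Windows, so a defender can expect this call to leave a trace.
// NOTE(review): the original leaked the token handle on every path and treated a TRUE
// return from AdjustTokenPrivileges as success, although that API also returns TRUE
// when the privilege is simply not held (GetLastError() == ERROR_NOT_ALL_ASSIGNED).
int EnableDebugPrivilege(const LPTSTR name)
{
HANDLE token = nullptr;
// Open our own token with the rights needed to query and adjust privileges.
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token))
{
cerr << "open process token error!\n";
return 0;
}
// Resolve the privilege name to its locally unique identifier.
LUID luid;
if (!LookupPrivilegeValue(NULL, name, &luid))
{
cerr << "lookup privilege value error!\n";
CloseHandle(token);
return 0;
}
TOKEN_PRIVILEGES tp{};
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
// Read GetLastError() immediately after the call and before CloseHandle, which
// may overwrite it.
const BOOL adjusted = AdjustTokenPrivileges(token, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
const DWORD err = GetLastError();
CloseHandle(token);
if (!adjusted || err == ERROR_NOT_ALL_ASSIGNED)
{
cerr << "adjust token privilege error!\n";
return 0;
}
return 1;
}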