C++ DLL Remote Injection and Unloading Functions

Source: Internet
Author: User

The code is as follows.

The first function works. When the second function runs, it kills the target program; maybe the target program has a protection mechanism.

Supports Unicode builds.

#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>
#include <io.h>
#include <cstring>

// Inject
// Function: InjectDll
// Purpose: inject a specified DLL module file into the target process.
// Parameters: [in] const TCHAR* ptszDllFile - DLL file name and path
//             [in] DWORD dwProcessId        - target process ID
// Return: bool - true on success, false if the injection fails.
// Description: uses the remote-thread injection technique
bool InjectDll(const TCHAR* ptszDllFile, DWORD dwProcessId)
{
    // The parameter is invalid
    if (NULL == ptszDllFile || 0 == ::_tcslen(ptszDllFile))
    {
        return false;
    }

    // The specified DLL file does not exist
    if (-1 == ::_taccess(ptszDllFile, 0))
    {
        return false;
    }

    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    DWORD dwSize = 0;
    TCHAR* ptszRemoteBuf = NULL;
    LPTHREAD_START_ROUTINE lpThreadFun = NULL;

    // Obtain the target process handle
    hProcess = ::OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwProcessId);
    if (NULL == hProcess)
    {
        return false;
    }

    // Allocate memory space in the target process (character count + terminator)
    dwSize = (DWORD)::_tcslen(ptszDllFile) + 1;
    ptszRemoteBuf = (TCHAR*)::VirtualAllocEx(hProcess, NULL, dwSize * sizeof(TCHAR), MEM_COMMIT, PAGE_READWRITE);
    if (NULL == ptszRemoteBuf)
    {
        ::CloseHandle(hProcess);
        return false;
    }

    // Write the required parameter (module name) into the target process's memory
    if (FALSE == ::WriteProcessMemory(hProcess, ptszRemoteBuf, (LPVOID)ptszDllFile, dwSize * sizeof(TCHAR), NULL))
    {
        // MEM_RELEASE with size 0 frees the whole allocation (MEM_DECOMMIT alone leaves the reservation)
        ::VirtualFreeEx(hProcess, ptszRemoteBuf, 0, MEM_RELEASE);
        ::CloseHandle(hProcess);
        return false;
    }

    // Obtain the LoadLibrary function address from kernel32.dll
#ifdef _UNICODE
    lpThreadFun = (LPTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
#else
    lpThreadFun = (LPTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
#endif
    if (NULL == lpThreadFun)
    {
        ::VirtualFreeEx(hProcess, ptszRemoteBuf, 0, MEM_RELEASE);
        ::CloseHandle(hProcess);
        return false;
    }

    // Create a remote thread to call LoadLibrary with the module name as its argument
    hThread = ::CreateRemoteThread(hProcess, NULL, 0, lpThreadFun, ptszRemoteBuf, 0, NULL);
    if (NULL == hThread)
    {
        ::VirtualFreeEx(hProcess, ptszRemoteBuf, 0, MEM_RELEASE);
        ::CloseHandle(hProcess);
        return false;
    }

    // Wait until the remote thread ends
    ::WaitForSingleObject(hThread, INFINITE);

    // Clean up
    ::VirtualFreeEx(hProcess, ptszRemoteBuf, 0, MEM_RELEASE);
    ::CloseHandle(hThread);
    ::CloseHandle(hProcess);

    return true;
}

// Uninject
// Function: UninjectDll
// Purpose: detach a specified DLL module file from the target process.
// Parameters: [in] const TCHAR* ptszDllFile - DLL file name and path
//             [in] DWORD dwProcessId        - target process ID
// Return: bool - true on success, false if the unload fails.
// Description: uses the remote-thread injection technique
bool UninjectDll(const TCHAR* ptszDllFile, DWORD dwProcessId)
{
    // The parameter is invalid
    if (NULL == ptszDllFile || 0 == ::_tcslen(ptszDllFile))
    {
        return false;
    }

    HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    LPTHREAD_START_ROUTINE lpThreadFun = NULL; // declaration was missing from the original listing

    // Obtain the module snapshot of the target process
    hModuleSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
    if (INVALID_HANDLE_VALUE == hModuleSnap)
    {
        return false;
    }

    MODULEENTRY32 me32;
    memset(&me32, 0, sizeof(MODULEENTRY32));
    me32.dwSize = sizeof(MODULEENTRY32);

    // Start traversing
    if (FALSE == ::Module32First(hModuleSnap, &me32))
    {
        ::CloseHandle(hModuleSnap);
        return false;
    }

    // Look for the specified module by name or by full path
    bool isFound = false;
    do
    {
        isFound = (0 == ::_tcsicmp(me32.szModule, ptszDllFile) || 0 == ::_tcsicmp(me32.szExePath, ptszDllFile));
        if (isFound) // found the specified module
        {
            break;
        }
    } while (TRUE == ::Module32Next(hModuleSnap, &me32));

    ::CloseHandle(hModuleSnap);

    if (false == isFound)
    {
        return false;
    }

    // Obtain the target process handle
    hProcess = ::OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION, FALSE, dwProcessId);
    if (NULL == hProcess)
    {
        return false;
    }

    // Obtain the FreeLibrary function address from kernel32.dll
    lpThreadFun = (LPTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "FreeLibrary");
    if (NULL == lpThreadFun)
    {
        ::CloseHandle(hProcess);
        return false;
    }

    // Create a remote thread that calls FreeLibrary on the module's base address
    hThread = ::CreateRemoteThread(hProcess, NULL, 0, lpThreadFun, me32.modBaseAddr /* module base address */, 0, NULL);
    if (NULL == hThread)
    {
        ::CloseHandle(hProcess);
        return false;
    }

    // Wait until the remote thread ends
    ::WaitForSingleObject(hThread, INFINITE);

    // Clean up
    ::CloseHandle(hThread);
    ::CloseHandle(hProcess);

    return true;
}
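From the defender's side, both functions above leave the same distinctive trace: a thread created in another process whose start address resolves to an exported kernel32 routine, LoadLibraryW/LoadLibraryA for the inject and FreeLibrary for the uninject. Sysmon records every CreateRemoteThread call as Event ID 8, including StartModule and StartFunction fields that name that routine. The following triage script is an added example, not part of the original post or its code: it parses records in the "Key: Value" layout of Sysmon's rendered event text and flags cross-process threads that start at a loader export. The log records are constructed for the example; the field names follow the Sysmon Event ID 8 schema.

```python
"""Flag Sysmon Event ID 8 (CreateRemoteThread) records whose remote thread
starts at a LoadLibrary/FreeLibrary export, the pattern used by the
InjectDll/UninjectDll functions above.

Sample records are constructed for this example; field names follow the
Sysmon event schema (SourceProcessId, TargetProcessId, StartModule, StartFunction).
"""

from typing import Dict, List, Optional

# Loader exports that a LoadLibrary-style injector or a FreeLibrary-style
# ejector hands to CreateRemoteThread as the thread start routine.
LOADER_ENTRYPOINTS = {
    "LoadLibraryA": "load",
    "LoadLibraryW": "load",
    "LoadLibraryExA": "load",
    "LoadLibraryExW": "load",
    "FreeLibrary": "unload",
}

# Constructed sample log: one record per blank-line-separated block.
# Records 1 and 2 match the inject/uninject pattern; record 3 is the benign
# case of csrss.exe starting a CtrlRoutine thread in a console process;
# record 4 is a thread created inside the same process, so not remote.
SAMPLE_LOG = r"""
CreateRemoteThread detected:
SourceProcessId: 4120
SourceImage: C:\Tools\injector.exe
TargetProcessId: 5340
TargetImage: C:\Windows\System32\notepad.exe
NewThreadId: 6100
StartAddress: 0x00007FFB1C2D1A40
StartModule: C:\Windows\System32\KERNEL32.DLL
StartFunction: LoadLibraryW

CreateRemoteThread detected:
SourceProcessId: 4120
SourceImage: C:\Tools\injector.exe
TargetProcessId: 5340
TargetImage: C:\Windows\System32\notepad.exe
NewThreadId: 6124
StartAddress: 0x00007FFB1C2D2F10
StartModule: C:\Windows\System32\KERNEL32.DLL
StartFunction: FreeLibrary

CreateRemoteThread detected:
SourceProcessId: 612
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessId: 7001
TargetImage: C:\Windows\System32\cmd.exe
NewThreadId: 7044
StartAddress: 0x00007FFB1C2C8B30
StartModule: C:\Windows\System32\KERNEL32.DLL
StartFunction: CtrlRoutine

CreateRemoteThread detected:
SourceProcessId: 900
SourceImage: C:\Program Files\App\app.exe
TargetProcessId: 900
TargetImage: C:\Program Files\App\app.exe
NewThreadId: 950
StartAddress: 0x00007FFB1C2D1A40
StartModule: C:\Windows\System32\KERNEL32.DLL
StartFunction: LoadLibraryW
"""


def parse_sysmon_text(text: str) -> List[Dict[str, str]]:
    """Split rendered event text into one dict of fields per record."""
    records: List[Dict[str, str]] = []
    for block in text.strip().split("\n\n"):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:  # the "... detected:" header line has no ": " separator
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return "load" or "unload" when a thread created in another process
    starts at a loader export; None for anything else."""
    if event.get("SourceProcessId") == event.get("TargetProcessId"):
        return None  # thread created in the caller's own process: not injection
    return LOADER_ENTRYPOINTS.get(event.get("StartFunction", ""))


def find_loader_threads(text: str) -> List[Dict[str, str]]:
    """Triage a log: one finding per record that matches the pattern."""
    findings: List[Dict[str, str]] = []
    for event in parse_sysmon_text(text):
        action = classify(event)
        if action is None:
            continue
        findings.append({
            "action": action,
            "source": event.get("SourceImage", "?"),
            "target": event.get("TargetImage", "?"),
            "start": event.get("StartFunction", "?"),
        })
    return findings


if __name__ == "__main__":
    for f in find_loader_threads(SAMPLE_LOG):
        print(f"[{f['action']}] {f['source']} -> {f['target']} via {f['start']}")
```

Running the script prints two findings, the LoadLibraryW and FreeLibrary threads from injector.exe into notepad.exe, and ignores the csrss.exe console-control thread and the same-process record. The same-PID exclusion matters because Sysmon logs every CreateRemoteThread call, including a process creating threads in itself; in production the StartFunction check would be one signal combined with the source image's reputation and whether the target is a sensitive process.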
