DLL injection for C++ learning: a CreateRemoteThread + LoadLibraryA injector, with a FreeLibrary unload step (learning notes)
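#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <tlhelp32.h>

/*
 * Minimal CreateRemoteThread + LoadLibraryA DLL injector (learning code).
 *
 * Flow: find the target PID by image name -> enable SeDebugPrivilege ->
 * open the process -> write the DLL path into its address space ->
 * run LoadLibraryA there on a new thread -> unload it again with FreeLibrary.
 *
 * Caveats a user of this code should know:
 *  - Injector and target must have the same bitness (32-bit into 32-bit,
 *    64-bit into 64-bit); a mismatched DLL will not load.
 *  - A remote thread's exit code is 32 bits wide, so the HMODULE returned by
 *    LoadLibraryA is truncated on 64-bit targets; the unload step below relies
 *    on that value and is only reliable for 32-bit targets.
 *  - SeDebugPrivilege is only present in an elevated (administrator) token;
 *    protected processes cannot be opened this way at all.
 *  - The DLL path is interpreted by the *target's* loader, so pass an absolute
 *    path; a relative name would be resolved against the target's search path.
 *  - DllMain runs under the loader lock on the injected thread; a DllMain that
 *    blocks makes the WaitForSingleObject(INFINITE) calls below hang.
 *  - An ANSI (non-UNICODE) build is assumed: the TCHAR process name is printed
 *    with %s and compared against a char* literal.
 */

/* Defaults used when no target / DLL is given on the command line. */
#define DEFAULT_TARGET_EXE "calc.exe"
#define DEFAULT_DLL_PATH   "D:\\WorkProject\\C++\\20160314\\DLLImport\\Debug\\dllDemo.dll"

/*
 * Return the PID of the first running process whose image name equals
 * lpProcessName. The comparison is case-insensitive, as Windows file names
 * are (the original lstrcmp would miss "Calc.exe"). Despite its name the
 * function returns a PID, not a handle.
 *
 * Returns 0 when the name is empty, no such process exists, or the snapshot
 * cannot be taken.
 */
DWORD getProcessHandle(LPCTSTR lpProcessName)
{
    DWORD dwRet = 0;
    PROCESSENTRY32 pe32;
    HANDLE hSnapShot;

    if (lpProcessName == NULL || lpProcessName[0] == '\0') {
        return 0;
    }

    /* TH32CS_SNAPPROCESS: snapshot of every process on the system. */
    hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapShot == INVALID_HANDLE_VALUE) {
        printf("\n obtaining process snapshot of PID = %s failed %d",
               lpProcessName, (int)GetLastError());
        return dwRet;
    }

    /* dwSize must be filled in before Process32First, or it fails with
     * ERROR_INVALID_PARAMETER. */
    pe32.dwSize = sizeof(PROCESSENTRY32);
    if (Process32First(hSnapShot, &pe32)) {
        do {
            if (lstrcmpi(pe32.szExeFile, lpProcessName) == 0) {
                dwRet = pe32.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnapShot, &pe32));
    }

    CloseHandle(hSnapShot);
    return dwRet;
}

/*
 * Enable SeDebugPrivilege on the current process token so OpenProcess can
 * reach processes owned by other users / SYSTEM.
 *
 * The privilege must already be present (disabled) in the token, which in
 * practice means an elevated administrator token; otherwise
 * AdjustTokenPrivileges returns TRUE but sets ERROR_NOT_ALL_ASSIGNED, which
 * the original code never looked at.
 *
 * Returns TRUE only when the privilege is actually enabled, FALSE otherwise.
 * (The original returned void; callers that ignore the result still work.)
 */
BOOL EnableDebugPriv(void)
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tkp;
    BOOL ok = FALSE;

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        printf("\n OpenProcessToken error %d", (int)GetLastError());
        return FALSE;
    }

    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid)) {
        printf("\n LookupPrivilegeValue error %d", (int)GetLastError());
        CloseHandle(hToken);
        return FALSE;
    }

    /* A TRUE return only means the request was well-formed; the privilege is
     * enabled only if GetLastError() is ERROR_SUCCESS afterwards. */
    if (AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL)
        && GetLastError() == ERROR_SUCCESS) {
        ok = TRUE;
    } else {
        printf("\n AdjustTokenPrivileges error %d (token not elevated?)",
               (int)GetLastError());
    }

    CloseHandle(hToken);
    return ok;
}

/*
 * Usage: injector [target.exe] [absolute\path\to\payload.dll]
 * Both arguments default to DEFAULT_TARGET_EXE / DEFAULT_DLL_PATH.
 *
 * Fixes relative to the original listing: OpenProcess now requests the
 * rights CreateRemoteThread needs; VirtualAllocEx and GetExitCodeThread are
 * checked; VirtualFreeEx uses MEM_RELEASE (MEM_COMMIT is not a valid free
 * type); the remote buffer is freed on every path; the FreeLibrary thread is
 * created in hProcess (the original passed an already-closed thread handle).
 * The separate GetModuleHandleA remote thread is gone: LoadLibraryA's return
 * value, delivered as the first thread's exit code, is the same handle.
 *
 * Returns 0 on success, -1 on any failure.
 */
int main(int argc, char *argv[])
{
    LPCSTR lpProcessName = (argc > 1) ? argv[1] : DEFAULT_TARGET_EXE;
    LPCSTR lpDllName = (argc > 2) ? argv[2] : DEFAULT_DLL_PATH;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    LPVOID lpRemoteBuf = NULL;
    HMODULE hKernel32;
    LPTHREAD_START_ROUTINE pfnLoadLibrary;
    LPTHREAD_START_ROUTINE pfnFreeLibrary;
    SIZE_T dwSize;
    SIZE_T dwHasWrite = 0;
    DWORD dwPid;
    DWORD dwThreadId;
    DWORD dwRemoteModule = 0;
    int rc = -1;

    dwPid = getProcessHandle(lpProcessName);
    if (dwPid == 0) {
        printf("\n process %s not found", lpProcessName);
        return -1;
    }

    /* Best effort: without SeDebugPrivilege we can still open processes that
     * run as the same user, so a failure here is reported but not fatal. */
    if (!EnableDebugPriv()) {
        printf("\n continuing without SeDebugPrivilege");
    }

    /* CreateRemoteThread needs CREATE_THREAD, QUERY_INFORMATION, VM_OPERATION,
     * VM_WRITE and VM_READ. The original VM_OPERATION | VM_WRITE pair lets
     * WriteProcessMemory succeed but makes CreateRemoteThread fail with
     * ERROR_ACCESS_DENIED. */
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE |
                           PROCESS_VM_READ,
                           FALSE, dwPid);
    if (hProcess == NULL) {
        printf("\n get Process Handle error %d", (int)GetLastError());
        return -1;
    }

    /* Resolve the kernel32 exports in our own process. kernel32 is mapped at
     * the same base in every process of a session, so the addresses are valid
     * in the target as long as both sides have the same bitness. */
    hKernel32 = GetModuleHandleA("kernel32.dll");
    if (hKernel32 == NULL) {
        printf("\n GetModuleHandleA(kernel32) error %d", (int)GetLastError());
        goto cleanup;
    }
    pfnLoadLibrary = (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryA");
    pfnFreeLibrary = (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "FreeLibrary");
    if (pfnLoadLibrary == NULL || pfnFreeLibrary == NULL) {
        printf("\n GetProcAddress error %d", (int)GetLastError());
        goto cleanup;
    }

    /* Copy the path, including its terminating NUL, into the target. */
    dwSize = strlen(lpDllName) + 1;
    lpRemoteBuf = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
    if (lpRemoteBuf == NULL) {
        printf("\n VirtualAllocEx error %d", (int)GetLastError());
        goto cleanup;
    }
    if (!WriteProcessMemory(hProcess, lpRemoteBuf, lpDllName, dwSize, &dwHasWrite)) {
        printf("\n Write Remote process memory space error %d", (int)GetLastError());
        goto cleanup;
    }
    if (dwHasWrite != dwSize) {
        printf("\n short write to remote process: %lu of %lu bytes",
               (unsigned long)dwHasWrite, (unsigned long)dwSize);
        goto cleanup;
    }

    /* Run LoadLibraryA(lpRemoteBuf) on a new thread inside the target. */
    hThread = CreateRemoteThread(hProcess, NULL, 0, pfnLoadLibrary,
                                 lpRemoteBuf, 0, &dwThreadId);
    if (hThread == NULL) {
        printf("\n failed to establish a remote thread %d", (int)GetLastError());
        goto cleanup;
    }
    WaitForSingleObject(hThread, INFINITE);

    /* The thread's exit code is LoadLibraryA's return value (low 32 bits of
     * the HMODULE on 64-bit targets); 0 means the load failed. */
    if (!GetExitCodeThread(hThread, &dwRemoteModule) || dwRemoteModule == 0) {
        printf("\n LoadLibraryA failed in target (bad path or bitness mismatch?)");
        goto cleanup;
    }
    CloseHandle(hThread);
    hThread = NULL;

    /* Unload: FreeLibrary(handle) on another remote thread. The handle was
     * truncated to 32 bits by the exit code, so this is only correct for a
     * 32-bit target (see file header). */
    hThread = CreateRemoteThread(hProcess, NULL, 0, pfnFreeLibrary,
                                 (LPVOID)(ULONG_PTR)dwRemoteModule, 0, &dwThreadId);
    if (hThread == NULL) {
        printf("\n failed to create FreeLibrary thread %d", (int)GetLastError());
        goto cleanup;
    }
    WaitForSingleObject(hThread, INFINITE);
    rc = 0;

cleanup:
    if (hThread != NULL) {
        CloseHandle(hThread);
    }
    /* MEM_RELEASE with size 0 frees the whole region allocated above. */
    if (lpRemoteBuf != NULL) {
        VirtualFreeEx(hProcess, lpRemoteBuf, 0, MEM_RELEASE);
    }
    CloseHandle(hProcess);
    return rc;
}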