The code below is reproduced from another source; the original file is not given here.
In testing, the first function (Injectdll) worked, but running the second (Uninjectdll) was observed to hang the target program — possibly because the target has some protection mechanism. Note that the unload routine waits on the remote FreeLibrary thread with no timeout, so a DllMain(DLL_PROCESS_DETACH) that blocks inside the target would produce the same symptom; the listing alone does not show which it was.
Both ANSI and Unicode (_UNICODE) builds are supported through the TCHAR mappings.
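//-----------------------------------------------------------------------------------------------------------
// Function:    Injectdll
// Purpose:     Loads the specified DLL into the target process by creating a remote thread
//              whose start routine is kernel32!LoadLibrary and whose argument is the DLL
//              path, copied into the target's address space.
// Parameters:  [in] const TCHAR* ptszdllfile - DLL file name and path. A relative name is
//                   resolved against THIS process's current directory (GetFullPathName)
//                   before it is handed to the target, so the target loads the file that
//                   was checked here rather than whatever its own DLL search order would
//                   pick for a bare name.
//              [in] DWORD dwprocessid       - target process ID
// Return:      BOOL - TRUE when the remote LoadLibrary returned a non-NULL module handle;
//                     FALSE otherwise (bad argument, path longer than MAX_PATH, file not
//                     found, process could not be opened with the needed rights, remote
//                     allocation/write/thread creation failed, or LoadLibrary failed in
//                     the target).
// Description: Classic CreateRemoteThread + LoadLibrary injection.
//              - The LoadLibrary address is looked up in THIS process and reused in the
//                target, which is only valid when kernel32 is mapped at the same base in
//                both (same bitness, same boot session). Cross-bitness injection is not
//                supported.
//              - The wait on the remote thread is unbounded: if the DLL's DllMain blocks,
//                this call blocks as well. A timeout must NOT be followed by freeing the
//                remote buffer, since LoadLibrary may still be reading it.
//              - Injecting code into another process is a privileged, easily abused
//                operation; callers are responsible for validating the process ID and
//                DLL path they accept from their own inputs.
//-----------------------------------------------------------------------------------------------------------
BOOL Injectdll(const TCHAR* ptszdllfile, DWORD dwprocessid)
{
    // Invalid parameter.
    if (NULL == ptszdllfile || 0 == ::_tcslen(ptszdllfile))
    {
        return FALSE;
    }

    // Fully qualify the path in the injector's context (see header).
    TCHAR szFullPath[MAX_PATH] = { 0 };
    const DWORD dwPathLen = ::GetFullPathName(ptszdllfile, MAX_PATH, szFullPath, NULL);
    if (0 == dwPathLen || dwPathLen >= MAX_PATH)
    {
        return FALSE;
    }

    // The specified DLL file does not exist. This is checked with the injector's own
    // privileges; the target may still be unable to read the file.
    if (-1 == ::_taccess(szFullPath, 0))
    {
        return FALSE;
    }

    // Open the target. PROCESS_QUERY_INFORMATION and PROCESS_VM_READ are requested in
    // addition to the original three rights because CreateRemoteThread is documented to
    // need all five.
    HANDLE hProcess = ::OpenProcess(
        PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION |
            PROCESS_VM_READ | PROCESS_VM_WRITE,
        FALSE, dwprocessid);
    if (NULL == hProcess)
    {
        return FALSE;
    }

    BOOL   bInjected   = FALSE;
    BOOL   bRemoteDone = FALSE;   // TRUE once the remote thread is known to have exited
    LPVOID pRemoteBuf  = NULL;
    HANDLE hThread     = NULL;

    do
    {
        // Room for the path plus terminator in the target; sizes are in bytes throughout.
        const SIZE_T cbPath = (::_tcslen(szFullPath) + 1) * sizeof(TCHAR);
        pRemoteBuf = ::VirtualAllocEx(hProcess, NULL, cbPath, MEM_COMMIT, PAGE_READWRITE);
        if (NULL == pRemoteBuf)
        {
            break;
        }

        // Copy the LoadLibrary argument into the target and insist on a complete write.
        SIZE_T cbWritten = 0;
        if (!::WriteProcessMemory(hProcess, pRemoteBuf, szFullPath, cbPath, &cbWritten) ||
            cbWritten != cbPath)
        {
            break;
        }

        // LoadLibraryA/W takes one pointer and returns one pointer-sized value, which is
        // why it can be used directly as a thread start routine. Export names are
        // case-sensitive, so "LoadLibraryW" must be spelled exactly (the original listing
        // asked for "Loadlibraryw", which GetProcAddress does not resolve).
        HMODULE hKernel32 = ::GetModuleHandle(_T("Kernel32"));
        if (NULL == hKernel32)
        {
            break;
        }
#ifdef _UNICODE
        FARPROC pfnLoadLibrary = ::GetProcAddress(hKernel32, "LoadLibraryW");
#else
        FARPROC pfnLoadLibrary = ::GetProcAddress(hKernel32, "LoadLibraryA");
#endif
        if (NULL == pfnLoadLibrary)
        {
            break;
        }

        // Run LoadLibrary(pRemoteBuf) inside the target.
        hThread = ::CreateRemoteThread(hProcess, NULL, 0,
                                       reinterpret_cast<LPTHREAD_START_ROUTINE>(pfnLoadLibrary),
                                       pRemoteBuf, 0, NULL);
        if (NULL == hThread)
        {
            break;
        }

        // Wait for the remote thread to end (unbounded, see header).
        if (WAIT_OBJECT_0 != ::WaitForSingleObject(hThread, INFINITE))
        {
            break;
        }
        bRemoteDone = TRUE;

        // The thread's exit code is LoadLibrary's return value (only the low 32 bits on a
        // 64-bit target). Zero means the load failed in the target, which the original
        // code ignored and reported as success.
        DWORD dwExitCode = 0;
        if (::GetExitCodeThread(hThread, &dwExitCode) && 0 != dwExitCode)
        {
            bInjected = TRUE;
        }
    } while (0);

    // Clean up. MEM_RELEASE with size 0 frees the whole region (the original MEM_DECOMMIT
    // with a character count only decommitted pages and left the reservation behind in
    // the target). The buffer is freed only if the remote thread never started or is known
    // to have exited; otherwise a small leak in the target is preferable to freeing memory
    // it may still be reading.
    if (NULL != pRemoteBuf && (NULL == hThread || bRemoteDone))
    {
        ::VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);
    }
    if (NULL != hThread)
    {
        ::CloseHandle(hThread);
    }
    ::CloseHandle(hProcess);
    return bInjected;
}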
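//-----------------------------------------------------------------------------------------------------------
// Function:    Uninjectdll
// Purpose:     Unloads the specified DLL from the target process by creating a remote thread
//              whose start routine is kernel32!FreeLibrary and whose argument is the module
//              handle found through a Toolhelp module snapshot of the target.
// Parameters:  [in] const TCHAR* ptszdllfile - DLL file name or path. A module matches when
//                   its file name (MODULEENTRY32::szModule) or full path (szExePath) equals
//                   the argument case-insensitively, or when its full path equals the
//                   argument resolved against THIS process's current directory (so the
//                   same string that was given to Injectdll also works here).
//              [in] DWORD dwprocessid       - target process ID
// Return:      BOOL - TRUE when the module was found and the remote FreeLibrary reported
//                     success; FALSE otherwise (bad argument, snapshot/enumeration failed,
//                     module not loaded, process could not be opened with the needed
//                     rights, thread creation failed, or FreeLibrary returned FALSE in
//                     the target).
// Description: - FreeLibrary only decrements the module's reference count; the DLL stays
//                mapped if the target holds other references to it.
//              - The FreeLibrary address is looked up in THIS process and reused in the
//                target, so as with injection both processes must have the same bitness.
//              - The wait on the remote thread is unbounded; if the DLL's
//                DllMain(DLL_PROCESS_DETACH) blocks in the target, this call blocks too.
//-----------------------------------------------------------------------------------------------------------
BOOL Uninjectdll(const TCHAR* ptszdllfile, DWORD dwprocessid)
{
    // Invalid parameter.
    if (NULL == ptszdllfile || 0 == ::_tcslen(ptszdllfile))
    {
        return FALSE;
    }

    // Fully qualified form of the argument, used as an extra match against szExePath.
    // If it cannot be resolved (or exceeds MAX_PATH) only the raw argument is matched.
    TCHAR szFullPath[MAX_PATH] = { 0 };
    const DWORD dwPathLen = ::GetFullPathName(ptszdllfile, MAX_PATH, szFullPath, NULL);
    const BOOL bHaveFullPath = (0 != dwPathLen && dwPathLen < MAX_PATH);

    // Module snapshot. TH32CS_SNAPMODULE is documented to fail transiently with
    // ERROR_BAD_LENGTH while the target is still loading modules; retry a few times.
    HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
    for (int nAttempt = 0; nAttempt < 10; ++nAttempt)
    {
        hModuleSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwprocessid);
        if (INVALID_HANDLE_VALUE != hModuleSnap || ERROR_BAD_LENGTH != ::GetLastError())
        {
            break;
        }
    }
    if (INVALID_HANDLE_VALUE == hModuleSnap)
    {
        return FALSE;
    }

    MODULEENTRY32 me32;
    memset(&me32, 0, sizeof(MODULEENTRY32));
    me32.dwSize = sizeof(MODULEENTRY32);

    // Walk the snapshot looking for the requested module.
    BOOL bFound = FALSE;
    for (BOOL bMore = ::Module32First(hModuleSnap, &me32); bMore;
         bMore = ::Module32Next(hModuleSnap, &me32))
    {
        if (0 == ::_tcsicmp(me32.szModule, ptszdllfile) ||
            0 == ::_tcsicmp(me32.szExePath, ptszdllfile) ||
            (bHaveFullPath && 0 == ::_tcsicmp(me32.szExePath, szFullPath)))
        {
            bFound = TRUE;
            break;
        }
    }
    ::CloseHandle(hModuleSnap);   // me32 is a copy and stays valid after this
    if (!bFound)
    {
        return FALSE;
    }

    // Open the target with the rights CreateRemoteThread is documented to need
    // (the original asked only for PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION).
    HANDLE hProcess = ::OpenProcess(
        PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION |
            PROCESS_VM_READ | PROCESS_VM_WRITE,
        FALSE, dwprocessid);
    if (NULL == hProcess)
    {
        return FALSE;
    }

    BOOL   bUnloaded = FALSE;
    HANDLE hThread   = NULL;

    do
    {
        // FreeLibrary(HMODULE) -> BOOL has the thread-start-routine shape. Export names are
        // case-sensitive and must not carry stray spaces (the listing had " FreeLibrary ",
        // which GetProcAddress would not resolve).
        HMODULE hKernel32 = ::GetModuleHandle(_T("Kernel32"));
        if (NULL == hKernel32)
        {
            break;
        }
        FARPROC pfnFreeLibrary = ::GetProcAddress(hKernel32, "FreeLibrary");
        if (NULL == pfnFreeLibrary)
        {
            break;
        }

        // me32.hModule is the module handle in the target's context (in practice the same
        // value as modBaseAddr, which the original passed).
        hThread = ::CreateRemoteThread(hProcess, NULL, 0,
                                       reinterpret_cast<LPTHREAD_START_ROUTINE>(pfnFreeLibrary),
                                       me32.hModule, 0, NULL);
        if (NULL == hThread)
        {
            break;
        }

        // Wait for the remote thread to end (unbounded, see header).
        if (WAIT_OBJECT_0 != ::WaitForSingleObject(hThread, INFINITE))
        {
            break;
        }

        // The thread's exit code is FreeLibrary's BOOL result; the original reported
        // success without looking at it.
        DWORD dwExitCode = 0;
        if (::GetExitCodeThread(hThread, &dwExitCode) && 0 != dwExitCode)
        {
            bUnloaded = TRUE;
        }
    } while (0);

    // Clean up.
    if (NULL != hThread)
    {
        ::CloseHandle(hThread);
    }
    ::CloseHandle(hProcess);
    return bUnloaded;
}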
C++ DLL remote-thread injection and unload functions.