This article describes a C++ class that wraps remote DLL injection via the CreateRemoteThreadEx method, shared for reference. The details are as follows:
First, the file name of the DLL to inject is passed in when the class is initialized.
Only two functions are used:
The code is as follows:
// Inject the DLL into the specified process's address space
BOOL Injectmoduleinto (DWORD dwprocessid);
// Unload the DLL from the specified process's address space
BOOL Ejectmodulefrom (DWORD dwprocessid);
The .h header file is as follows:
The code is as follows:
#pragma once
#include <windows.h>//included in header file
// Wraps loading/unloading a DLL in another process by way of a remote thread
// (see the .cpp: OpenProcess / VirtualAllocEx / WriteProcessMemory /
// CreateRemoteThreadEx). SeDebugPrivilege is enabled in the constructor and
// disabled again in the destructor.
// NOTE(review): this is the textbook CreateRemoteThread injection pattern;
// the API sequence is what endpoint monitoring keys on, so treat any use of
// this class as security-sensitive and keep its callers auditable.
Class Cremthreadinject
{
Public
// lpdllname: name of the DLL to load/unload; MAX_PATH bytes are copied into m_szdllname.
Cremthreadinject (LPSTR lpdllname);
~cremthreadinject (void);
Protected
// DLL name compared (case-insensitively) against each szModule in the target's module snapshot.
Char M_szdllname[max_path];
// Sets (benable != 0) or clears SE_DEBUG_NAME on the current process token.
// Returns FALSE if the token cannot be opened or the privilege was not assigned.
static bool Enabledebugprivilege (bool benable);
Public
// Inject the DLL into the specified process's address space.
BOOL Injectmoduleinto (DWORD dwprocessid);
// Unload the DLL from the specified process's address space.
BOOL Ejectmodulefrom (DWORD dwprocessid);
};
The .cpp source file is as follows:
The code is as follows:
#include "RemThreadInject.h"
#include <tlhelp32.h>
// Stores the DLL name and turns on SeDebugPrivilege for the lifetime of the object.
// NOTE(review): memcpy copies MAX_PATH bytes unconditionally, so a shorter
// lpdllname buffer is over-read and m_szdllname is not guaranteed to be
// NUL-terminated; a length-bounded string copy would be the safer choice.
Cremthreadinject::cremthreadinject (LPSTR lpdllname)
{
memcpy (M_szdllname, Lpdllname, MAX_PATH);
// The privilege stays enabled until the destructor runs — keep instances
// short-lived so the elevated privilege is held only while it is needed.
Enabledebugprivilege (TRUE);
}
// Drops SeDebugPrivilege again; the return value of the call is ignored.
Cremthreadinject::~cremthreadinject (void)
{
Enabledebugprivilege (FALSE);
}
// Enables or disables SE_DEBUG_NAME on the current process token.
// benable: TRUE sets SE_PRIVILEGE_ENABLED, FALSE clears the attribute.
// Returns TRUE on success; FALSE if the token cannot be opened, the
// adjustment call fails, or the privilege is not held by the token
// (ERROR_NOT_ALL_ASSIGNED — presumably only administrators hold it by default).
BOOL Cremthreadinject::enabledebugprivilege (bool benable)
{
HANDLE htoken = Invalid_handle_value;
// OpenProcessToken: only TOKEN_ADJUST_PRIVILEGES is requested.
if (0 =:: OpenProcessToken (:: GetCurrentProcess (), Token_adjust_privileges, &htoken))
{
return FALSE;
}
Luid Luid;
// NOTE(review): the return value of LookupPrivilegeValue is not checked; on
// failure `luid` is left indeterminate and still passed to AdjustTokenPrivileges.
:: Lookupprivilegevalue (NULL, Se_debug_name, &luid);
Token_privileges TP;
Tp. Privilegecount = 1;
Tp. Privileges[0]. Luid = LUID;
if (benable)
Tp. Privileges[0]. Attributes = se_privilege_enabled;
Else
Tp. Privileges[0]. Attributes = 0;
if (! AdjustTokenPrivileges (
Htoken,
FALSE,
&TP,
sizeof (Token_privileges),
(ptoken_privileges) Null
(Pdword) NULL))
{
// NOTE(review): htoken is leaked on this and the next early return;
// it is only closed on the success path below.
return FALSE;
}
// AdjustTokenPrivileges can return success while assigning nothing;
// this check catches that case.
if (GetLastError () = = error_not_all_assigned)
{
return FALSE;
}
:: CloseHandle (Htoken);
return TRUE;
}
// Inject the DLL into the specified process's address space
// Loads m_szdllname into process dwprocessid by creating a remote thread whose
// start routine is kernel32!LoadLibraryA and whose argument is a copy of the
// DLL name written into the target's address space.
// Returns FALSE if dwprocessid is this process, the module snapshot fails, the
// module is already loaded, OpenProcess fails, or the remote thread cannot be
// created; TRUE once the remote thread has finished.
// NOTE(review): the OpenProcess(PROCESS_VM_WRITE|PROCESS_CREATE_THREAD) ->
// VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThreadEx sequence is the
// classic process-injection signature that endpoint detections look for;
// any use of this function should be treated as security-sensitive.
BOOL Cremthreadinject::injectmoduleinto (DWORD dwprocessid)
{
// Refuse to operate on our own process.
if (:: GetCurrentProcessId () = Dwprocessid)
{
return FALSE;
}
// NOTE(review): bfound is never initialised, so if the loop below ends without
// a match its value is indeterminate; it should start out as FALSE.
BOOL Bfound;
/************************************************************************/
/* Module traversal: is the DLL already loaded in the target?            */
/************************************************************************/
HANDLE hmodulesnap = Invalid_handle_value;
MODULEENTRY32 me32;
// Take a snapshot of all modules in the specified process.
Hmodulesnap = CreateToolhelp32Snapshot (Th32cs_snapmodule, Dwprocessid);
if (Hmodulesnap = = INVALID_HANDLE_VALUE)
{
return (FALSE);
}
me32.dwsize = sizeof (MODULEENTRY32);
if (! Module32first (Hmodulesnap, &me32))
{
CloseHandle (HMODULESNAP); // Must clean up the snapshot object!
return (FALSE);
}
// Case-insensitive compare of each module's base name against m_szdllname.
// NOTE(review): szModule holds the file name only; if the caller passed a
// full path this compare never matches — confirm the expected form of lpdllname.
Todo
{
if (stricmp (me32.szmodule, m_szdllname) = = 0)
{
Bfound = TRUE;
Break
}
while (Module32next (Hmodulesnap, &me32));
// Do not forget to free the snapshot object.
CloseHandle (HMODULESNAP);
if (bfound)//If the module is already loaded, it is no longer loaded
{
return FALSE;
}
// Not loaded yet: open the process with the rights the remote thread needs.
HANDLE hprocess =:: OpenProcess (Process_create_thread | process_vm_operation | Process_vm_write, FALSE, Dwprocessid);
if (hprocess = NULL)
{
return FALSE;
}
Hmodule hKernerl32 = GetModuleHandle ("kernel32.dll");
Lpthread_start_routine Pfnloadlibrarya = (lpthread_start_routine):: GetProcAddress (HKernerl32, "LoadLibraryA");
int cbsize = strlen (m_szdllname) +1;
// NOTE(review): neither the allocation nor the write is checked, so a NULL
// Lpremotedllname would be handed to the remote thread; the remote buffer is
// also never released with VirtualFreeEx.
LPVOID Lpremotedllname =:: VirtualAllocEx (hprocess, 0, cbsize, Mem_commit, page_readwrite);
:: WriteProcessMemory (hprocess, Lpremotedllname, M_szdllname, cbsize, NULL);
HANDLE Hremotethread =:: Createremotethreadex (hprocess, NULL, 0, Pfnloadlibrarya, lpremotedllname, 0, NULL, NULL);
if (NULL = = Hremotethread)
{
:: CloseHandle (hprocess);
return FALSE;
}
// Wait for the remote thread to finish, i.e. for LoadLibraryA to return.
// NOTE(review): the thread's exit code (LoadLibraryA's result) is not read,
// so TRUE here only means the thread ran, not that the DLL actually loaded.
:: WaitForSingleObject (Hremotethread, INFINITE);
:: CloseHandle (Hremotethread);
:: CloseHandle (hprocess);
return TRUE;
}
// Unload the DLL from the specified process's address space
// Unloads m_szdllname from process dwprocessid by creating a remote thread
// whose start routine is kernel32!FreeLibrary.
// Returns FALSE if dwprocessid is this process, the module snapshot fails, the
// module is not loaded, OpenProcess fails, or the remote thread cannot be
// created; TRUE once the remote thread has finished.
// NOTE(review): FreeLibrary takes an HMODULE, yet the argument handed to the
// remote thread below is the DLL *name* buffer written into the target, so
// the call cannot unload the intended module. The snapshot entry me32 found
// in the loop already carries the module handle that FreeLibrary would need.
// Same cross-process API sequence as injectmoduleinto — equally
// security-sensitive and equally visible to endpoint monitoring.
BOOL Cremthreadinject::ejectmodulefrom (DWORD dwprocessid)
{
// Refuse to operate on our own process.
if (:: GetCurrentProcessId () = Dwprocessid)
{
return FALSE;
}
// NOTE(review): bfound is never initialised (same defect as injectmoduleinto);
// it should start out as FALSE.
BOOL Bfound;
/************************************************************************/
/* Module traversal: is the DLL loaded in the target at all?             */
/************************************************************************/
HANDLE hmodulesnap = Invalid_handle_value;
MODULEENTRY32 me32;
// Take a snapshot of all modules in the specified process.
Hmodulesnap = CreateToolhelp32Snapshot (Th32cs_snapmodule, Dwprocessid);
if (Hmodulesnap = = INVALID_HANDLE_VALUE)
{
return (FALSE);
}
me32.dwsize = sizeof (MODULEENTRY32);
if (! Module32first (Hmodulesnap, &me32))
{
CloseHandle (HMODULESNAP); // Must clean up the snapshot object!
return (FALSE);
}
// Case-insensitive compare of each module's base name against m_szdllname.
Todo
{
if (stricmp (me32.szmodule, m_szdllname) = = 0)
{
Bfound = TRUE;
Break
}
while (Module32next (Hmodulesnap, &me32));
// Do not forget to free the snapshot object.
CloseHandle (HMODULESNAP);
if (!bfound)//If the module is not loaded, you cannot uninstall
{
return FALSE;
}
// Loaded: open the process with the rights the remote thread needs.
HANDLE hprocess =:: OpenProcess (Process_create_thread | process_vm_operation | Process_vm_write, FALSE, Dwprocessid);
if (hprocess = NULL)
{
return FALSE;
}
Hmodule hKernerl32 = GetModuleHandle ("kernel32.dll");
Lpthread_start_routine pfnfreelibrary = (lpthread_start_routine):: GetProcAddress (HKernerl32, "FreeLibrary");
int cbsize = strlen (m_szdllname) +1;
// NOTE(review): allocation and write are unchecked, and the remote buffer is
// never released with VirtualFreeEx (same as injectmoduleinto).
LPVOID Lpremotedllname =:: VirtualAllocEx (hprocess, 0, cbsize, Mem_commit, page_readwrite);
:: WriteProcessMemory (hprocess, Lpremotedllname, M_szdllname, cbsize, NULL);
HANDLE Hremotethread =:: Createremotethreadex (hprocess, NULL, 0, pfnfreelibrary, lpremotedllname, 0, NULL, NULL);
if (NULL = = Hremotethread)
{
:: CloseHandle (hprocess);
return FALSE;
}
// Wait for the remote thread to finish, i.e. for FreeLibrary to return.
// NOTE(review): the thread's exit code (FreeLibrary's result) is not read,
// so TRUE here only means the thread ran, not that the module was unloaded.
:: WaitForSingleObject (Hremotethread, INFINITE);
:: CloseHandle (Hremotethread);
:: CloseHandle (hprocess);
return TRUE;
}
I hope this article helps with your C++ program design.