Implement DLL injection into the explorer process
# Include <windows. h>
# Include <tlhelp32.h> // declare the header file of the snapshot function
# Include "stdio. H"
# Include "tchar. H" // _ tcsrchr
// Image name of the process that receives the DLL. The page title says
// "explorer", but the literal here is iexplore.exe (Internet Explorer). It is
// compared case-insensitively against the snapshot's szExeFile in findprocess,
// so if the trailing space inside the quotes is really in the source and not a
// paste artifact, the name will never match.
Lptstr target = "iexplore.exe ";
// Look a process up by image name. Return convention (see findprocess): the
// process id, 0 when nothing matched, (DWORD)-1 when the snapshot failed.
DWORD findprocess (lptstr lpszproname); // query the process
// Load the DLL at lpszdll into process dwpid; true only means the remote
// thread ran to completion (see remoteloadlibrary for what is not checked).
Bool remoteloadlibrary (DWORD dwpid, lpcstr lpszdll); // Insert Process
// Entry point: build the path of injectdll.dll next to this executable, look
// up the target process, and hand both to remoteloadlibrary.
// Returns 1 on success and 0 on failure -- the reverse of the usual exit-code
// convention, so a caller that tests the exit status must invert it.
// argc/argv are unused; the target name comes from the global `target`.
Int main (INT argc, char * argv [])
{
Dword pid;
Char dir [max_path];
// NOTE(review): the return value is not checked; on truncation the buffer
// holds a partial path. As pasted, the closing parenthesis is also missing.
Getmodulefilename (null, Dir, sizeof (DIR); // obtain the path of the current module.
// Truncate just after the last backslash to keep only the directory. Assumes a
// backslash is present: if _tcsrchr returns NULL this indexes a null pointer.
(_ Tcsrchr (Dir, _ T ('\') [1] = 0; // delete the file name and only obtain the path string
// Unbounded append into a fixed max_path buffer; a bounded write (snprintf
// with sizeof dir, checking the result) would not overflow when the module
// path is already close to max_path.
Strcat (Dir, "injectdll. dll"); // dll path
// findprocess returns 0 when no process matched and (DWORD)-1 when the
// snapshot failed; neither value is checked before it is passed on.
PID = findprocess (target );
// Printf ("% u \ n", pid );
// Printf ("% s \ n", DIR );
If (remoteloadlibrary (PID, (lpcstr) DIR ))
{
Printf ("inject success! \ N ");
Return 1;
} Else
{
Printf ("inject failed! \ N ");
Return 0;
}
Return 1; // unreachable: both branches above return
}
// Walk a Toolhelp process snapshot and return the id of the first process
// whose image name equals lpszproname (case-insensitive).
// Returns: the process id; 0 when no process matched; (DWORD)-1 when the
// snapshot could not be created. The -1 travels through a DWORD and so
// arrives at the caller as 0xFFFFFFFF, and 0 is indistinguishable from "not
// found" unless the caller tests for it.
// As pasted, `=` appears where `==` is meant in the two comparisons below.
DWORD findprocess (lptstr lpszproname)
{
Bool bmore = false; // loop flag: whether Process32First/Next returned an entry
Handle hsnap = NULL; // snapshot handle
DWORD dwpid = 0; // process ID; stays 0 if no match
Processentry32 pe32; // Process Information Structure
Pe32.dwsize = sizeof (pe32); // dwSize must be filled in before Process32First, or it fails
// CreateToolhelp32Snapshot (name garbled by the paste); all processes, pid arg unused
Hsnap = createconlhelp32snapshot (th32cs_snapprocess, 0 );
If (hsnap = invalid_handle_value) // failed
{
Return-1; // becomes 0xFFFFFFFF through the DWORD return type
}
// Process snapshot Traversal
Bmore = process32first (hsnap, & pe32 );
While (bmore)
{
// Compare image names, case insensitive. szExeFile carries the file name
// only (no path). Only the first match is taken; a second process with the
// same name is never considered.
If (lstrcmpi (pe32.szexefile, lpszproname) = 0)
{
Dwpid = pe32.th32processid;
Break;
}
Bmore = process32next (hsnap, & pe32 );
}
// Release the snapshot object
Closehandle (hsnap );
Return dwpid;
}
// Load the DLL at lpszdll into process dwpid: the path is written into the
// target's address space and a remote thread is started at LoadLibraryA with
// that path as its argument.
// Entry parameter: dwpid-> process id value
// Lpszdll-> dll path to be injected (ANSI, to match LoadLibraryA/lstrlenA)
// Return value: True-> success false-> failed
// "Success" only means the remote thread was created and finished; the
// thread's exit code (LoadLibraryA's result) is never read, so a DLL that
// fails to load is still reported as true.
// Defects, in order of appearance: the OpenProcess handle is not checked for
// NULL; the short-write cleanup calls VirtualFree with a process handle (the
// cross-process routine is VirtualFreeEx); the remote thread handle is not
// checked before WaitForSingleObject; the remote buffer is never released on
// the success path.
Bool remoteloadlibrary (DWORD dwpid, lpcstr lpszdll)
{
DWORD dwsize, dwwritten;
DWORD dwid = 0;
Handle hthread = NULL;
Lpvoid pfun = NULL;
Handle HPrO = NULL;
Lpvoid lpbuf = NULL;
HPrO = OpenProcess (// open the process; NULL on failure, which is not checked here
Process_create_thread // required by CreateRemoteThread
| Process_vm_operation // required by VirtualAllocEx
| Process_vm_write, // required by WriteProcessMemory
False, // bInheritHandle: the handle is not inheritable
Dwpid // specify the process ID
);
// Calculate the write size
Dwsize = lstrlena (lpszdll) + 1; // +1 for the terminating NUL
// Allocate virtual space in the specified process space
Lpbuf = virtualallocex (
HPrO, // Process Handle where the applied memory is located
Null, // let the system choose the address
Dwsize, // memory size to be allocated
Mem_commit, // commit the pages
Page_readwrite // read/write the memory area
);
If (null = lpbuf) // failed (also the path taken when HPrO is NULL)
{
Closehandle (HPrO );
Return false;
}
// Write the DLL path into the target. The call below is split mid-identifier
// ("dwwr" / "Itten") by the paste; the last argument is &dwwritten.
If (writeprocessmemory (HPrO, lpbuf, (lpvoid) lpszdll, dwsize, & dwwr
Itten ))
{
// A short write leaves a partial, unterminated path; treat it as failure.
If (dwwritten! = Dwsize)
{
// Release the allocated space. VirtualFree takes no process handle; memory
// in another process is freed with VirtualFreeEx, and MEM_DECOMMIT leaves
// the reservation in place (MEM_RELEASE with size 0 frees it fully).
Virtualfree (HPrO, lpbuf, dwsize, mem_decommit );
Closehandle (HPrO );
Return false;
}
} Else // write failed
{
Closehandle (HPrO );
Return false;
}
// Address of LoadLibraryA in this process, used as the remote start address.
// NOTE(review): this assumes the target sees LoadLibraryA at the same
// address, which is not guaranteed (e.g. different architecture) -- confirm.
Pfun = loadlibrarya;
Hthread = createremotethread (
HPrO, // process in which the thread is created
Null, // thread Security Attribute
0, // default stack size
(Lpthread_start_routine) pfun, // start address: LoadLibraryA
Lpbuf, // thread parameter: the DLL path written above
0, // creation flags (0 = run immediately)
& Dwid // receives the new thread id
);
// Wait for the remote LoadLibraryA call to return. hthread is not checked for
// NULL first, so a failed CreateRemoteThread is waited on and then reported as
// success. A thread created in another process at a LoadLibrary address is a
// well-known signal in thread-creation telemetry, which is how this loader
// shows up in monitoring.
Waitforsingleobject (hthread, infinite );
Closehandle (hthread); // closes the thread handle
Closehandle (HPrO); // closes the Process Handle; lpbuf stays allocated in the target
Return true;
}