DLL inject Porcess code

Source: Internet
Author: User

Implement DLL injection into the explorer process

# Include <windows. h>
# Include <tlhelp32.h> // declare the header file of the snapshot function
# Include "stdio. H"
# Include "tchar. H" // _ tcsrchr

// Insert the DLL target process
Lptstr target = "iexplore.exe ";

DWORD findprocess (lptstr lpszproname); // query the process
Bool remoteloadlibrary (DWORD dwpid, lpcstr lpszdll); // Insert Process

Int main (INT argc, char * argv [])
{
Dword pid;
Char dir [max_path];
Getmodulefilename (null, Dir, sizeof (DIR); // obtain the path of the current module.
(_ Tcsrchr (Dir, _ T ('\') [1] = 0; // delete the file name and only obtain the path string
Strcat (Dir, "injectdll. dll"); // dll path
PID = findprocess (target );
// Printf ("% u \ n", pid );
// Printf ("% s \ n", DIR );
If (remoteloadlibrary (PID, (lpcstr) DIR ))
{
Printf ("inject success! \ N ");
Return 1;
} Else
{
Printf ("inject failed! \ N ");
Return 0;
}
Return 1;
}

DWORD findprocess (lptstr lpszproname)
{
Bool bmore = false; // Return Value
Handle hsnap = NULL; // snapshot handle
DWORD dwpid = 0; // process ID
Processentry32 pe32; // Process Information Structure
Pe32.dwsize = sizeof (pe32); // initialize the process structure size
Hsnap = createconlhelp32snapshot (th32cs_snapprocess, 0 );
If (hsnap = invalid_handle_value) // failed
{
Return-1;
}
// Process snapshot Traversal
Bmore = process32first (hsnap, & pe32 );
While (bmore)
{
// Compare process names, case insensitive
If (lstrcmpi (pe32.szexefile, lpszproname) = 0)
{
Dwpid = pe32.th32processid;
Break;
}
Bmore = process32next (hsnap, & pe32 );
}
// Release the snapshot object
Closehandle (hsnap );
Return dwpid;
}

// Inject DLL to the specified process
// Entry parameter: dwpid-> process id value
// Lpszdll-> dll path to be injected
// Return value: True-> success false-> failed
Bool remoteloadlibrary (DWORD dwpid, lpcstr lpszdll)
{
DWORD dwsize, dwwritten;
DWORD dwid = 0;
Handle hthread = NULL;
Lpvoid pfun = NULL;

Handle HPrO = NULL;
Lpvoid lpbuf = NULL;
HPrO = OpenProcess (// open the process and return the Process Handle
Process_create_thread // prevents conflicts with createremotethread
| Process_vm_operation // allows the virtualprotectex function to use this handle to modify the virtual memory of a process.
| Process_vm_write, // allow function access and write permissions
False, // cancel the transfer
Dwpid // specify the process ID
);
// Calculate the write size
Dwsize = lstrlena (lpszdll) + 1;
// Allocate virtual space in the specified process space
Lpbuf = virtualallocex (
HPrO, // Process Handle where the applied memory is located
Null, // reserve the memory address of the page and set it to NULL for automatic allocation
Dwsize, // memory size to be allocated
Mem_commit, // allocate physical storage in memory or disk page files for a specific page Area
Page_readwrite // read/write the memory area
);
If (null = lpbuf) // failed
{
Closehandle (HPrO );
Return false;
}
// Write
If (writeprocessmemory (HPrO, lpbuf, (lpvoid) lpszdll, dwsize, & dwwr

Itten ))
{
// Determine whether the actual write size is the same as the write size. If you do not want to write the data, the write fails.
If (dwwritten! = Dwsize)
{
// Release the allocated space
Virtualfree (HPrO, lpbuf, dwsize, mem_decommit );
Closehandle (HPrO );
Return false;
}
} Else // write failed
{
Closehandle (HPrO );
Return false;
}

Pfun = loadlibrarya;
Hthread = createremotethread (
HPrO, // specifies the process handle of the thread,
Null, // thread Security Attribute
0, // default system size
(Lpthread_start_routine) pfun, // call loadlibrary to load DLL
Lpbuf, // actual address of the thread function
0, // Parameter
& Dwid // thread creation flag
);
// Wait until freelibrary has been uninstalled
Waitforsingleobject (hthread, infinite );
Closehandle (hthread); // closes the thread handle
Closehandle (HPrO); // closes the Process Handle
Return true;
}

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.