/*
 * Listing note: this is a mangled paste (lower-cased Win32 identifiers, spaces
 * before parentheses, an entire function per physical line) of one function,
 * injectdlltoprocess, and the same function is pasted twice; the first copy's
 * name is garbled as "injectdlltoprocess to be injected". As written the text
 * does not compile, so the notes below describe what the text shows and the
 * defects a reviewer would flag rather than document a working implementation.
 *
 * What the text shows: GetWindowThreadProcessId -> OpenProcess(PROCESS_ALL_ACCESS)
 * -> VirtualAllocEx + WriteProcessMemory of a DLL path string -> CreateRemoteThread
 * with the LoadLibraryA address as the start routine -> WaitForSingleObject.
 * That call sequence is the canonical remote-thread DLL-loading pattern and is
 * exactly what host telemetry keys on: Sysmon Event ID 8 (CreateRemoteThread) and
 * an OpenProcess request for PROCESS_ALL_ACCESS against another process are the
 * usual detection points. On the target side, protected/elevated processes make
 * the OpenProcess call fail, which is the only failure this function reports
 * cleanly.
 *
 * Defects visible in the text (present in both copies):
 *  - `If (hprocess = NULL)` is an assignment, not a comparison: the test never
 *    fires and hprocess is overwritten with NULL. The Yoda-ordered checks
 *    `If (null = funaddr)` and `If (null = thread)` presumably meant `==`; as
 *    assignments to a constant they would not compile.
 *  - The GetCurrentDirectoryA return value and the VirtualAllocEx result are not
 *    checked, so a NULL parmaddr would reach WriteProcessMemory.
 *  - The WriteProcessMemory condition is missing its closing parenthesis.
 *  - Every early `return false` after OpenProcess succeeds leaks hprocess, and the
 *    remote allocation is never released (no VirtualFreeEx on any path).
 *  - The WaitForSingleObject result is ignored and the thread exit code (the
 *    LoadLibraryA return) is never read, so `Return true` does not mean the DLL
 *    actually loaded.
 *  - The two-argument strcat_s(DLL, ...) form is the MSVC C++ template overload;
 *    in C it needs an explicit destination size, which suggests the original is
 *    C++ rather than C.
 *  - The "//" path separator is a forward-slash pair; Windows path APIs generally
 *    accept forward slashes, but "\\" is the conventional separator.
 *  - Buffer handling: the 500-byte DLL array is concatenated without any check
 *    that the directory plus name fits, relying on strcat_s to fail instead.
 */
// Inject DLL into the window process // hwnd: Remote Window Process hwnd // lpcstr dllname: DLL namebool injectdlltoprocess to be injected (hwnd, lpcstr dllname) {DWORD processid; getwindowthreadprocessid (hwnd, & processid); // open the process and set full access to handle hprocess = OpenProcess (process_all_access, false, processid); If (hprocess = NULL) {return false;} // attaches the current program execution path to the dll path char DLL [500]; getcurrentdirectorya (sizeof (DLL), DLL); strcat_s (DLL, "//"); s Trcat_s (DLL, dllname); // calculate the DLL name String Length size_t size = strlen (DLL) + 1; // remotely allocate lpvoid parmaddr = virtualallocex (hprocess, null, size, mem_commit, page_readwrite); // write the DLL name to the remote process dword d; If (! Writeprocessmemory (hprocess, parmaddr, DLL, size, & D) {return false;} // read loadlibrarya address proc funaddr = getprocaddress (getmodulehandlea ("Kernel32 "), "loadlibrarya"); If (null = funaddr) {return false;} // create a remote thread to load the DLL. 
handle thread = createremotethread (hprocess, null, 0, (lpthread_start_routine) funaddr, parmaddr, 0, null); If (null = thread) {return false ;} // wait for the remote thread to end waitforsingleobject (thread, INFI Nite); closehandle (thread); closehandle (hprocess); Return true;} // inject DLL to Window Process // hwnd: Remote Window Process hwnd // lpcstr dllname: DLL namebool injectdlltoprocess (hwnd, lpcstr dllname) {DWORD processid; getwindowthreadprocessid (hwnd, & processid); // open the process, and set full access permissions handle hprocess = OpenProcess (process_all_access, false, processid); If (hprocess = NULL) {return false ;} // Add the current program execution path to the dll path char DLL [5 00]; getcurrentdirectorya (sizeof (DLL), DLL); strcat_s (DLL, "//"); strcat_s (DLL, dllname ); // calculate the DLL name String Length size_t size = strlen (DLL) + 1; // remotely allocate lpvoid parmaddr = virtualallocex (hprocess, null, size, mem_commit, page_readwrite ); // write the DLL name to the remote process dword d; If (! Writeprocessmemory (hprocess, parmaddr, DLL, size, & D) {return false;} // read loadlibrarya address proc funaddr = getprocaddress (getmodulehandlea ("Kernel32 "), "loadlibrarya"); If (null = funaddr) {return false;} // create a remote thread to load the DLL. handle thread = createremotethread (hprocess, null, 0, (lpthread_start_routine) funaddr, parmaddr, 0, null); If (null = thread) {return false ;} // wait for the remote thread to end waitforsingleobject (thread, infinite); closehandle (thread); closehandle (hprocess); Return true ;}