I wrote down this piece of code for a small program after checking a lot of reference material.
//
// DLL injection into the explorer process — code by LengF, 2011-5-3
//
# Include
# Include // Declare the header file of the snapshot function
# Include "stdio. h"
# Include "tchar. h" // _ tcsrchr
// Image name of the process to inject into (matched case-insensitively by FindProcess).
// NOTE(review): the literal ends in a space as extracted, so lstrcmpi can never match a
// process actually named iexplore.exe unless that space is an extraction artifact.
// Also note the file header speaks of "explorer" while this names iexplore.exe.
LPTSTR Target = "iexplore.exe ";
DWORD FindProcess (LPTSTR lpszProName); // query the process: image name -> PID (0 when not found, (DWORD)-1 when the snapshot fails)
BOOL RemoteLoadLibrary (DWORD dwPID, LPCSTR lpszDll); // Insert Process: load lpszDll into process dwPID via a remote LoadLibraryA thread
// Entry point: builds the path of injectdll.dll next to this executable, looks up the
// target process by image name and hands both to RemoteLoadLibrary.
// Return value: 1 when injection was reported as successful, 0 otherwise. This is the
// inverse of the usual process exit-status convention (0 = success), which matters if
// the program is driven from a script.
// Several tokens below look extraction-mangled (identifier capitalisation, a closing
// parenthesis missing on the GetModuleFileName line, the `_T(\)` escape, a space inside
// "injectdll. dll"); they are kept as found rather than guessed at. argc/argv are unused.
Int main (int argc, char * argv [])
{
DWORD pid;
Char dir [MAX_PATH];
GetModuleFileName (NULL, dir, sizeof (dir); // full path of this executable (NULL = the calling process)
(_ Tcsrchr (dir, _ T (\) [1] = 0; // truncate just after the last path separator, keeping the directory and its trailing backslash
// NOTE(review): unbounded strcat — when the directory is already close to MAX_PATH the
// appended file name overruns dir. A bounded _sntprintf/snprintf would be safer.
Strcat (dir, "injectdll. dll"); // dll path
// NOTE(review): pid is used unchecked below. FindProcess yields 0 when nothing matched
// and (DWORD)-1 when the snapshot failed; neither value is rejected before injection.
Pid = FindProcess (Target );
// Printf ("% u", pid );
// Printf ("% s", dir );
If (RemoteLoadLibrary (pid, (LPCSTR) dir ))
{
Printf ("Inject Success! ");
Return 1;
} Else
{
Printf ("Inject Failed! ");
Return 0;
}
Return 1; // unreachable: both branches above return
}
// Look up a process ID by image name through a Toolhelp process snapshot.
// Entry parameter: lpszProName -> image name to match; it is compared case-insensitively
//                  against PROCESSENTRY32.szExeFile, i.e. the file name only, no path.
// Return value: PID of the first matching process; 0 when no process matched;
//               (DWORD)-1, i.e. 0xFFFFFFFF, when the snapshot could not be taken.
// NOTE(review): the two failure sentinels are different values and the caller checks
// neither; "not found" and "snapshot failed" are indistinguishable from a real PID
// without comparing against both.
DWORD FindProcess (LPTSTR lpszProName)
{
BOOL bMore = FALSE; // result of the last Process32First/Process32Next call
HANDLE hSnap = NULL; // snapshot HANDLE
DWORD dwPID = 0; // process ID; stays 0 when nothing matches
PROCESSENTRY32 pe32; // Process Information Structure
Pe32.dwSize = sizeof (pe32); // Process32First requires dwSize to be set first
HSnap = createconlhelp32snapshot (TH32CS_SNAPPROCESS, 0 ); // extraction-mangled spelling of CreateToolhelp32Snapshot; TH32CS_SNAPPROCESS = all processes in the system
If (hSnap = INVALID_HANDLE_VALUE) // Failed -- written with a single = as extracted; the test the comment describes is an == comparison
{
Return-1; // -1 converted to the DWORD return type: the caller receives 0xFFFFFFFF, not a negative value
}
// Process snapshot Traversal
BMore = Process32First (hSnap, & pe32 );
While (bMore)
{
// Compare process names, case insensitive (again a single = as extracted where == is meant)
If (lstrcmpi (pe32.szExeFile, lpszProName) = 0)
{
DwPID = pe32.th32ProcessID; // first match wins; further processes with the same image name are ignored
Break;
}
BMore = Process32Next (hSnap, & pe32 );
}
// Release the snapshot object
CloseHandle (hSnap );
Return dwPID;
}
// Inject dll to the specified process
// Entry parameter: DwPID-> process ID value
// LpszDll-> DLL path to be injected (ANSI string: lstrlenA and LoadLibraryA are used throughout)
// Return value: TRUE-> Success FALSE-> Failed
// How it works: the path string is copied into the target's address space and a remote
// thread is started at LoadLibraryA with that string as its argument, so the target
// process loads the DLL itself.
// NOTE(review): the OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
// CreateRemoteThread sequence is the canonical cross-process injection pattern and is
// exactly what EDR products and Sysmon (event 8, CreateRemoteThread) record; this
// function is the natural place to validate such detections against.
// NOTE(review): TRUE is returned without checking that CreateRemoteThread succeeded or
// what LoadLibraryA returned inside the target, so "Inject Success!" can be reported
// when nothing was loaded.
BOOL RemoteLoadLibrary (DWORD dwPID, LPCSTR lpszDll)
{
DWORD dwSize, dwWritten; // bytes to copy (path + NUL) / bytes actually written
DWORD dwID = 0; // id of the remote thread, filled in by CreateRemoteThread
HANDLE hThread = NULL;
LPVOID pFun = NULL; // start address for the remote thread
HANDLE hPro = NULL;
LPVOID lpBuf = NULL; // buffer allocated inside the target process
HPro = OpenProcess (// open the process and return the Process Handle
PROCESS_CREATE_THREAD // required by CreateRemoteThread below
| PROCESS_VM_OPERATION // required by VirtualAllocEx (and by VirtualFreeEx)
| PROCESS_VM_WRITE, // required by WriteProcessMemory
FALSE, // bInheritHandle: the handle is not inherited by child processes
DwPID // specify the process ID
);
// NOTE(review): hPro is never checked for NULL. OpenProcess fails for a bad PID or a
// protected/elevated target; execution continues and only fails indirectly when
// VirtualAllocEx rejects the NULL handle, after which CloseHandle(NULL) is called.
// Calculate the write size
DwSize = lstrlenA (lpszDll) + 1; // +1 for the terminating NUL
// Allocate virtual space in the specified process space
LpBuf = VirtualAllocEx (
HPro, // Process Handle where the applied memory is located
NULL, // no preferred address: let the system choose
DwSize, // memory size to be allocated
MEM_COMMIT, // commit the pages (reserve + back them) in one step
PAGE_READWRITE // the string is data only; it never needs to be executable
);
If (NULL = lpBuf) // Failed (single = as extracted; == is meant)
{
CloseHandle (hPro );
Return FALSE;
}
// Write the path string into the target; the (LPVOID) cast is unnecessary, WriteProcessMemory takes LPCVOID
If (WriteProcessMemory (hPro, lpBuf, (LPVOID) lpszDll, dwSize, & dwWritten ))
{
// Treat a short write as failure: a partially copied path would not be NUL-terminated inside the target.
If (dwWritten! = DwSize)
{
// Release the allocated space
// NOTE(review): VirtualFree operates on the calling process and takes three arguments,
// so this call does not compile as written; memory in another process is released with
// VirtualFreeEx(hPro, lpBuf, dwSize, MEM_DECOMMIT).
VirtualFree (hPro, lpBuf, dwSize, MEM_DECOMMIT );
CloseHandle (hPro );
Return FALSE;
}
} Else // write failed
{
// NOTE(review): lpBuf is leaked inside the target on this path (and on the success path below).
CloseHandle (hPro );
Return FALSE;
}
// Local address of kernel32!LoadLibraryA is reused as the remote start address; this
// presumes kernel32 is mapped at the same base in the target — an assumption, not checked here.
PFun = LoadLibraryA;
HThread = CreateRemoteThread (
HPro, // process in which the thread is created
NULL, // lpThreadAttributes: default security, not inheritable
0, // dwStackSize: default stack size
(LPTHREAD_START_ROUTINE) pFun, // lpStartAddress: LoadLibraryA in the target
LpBuf, // lpParameter: the DLL path copied into the target above
0, // dwCreationFlags: run immediately
& DwID // lpThreadId: receives the new thread's id
);
// NOTE(review): hThread is not checked; if CreateRemoteThread failed (NULL) the wait
// below returns WAIT_FAILED at once and TRUE is still returned.
// Block until the remote LoadLibraryA call has finished (INFINITE: no timeout).
WaitForSingleObject (hThread, INFINITE );
CloseHandle (hThread); // closes the thread handle; its exit code (the HMODULE from LoadLibraryA) is never read
CloseHandle (hPro); // closes the Process Handle
Return TRUE;
}