//#define UNICODE
#ifdef UNICODE
#define _UNICODE
#endif
#include <windows.h>
#include <stdio.h>
#include <conio.h>
#include <tchar.h>
//#define AH_STATIC_LINKING
#include <ApiHooks.h>
//#define PW_STATIC_LINKING
#include <PrcWorks.h>
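// Value passed as the last argument of IsModuleLoaded (declared in ApiHooks.h).
// Kept as a literal macro so the argument's type conversion is exactly what the
// original call performed; the name suggests "do not return the remote thread
// suspended" - confirm against ApiHooks.h.
#define RETURN_SUSPENDED 0

// Privilege number handed to RtlAdjustPrivilege: 20 is the LUID value of
// SeDebugPrivilege. <windows.h> only exports the privilege's name string, so
// the numeric value is spelled out here.
static const DWORD kSeDebugPrivilege = 20;

// Expands environment-variable references in a command-line argument into a
// caller-supplied buffer of Capacity TCHARs.
//
// ExpandEnvironmentStrings returns 0 on failure, otherwise the number of
// TCHARs needed including the terminator; when that exceeds Capacity the
// buffer contents are not usable. The original code never checked this and
// went on to use a possibly unfilled buffer, so both cases are reported as
// FALSE and the caller must not read Destination afterwards.
static BOOL ExpandArgument(const TCHAR* Source, TCHAR* Destination, DWORD Capacity) {
    const DWORD Needed = ExpandEnvironmentStrings(Source, Destination, Capacity);
    return (Needed != 0) && (Needed <= Capacity);
}

// Best-effort attempt to enable SeDebugPrivilege for the current process via
// the undocumented ntdll export RtlAdjustPrivilege (it must already be present
// in the token, i.e. the tool is meant to run with administrative rights).
//
// Returns FALSE when ntdll cannot be located, the export is missing, or the
// call reports an NTSTATUS failure (negative value). The caller only warns
// on FALSE and proceeds, matching the original best-effort behaviour.
static BOOL EnableDebugPrivilege(void) {
    typedef LONG (WINAPI *RtlAdjustPrivilegeFn)(DWORD, BOOL, DWORD, BYTE*);

    const HMODULE hNtDll = GetModuleHandle(_T("ntdll.dll"));
    if (hNtDll == NULL)
        return FALSE;

    const RtlAdjustPrivilegeFn AdjustPrivilege =
        reinterpret_cast<RtlAdjustPrivilegeFn>(GetProcAddress(hNtDll, "RtlAdjustPrivilege"));
    if (AdjustPrivilege == NULL)
        return FALSE;

    BYTE WasEnabled = 0;  // previous state, reported by the call; unused here
    // Third argument FALSE: adjust the process token, not the current thread.
    // NTSTATUS: zero is STATUS_SUCCESS, negative values are failures.
    return AdjustPrivilege(kSeDebugPrivilege, TRUE, FALSE, &WasEnabled) >= 0;
}

// Entry point:  isdllpresent <ProcessName> <ModuleName>
//
// Resolves the target process by name (PrcWorks), enables SeDebugPrivilege on
// a best-effort basis, then asks ApiHooks' IsModuleLoaded whether ModuleName
// is mapped in that process. The RCINFO fields touched on the timeout path
// (hThread, hProcess, ThreadStack, ThreadBody) indicate that IsModuleLoaded
// executes a thread inside the target; the cleanup sequence mirrors what the
// library itself does when it does not time out.
//
// argv[1], argv[2]: process and module names; environment variables are
//                   expanded and each must fit in MAX_PATH TCHARs.
// Returns:          AHResult - 0 when the module is not present, the module
//                   base address when it is, or one of the ErrorAH* codes
//                   from ApiHooks.h; usage and PrcWorks errors leave it 0.
// Waits for a key press before exiting, as the original did.
DWORD _tmain(int argc, TCHAR** argv) {
    DWORD AHResult = 0;

    if (argc != 3) {
        _tprintf(_T("Usage: %s <ProcessName> <ModuleName>"), argv[0]);
    } else {
        TCHAR ProcessName[MAX_PATH];
        TCHAR ModuleName[MAX_PATH];

        // Both arguments come from the command line and may expand to
        // something longer than the buffers; refuse rather than read garbage.
        if (!ExpandArgument(argv[1], ProcessName, MAX_PATH) ||
            !ExpandArgument(argv[2], ModuleName, MAX_PATH)) {
            _tprintf(_T("Argument too long or cannot be expanded!"));
        } else {
            const DWORD PID = ProcessName2PID(ProcessName);

            if ((PID == PW_PIDERROR) || (PID == PW_SESERROR)) {
                _tprintf(_T("Process '%s' not found!"), argv[1]);
            } else if (PID == PW_MEMERROR) {
                _tprintf(_T("Not enough memory!"));
            } else {
                // Without the privilege, opening a process of another user or
                // of higher integrity presumably fails inside IsModuleLoaded
                // with a less specific ErrorAH* code, so say so up front.
                if (!EnableDebugPrivilege())
                    _tprintf(_T("Warning: SeDebugPrivilege not enabled, access to the process may be denied.\n"));

                RCINFO lRCI;
                memcpy(&lRCI, GetDefaultRCInfo(), sizeof(lRCI));
                // Presumably "the caller handles the timeout itself" - this
                // is why the ErrorAHTimeOut branch below waits and frees the
                // remote resources; confirm against ApiHooks.h.
                lRCI.RCFlags = RC_FL_OWNTIMEOUT;

                AHResult = IsModuleLoaded(&lRCI, ModuleName, PID, RETURN_SUSPENDED);

                BOOL ExitCodeKnown = TRUE;
                if (AHResult == ErrorAHTimeOut) {
                    // The remote thread did not finish within the library's
                    // timeout: let it run at high priority, wait without a
                    // limit, then release everything IsModuleLoaded left
                    // behind in the target process.
                    SetThreadPriority(lRCI.hThread, THREAD_PRIORITY_HIGHEST);
                    ResumeThread(lRCI.hThread);
                    _tprintf(_T("Waiting for thread ..."));
                    WaitForSingleObject(lRCI.hThread, INFINITE);
                    // The thread's exit code is the real result. If it cannot
                    // be read, AHResult would still hold ErrorAHTimeOut and
                    // be printed as a load address below, so remember the
                    // failure instead of trusting the stale value.
                    ExitCodeKnown = GetExitCodeThread(lRCI.hThread, &AHResult);
                    CloseHandle(lRCI.hThread);
                    if (lRCI.ProcFlags & RC_PF_NATIVE)
                        lRCI.RtlFreeMem(lRCI.hProcess, lRCI.ThreadStack);
                    if (lRCI.RCFlags & RC_FL_OWNFREE)
                        lRCI.RtlFreeMem(lRCI.hProcess, lRCI.ThreadBody);
                    CloseHandle(lRCI.hProcess);
                }

                if (!ExitCodeKnown)
                    _tprintf(_T("\nCan't read the remote thread's exit code!"));
                else if (ErrorAHRemote == AHResult)
                    _tprintf(_T("\nRemote exception!"));
                else if ((ErrorAHMin < AHResult) && (AHResult < ErrorAHTimeOut))
                    _tprintf(_T("\nCan't prepare remote execution!"));
                else if (0 == AHResult)
                    _tprintf(_T("\n'%s' is not present in '%s'."), argv[2], argv[1]);
                else
                    _tprintf(_T("\n'%s' is loaded at 0x%X."), argv[2], AHResult);
            }
        }
    }

    getch();
    return AHResult;
}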