noprocessexe.cpp

这是一本学习 window编程的很好的参考教材

/***************************************************************|
                        Author:   JIURL
						Email:    jiurl@mail.china.com
						Homepage: http://jiurl.yeah.net
/***************************************************************/
#include <winsock2.h>
#include <stdio.h>
#include <tlhelp32.h>

#pragma comment (lib,"Advapi32.lib")

int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR     lpCmdLine,
                     int       nCmdShow)
{
	////////////////////////////////////////////////////////////
	//             查找explorer.exe进程的pid                  //
	////////////////////////////////////////////////////////////
	DWORD pid;

	HANDLE hSnapshot = NULL;

	hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);

	PROCESSENTRY32 pe;
	pe.dwSize = sizeof(PROCESSENTRY32);

	Process32First(hSnapshot,&pe);

	do
	{
		if(stricmp(pe.szExeFile,"Explorer.exe")==0)
		{
			pid = pe.th32ProcessID;
			break;
		}
	}
	while(Process32Next(hSnapshot,&pe)==TRUE);

	CloseHandle (hSnapshot);

	////////////////////////////////////////////////////////////
	//             把dll注入explorer.exe进程                  //
	////////////////////////////////////////////////////////////
	PWSTR pszLibFileRemote = NULL;
	HANDLE hRemoteProcess = NULL,hRemoteThread = NULL;

	hRemoteProcess = OpenProcess(
		 PROCESS_QUERY_INFORMATION |   // Required by Alpha
         PROCESS_CREATE_THREAD     |   // For CreateRemoteThread
         PROCESS_VM_OPERATION      |   // For VirtualAllocEx/VirtualFreeEx
         PROCESS_VM_WRITE,             // For WriteProcessMemory
         FALSE, pid);

	char CurPath[256];
	GetCurrentDirectory(256,CurPath);
	strcat(CurPath,"\\NoProcessDll.dll");

	int len = (strlen(CurPath)+1)*2;
	WCHAR wCurPath[256];
	MultiByteToWideChar(CP_ACP,0,CurPath,-1,wCurPath,256);

	pszLibFileRemote = (PWSTR) 
		VirtualAllocEx(hRemoteProcess, NULL, len, MEM_COMMIT, PAGE_READWRITE);

	WriteProcessMemory(hRemoteProcess, pszLibFileRemote, 
		(PVOID) wCurPath, len, NULL);

	PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
         GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");

	hRemoteThread = CreateRemoteThread(hRemoteProcess, NULL, 0, 
		pfnThreadRtn, pszLibFileRemote, 0, NULL);

	return 0;
}