
📄 dllinjector.cpp

📁 远程注入DLL进程的VC源代码 是不可多得的源代码 是近段时间才兴起的技术
#include<windows.h>
#include<stdio.h>
#include<tlhelp32.h>
#include"resource.h"
// Module instance handle; assigned once in WinMain and read by DialogProc
// when it loads the dialog icon resource.
HINSTANCE hinst;
// Dialog procedure for the tool's single dialog window.
BOOL CALLBACK DialogProc(HWND,UINT,WPARAM,LPARAM);
// Enables the named privilege in the token of the given process.
BOOL UpPrivilege(HANDLE,LPCTSTR);
// Starts FreeLibrary threads in another process for every loaded module
// whose name or path matches the given string.
BOOL MyFreeLibrary(HWND,HANDLE,DWORD,LPSTR);
/*
 * Program entry point.
 *
 * Stores the instance handle for later resource loading, tries to enable
 * SeDebugPrivilege on the current process token, then runs the main dialog
 * modally. A failure to enable the privilege is reported but is not fatal:
 * the dialog is shown either way.
 *
 * Review note (defensive): a process that turns on SeDebugPrivilege at
 * start-up and then opens other processes is a behaviour that endpoint
 * monitoring commonly flags; the privilege should normally be held only by
 * debuggers and administrative tooling.
 *
 * Always returns 0.
 */
int WINAPI WinMain(HINSTANCE h,HINSTANCE hp,LPSTR cmdline,int cmdshow)
{
	char privilege[]=SE_DEBUG_NAME;
	HANDLE hprocess=GetCurrentProcess();
	BOOL bEnabled;

	hinst=h;

	bEnabled=UpPrivilege(hprocess,privilege);
	if(bEnabled==FALSE)
	{
		MessageBox(NULL,"提升进程特权失败!","错误",MB_OK|MB_ICONERROR);
	}

	/* The icon handle returned here is discarded; DialogProc loads the
	   icon it actually displays. */
	LoadIcon(h,(LPSTR)IDI_ICON);

	DialogBox(h,(LPSTR)IDD_tianj03,NULL,(DLGPROC)DialogProc);
	return 0;
}
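/*
 * Handles a click on the OK button: reads the target process id and module
 * name from the two edit controls, opens the target process and then either
 * starts a LoadLibraryA thread in it (IDC_RADIO1 checked) or asks
 * MyFreeLibrary to unload the named module.
 *
 * Fixes relative to the original inline code:
 *  - the process handle is validated BEFORE it is passed to VirtualAllocEx /
 *    WriteProcessMemory (the original checked it afterwards, so the
 *    "open failed" message could never be reached);
 *  - an empty id field now stops processing instead of continuing with an
 *    unvalidated buffer;
 *  - WriteProcessMemory and GetProcAddress results are checked;
 *  - the process handle and the thread handle are closed on every path;
 *  - remote memory is only allocated on the load path, and is released again
 *    when no thread was started to consume it.
 *
 * Review note (defensive): the OpenProcess(PROCESS_ALL_ACCESS) ->
 * VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread sequence is the
 * textbook cross-process DLL load. It is what Sysmon event 10 (ProcessAccess)
 * and event 8 (CreateRemoteThread) and most EDR products are designed to
 * surface, and it is refused for protected processes.
 */
static void HandleOkButton(HWND hdlg)
{
	char lpProcessId[15]={0},lpObjectProcess[260]={0};
	DWORD dwProcessId=0;
	SIZE_T cbSize=0;
	HANDLE handle=NULL,hThread=NULL;
	HMODULE hmodule=NULL;
	LPTHREAD_START_ROUTINE pfnLoadLibrary=NULL;
	LPVOID lpRemoteDll=NULL;

	/* Both reads are capped at 10 bytes including the terminator, well below
	   either buffer size, so the ".dll" append further down cannot overflow. */
	if(SendDlgItemMessage(hdlg,IDC_EDIT1,WM_GETTEXT,(WPARAM)10,(LPARAM)lpProcessId)==0)
	{
		MessageBox(hdlg,"ID不能为空","错误",MB_OK);
		return;
	}
	if(SendDlgItemMessage(hdlg,IDC_EDIT2,WM_GETTEXT,(WPARAM)10,(LPARAM)lpObjectProcess)==0)
	{
		MessageBox(hdlg,"无效模块","错误",MB_OK);
		return;
	}

	/* Non-numeric text yields 0 here, for which OpenProcess fails below. */
	dwProcessId=(DWORD)atoi(lpProcessId);
	handle=OpenProcess(PROCESS_ALL_ACCESS,0,dwProcessId);
	if(handle==NULL)
	{
		MessageBox(hdlg,"打开目标进程失败","错误",MB_OK);
		return;
	}

	if(IsDlgButtonChecked(hdlg,IDC_RADIO1)==BST_CHECKED)
	{
		cbSize=strlen(lpObjectProcess)+1;
		lpRemoteDll=VirtualAllocEx(handle,NULL,cbSize,MEM_COMMIT,PAGE_READWRITE);
		if(lpRemoteDll==NULL)
		{
			MessageBox(hdlg,"分配失败","错误",MB_OK);
		}
		else if(!WriteProcessMemory(handle,lpRemoteDll,lpObjectProcess,cbSize,NULL))
		{
			/* Nothing will read the buffer, so give it back to the target. */
			VirtualFreeEx(handle,lpRemoteDll,0,MEM_RELEASE);
			MessageBox(hdlg,"注入失败","错误",MB_OK);
		}
		else
		{
			hmodule=GetModuleHandle("kernel32.dll");
			if(hmodule!=NULL)
				pfnLoadLibrary=(LPTHREAD_START_ROUTINE)GetProcAddress(hmodule,"LoadLibraryA");
			if(pfnLoadLibrary!=NULL)
				hThread=CreateRemoteThread(handle,NULL,0,pfnLoadLibrary,lpRemoteDll,0,NULL);
			if(hThread==NULL)
			{
				VirtualFreeEx(handle,lpRemoteDll,0,MEM_RELEASE);
				MessageBox(hdlg,"注入失败","错误",MB_OK);
			}
			else
			{
				/* Success here only means the thread was created; whether
				   the library actually loaded is not checked. The remote
				   buffer is left in place because the new thread may still
				   be reading it. */
				CloseHandle(hThread);
				MessageBox(hdlg,"注入目标进程成功","消息",MB_OK);
			}
		}
	}
	else
	{
		/* A name without any '.' gets the default extension appended. */
		if(strrchr(lpObjectProcess,'.')==NULL)
			strcat(lpObjectProcess,".dll");
		if(!MyFreeLibrary(hdlg,handle,dwProcessId,lpObjectProcess))
		{
			MessageBox(hdlg,"卸载失败","错误",MB_OK);
		}
		else
		{
			MessageBox(hdlg,"卸载成功","消息",MB_OK);
		}
	}
	CloseHandle(handle);
}

/*
 * Dialog procedure for the main window.
 *
 * WM_INITDIALOG positions the window, sets its icon and pre-selects
 * IDC_RADIO1. WM_CLOSE and IDCANCEL end the dialog. IDOK runs the requested
 * load/unload action. IDC_CHECK1 toggles the always-on-top state.
 *
 * Returns TRUE for WM_INITDIALOG, WM_CLOSE, IDOK and IDCANCEL; every other
 * message, including IDC_CHECK1, returns 0 as in the original.
 */
BOOL CALLBACK DialogProc(HWND hdlg,UINT message,WPARAM wparam,LPARAM lparam)
{
	HICON hIcon=NULL;

	switch(message)
	{
	case WM_INITDIALOG:
		/* The icon is loaded only here instead of on every message. */
		hIcon=LoadIcon(hinst,(LPSTR)IDI_ICON1);
		SetWindowPos(hdlg,HWND_NOTOPMOST,150,50,0,0,SWP_NOSIZE|SWP_NOREDRAW);
		SendMessage(hdlg,WM_SETICON,ICON_BIG,(LPARAM)hIcon);
		CheckDlgButton(hdlg,IDC_RADIO1,BST_CHECKED);
		return TRUE;
	case WM_CLOSE:
		EndDialog(hdlg,0);
		PostQuitMessage(0);
		return TRUE;
	case WM_COMMAND:
		switch(LOWORD(wparam))
		{
		case IDOK:
			HandleOkButton(hdlg);
			return TRUE;
		case IDCANCEL:
			EndDialog(hdlg,0);
			PostQuitMessage(0);
			return TRUE;
		case IDC_CHECK1:
			if(SendMessage(GetDlgItem(hdlg,IDC_CHECK1),BM_GETCHECK,0,0)==BST_CHECKED)
			{
				SetWindowPos(hdlg,HWND_TOPMOST,0,0,0,0,SWP_NOMOVE|SWP_NOSIZE|SWP_NOREDRAW);
			}
			else
			{
				SetWindowPos(hdlg,HWND_NOTOPMOST,0,0,0,0,SWP_NOMOVE|SWP_NOSIZE|SWP_NOREDRAW);
			}
			break;
		}
		break;
	}
	return 0;
}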
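/*
 * Enables the privilege named by lpname in the access token of hprocess.
 *
 * Returns TRUE only when the privilege was actually enabled, FALSE otherwise.
 *
 * Fixes relative to the original:
 *  - OpenProcessToken and LookupPrivilegeValue results are checked, so an
 *    uninitialised token handle or LUID is never used;
 *  - AdjustTokenPrivileges returns non-zero even when the token does not hold
 *    the privilege (GetLastError() is then ERROR_NOT_ALL_ASSIGNED), so the
 *    last-error value is checked as well;
 *  - the token handle is closed on every path.
 *
 * Review note (defensive): where token-right auditing is enabled, this
 * adjustment is recorded by Windows (Security event 4703), which gives
 * defenders a signal independent of whatever the process does next.
 */
BOOL UpPrivilege(HANDLE hprocess,LPCTSTR lpname)
{
	HANDLE hToken=NULL;
	TOKEN_PRIVILEGES Privileges;
	BOOL bOk=FALSE;

	if(!OpenProcessToken(hprocess,TOKEN_ADJUST_PRIVILEGES,&hToken))
		return FALSE;

	Privileges.PrivilegeCount=1;
	Privileges.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
	if(LookupPrivilegeValue(NULL,lpname,&Privileges.Privileges[0].Luid))
	{
		if(AdjustTokenPrivileges(hToken,FALSE,&Privileges,0,NULL,NULL)!=0
			&&GetLastError()==ERROR_SUCCESS)
		{
			bOk=TRUE;
		}
	}
	CloseHandle(hToken);
	return bOk;
}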
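/*
 * Walks the module list of process iProcessId and, for every module whose
 * name or full path equals lpDll (case-insensitive), starts a thread in the
 * process behind hRemoteHandle that calls FreeLibrary on that module.
 *
 * hdlg           owner window for the message boxes shown here.
 * hRemoteHandle  handle to the target process; not closed by this function.
 * iProcessId     id of the same process, used for the module snapshot.
 * lpDll          module name or path to look for.
 *
 * Returns the outcome of the last matching module (TRUE if its thread was
 * created), or FALSE when nothing matched or the snapshot failed. TRUE only
 * means the thread was created; the FreeLibrary result is not inspected.
 *
 * Fixes relative to the original:
 *  - CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE, not
 *    NULL, and the function now stops after reporting that failure;
 *  - the Module32First result is honoured, so an unfilled entry is never
 *    compared;
 *  - first and subsequent entries share one loop, which makes the running
 *    index consistent and uses me.hModule for every entry;
 *  - the index buffer is large enough for any int;
 *  - each thread handle is closed, and GetProcAddress is checked.
 */
BOOL MyFreeLibrary(HWND hdlg,HANDLE hRemoteHandle,DWORD iProcessId,LPSTR lpDll)
{
	int i=0;
	char b[16];
	BOOL repeat=FALSE,bOk=FALSE;
	HMODULE hmodule=GetModuleHandle("kernel32.dll");
	LPTHREAD_START_ROUTINE pfnFreeLibrary=NULL;
	HANDLE hsnapshot=NULL,hRemoteThread=NULL;
	MODULEENTRY32 me={0};

	me.dwSize=sizeof(MODULEENTRY32);
	hsnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,iProcessId);
	if(hsnapshot==INVALID_HANDLE_VALUE)
	{
		MessageBox(hdlg,"枚举模块失败","错误",MB_OK);
		return FALSE;
	}

	if(hmodule!=NULL)
		pfnFreeLibrary=(LPTHREAD_START_ROUTINE)GetProcAddress(hmodule,"FreeLibrary");
	if(pfnFreeLibrary==NULL)
	{
		CloseHandle(hsnapshot);
		return FALSE;
	}

	for(repeat=Module32First(hsnapshot,&me);repeat;repeat=Module32Next(hsnapshot,&me))
	{
		i=i+1;	/* 1-based position of this entry in the snapshot */
		if((lstrcmpi(me.szModule,lpDll)!=0)&&(lstrcmpi(me.szExePath,lpDll)!=0))
			continue;

		/* As in the original, the path popup is shown for every match except
		   the first snapshot entry, and the error caption text is "1" for
		   the first entry and "2" for later ones. */
		if(i>1)
		{
			sprintf(b,"%i",i);
			MessageBox(hdlg,me.szExePath,b,MB_OK);
		}
		hRemoteThread=CreateRemoteThread(hRemoteHandle,NULL,0,pfnFreeLibrary,me.hModule,0,NULL);
		if(hRemoteThread==NULL)
		{
			bOk=FALSE;
			MessageBox(hdlg,(i==1)?"1":"2","错误",MB_OK);
		}
		else
		{
			CloseHandle(hRemoteThread);
			bOk=TRUE;
		}
	}
	CloseHandle(hsnapshot);
	return bOk;
}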
