zuru1.rar

十大富商的方式发生的方式的方式的 ?蟾簧痰姆绞椒⑸姆绞降姆绞降??蟾簧痰姆绞椒⑸姆绞?的

DWORD CInsertDlg::GetProcessId()//获取explorer.exe进程的ID
{
DWORD Pid=-1;
HANDLE hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);//创建系统快照
PROCESSENTRY32 lPrs;
ZeroMemory(&lPrs,sizeof(lPrs));
lPrs.dwSize=sizeof(lPrs);
Process32First(hSnap,&lPrs);
if (strstr(targetFile,lPrs.szExeFile))//判断进程信息是否是explorer.exe
{
Pid=lPrs.th32ProcessID;
return Pid;
}

while(1)
{
ZeroMemory(&lPrs,sizeof(lPrs));
lPrs.dwSize=(&lPrs,sizeof(lPrs));
if (!Process32Next(hSnap,&lPrs))//继续枚举进程信息
{
Pid=-1;
break;
}
if (strstr(targetFile,lPrs.szExeFile))
{
Pid=lPrs.th32ProcessID;
break;
}
}

return Pid;

}


void CInsertDlg::OnButton1()
{
DWORD Pid=-1;
Pid=GetProcessId();//得到进程ID

if (Insert(Pid))//执行远程进程注入
{
}
else
{
return 0;}
}

BOOL CInsertDlg::Insert(DWORD dwProcessId)
{
HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcessId);//得到对目标进程操作的所有权限

if (hProcess==NULL)
{
return FALSE;
}

char szModulePath[MAX_PATH];
GetModuleFileName(NULL,szModulePath,MAX_PATH);
PathRemoveFileSpec(szModulePath);
CString strModlePath = _T(szModulePath);
if(strModlePath[strModlePath.GetLength() - 1] != '\\')strModlePath += _T('\\');
strModlePath += _T("test.dll");//获取DLL路径


//为DLL路径分配内存空间
LPVOID RemoteMemory = VirtualAllocEx(hProcess,NULL,strModlePath.GetLength() + 1,MEM_COMMIT,PAGE_READWRITE);

if (RemoteMemory==NULL)
{
return FALSE;
}


//将DLL路径写入目标进程的分配的内存
if (!WriteProcessMemory(hProcess,RemoteMemory,(void *)(LPCTSTR)strModlePath,strModlePath.GetLength() + 1,NULL))
{
return FALSE;
}

//得到LoadLibraryA函数的指针
PTHREAD_START_ROUTINE pfn=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")),"LoadLibraryA");

if (pfn==NULL)
{
return FALSE;
}


//在远程进程里创建线程
HANDLE hThread=CreateRemoteThread(hProcess,NULL,0,pfn,RemoteMemory,0,NULL);

if (hThread==NULL)
{
return FALSE;
}
WaitForSingleObject(hThread,INFINITE);//等待线程的返回
VirtualFreeEx(hProcess,RemoteMemory,0,MEM_RELEASE);//释放内存
CloseHandle(hThread);
CloseHandle(hProcess);
return TRUE;
}
}