#include <Windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <conio.h>
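/*
 * Enable one named privilege (e.g. SE_DEBUG_NAME) in the current process token.
 *
 * PrviName: privilege name as accepted by LookupPrivilegeValue.
 * Returns TRUE only when the privilege is actually enabled afterwards.
 *
 * Two defects in the original are fixed here:
 *  - the OpenProcessToken result was ignored, so on failure an uninitialized
 *    HANDLE was passed to AdjustTokenPrivileges and CloseHandle;
 *  - AdjustTokenPrivileges returns TRUE even when the token does not hold the
 *    privilege at all (it only sets GetLastError() to ERROR_NOT_ALL_ASSIGNED),
 *    so a non-admin caller was told the privilege was enabled when it was not.
 */
BOOL EnablePrivilege(char *PrviName)
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES Newtp;
    BOOL bRet = FALSE;

    if (PrviName == NULL)
        return FALSE;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return FALSE;

    if (LookupPrivilegeValue(NULL, PrviName, &Newtp.Privileges[0].Luid))
    {
        Newtp.PrivilegeCount = 1;
        Newtp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        /* Success is only meaningful when GetLastError() is ERROR_SUCCESS;
           ERROR_NOT_ALL_ASSIGNED means the privilege is not in the token. */
        if (AdjustTokenPrivileges(hToken, FALSE, &Newtp, sizeof(Newtp), NULL, NULL)
            && GetLastError() == ERROR_SUCCESS)
        {
            bRet = TRUE;
        }
    }

    CloseHandle(hToken);
    return bRet;
}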
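/*
 * Look up a process id by image name (e.g. "notepad.exe") using a
 * Toolhelp snapshot. The comparison is case-insensitive and is made against
 * szExeFile only (no path). If several processes share the name, the first
 * one in snapshot order wins.
 *
 * Returns the PID, or 0 if the name is NULL, the snapshot fails, or no
 * process matches.
 *
 * Fix: CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE,
 * not NULL, so the original `if(hSnap)` test let a failed snapshot through to
 * Process32First. The Process32First result is now checked as well.
 */
DWORD Process2PID(LPCTSTR lpszProcess)
{
    DWORD dwRet = 0;

    if (lpszProcess == NULL)
        return 0;

    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE)
        return 0;

    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(pe);

    if (Process32First(hSnap, &pe))
    {
        do
        {
            if (lstrcmpi(lpszProcess, pe.szExeFile) == 0)
            {
                dwRet = pe.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnap, &pe));
    }

    CloseHandle(hSnap);
    return dwRet;
}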
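/*
 * Load lpszDll into process dwPid by writing the path into the target and
 * starting a remote thread at kernel32!LoadLibraryA (the classic
 * CreateRemoteThread injection).
 *
 * dwPid:   target process id (0 is rejected).
 * lpszDll: ANSI path of the DLL. This file is ANSI-only (the path is handed
 *          to LoadLibraryA and main() passes argv). Pass a full path: a
 *          relative name is resolved by the *target's* DLL search order, not
 *          the injector's working directory.
 *
 * Returns TRUE when the remote thread was created and, if it finished within
 * the wait below, LoadLibraryA returned a non-zero module handle.
 *
 * Fixes relative to the original:
 *  - OpenProcess / VirtualAllocEx / WriteProcessMemory / GetProcAddress
 *    results were unchecked, so a NULL handle or address was used;
 *  - the remote buffer was a fixed MAX_PATH bytes while the write was
 *    lstrlen+1 bytes with no bound; the buffer is now sized to the string;
 *  - the thread HANDLE was truncated to BOOL and leaked; the remote
 *    allocation was never released;
 *  - "successful" was reported as soon as the thread existed, even when
 *    LoadLibraryA failed (wrong path); the thread exit code is now examined.
 *
 * Assumption: kernel32.dll is mapped at the same base in the target as in the
 * injector. That holds for processes of the same bitness within a boot
 * session; a 32/64-bit mismatch between injector and target is not handled.
 */
BOOL InjectDLL(DWORD dwPid, LPCTSTR lpszDll)
{
    BOOL bRet = FALSE;
    BOOL bFreeRemote = FALSE;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    LPVOID pAddr = NULL;
    SIZE_T cbPath = 0;
    SIZE_T cbWritten = 0;
    DWORD dwExit = 0;
    DWORD dwWait = 0;
    LPTHREAD_START_ROUTINE pfnLoadLibrary = NULL;

    if (dwPid == 0 || lpszDll == NULL || lpszDll[0] == '\0')
        return FALSE;

    /* SeDebugPrivilege is only required for targets the caller could not
       otherwise open (other users, elevated). The original's all-or-nothing
       behaviour is kept: no privilege, no injection attempt. */
    if (!EnablePrivilege(SE_DEBUG_NAME))
        return FALSE;

    cbPath = (SIZE_T)lstrlenA(lpszDll) + 1; /* include the terminator */

    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE,
                           FALSE, dwPid);
    if (hProcess == NULL)
        return FALSE;

    pAddr = VirtualAllocEx(hProcess, NULL, cbPath, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pAddr == NULL)
        goto cleanup;
    bFreeRemote = TRUE;

    if (!WriteProcessMemory(hProcess, pAddr, lpszDll, cbPath, &cbWritten) || cbWritten != cbPath)
        goto cleanup;

    pfnLoadLibrary = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("kernel32.dll"),
                                                            "LoadLibraryA");
    if (pfnLoadLibrary == NULL)
        goto cleanup;

    /* Default stack size (0) instead of the original 1024, which was rounded
       up by the system anyway. */
    hThread = CreateRemoteThread(hProcess, NULL, 0, pfnLoadLibrary, pAddr, 0, NULL);
    if (hThread == NULL)
        goto cleanup;

    /* Thread exists: this is what the original counted as success. */
    bRet = TRUE;

    /* Bounded wait so a suspended/hung target cannot block the injector
       forever. While the thread may still be reading the path, the remote
       buffer must not be freed. */
    dwWait = WaitForSingleObject(hThread, 10000);
    if (dwWait == WAIT_OBJECT_0)
    {
        /* Exit code is LoadLibraryA's HMODULE truncated to DWORD; zero means
           the load failed. NOTE(review): on 64-bit a module base whose low
           32 bits are zero would be misreported — confirm acceptable. */
        if (GetExitCodeThread(hThread, &dwExit) && dwExit == 0)
            bRet = FALSE;
    }
    else
    {
        bFreeRemote = FALSE; /* thread still running (or wait failed): leave the buffer */
    }

cleanup:
    if (hThread != NULL)
        CloseHandle(hThread);
    if (pAddr != NULL && bFreeRemote)
        VirtualFreeEx(hProcess, pAddr, 0, MEM_RELEASE);
    CloseHandle(hProcess);
    return bRet;
}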
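/*
 * Usage: injectdll <process image name> <full path to dll>
 *
 * Fixes relative to the original:
 *  - argc was never checked, so running without arguments dereferenced
 *    argv[1]/argv[2] as NULL;
 *  - a PID of 0 from Process2PID (name not found) was passed straight to
 *    InjectDLL instead of being reported;
 *  - the result message always said "explorer.exe" regardless of the target
 *    actually given in argv[1].
 * Exit status is 0 on success and 1 otherwise so the tool can be scripted.
 */
int main(int argc, char **argv)
{
    const char *self = (argc > 0 && argv[0] != NULL) ? argv[0] : "injectdll";

    if (argc < 3)
    {
        printf("usage: %s <process.exe> <full path to dll>\n", self);
        return 1;
    }

    DWORD dwPid = Process2PID(argv[1]);
    if (dwPid == 0)
    {
        printf("process %s not found\n", argv[1]);
        getch();
        return 1;
    }

    /* argv[2] should be an absolute path: LoadLibraryA runs inside the
       target, so a relative name is resolved by the target's search order. */
    BOOL ok = InjectDLL(dwPid, argv[2]);
    printf("Inject DLL to %s (pid %lu) %s\n",
           argv[1], (unsigned long)dwPid, ok ? "successful" : "failed");
    getch();
    return ok ? 0 : 1;
}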