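// Let the user pick one DLL with the common "Open" dialog and copy the chosen
// full path into the IDC_EDIT_DLL edit control of g_hWnd.
//
// Single selection only: the edit box holds one path and the injection
// routines take one DLL path (LPCSTR). The original OFN_ALLOWMULTISELECT flag
// is dropped on purpose: with OFN_EXPLORER, picking several files makes
// lpstrFile "<dir>\0<file1>\0<file2>\0\0", so only "<dir>" would have reached
// the edit box and the later injection would have been handed a directory.
//
// No return value; on cancel or dialog failure the edit box is left untouched.
void DllFileSelect()
{
    OPENFILENAME ofn;
    char szFile[MAX_PATH] = "InJect.dll";   // default file name pre-filled in the dialog
    char szFileTitle[MAX_PATH] = "";        // receives the name-only part; not used further

    memset( &ofn,0,sizeof(ofn) );
    ofn.lStructSize = sizeof(ofn);
    ofn.hwndOwner = g_hWnd;
    ofn.lpstrFilter = "Dll Files(*.dll)\0*.dll\0\0";   // only *.dll is offered
    ofn.nFilterIndex = 0;                              // 0 with no custom filter -> first filter
    ofn.lpstrFile = szFile;
    ofn.nMaxFile = sizeof(szFile);
    ofn.lpstrFileTitle = szFileTitle;
    ofn.nMaxFileTitle = sizeof(szFileTitle);
    ofn.lpstrInitialDir = "c:\\windows\\system32\\";   // hard-coded start folder (not queried from the OS)
    // OFN_FILEMUSTEXIST / OFN_PATHMUSTEXIST make the dialog reject a typed-in path
    // that does not exist, so the path handed to the edit box exists at pick time.
    ofn.Flags = OFN_PATHMUSTEXIST | OFN_FILEMUSTEXIST | OFN_EXPLORER;

    if( GetOpenFileName(&ofn) )
    {
        // lpstrFile now holds the single full path of the chosen file.
        SetWindowText( GetDlgItem(g_hWnd,IDC_EDIT_DLL), ofn.lpstrFile );
    }
}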
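// Enable SeDebugPrivilege on the current process's primary token so that
// OpenProcess() can later reach processes owned by other users / the system.
//
// Returns true only when the privilege is actually enabled. Two defects of the
// previous version are fixed here:
//   - hToken was leaked on the LookupPrivilegeValue / AdjustTokenPrivileges
//     failure paths; it is now closed on every path.
//   - AdjustTokenPrivileges() returns TRUE even when the token does not hold
//     the privilege at all (e.g. a non-elevated user); in that case
//     GetLastError() reports ERROR_NOT_ALL_ASSIGNED. That case is now reported
//     as failure instead of success.
bool EnableDebugPrivilege()
{
    HANDLE hToken = NULL;
    LUID luid;
    TOKEN_PRIVILEGES tkp;   // single-entry privilege array
    bool ok = false;

    if( !OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES,&hToken) )
    {
        return false;
    }

    // Resolve the locally unique id of SE_DEBUG_NAME on this machine.
    if( LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&luid) )
    {
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = luid;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        // DisableAllPrivileges = FALSE: only the entry in tkp is touched.
        // A TRUE return must be paired with the last-error check; TRUE plus
        // ERROR_NOT_ALL_ASSIGNED means the privilege is not held by this token.
        if( AdjustTokenPrivileges(hToken,FALSE,&tkp,sizeof(tkp),NULL,NULL)
            && GetLastError()!=ERROR_NOT_ALL_ASSIGNED )
        {
            ok = true;
        }
    }

    CloseHandle( hToken );
    return ok;
}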
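// Inject lpszDll into process dwProcessID by writing the path into the target
// and starting a remote thread at LoadLibraryA with that path as its argument.
//
// Parameters:
//   dwProcessID - PID of the target process.
//   lpszDll     - NUL-terminated ANSI path of the DLL to load; NULL/empty -> false.
//
// Returns true only when the remote LoadLibraryA returned a non-zero module
// handle; every failure path (OpenProcess, VirtualAllocEx, short write,
// CreateRemoteThread, LoadLibraryA returning NULL) returns false and releases
// what was acquired. The previous version returned true even when OpenProcess
// or CreateRemoteThread failed, and never inspected LoadLibraryA's result.
//
// Assumptions the caller must be aware of:
//   - The address of LoadLibraryA in this process is used as the thread start
//     address in the target, so the target must be the same bitness and map
//     kernel32 at the same base (normally true for same-bitness processes in
//     one boot session).
//   - GetExitCodeThread yields a DWORD, so on a 64-bit target only the low
//     32 bits of the HMODULE are visible; it is used here only as a zero /
//     non-zero success indicator.
bool RemoteLoadLibrary(DWORD dwProcessID,LPCSTR lpszDll)
{
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    LPVOID lpBuf = NULL;
    DWORD dwSize = 0;
    DWORD dwWritten = 0;
    DWORD dwID = 0;
    DWORD dwExitCode = 0;
    bool ok = false;

    if( NULL==lpszDll || '\0'==*lpszDll )
    {
        return false;
    }
    dwSize = lstrlenA( lpszDll ) + 1;   // include the terminating NUL

    // Least privilege instead of PROCESS_ALL_ACCESS: exactly the rights that
    // VirtualAllocEx / WriteProcessMemory / CreateRemoteThread require.
    // (PROCESS_ALL_ACCESS also differs between Windows versions, which can make
    // OpenProcess fail across versions for no functional reason.)
    hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                            PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
                            FALSE, dwProcessID );
    if( NULL==hProcess )
    {
        return false;
    }

    // Room for the path inside the target's address space.
    lpBuf = VirtualAllocEx( hProcess,NULL,dwSize,MEM_COMMIT,PAGE_READWRITE );
    if( NULL==lpBuf )
    {
        goto cleanup;
    }

    // A short write is a failure as well: the remote LoadLibraryA would read a
    // truncated, possibly unterminated path.
    if( !WriteProcessMemory(hProcess,lpBuf,lpszDll,dwSize,&dwWritten) || dwWritten!=dwSize )
    {
        goto cleanup;
    }

    // LoadLibraryA(LPCSTR) has the same calling shape as LPTHREAD_START_ROUTINE,
    // so the thread's start address is LoadLibraryA and its parameter is lpBuf.
    hThread = CreateRemoteThread( hProcess,NULL,0,(LPTHREAD_START_ROUTINE)LoadLibraryA,
                                  lpBuf,0,&dwID );
    if( NULL==hThread )
    {
        goto cleanup;
    }

    // The wait is deliberately unbounded: lpBuf is freed below, and freeing it
    // while the remote thread may still be reading it would corrupt the target.
    // If the DLL's DllMain blocks, this call blocks with it.
    WaitForSingleObject( hThread,INFINITE );

    // The thread exit code is LoadLibraryA's return value (HMODULE); zero means
    // the load failed inside the target.
    if( GetExitCodeThread( hThread,&dwExitCode ) && 0!=dwExitCode )
    {
        ok = true;
    }

cleanup:
    if( NULL!=hThread )
    {
        CloseHandle( hThread );
    }
    if( NULL!=lpBuf )
    {
        // MEM_RELEASE with size 0 returns the whole region; MEM_DECOMMIT would
        // have left the address range reserved in the target.
        VirtualFreeEx( hProcess,lpBuf,0,MEM_RELEASE );
    }
    CloseHandle( hProcess );
    return ok;
}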
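// Unload lpszDll from process dwProcessID: a first remote thread runs
// GetModuleHandleA(path) in the target to find the module, a second runs
// FreeLibrary(hModule) on it.
//
// Parameters:
//   dwProcessID - PID of the target process.
//   lpszDll     - NUL-terminated ANSI module name/path as passed to
//                 GetModuleHandleA in the target; NULL/empty -> false.
//
// Returns true only when the module was found in the target and the remote
// FreeLibrary reported success. Compared with the previous version: failures
// of OpenProcess / CreateRemoteThread are no longer ignored, a module that is
// not loaded (GetModuleHandleA -> NULL) is reported as failure instead of
// running FreeLibrary(NULL), and FreeLibrary's result is checked.
//
// Caveats:
//   - GetModuleHandleA's HMODULE comes back through the thread exit code, which
//     is a DWORD. On a 64-bit target only the low 32 bits survive, so the
//     handle handed to FreeLibrary would be truncated; this unload path should
//     be treated as reliable for 32-bit targets only — TODO confirm before
//     relying on it for x64.
//   - Addresses of GetModuleHandleA / FreeLibrary in this process are reused in
//     the target (same-bitness, same kernel32 base assumed).
//   - FreeLibrary drops one reference; a DLL loaded more than once stays mapped.
bool RemoteFreeLibrary(DWORD dwProcessID,LPCSTR lpszDll)
{
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    LPVOID lpBuf = NULL;
    DWORD dwSize = 0;
    DWORD dwWritten = 0;
    DWORD dwID = 0;
    DWORD dwHandle = 0;   // HMODULE (low 32 bits) returned by GetModuleHandleA in the target
    DWORD dwFreed = 0;    // BOOL returned by FreeLibrary in the target
    bool ok = false;

    if( NULL==lpszDll || '\0'==*lpszDll )
    {
        return false;
    }
    dwSize = lstrlenA( lpszDll ) + 1;   // include the terminating NUL

    // Least privilege: only what the two remote threads and the buffer write need.
    hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                            PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
                            FALSE, dwProcessID );
    if( NULL==hProcess )
    {
        return false;
    }

    lpBuf = VirtualAllocEx( hProcess,NULL,dwSize,MEM_COMMIT,PAGE_READWRITE );
    if( NULL==lpBuf )
    {
        goto cleanup;
    }

    // A short write would leave the remote GetModuleHandleA with a truncated name.
    if( !WriteProcessMemory(hProcess,lpBuf,lpszDll,dwSize,&dwWritten) || dwWritten!=dwSize )
    {
        goto cleanup;
    }

    // Step 1: locate the module inside the target.
    hThread = CreateRemoteThread( hProcess,NULL,0,(LPTHREAD_START_ROUTINE)GetModuleHandleA,
                                  lpBuf,0,&dwID );
    if( NULL==hThread )
    {
        goto cleanup;
    }
    WaitForSingleObject( hThread,INFINITE );   // unbounded: lpBuf is still in use by the target
    if( !GetExitCodeThread( hThread,&dwHandle ) || 0==dwHandle )
    {
        goto cleanup;   // query failed or the DLL is not loaded in the target
    }
    CloseHandle( hThread );
    hThread = NULL;

    // Step 2: unload it. The handle travels as the thread parameter.
    hThread = CreateRemoteThread( hProcess,NULL,0,(LPTHREAD_START_ROUTINE)FreeLibrary,
                                  (LPVOID)(ULONG_PTR)dwHandle,0,&dwID );
    if( NULL==hThread )
    {
        goto cleanup;
    }
    WaitForSingleObject( hThread,INFINITE );
    // Exit code is FreeLibrary's BOOL result.
    if( GetExitCodeThread( hThread,&dwFreed ) && 0!=dwFreed )
    {
        ok = true;
    }

cleanup:
    if( NULL!=hThread )
    {
        CloseHandle( hThread );
    }
    if( NULL!=lpBuf )
    {
        // MEM_RELEASE with size 0 returns the whole region to the target.
        VirtualFreeEx( hProcess,lpBuf,0,MEM_RELEASE );
    }
    CloseHandle( hProcess );
    return ok;
}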