C++封装远程注入类CreateRemoteThreadEx实例

.cpp源文件如下：

复制代码代码如下:#include"RemThreadInject.h" 
#include<tlhelp32.h>  
 
CRemThreadInject::CRemThreadInject(LPSTRlpDllName) 
{ 
   memcpy(m_szDllName,lpDllName,MAX_PATH); 
   EnableDebugPrivilege(TRUE); 
} 
 
CRemThreadInject::~CRemThreadInject(void) 
{ 
   EnableDebugPrivilege(FALSE); 
} 
 
BOOLCRemThreadInject::EnableDebugPrivilege(BOOLbEnable) 
{ 
   HANDLEhToken=INVALID_HANDLE_VALUE; 
   //OpenProcessToken 
   if(0==::OpenProcessToken(::GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken)) 
   { 
       returnFALSE; 
   } 
   LUIDluid; 
     
   // 
   ::LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&luid); 
   TOKEN_PRIVILEGEStp; 
   tp.PrivilegeCount=1; 
   tp.Privileges[0].Luid=luid; 
   if(bEnable) 
       tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED; 
   else 
       tp.Privileges[0].Attributes=0; 
   if(!AdjustTokenPrivileges( 
       hToken,  
       FALSE,  
       &tp,  
       sizeof(TOKEN_PRIVILEGES),  
       (PTOKEN_PRIVILEGES)NULL,  
       (PDWORD)NULL)) 
   {  
       returnFALSE;  
   }  
   if(GetLastError()==ERROR_NOT_ALL_ASSIGNED) 
   { 
       returnFALSE; 
   }  
   ::CloseHandle(hToken); 
   returnTRUE; 
} 
 
//注入DLL到指定的地址空间 
BOOLCRemThreadInject::InjectModuleInto(DWORDdwProcessId) 
{ 
   // 
   if(::GetCurrentProcessId()==dwProcessId) 
   { 
       returnFALSE;  
   } 
   BOOLbFound; 
   /************************************************************************/ 
   /*遍历模块                                                             */ 
   /************************************************************************/ 
   HANDLEhModuleSnap=INVALID_HANDLE_VALUE;  
   MODULEENTRY32me32;  
 
   // Takeasnapshotofallmodulesinthespecifiedprocess.  
   hModuleSnap=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,dwProcessId);  
   if(hModuleSnap==INVALID_HANDLE_VALUE)  
   {  
       return(FALSE);  
   }  
   me32.dwSize=sizeof(MODULEENTRY32);  
   if(!Module32First(hModuleSnap,&me32))  
   {  
       CloseHandle(hModuleSnap);    //Mustcleanupthesnapshotobject!  
       return(FALSE);  
   }  
   do  
   {  
       if(stricmp(me32.szModule,m_szDllName)==0) 
       { 
           bFound=TRUE; 
           break; 
       } 
   }while(Module32Next(hModuleSnap,&me32));  
 
   // Donotforgettocleanupthesnapshotobject.  
   CloseHandle(hModuleSnap);  
 
   if(bFound)//如果已经加载了模块，就不再加载 
   { 
       returnFALSE; 
   } 
 
   //如果没加载，打开进程，远程注入 
     
   HANDLEhProcess=::OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,dwProcessId); 
   if(hProcess==NULL) 
   { 
       returnFALSE; 
   } 
   HMODULE hKernerl32=GetModuleHandle("kernel32.dll"); 
   LPTHREAD_START_ROUTINEpfnLoadLibraryA=(LPTHREAD_START_ROUTINE)::GetProcAddress(hKernerl32,"LoadLibraryA");  
 
   intcbSize=strlen(m_szDllName)+1; 
   LPVOIDlpRemoteDllName=::VirtualAllocEx(hProcess,0,cbSize,MEM_COMMIT,PAGE_READWRITE); 
   ::WriteProcessMemory(hProcess,lpRemoteDllName,m_szDllName,cbSize,NULL); 
   HANDLEhRemoteThread=::CreateRemoteThreadEx(hProcess,NULL,0,pfnLoadLibraryA,lpRemoteDllName,0,NULL,NULL); 
   if(NULL==hRemoteThread) 
   { 
       ::CloseHandle(hProcess); 
       returnFALSE; 
   } 
   //等待目标线程运行结束，即LoadLibraryA函数返回 
   ::WaitForSingleObject(hRemoteThread,INFINITE); 
   ::CloseHandle(hRemoteThread); 
   ::CloseHandle(hProcess); 
   returnTRUE; 
} 
 
//从指定的地址空间卸载DLL 
BOOLCRemThreadInject::EjectModuleFrom(DWORDdwProcessId) 
{ 
   // 
   if(::GetCurrentProcessId()==dwProcessId) 
   { 
       returnFALSE;  
   } 
   BOOLbFound; 
   /************************************************************************/ 
   /*遍历模块                                                             */ 
   /************************************************************************/ 
   HANDLEhModuleSnap=INVALID_HANDLE_VALUE;  
   MODULEENTRY32me32;  
 
   // Takeasnapshotofallmodulesinthespecifiedprocess.  
   hModuleSnap=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,dwProcessId);  
   if(hModuleSnap==INVALID_HANDLE_VALUE)  
   {  
       return(FALSE);  
   }  
   me32.dwSize=sizeof(MODULEENTRY32);  
   if(!Module32First(hModuleSnap,&me32))  
   {  
       CloseHandle(hModuleSnap);    //Mustcleanupthesnapshotobject!  
       return(FALSE);  
   }  
   do  
   {  
       if(stricmp(me32.szModule,m_szDllName)==0) 
       { 
           bFound=TRUE; 
           break; 
       } 
   }while(Module32Next(hModuleSnap,&me32));  
 
   // Donotforgettocleanupthesnapshotobject.  
   CloseHandle(hModuleSnap);  
 
   if(!bFound)//如果没有加载模块，就不能卸载 
   { 
       returnFALSE; 
   } 
 
   //如果加载了，打开进程，远程注入 
 
   HANDLEhProcess=::OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,dwProcessId); 
   if(hProcess==NULL) 
   { 
       returnFALSE; 
   } 
   HMODULE hKernerl32=GetModuleHandle("kernel32.dll"); 
   LPTHREAD_START_ROUTINEpfnFreeLibrary=(LPTHREAD_START_ROUTINE)::GetProcAddress(hKernerl32,"FreeLibrary");
 
   intcbSize=strlen(m_szDllName)+1; 
   LPVOIDlpRemoteDllName=::VirtualAllocEx(hProcess,0,cbSize,MEM_COMMIT,PAGE_READWRITE); 
   ::WriteProcessMemory(hProcess,lpRemoteDllName,m_szDllName,cbSize,NULL); 
   HANDLEhRemoteThread=::CreateRemoteThreadEx(hProcess,NULL,0,pfnFreeLibrary,lpRemoteDllName,0,NULL,NULL); 
   if(NULL==hRemoteThread) 
   { 
       ::CloseHandle(hProcess); 
       returnFALSE; 
   } 
   //等待目标线程运行结束，即LoadLibraryA函数返回 
   ::WaitForSingleObject(hRemoteThread,INFINITE); 
   ::CloseHandle(hRemoteThread); 
   ::CloseHandle(hProcess); 
   returnTRUE; 
}

希望本文所述对大家的C++程序设计有所帮助。

本文地址： C++封装远程注入类CreateRemoteThreadEx实例