
dll远程注入部分代码


/*
 * InjectDll - load the DLL named by the global g_szDllPath into process
 * dwProcsId by writing the path into the target and starting a remote thread
 * whose start routine is LoadLibraryA.
 *
 * Reviewer notes (risk / detection): the call sequence below - OpenProcess with
 * write rights, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread - is the
 * classic remote-thread injection pattern and is a well-known detection
 * signature for endpoint monitoring; a defender should expect exactly these
 * calls to show up in telemetry.
 *
 * Correctness defects in this version, left as-is:
 *  - hProc is never passed to CloseHandle, so it leaks on every return path
 *    after OpenProcess (including the success path);
 *  - the thread handle returned by CreateRemoteThread is discarded without
 *    CloseHandle, and the remote buffer is never released;
 *  - sizeof(g_szDllPath) only covers the whole path if g_szDllPath is a
 *    global array, not a pointer - its declaration is outside this listing,
 *    TODO confirm;
 *  - THREAD_START_FUNC is a project typedef not shown here.
 *
 * @param dwProcsId  id of the target process
 * @return TRUE once the remote thread has been created, FALSE on any failure;
 *         the GetLastError value of the failing call is not preserved.
 */
BOOL InjectDll(DWORD dwProcsId)
{
 if(EnableDebugPriv(SE_DEBUG_NAME) == 0)
 {
  return FALSE;
 }

//Pay attention to the first (access-mask) argument; otherwise the handle obtained may not be usable for the calls below
 HANDLE hProc = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwProcsId);
 if(NULL == hProc)
  return FALSE;

 //get LoadLibraryA addr
 // NOTE(review): the address is resolved in *this* process and reused in the
 // target; that only works when kernel32 is mapped at the same base in both
 // (same bitness) - nothing here checks that.
 THREAD_START_FUNC pFuncAddr = (THREAD_START_FUNC)GetProcAddress(GetModuleHandleA("kernel32"), "LoadLibraryA");
 if(NULL == pFuncAddr)
  return FALSE;

 //alloc remote process addr to save dll path
 void * pRemoteDllPathAddr = VirtualAllocEx(hProc, NULL, sizeof(g_szDllPath), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 if(NULL == pRemoteDllPathAddr)
  return FALSE;

 //write dll path, g_szDllPath is dll path...
 if(FALSE == WriteProcessMemory(hProc, pRemoteDllPathAddr, g_szDllPath, sizeof(g_szDllPath), NULL))
  return FALSE;
 //inject dll
 // The remote thread receives pRemoteDllPathAddr as its single argument, which
 // is what makes LoadLibraryA usable as a thread start routine. The returned
 // thread handle is dropped here (leak) and the thread is never waited on, so
 // success only means "thread created", not "DLL loaded".
 if (NULL == CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)pFuncAddr, pRemoteDllPathAddr, NULL, NULL))
  return FALSE;

 return TRUE;
}

/*
 * EnableDebugPriv - enable the named privilege (InjectDll passes SE_DEBUG_NAME)
 * on the current process's access token.
 *
 * Reviewer notes:
 *  - hToken is never passed to CloseHandle, so it leaks on every path after
 *    OpenProcessToken succeeds;
 *  - a non-zero return from AdjustTokenPrivileges does not mean the privilege
 *    was enabled: when the token does not hold it the call still "succeeds"
 *    and reports ERROR_NOT_ALL_ASSIGNED through GetLastError, which is not
 *    checked here, so this function can return 1 without the privilege
 *    actually being held;
 *  - the parameter is WCHAR but SE_DEBUG_NAME expands via TEXT(), so this only
 *    matches in a UNICODE build - TODO confirm build settings.
 *
 * @param szName  privilege name as a wide string, passed to LookupPrivilegeValueW
 * @return 1 when every call succeeded, 0 on the first failure
 */
int EnableDebugPriv(WCHAR szName[])
{
 HANDLE hToken;
 TOKEN_PRIVILEGES tp;
 LUID luid;
 
 // Open the process access token
 if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
 {
  return 0;
 }
 
 if(!LookupPrivilegeValueW(NULL,szName,&luid))
 {
  return 0;
 }
 
 // Only the first Privileges entry is filled in, matching PrivilegeCount = 1.
 tp.PrivilegeCount = 1;
 tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
 tp.Privileges[0].Luid = luid;
 // Adjust privileges
 if(!AdjustTokenPrivileges(hToken,0,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL))
 {
  return 0;
 }
 
 return 1;
}
