
CreateRemoteThread

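/************************************************************************/
/* Inject a DLL into another process via CreateRemoteThread.             */
/*                                                                        */
/* The DLL path is copied into the target and a remote thread is started */
/* at the address LoadLibraryW has in *this* process's kernel32. That     */
/* address is only meaningful in the target when both processes share    */
/* the same bitness and kernel32 image base (normal on Windows, but an   */
/* x86 injector cannot target an x64 process or vice versa).             */
/*                                                                        */
/* Parameters:                                                            */
/*   dwProcessId - target process ID                                      */
/*   lpDllPath   - NUL-terminated wide path of the DLL to load            */
/* Returns TRUE only when the remote LoadLibraryW reported a non-zero    */
/* module handle; FALSE on any failure (details via OutputDebugString).  */
/************************************************************************/
BOOL InjectModuleToProcessByRT(DWORD dwProcessId, LPWSTR lpDllPath)
{
    BOOL   bRet            = FALSE;
    HANDLE hProcess        = NULL;
    HANDLE hThread         = NULL;
    LPWSTR lpRemoteDllName = NULL;
    WCHAR  szBuf[MAX_PATH] = {0};

    /* Refuse the idle/System process and the session-critical smss.exe /
     * csrss.exe: a faulting LoadLibrary in those takes the machine down. */
    DWORD dwSmss  = GetProcessIdByName(L"smss.exe");
    DWORD dwCsrss = GetProcessIdByName(L"csrss.exe");
    if (dwProcessId == 0 || dwProcessId == 4 ||
        dwProcessId == dwSmss || dwProcessId == dwCsrss)
    {
        return bRet;
    }

    /* LoadLibraryW(NULL/"") can never succeed; fail before touching the target. */
    if (lpDllPath == NULL || lpDllPath[0] == L'\0')
    {
        OutputDebugString(L"[error]InjectModuleToProcessByRT: empty DLL path");
        return bRet;
    }

    __try
    {
        /* Least privilege: exactly the rights VirtualAllocEx, WriteProcessMemory,
         * CreateRemoteThread and VirtualFreeEx need, instead of PROCESS_ALL_ACCESS. */
        const DWORD dwAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                               PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
        hProcess = OpenProcess(dwAccess, FALSE, dwProcessId);
        if (hProcess == NULL)
        {
            wsprintf(szBuf, L"[error]OpenProcess(%d)", GetLastError());
            OutputDebugString(szBuf);
            __leave;
        }

        /* Bytes needed for the path, terminating NUL included. */
        SIZE_T cb = ((SIZE_T)lstrlenW(lpDllPath) + 1) * sizeof(WCHAR);

        /* Reserve+commit a buffer in the target for the path string. */
        lpRemoteDllName = (LPWSTR)VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
        if (lpRemoteDllName == NULL)
        {
            wsprintf(szBuf, L"[error]VirtualAllocEx(%d)", GetLastError());
            OutputDebugString(szBuf);
            __leave;
        }

        if (!WriteProcessMemory(hProcess, lpRemoteDllName, (PVOID)lpDllPath, cb, NULL))
        {
            wsprintf(szBuf, L"[error]WriteProcessMemory(%d)", GetLastError());
            OutputDebugString(szBuf);
            __leave;
        }

        /* LoadLibraryW(LPCWSTR) has the same calling shape as a thread start
         * routine, so the remote thread can call it directly with the path. */
        PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
            GetProcAddress(GetModuleHandle(L"Kernel32"), "LoadLibraryW");
        if (pfnThreadRtn == NULL)
        {
            OutputDebugString(L"[error]Get LoadLibraryW Address Fail");
            __leave;
        }

        hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, lpRemoteDllName, 0, NULL);
        if (hThread == NULL)
        {
            wsprintf(szBuf, L"[error]CreateRemoteThread(%d)", GetLastError());
            OutputDebugString(szBuf);
            __leave;
        }

        /* Wait for the remote LoadLibraryW to return before the path buffer is
         * released in __finally; a still-running thread would read freed memory. */
        if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0)
        {
            wsprintf(szBuf, L"[error]WaitForSingleObject(%d)", GetLastError());
            OutputDebugString(szBuf);
            __leave;
        }

        /* The thread's exit code is LoadLibraryW's return value: NULL means the
         * DLL was not loaded even though the thread ran. Only the low 32 bits of
         * the HMODULE survive on Win64, so a non-zero check is all this asserts. */
        DWORD dwExitCode = 0;
        if (!GetExitCodeThread(hThread, &dwExitCode))
        {
            wsprintf(szBuf, L"[error]GetExitCodeThread(%d)", GetLastError());
            OutputDebugString(szBuf);
            __leave;
        }
        if (dwExitCode == 0)
        {
            OutputDebugString(L"[error]Remote LoadLibraryW returned NULL");
            __leave;
        }

        bRet = TRUE;
    }
    __finally
    {
        /* Release in reverse order; each step is independent of the others. */
        if (lpRemoteDllName != NULL)
            VirtualFreeEx(hProcess, lpRemoteDllName, 0, MEM_RELEASE);
        if (hThread != NULL)
            CloseHandle(hThread);
        if (hProcess != NULL)
            CloseHandle(hProcess);
    }
    return bRet;
}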
