远程加载与卸载DLL

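/*
 * Look up a process ID by executable image name.
 *
 * szProcess: image file name as it appears in the process list, including the
 *            extension (the original author's note: "remember the .exe
 *            suffix"). Compared with _tcscmp, so the match is case-sensitive
 *            even though Windows file names are not.
 * Returns the PID of the first matching process, or 0 when nothing matched or
 * the snapshot could not be taken.
 */
DWORD GetProcessIdByName(LPCTSTR szProcess)
{
    DWORD dwRet = 0;
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    /* CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not NULL. */
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        return 0;
    }

    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof pe32;   /* must be set before Process32First */

    /* Only walk the list if the first entry was actually filled in; the
     * original do/while compared an unfilled pe32 when Process32First failed. */
    if (Process32First(hSnapshot, &pe32)) {
        do {
            if (_tcscmp(pe32.szExeFile, szProcess) == 0) {
                dwRet = pe32.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnapshot, &pe32));
    }

    CloseHandle(hSnapshot);
    return dwRet;
}

/*
 * Make process dwID load the module at path szModule: the path is copied into
 * the target's address space and a thread is started there whose entry point
 * is LoadLibrary and whose argument is that copy.
 *
 * szModule: module path, copied (with its NUL terminator) into the target.
 * dwID:     target process ID.
 * Returns TRUE only when the remote LoadLibrary call reported a non-zero
 * module handle; FALSE on any API failure (GetLastError() describes the
 * failing call) or when LoadLibrary itself failed. Every handle and the
 * remote allocation are released on all paths.
 *
 * The original comment notes that kernel32.dll is mapped at the same address
 * in every process; the code relies on that so the LoadLibrary address
 * resolved here is valid in the target. It holds only for processes of the
 * same bitness, not across a 32/64-bit boundary.
 *
 * Monitoring note: OpenProcess with PROCESS_VM_WRITE | PROCESS_CREATE_THREAD
 * on a foreign process followed by VirtualAllocEx, WriteProcessMemory and
 * CreateRemoteThread is the canonical remote-thread injection sequence and is
 * what endpoint telemetry typically keys on.
 */
BOOL Inject(LPCTSTR szModule, DWORD dwID)
{
    BOOL bOk = FALSE;
    HANDLE hProcess = NULL;
    HANDLE hRemoteThread = NULL;
    LPVOID pAddr = NULL;

    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwID);
    if (!hProcess) {
        return FALSE;
    }

    /* Size of the path in bytes including the terminator (TCHAR may be 2 bytes). */
    SIZE_T cByte = (_tcslen(szModule) + 1) * sizeof(TCHAR);
    pAddr = VirtualAllocEx(hProcess, NULL, cByte, MEM_COMMIT, PAGE_READWRITE);
    if (!pAddr || !WriteProcessMemory(hProcess, pAddr, szModule, cByte, NULL)) {
        goto cleanup;   /* the original returned here and leaked hProcess/pAddr */
    }

    /* The remote thread needs the entry point matching the character width of
     * the string we wrote: LoadLibraryW for a wide path, LoadLibraryA otherwise. */
#ifdef _UNICODE
    PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
        GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
#else
    PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
        GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
#endif
    if (!pfnStartAddr) {
        goto cleanup;
    }

    DWORD dwThreadID = 0;
    hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, pfnStartAddr, pAddr, 0, &dwThreadID);
    if (!hRemoteThread) {
        goto cleanup;
    }
    WaitForSingleObject(hRemoteThread, INFINITE);

    /* The thread's exit code is LoadLibrary's return value; 0 means the load
     * failed, which the original ignored and reported as success. On 64-bit
     * targets only the low 32 bits of the HMODULE survive, so the non-zero
     * test is a heuristic there rather than an exact check. */
    DWORD dwExit = 0;
    if (GetExitCodeThread(hRemoteThread, &dwExit) && dwExit != 0) {
        bOk = TRUE;
    }

cleanup:
    if (hRemoteThread) {
        CloseHandle(hRemoteThread);
    }
    if (pAddr) {
        /* MEM_COMMIT is not a valid VirtualFreeEx flag (the original call
         * failed and left the page allocated in the target); MEM_RELEASE with
         * size 0 frees the whole region. */
        VirtualFreeEx(hProcess, pAddr, 0, MEM_RELEASE);
    }
    CloseHandle(hProcess);
    return bOk;
}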

简单提权函数

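/*
 * Enable or disable one privilege in the current process's access token.
 *
 * lpszPrivilegeName: privilege name string (one of the SE_*_NAME values
 *                    declared in winnt.h).
 * bEnable:           TRUE sets SE_PRIVILEGE_ENABLED on the privilege, FALSE
 *                    clears it.
 * Returns TRUE only when AdjustTokenPrivileges succeeded and reported
 * ERROR_SUCCESS. Returns FALSE when the token cannot be opened, the name is
 * unknown, or the privilege is not present on the token (AdjustTokenPrivileges
 * then reports ERROR_NOT_ALL_ASSIGNED). Only privileges the token already
 * holds can be enabled; this function cannot add new ones.
 */
BOOL EnablePrivilege(LPCTSTR lpszPrivilegeName, BOOL bEnable)
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tp;
    LUID luid;
    BOOL bOk = FALSE;

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | TOKEN_READ,
                          &hToken)) {
        return FALSE;
    }

    /* An unknown privilege name is a failure. The original returned TRUE here
     * and also leaked hToken. */
    if (!LookupPrivilegeValue(NULL, lpszPrivilegeName, &luid)) {
        CloseHandle(hToken);
        return FALSE;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;

    /* AdjustTokenPrivileges can return TRUE without adjusting anything; the
     * real outcome is in GetLastError(), which has to be read before
     * CloseHandle can overwrite it (the original read it afterwards). */
    if (AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL)) {
        bOk = (GetLastError() == ERROR_SUCCESS);
    }

    CloseHandle(hToken);
    return bOk;
}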

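/*
 * Ask process dwID to unload module szDllName. Two remote threads are used:
 * the first runs GetModuleHandle(name) to obtain the module's handle in the
 * target, the second runs FreeLibrary on that handle.
 *
 * szDllName: module name in the form GetModuleHandle expects; copied (with
 *            its terminator) into the target. (Original comment: "name of the
 *            DLL to unload, process PID".)
 * dwID:      target process ID.
 * Returns TRUE when the module was found in the target and the remote
 * FreeLibrary call reported success; FALSE on any API failure or when the
 * target has no module of that name loaded. Handles and the remote
 * allocation are released on all paths.
 *
 * Limitations inherited from the design:
 *  - The module handle comes back as the first thread's exit code, a DWORD,
 *    so on a 64-bit target only the low 32 bits survive; this is reliable for
 *    32-bit targets only.
 *  - The GetModuleHandle/FreeLibrary addresses are taken from this process and
 *    assumed valid in the target (the original comment: kernel32.dll is mapped
 *    at the same address everywhere), which holds only for the same bitness.
 *  - A single FreeLibrary only decrements the module's reference count; a
 *    module referenced more than once stays loaded.
 */
BOOL UnLoadDll(LPCTSTR szDllName, DWORD dwID)
{
    BOOL bOk = FALSE;
    HANDLE hProcess = NULL;
    HANDLE hRemoteThread = NULL;
    HANDLE hFreeThread = NULL;
    LPVOID pAddr = NULL;

    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwID);
    if (!hProcess) {
        return FALSE;
    }

    /* Size of the name in bytes including the terminator (TCHAR may be 2 bytes). */
    SIZE_T cByte = (_tcslen(szDllName) + 1) * sizeof(TCHAR);
    pAddr = VirtualAllocEx(hProcess, NULL, cByte, MEM_COMMIT, PAGE_READWRITE);
    if (!pAddr || !WriteProcessMemory(hProcess, pAddr, szDllName, cByte, NULL)) {
        goto cleanup;   /* the original returned here and leaked hProcess/pAddr */
    }

    /* Entry point must match the character width of the string we wrote. */
#ifdef _UNICODE
    PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetModuleHandleW;
#else
    PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetModuleHandleA;
#endif
    /* FreeLibrary has no A/W variants; the original's #ifdef around it picked
     * the same symbol on both sides. */
    PTHREAD_START_ROUTINE pfnFreeAddr = (PTHREAD_START_ROUTINE)FreeLibrary;

    DWORD dwThreadID = 0;
    DWORD dwFreeId = 0;
    DWORD dwHandle = 0;   /* initialised: the original read it even if GetExitCodeThread failed */

    hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, pfnStartAddr, pAddr, 0, &dwThreadID);
    if (!hRemoteThread) {
        goto cleanup;
    }
    WaitForSingleObject(hRemoteThread, INFINITE);

    /* Exit code == GetModuleHandle's return value. 0 means the module is not
     * loaded; the original still passed that NULL to FreeLibrary and returned
     * TRUE. */
    if (!GetExitCodeThread(hRemoteThread, &dwHandle) || dwHandle == 0) {
        goto cleanup;
    }

    /* Have the target call FreeLibrary on its own handle. */
    hFreeThread = CreateRemoteThread(hProcess, NULL, 0, pfnFreeAddr,
                                     (LPVOID)(ULONG_PTR)dwHandle, 0, &dwFreeId);
    if (!hFreeThread) {
        goto cleanup;
    }
    WaitForSingleObject(hFreeThread, INFINITE);

    /* FreeLibrary returns non-zero on success; report that instead of a blanket TRUE. */
    DWORD dwFreeResult = 0;
    if (GetExitCodeThread(hFreeThread, &dwFreeResult) && dwFreeResult != 0) {
        bOk = TRUE;
    }

cleanup:
    if (hFreeThread) {
        CloseHandle(hFreeThread);
    }
    if (hRemoteThread) {
        CloseHandle(hRemoteThread);
    }
    if (pAddr) {
        /* MEM_COMMIT is not a valid VirtualFreeEx flag (the original call
         * failed and left the page allocated in the target); MEM_RELEASE with
         * size 0 frees the whole region. */
        VirtualFreeEx(hProcess, pAddr, 0, MEM_RELEASE);
    }
    CloseHandle(hProcess);
    return bOk;
}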
