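/*
 * Classic CreateRemoteThread + LoadLibrary DLL injection: write the DLL path
 * into the target process, then start a remote thread whose entry point is
 * kernel32!LoadLibraryA with that path as its single argument.
 *
 * hprocess        handle to the target process. NOTE(review): it must carry
 *                 the access rights these calls need (at least
 *                 PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION,
 *                 PROCESS_VM_OPERATION, PROCESS_VM_WRITE, PROCESS_VM_READ);
 *                 this function does not verify that and fails silently.
 * lpszModuleName  path of the DLL to load inside the target. It is treated
 *                 as a narrow (ANSI) string: measured with strlen() and
 *                 resolved by LoadLibraryA, so despite the LPCTSTR type this
 *                 only builds correctly when UNICODE is not defined.
 *
 * Returns nothing; every failure is silent.
 *
 * NOTE(review): the LoadLibraryA address is resolved in *this* process and
 * reused in the target. That is only valid when both processes share the
 * same kernel32.dll mapping (same bitness); a 32-bit injector targeting a
 * 64-bit process, or vice versa, will pass a bogus entry point.
 */
void injection(HANDLE hprocess, LPCTSTR lpszModuleName)
{
    if (hprocess == NULL || lpszModuleName == NULL)
        return;

    /* Resolve the remote entry point before touching the target so that
     * nothing is allocated there if the lookup fails. The original passed
     * a possibly-NULL address straight to CreateRemoteThread, which would
     * crash the target thread instead of failing here. */
    HMODULE hKernel32 = GetModuleHandle("kernel32.dll");
    if (hKernel32 == NULL)
        return;
    LPTHREAD_START_ROUTINE pfnStartAddr =
        (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryA");
    if (pfnStartAddr == NULL)
        return;

    /* Bytes needed for the path including its terminating NUL. */
    SIZE_T cb = strlen(lpszModuleName) + 1;

    /* Commit a buffer for the path in the target's address space. Data only,
     * so it never needs to be executable. */
    LPVOID pszLibFileRemote = VirtualAllocEx(hprocess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
    if (pszLibFileRemote == NULL)
        return;

    /* Copy the path over; LoadLibraryA in the target will read it from there. */
    if (WriteProcessMemory(hprocess, pszLibFileRemote, (LPCVOID)lpszModuleName, cb, NULL)) {
        HANDLE hRemoteThread = CreateRemoteThread(hprocess, NULL, 0, pfnStartAddr,
                                                  pszLibFileRemote, 0, NULL);
        if (hRemoteThread != NULL) {
            /* LoadLibraryA must finish reading the path before the buffer is
             * released below, otherwise the remote thread reads freed memory. */
            WaitForSingleObject(hRemoteThread, INFINITE);
            CloseHandle(hRemoteThread);
        }
    }

    /* Release the remote buffer on every path. The original only freed it
     * after a successful thread creation (leaking it in the target on the
     * write/create failure paths) and referenced an undeclared `hProcess`. */
    VirtualFreeEx(hprocess, pszLibFileRemote, 0, MEM_RELEASE);
}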