远程线程挂接DLL的实现模型

#include <windows.h>
#include <stdio.h>
#include <Tlhelp32.h>
void usage(char *);

int main(int argc, char* argv[])
{
//char *Dll = "C://DLL.dll";
HANDLE hProcess = NULL,hRometeThread = NULL,hRometeThread2 = NULL;

LPVOID pszRemoteMemory = NULL;
HANDLE hSnapShot = NULL;
int PID = atoi(argv[1]);
char *Dll = argv[2];

if(argc!=3)
{
usage(argv[0]);
return 1;
}

__try
{
hProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,PID);

if(hProcess==NULL)
{
printf("failed to open process.");
__leave;
}

pszRemoteMemory = VirtualAllocEx(hProcess,NULL,30,MEM_COMMIT,PAGE_READWRITE);

if(pszRemoteMemory==NULL)
{
printf("/n failed to malloc memory in the remote process.");
__leave;
}

if(!WriteProcessMemory(hProcess,pszRemoteMemory,Dll,30,NULL))
{
printf("/n failed to write remote memory.");
__leave;
}

PTHREAD_START_ROUTINE pAddrOfLoad = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("Kernel32"),"LoadLibraryA");
if(pAddrOfLoad==NULL)
{
printf("/n failed to get loadlibrary proc addr.");
__leave;
}

hRometeThread = CreateRemoteThread(hProcess,NULL,0,pAddrOfLoad,pszRemoteMemory,0,NULL);
if(hRometeThread==NULL)
{
printf("/n failed to create remote thread");
__leave;
}

WaitForSingleObject(hRometeThread,INFINITE);

Sleep(5000);

PTHREAD_START_ROUTINE pAddrOfFree = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("Kernel32"),"FreeLibrary");
if(pAddrOfFree==NULL)
{
printf("/n failed to get freelibrary proc addr.");
__leave;
}

MODULEENTRY32 DllModules; DllModules.dwSize = sizeof(DllModules);

hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,PID);
if(hSnapShot==NULL)
{
printf("/n failed to get modules.");
__leave;
}

Module32First(hSnapShot,&DllModules);
while(DllModules.szModule!=szDllFile)
{
if(!Module32Next(hSnapShot,&DllModules))
break;
}

hRometeThread2 = CreateRemoteThread(hProcess,NULL,0,pAddrOfFree,DllModules.modBaseAddr,0,NULL);
if(hRometeThread2==NULL)
{
printf("/n failed to free dll.");
__leave;
}

WaitForSingleObject(hRometeThread2,INFINITE);

}
__finally
{
if(hProcess!=NULL)
CloseHandle(hProcess);
if(pszRemoteMemory!=NULL)
VirtualFreeEx(hProcess,pszRemoteMemory,0,MEM_RELEASE);
if(hRometeThread!=NULL)
CloseHandle(hRometeThread);
if(hSnapShot!=NULL)
CloseHandle(hSnapShot);
if(hRometeThread2!=NULL)
CloseHandle(hRometeThread2);
}

return 0;
}

void usage(char *tool)
{
printf(" /n using remote thread to inject dlls demoing ");
printf("/n %s usage:%s PID DLL",tool,tool);
printf("/n by Rhett 2005.05.13");
}