Using CreateRemoteThread to control Excel's right-click handling (source code)

zhaozj2021-02-17  51

Load the DLL into the Excel.exe process with CreateRemoteThread, then use SetWindowLong() to replace the Excel window's procedure so that its right-click message is handled by the DLL. DLL source program: #include

// NOTE(review): this listing was flattened and machine-translated before it
// reached this page. Identifier case, operator placement and header names are
// altered (e.g. `Return True`, `& MSG`, `hInjectTarget!`), so it does not
// compile as shown. The code is reproduced unchanged; only comments and line
// breaks are added.
//
// Reading guide for defenders: the second program below follows the classic
// remote-thread injection sequence -- enable SeDebugPrivilege, OpenProcess with
// PROCESS_ALL_ACCESS, VirtualAllocEx with PAGE_EXECUTE_READWRITE,
// WriteProcessMemory, CreateRemoteThread. Endpoint monitoring commonly keys on
// that API sequence and on writable+executable allocations made in another
// process.

// ---------------------------------------------------------------------------
// Part 1: the DLL that ends up loaded inside the target process.
// ---------------------------------------------------------------------------

// DLL entry point: performs no work and returns TRUE for every notification.
BOOL __stdcall DllMain (HANDLE, DWORD, LPVOID) {return TRUE;}

// Remnant of a disabled shared-data-section declaration; `/ *` and `* /` look
// like a garbled block-comment pair.
/ * # pragma data_seg ( "shared") # pragma data_seg () # pragma comment (linker, "/ SECTION: shared, rws") * /

// Window procedure that was installed before the hook (set by HookExcelRightMenu).
WNDPROC g_lpfnOldWndProc;
// Window passed to HookExcelRightMenu; used as the owner of the message box.
HWND g_hMsgWnd;

// Replacement window procedure installed on the target window.
//   WM_RBUTTONDOWN: shows a message box and returns 1 without forwarding the
//                   message to the previous procedure.
//   WM_CLOSE:       calls ExitProcess(0), which ends the whole process this
//                   procedure runs in rather than closing one window.
//   anything else:  forwarded to the saved procedure, or to DefWindowProc when
//                   no previous procedure was recorded.
// Any C++ exception is swallowed by the empty catch, after which 0 is returned.
LRESULT APIENTRY HookExcelWndProc (HWND hWnd, UINT wMessage, WPARAM wParam, LPARAM lParam) {try {switch (wMessage) {case WM_RBUTTONDOWN: MessageBox (g_hMsgWnd, "u click the r button", "", MB_OK); return 1 ; break; case WM_CLOSE: :: ExitProcess (0); break; default: if (NULL == g_lpfnOldWndProc) return DefWindowProc (hWnd, wMessage, wParam, lParam); else return CallWindowProc (g_lpfnOldWndProc, hWnd, wMessage, wParam, lParam) ;}} catch (...) {} return 0;}

// Function the injected thread calls after loading the DLL (the loader below
// resolves it by ordinal 1). It records hwnd, replaces the window's procedure
// through SetWindowLong(GWL_WNDPROC) while saving the previous one, then runs a
// GetMessage loop and only returns once that loop ends.
// The result of SetWindowLong is stored without being checked.
LRESULT __stdcall HookExcelRightMenu (HWND hwnd) {g_hMsgWnd = hwnd; g_lpfnOldWndProc = (WNDPROC) :: SetWindowLong (hwnd, GWL_WNDPROC, (LONG) HookExcelWndProc); MSG msg; while (:: GetMessage (& MSG, NULL, 0, 0)) {TranslateMessage (& MSG); DispatchMessage (& MSG);} Return True;}

// ---------------------------------------------------------------------------
// Part 2: the injecting program. The next line is the page's own heading,
// followed by two #include directives whose header names were lost.
// ---------------------------------------------------------------------------
Injecting Process Source Program: #include #include
// Number of bytes allocated in, and copied to, the target process for the
// thread routine (`in t` is a garbled `int`).
const in t MAXINJECTSIZE = 10240;

// Function-pointer types for the three kernel32 routines the remote thread
// calls, plus the DLL function it invokes.
typedef HMODULE (__stdcall * LPLOADLIBRARY) (LPCTSTR);
typedef FARPROC (__stdcall * LPGETPROCADDRESS) (HMODULE, LPCTSTR);
typedef BOOL (__stdcall * LPFREELIBRARY) (HMODULE);
typedef LRESULT (__stdcall * LPHookExcelRightMenu) (HWND) ;

// Parameter block that InJectDllIntoProcess copies into the target process and
// hands to the remote thread: three routine addresses, the DLL path and the
// window to hook.
// NOTE(review): `MAX_PATH 1` presumably lost a `+` in extraction -- confirm.
typedef struct {LPLOADLIBRARY prcLoadLib; LPGETPROCADDRESS prcGetProcAddr; LPFREELIBRARY prcFreeLib; TCHAR szLibPath [MAX_PATH 1]; HWND hInjectWnd;} INJECT_DLL, * LPINJECT_DLL;

// Looks up a process id by executable name using a Toolhelp snapshot and a
// case-insensitive compare (stricmp); returns 0 when nothing matches.
// As written, the loop calls Process32Next before each comparison, so the
// entry returned by Process32First is never compared, and the early
// `return 0` leaves the snapshot handle open.
// The only visible call to this function is in the commented-out line inside
// InJectDllIntoProcess.
DWORD GetProcessIdFromName (LPCTSTR name) {PROCESSENTRY32 pe; DWORD id = 0; HANDLE hSnapshot = CreateToolhelp32Snapshot ( TH32CS_SNAPPROCESS, 0); pe.dwsize = sizeof (Processentry32);

if (! Process32First (hSnapshot, & pe)) return 0; do {pe.dwSize = sizeof (PROCESSENTRY32); if (Process32Next (hSnapshot, & pe) == FALSE) break; if (stricmp (pe.szExeFile, name) == 0) {id = pe.th32ProcessID; break;}} while (1); CloseHandle (hSnapshot); return id;}

// Requests SE_DEBUG_NAME (SeDebugPrivilege) on the current process token:
// opens the token, looks up the privilege LUID and calls
// AdjustTokenPrivileges with SE_PRIVILEGE_ENABLED. Returns nothing, so callers
// cannot tell whether the privilege was granted.
// NOTE(review): the `!` characters are displaced by the translation; the
// checks were presumably `if (!Call(...))` -- confirm against the original.
void EnableDebugPriv (void) {HANDLE hToken; LUID sedebugnameValue; TOKEN_PRIVILEGES tkp; if (OpenProcessToken (GetCurrentProcess ()! , TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, & hToken)) return; if (LookupPrivilegeValue (NULL, SE_DEBUG_NAME, & sedebugnameValue)) {CloseHandle (hToken); return;} tkp.PrivilegeCount = 1; tkp.Privileges [0] .Luid = sedebugnameValue; tkp!. Privileges [0] .Attributes = SE_PRIVILEGE_ENABLED; if (AdjustTokenPrivileges (hToken, FALSE, & tkp, sizeof tkp, NULL, NULL)!) (hToken) CloseHandle;}

// Stack checking is switched off around the routine whose bytes are copied
// into the other process.
#pragma check_stack (off)
// Thread routine that InJectDllIntoProcess copies into the target and starts
// with CreateRemoteThread. lpVoid points at the INJECT_DLL block. It calls
// only through the pointers in that block: load the DLL at szLibPath, resolve
// its export by ordinal 1 (MAKEINTRESOURCE (1)), call it with hInjectWnd, then
// free the library.
// Returns 0 on completion, -1 for a null parameter or a caught exception,
// -2 when the library fails to load, -3 when the export is not found.
static DWORD __stdcall ControlExcelThread (LPVOID lpVoid) {try {LPINJECT_DLL LPINJECT = (LPINJECT_DLL) LPVOID; if (null == lpinject) Return -1; HModule HMOD = LpInject-> prcLoadLib (lpInject-> szLibPath); if (NULL == hMod) return -2; LPHookExcelRightMenu lpHookExcelRightMenu; lpHookExcelRightMenu = (LPHookExcelRightMenu) lpInject -> prcGetProcAddr (hMod, MAKEINTRESOURCE (1)); if (! LpHookExcelRightMenu) { Lpinject -> prcFreelib (hmod); Return-3;} lphookexcelrightmenu (lpinject-> hinjectWnd); lpinject -> prcFreeelib (hmod);} catCH (...) {return -1;} return 0;}
# Pragma Check_stack on)

// Injects into the process that owns hwnd. pstrProcessName is only referenced
// by the commented-out lookup below. Returns -1 when no process id is
// obtained, -2 when OpenProcess fails, -3 when kernel32 cannot be loaded, and
// 0 otherwise -- including when thread creation fails, so the return value
// does not tell the caller whether anything ran in the target.
LRESULT InJectDllIntoProcess (LPCSTR pstrProcessName, HWND hwnd) {DWORD dwProcessID = 0;
// NOTE(review): in this flattened listing the GetWindowThreadProcessId call
// sits after the `//` on the same line, so as shown it is commented out too;
// the original presumably had a line break before it -- confirm.
// dwProcessID = GetProcessIdFromName (pstrProcessName); GetWindowThreadProcessId (hwnd, & dwProcessID);

if (dwProcessID <1) return -1;
// Enable SeDebugPrivilege, then open the target with full access rights.
EnableDebugPriv (); HANDLE hInjectTarget = OpenProcess (PROCESS_ALL_ACCESS, FALSE, dwProcessID); if (hInjectTarget!) return -2;
// Fill the parameter block with the addresses of LoadLibraryA, FreeLibrary and
// GetProcAddress as resolved in THIS process; the remote thread later calls
// them in the target, which presumes kernel32 is mapped at the same address
// there -- TODO confirm.
INJECT_DLL pstInjectDll; memset (& pstInjectDll, 0x0, sizeof (INJECT_DLL)); HMODULE hModule = :: LoadLibrary (TEXT ( "kernel32")); if (hModule!) return -3; pstInjectDll.prcLoadLib = (LPLOADLIBRARY) :: GetProcAddress (hModule, TEXT ( "LoadLibraryA")); pstInjectDll.prcFreeLib = ( LPFREELIBRARY) :: GetProcAddress (hModule, TEXT ( "FreeLibrary")); pstInjectDll.prcGetProcAddr = (LPGETPROCADDRESS) :: GetProcAddress (hModule, TEXT ( "GetProcAddress")); pstInjectDll.hInjectWnd = hwnd;
// DLL location is a hard-coded absolute path on drive E:.
lstrcpy (pstInjectDll.szLibPath, TEXT ( "E: //KDCP//backup//dll//injectdll//debug//injectdll.dll"));
// Two allocations in the target: a read/write/execute region for the routine
// and a read/write region for the parameter block. Neither result is checked.
LPBYTE lpExcelAddr = (LPBYTE) :: VirtualAllocEx (hInjectTarget, NULL, MAXINJECTSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE); LPINJECT_DLL Param = (lpinject_dll) VirtualaLalkEx (HinjectTarget, 0, Sizeof (Inject_dll), MEM_COMMIT, PAGE_READWRITE);
// Copy MAXINJECTSIZE bytes starting at ControlExcelThread (a fixed size, not
// the routine's actual length) and then the parameter block; the write
// results are not checked either.
WriteProcessMemory (HinjectTarget, LPEXCELADDR, & &) ControlExcelThread, MAXINJECTSIZE, 0); WriteProcessMemory (hInjectTarget, param, & pstInjectDll, sizeof (INJECT_DLL), 0);
// Start the copied routine in the target with the parameter block as its
// argument. The error code fetched on failure is stored in dwThreadId and not
// used afterwards.
DWORD dwThreadId = 0; HANDLE hInjectThread; try {hInjectThread = :: CreateRemoteThread (hInjectTarget, NULL, 0, (LPTHREAD_START_ROUTINE) lpExcelAddr, param, 0, & dwThreadId);} catch (...) {} if (hInjectThread) dwThreadId = :: GetLastError ();! else CloseHandle (hInjectThread);
// Cleanup: close the process handle and release both remote allocations.
CloseHandle (hInjectTarget); :: VirtualFreeEx (hInjectTarget, lpExcelAddr, 0, Mem_release) ;: VirtualFreeex (HinjectTarget, Param, 0, Mem_Release); Return 0;}

// Program entry: looks for a top-level window of class "XLmain".
// The listing is cut off here on the page; the rest of main is not shown.
void main () {hwnd hwnd; hWnd = FindWindowEx (NULL, NULL, "XLmain", null); if (hwnd) {hWnd =

转载请注明原文地址:https://www.9cbs.com/read-30389.html
