Enough talk — let's look at the code:
//
RMTDLL.CPP: Defines the entry point for the console application.
//
#include
"
STDAFX.H
"
#include
<
Windows.h
>
#include
<
STDLIB.H
>
#include
<
stdio.h
>
#include
"
PSAPI.H
"
//
#include "psapi.h"
//
#pragma comment (lib, "psapi.lib")
// Forward declarations of the three helpers defined further down, followed by
// the file-scope state that Main() fills in and Checkerror() releases.
// NOTE(review): this listing is a lossy transcription — identifier case varies
// between declaration and use, and the type of HREMOTEPROCESS (a process
// handle, judging by its use with OpenProcess/CloseHandle below) is missing.
// It will not compile as shown; the comments describe the visible intent only.
DWORD Processtopid
charr
*
);
//
Convert the process name to PID functions
// Checkerror(returnCode, errorCode, message): if the two codes are equal, print
// the message with GetLastError(), release the globals below and exit.
Void
Checkerror
int
,
int
,
charr
*
);
//
Error handler function
// USAGE(message): print the message and the usage text, then exit.
Void
USAGE
charr
*
);
//
Use instructions function
// Shared state: the target process/thread handles, the target PID and the
// pointer to the path buffer allocated inside the target.  Keeping these global
// lets Checkerror() clean up from any failure point, at the cost of making the
// ownership of each handle hard to follow.
PDWORD PDWTHREADID; HREMOTEPROCESS; DWORD FDWCREATE, DWSTACKSIZE, DWREMOTEPROCESSID; PWSTR PSZLIBFILEMOTE
=
NULL;
// Entry point.  argv[1] is a PID or a process name, argv[2] a DLL path.  After
// argument handling the code performs the textbook sequence
//   OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
// with LoadLibraryW as the thread start routine, waits for that thread, and
// releases the remote buffer and both handles.
// Detection note: a cross-process handle opened with
// PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE followed by a
// remote thread whose start address is LoadLibraryW is exactly the pattern
// process-access and CreateRemoteThread telemetry (e.g. Sysmon events 10 and 8)
// is designed to surface.
// NOTE(review): lossy transcription — operators, parentheses and the closing
// brace of this function are missing in places; see the inline notes.
Void
Main
int
Argc,
charr
**
Argv) {
int
IreturNCode;
// LPDLFULLPATHNAME receives the absolute ANSI path; pszlibfilename is its
// wide-char copy.  The zero-initialisation of pszlibfilename is what provides
// its terminator: MultiByteToWideChar() below is given strlen() as the input
// length and therefore does not write a NUL itself.
charr
LPDLFULLPATHNAME [MAX_PATH]; wchar pszlibfilename [max_path]
=
{
0
}
//
Processing command line parameters
/ *
Argv [0] = "f: /testtempprogramming/rmtdll/debug/rtdll.exe"; argv [1] = "Explorer.exe"; argv [2] = "f: /testtempprogramming/testdll/debug/testdll.dll" ;
* /
// Exactly two arguments are required; USAGE() exits, so the else branch is the
// whole remaining body.
IF
(Argc)
! =
3
USAGE
"
Parametes Number IncorRect!
"
);
Else
{
//
Convert to PID if you enter a process name
// Only the first character is tested: "12abc" is accepted and atoi() silently
// stops at the first non-digit and cannot report overflow.  strtoul() with an
// end-pointer check would reject malformed input instead.
IF
(Isdigit)
*
Argv [
1
])) DWREMOTEPROCESSID
=
ATOI (Argv [
1
]);
Else
DwremoteProcessid
=
Processtopid (Argv [
1
]);
//
Judging whether the input DLL file name is absolute path
// "Absolute" means the string contains ":/" anywhere, not only at offset 1.
// strncpy() with a count of MAX_PATH leaves LPDLFULLPATHNAME unterminated when
// argv[2] is MAX_PATH characters or longer, and the later STRLEN() would then
// read past the buffer; a length check (or snprintf) before the copy closes that.
IF
(strstr (argv [
2
],
"
: /
"
)
! =
NULL) STRNCPY (LPDLFULLPATHNAME, ARGV [
2
], MAX_PATH);
Else
{
//
Get the current directory, convert the relative path into an absolute path
// GetCurrentDirectory() returning 0 is fatal via Checkerror().  The two
// unbounded strcat() calls that follow can overflow the MAX_PATH buffer when
// directory + "/" + argv[2] exceeds MAX_PATH; the combined length should be
// checked before concatenating.
IReturnCode
=
GetCurrentDirectory (max_path, lpdllfullpathname); Checkerror (IReturncode,
0
,
"
GetCurrentDirectory
"
STRCAT (LPDLFULLPATHNAME,
"
/
"
); Strcat (lpdllfullpathname, argv [
2
]); Printf
"
Convert DLL FileName To Fullpathname:% s "
LPDLLLLLPATHNAME);
//
Determine if the DLL file exists
// Existence is probed by opening the file for reading; HFILE_ERROR means
// "not found or not readable".  NOTE(review): no _lclose() appears anywhere in
// this listing, so the file handle from a successful _lopen() is never released.
IReturnCode
=
(
int
_Lopen (LPDLFULLPATHNAME, OF_READ);
//
IReturnCode = 0;
Checkerror (IReturncode, Hfile_ERROR,
"
DLL File Not Exist
"
);
//
Convert the ANSI code of the DLL file full path to Unicode code
// MB_ERR_INVALID_CHARS makes the conversion fail (return 0) on malformed input
// instead of substituting characters — the right choice for a path.
IReturnCode
=
MultibyToWideChar (CP_ACP, MB_ERR_INVALID_CHARS, LPDLLLLPATHNAME, STRLEN (LPDLLLLPATHNAME), PSZLIBFILENAME, MAX_PATH); Checkerror (IReturncode,
0
,
"
MultByToWideChar
"
);
//
Output last operational parameters
WPrintf (L)
"
Will inject% s
"
, Pszlibfilename); Printf
"
INTO Process:% s pid =% d
"
, Argv [
1
], Dwremoteprocessid;}
//
Open remote process
// The three access rights are the minimum this technique needs; together they
// are a strong signal in process-access logs.  A NULL handle (no such PID, or
// access denied for a process of another user) is fatal via Checkerror().
HREMOTEPROCESS
=
OpenProcess (Process_create_thread
|
//
Allow creation threads
Process_vm_operation
|
//
Allow VM operation
Process_vm_write,
//
Allow VM to write
False, dwremoteProcessId; Checkerror
int
HREMOTEPROCESS, NULL,
"
Remote Process Not Exist or Access Denied!
"
);
//
Calculate memory space required for DLL path name
// Intended size is (1 + lstrlenW(path)) * sizeof(WCHAR), i.e. including the
// terminator; the '+' has been lost in this transcription.
int
CB
=
(
1
Lstrlenw (pszlibfilename))
*
Sizeof
(Wchar); pszlibfileremote
=
(PWSTR) Virtualallocex (HremoteProcess, NULL, CB, MEM_COMMIT, PAGE_READWRITE); Checkerror
int
Pszlibfileremote, NULL,
"
VirtualaLalkEx
"
);
//
Copy the path name of the DLL to the memory space of the remote process
// WriteProcessMemory() returns FALSE on failure.  The bytes-written output
// parameter is NULL, so a partial write would not be detected.
IReturnCode
=
WriteProcessMemory (HremoteProcess, PszlibfileRemote, (PVOID) PSzlibfileName, CB, NULL; Checkerror (IReturncode,
False
,
"
WriteProcessMemory
"
);
//
Calculate the entrance address of LoadLibraryw
// The address is resolved in this process and reused as-is in the target.
Pthread_start_routine PfnStartAddr
=
(Pthread_start_routine) getProcadDress (getModuleHandle (Text)
"
Kernel32
"
))
"
LoadLibraryw
"
CHECKERROR
int
PfnStartAddr, NULL,
"
GetProcaddress "
);
//
Start the remote thread, call the user's DLL file via the remote thread
// The remote path buffer is the single argument LoadLibraryW receives.
HremoteThread
=
CreateRemoteThread (HremoteProcess, Null,
0
, Pfnstartaddr, pszlibfileremote,
0
, NULL); Checkerror
int
HREMOTETHREAD, NULL,
"
CREATE Remote Thread
"
);
//
Wait for remote thread to exit
// Blocks until LoadLibraryW (and therefore the DLL's DllMain) returns in the
// target.  The thread exit code is not retrieved, so a load failure inside the
// target goes unreported here.
WaitforsingleObject (HREMOTETHREAD, INFINITE);
//
Qingfang processing
// "Qingfang" is an untranslated "cleanup": free the remote buffer and close
// both handles.  Checkerror() repeats the same three steps on its error path.
// NOTE(review): the closing brace of Main() does not appear in this listing.
IF
(pszlibfileremote
! =
NULL) VirtualFreeEx (HremoteProcess, PszlibfileRemote,
0
MEM_RELEASE;
IF
(HREMOTETHREAD)
! =
NULL) CloseHandle (HREMOTETHREAD);
IF
(HremoteProcess)
! =
NULL) CloseHandle (HREMOTEPROCESS);
//
Convert the process name to PID functions
// Processtopid(name): return the PID of the first running process whose base
// module name equals `name` (case-insensitive, via _stricmp), or 0 when the
// enumeration fails or nothing matches.  The caller treats 0 as "no such
// process" and lets OpenProcess() fail on it.
// NOTE(review): lossy transcription — the loop index `i` and the `hProcess`
// handle are used but their declarations are not visible (the bare
// `UNSIGNED int` line is probably the index declaration).
DWORD Processtopid
charr
*
InputProcessName) {DWORD APROCESSES [
1024
], CBNEED, CPROCESS; UNSIGNED
int
HMODule HMOD;
// szprocessname is only overwritten by GetModuleBaseName(); see the note below.
charr
szprocessname [max_path]
=
"
UnknownProcess
"
;
//
Calculate how many processes currently, Aprocesses [] used to store effective process PIDS
// A fixed 1024-entry array: if more processes exist, EnumProcesses() fills the
// array and reports cbNeeded == sizeof(aProcesses) with no other indication of
// truncation, so processes beyond the first 1024 would never be considered.
IF
(
!
Enumprocesses (Aprocesses,
Sizeof
(Aprocesses),
&
CBNEEDED)
Return
0
CPROCESSES
=
Cbeneeded
/
Sizeof
(DWORD);
//
Traverse all processes by effective PID
for
(I
=
0
I
<
cprocesses; i
) {
//
Open a specific PID process
// Query rights only; processes that cannot be opened are skipped silently.
HProcess
=
OpenProcess (Process_Query_Information
|
Process_vm_read, false, aprocesses [i]);
//
Take a specific PID process name
// NOTE(review): hProcess is closed only on the matching path.  For every
// non-matching process the handle is leaked, and the CloseHandle() after the
// loop only closes whichever handle the last iteration left behind.  A
// CloseHandle() at the end of each iteration would fix both.
IF
(Hprocess) {
IF
(ENUMPROCESSMODULES (HProcess,
&
hmod,
Sizeof
(HMOD),
&
CBNeeded) {getModuleBaseName (HProcess, HMOD, SZProcessName,
Sizeof
(szprocessname));
//
Compare the acquired process name and the input process name, if the process is returned to the process PID
// The return value of GetModuleBaseName() is not checked: on failure
// szprocessname keeps the previous iteration's name (or "UnknownProcess") and
// the comparison below is made against stale data.
IF
(
!
_StriCMP (SzprocessName, InputProcessName) {CloseHandle (HProcess);
Return
Aprocesses [I];}}}
//
End of if (hprocess)
}
//
END OF FOR
//
Didn't find the corresponding process name, return 0
CloseHandle (HPROCESS);
Return
0
}
//
End of processtopid
//
Error handler checkerror ()
//
If IReturnCode is equal to IerrorCode, output PERRORMSG and exit
// Checkerror(returnCode, errorCode, message): no-op unless the two codes are
// equal; in that case print `message` and GetLastError(), release the globals
// set up by Main() (remote buffer, thread handle, process handle) and exit.
// The message is passed through "%s" rather than used as the format string,
// so the fixed call-site literals are printed safely.
// NOTE(review): the process exits with status 0 even though this is the error
// path, so a calling script cannot distinguish failure from success;
// EXIT_FAILURE would be the conventional value.
Void
Checkerror
int
IReturncode,
int
Irrorcode,
charr
*
PERRORMSG) {
IF
(iReturnCode)
==
Irrorcode) {printf
"
% s error:% D
"
, PERRORMSG, GetLastError ());
//
Qingfang processing
// "Qingfang" is an untranslated "cleanup": the same three release steps as at
// the end of Main().  The globals are not reset to NULL afterwards, which is
// harmless only because exit() follows immediately.
IF
(pszlibfileremote
! =
NULL) VirtualFreeEx (HremoteProcess, PszlibfileRemote,
0
MEM_RELEASE;
IF
(HREMOTETHREAD)
! =
NULL) CloseHandle (HREMOTETHREAD);
IF
(HremoteProcess)
! =
NULL) CloseHandle (HREMOTEPROCESS; EXIT);
0
}}
//
End of checkerror ()
//
Method Description Function USAGE ()
// USAGE(message): print `message` followed by the banner and the two usage
// examples, then exit.  The message goes through "%s", not the format string.
// NOTE(review): exit status is 0 even though USAGE() is only reached on a
// bad command line; a non-zero status would be conventional.
Void
USAGE
charr
*
PERRORMSG) {Printf
"
% s
"
, PERRORMSG); Printf
"
Remote Process Dll by Shotgun
"
PRINTF
"
This Program CAN Inject A DLL INTO Remote Process
"
PRINTF
"
Email:
"
PRINTF
"
Shotgun@xici.net
"
PRINTF
"
Homepage:
"
PRINTF
"
http://it.xici.net
"
PRINTF
"
http://www.patching.net
"
PRINTF
"
USAGE:
"
PRINTF
"
RMTDLL.EXE PID [| ProcessName] DLLFULLPATHNAME
"
PRINTF
"
EXAMPLE:
"
PRINTF
"
RMTDLL.EXE 1024 C: /WINNT/SYSTEM32/Mydll.dll
"
PRINTF
"
RMTDLL.EXE EXPLORER.EXE C: /MYDLL.DLL
"
EXIT (EXIT)
0
}
//
End of usage ()
// Next: TestDLL.DLL, containing the "get current process ID" code and the "start a process" code ------> TestDLL.DLL
//
Testdll.cpp: Defines The entry point for the dll application.
//
#include
"
STDAFX.H
"
#include
<
Windows.h
>
#include
<
STDLIB.H
>
#include
<
stdio.h
>
// Test payload.  On DLL_PROCESS_ATTACH it starts a hard-coded executable,
// reports the result in a message box, then shows the PID of the process it
// was loaded into; every other reason code just returns TRUE.
// Detection note: a module whose attach handler spawns a child is exactly the
// load-then-child-process chain that process-creation telemetry shows, with the
// host process as the parent.
// NOTE(review): DllMain runs while the loader lock is held; Microsoft's DllMain
// guidance advises against creating processes or showing UI from it.  This is
// acceptable only for a throwaway test DLL.
Bool Apientry Dllmain (Handle Hmodule, DWord Reason, LPVOID LPRESERVED) {char
Szprocessid [
64
];
Switch
(REASON) {
Case
(DLL_PROCESS_ATTACH: {Process_information Pi; Startupinfo Si; Memset
&
Si,
0
,
Sizeof
(Si)); Si.cb
=
Sizeof
(Si); Si.WShowWindow
=
SW_SHOW; Si.dwflags
=
STARTF_USESHOWWINDOW;
// The target path is hard-coded and only meaningful on the author's machine.
// NOTE(review): on success the hProcess/hThread handles in pi are never
// closed in this listing; both should be passed to CloseHandle() once the
// result has been reported.
Bool
Fret
=
CreateProcess
"
E: /Download/vcfans/thread/thread/release/threadDemo1.exe
"
Null, NULL, FALSE, NULL, NULL, NULL, NULL,
&
Si,
&
pi);
IF
(FRET) {MessageBox (NULL,
"
The startup process is successful!
"
,
"
^ _ ^
"
, MB_OK);
Else
{MessageBox (NULL,
"
Process starts failed!
"
,
"
T_T
"
, MB_OK);
//
Get the current process ID
// The 64-byte buffer is ample for a base-10 DWORD.
_itoa (getCurrentProcessid (), SzprocessID,
10
); MessageBox (null, szprocessid,
"
Remotedll
"
, MB_OK);
// NOTE(review): no `break` is visible before the default label, so the attach
// case appears to fall through; harmless here because default only returns TRUE.
DEFAULT
:
Return
True;}}