在Win2000中动态禁用/启用Ctrl-Alt-Del
作者:韦覃武    阅读人次:……    文章来源:CSDN论坛    发布时间:2007-9-4    网友评论()条
 
//---------------------------------------------------------------------------
//通过进程名称得到进程的ID(这里使用方法Toolhelp函数,也可使用PSAPI)
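// Returns the ID of the first enumerated process whose executable name
// contains lpszProcName (case-insensitive), or (DWORD)-1 when nothing matches.
//
// When Is_Terminal_Services() reports true, processes are enumerated through
// the WTS wrapper and only processes in the caller's own session are accepted.
// Otherwise a Toolhelp snapshot is walked and no session filtering is applied.
//
// NOTE(review): the match is a substring test on the image name alone, and the
// first hit wins. Any process whose name merely contains the pattern is
// accepted, so the returned PID does not prove which binary is running.
// Callers that act on the PID with elevated rights should verify the process
// identity separately before trusting it.
DWORD __fastcall GetPIDFromName(LPCTSTR lpszProcName)
{
    const DWORD dwNotFound = (DWORD)-1;
    DWORD dwProcessID = dwNotFound;

    // An empty pattern is a substring of every name and would silently select
    // the first process enumerated; treat it as "not found" instead.
    if(lpszProcName == NULL || *lpszProcName == _T('\0'))
        return dwNotFound;

    // Lower-case the requested name once instead of once per enumerated process.
    CString strRemoteProc(lpszProcName);
    strRemoteProc.MakeLower();

    //added by jiangsheng 2002-11-8
    if(Is_Terminal_Services()){
        // Code adapted from the MSDN Magazine article "Windows XP: Escape from
        // DLL Hell with Custom Debugging and Instrumentation Tools and Utilities".
        CWTSWrapper WTS;
        if (WTS.IsValid())
        {
            // get current session ID
            LPTSTR pSessionInfo = NULL;
            DWORD dwBytes = 0;
            if(WTS.WTSQuerySessionInformation(WTS_CURRENT_SERVER_HANDLE,WTS_CURRENT_SESSION,
                WTSSessionId, (LPTSTR*)&pSessionInfo, &dwBytes)){
                // Only read the session ID if the returned buffer can hold one.
                if(pSessionInfo != NULL && dwBytes >= sizeof(DWORD)){
                    const DWORD dwCurSessionID = *((DWORD*)pSessionInfo);
                    // enumerate processes
                    PWTS_PROCESS_INFO pProcessInfo = NULL;
                    DWORD ProcessCount = 0;
                    if (WTS.WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE, 0, 1,
                        &pProcessInfo, &ProcessCount)){
                        for (DWORD CurrentProcess = 0; CurrentProcess < ProcessCount; CurrentProcess++){
                            CString strCurExePath(pProcessInfo[CurrentProcess].pProcessName);
                            strCurExePath.MakeLower();
                            const BOOL bFound = (strCurExePath.Find(strRemoteProc) != -1);
                            // Accept the match only inside the caller's session.
                            if(bFound && dwCurSessionID==pProcessInfo[CurrentProcess].SessionId) {
                                dwProcessID = pProcessInfo[CurrentProcess].ProcessId;
                                break;
                            }
                        }
                        // The process array was never released in the original
                        // code, leaking it on every call.
                        if(pProcessInfo != NULL)
                            WTS.WTSFreeMemory(pProcessInfo);
                    }
                }
                if(pSessionInfo != NULL)
                    WTS.WTSFreeMemory(pSessionInfo);
            }
        }
    }
    else{
        //end added by jiangsheng 2002-11-8
        HANDLE hSnapshot = CreateToolhelp32Snapshot((DWORD)TH32CS_SNAPPROCESS,0);
        // A failed snapshot must not be walked or passed to CloseHandle.
        if(hSnapshot == INVALID_HANDLE_VALUE)
            return dwNotFound;

        PROCESSENTRY32 ProcStruct;
        // dwSize must be set before Process32First is called.
        ProcStruct.dwSize = sizeof(PROCESSENTRY32);
        BOOL bResult = Process32First(hSnapshot,&ProcStruct);
        while(bResult)
        {
            CString strCurExePath(ProcStruct.szExeFile);
            strCurExePath.MakeLower();
            if(strCurExePath.Find(strRemoteProc) != -1)
            {
                dwProcessID = ProcStruct.th32ProcessID;
                break;
            }
            bResult = Process32Next(hSnapshot,&ProcStruct);
        }
        CloseHandle(hSnapshot);
    }
    return dwProcessID;
}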
//---------------------------------------------------------------------------
// 插入代码
//---------------------------------------------------------------------------
//InjectFunc
void __fastcall InjectFunc()
{
    HANDLE hRemoteProcess=NULL;
    DWORD dwRemoteProcess=NULL;
    DWORD dwThreadSize=0;
    INJECTLIBINFO InjectLibInfo;
    PVOID pRemoteThread=NULL;
    PVOID pRemoteParam=NULL;
    DWORD dwWriten=0;
    DWORD dwRet=0;
    //提升本进程权限然后打开目的进程
    //当前用户必须具有调试权限
    EnablePrivilege(SE_DEBUG_NAME,true);
    dwRemoteProcess = GetPIDFromName(szRemoteProcessName);
    if(dwRemoteProcess == (DWORD)-1)
    {
        MessageBox(NULL,_T("Failed to Query Process ID."),NULL,MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }
    hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS,false,dwRemoteProcess);
    if(hRemoteProcess == NULL)
    {
        MessageBox(NULL,_T("Failed to Open Process. Err = ") + SysErrorMessage(GetLastError()),
        NULL,MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }
    //初始化参数
    ZeroMemory(&InjectLibInfo,sizeof(INJECTLIBINFO ));
    InjectLibInfo.pfnLoadLibrary = (PLOADLIBRARY)GetProcAddress(GetModuleHandle("Kernel32.dll"),LoadLibraryFuncStr);
    InjectLibInfo.pfnGetLastError = (PGETLASTERROR)GetProcAddress(GetModuleHandle("Kernel32.dll"),GetLastErrorFuncStr);
    lstrcpyn(InjectLibInfo.szDllName,CTaskKeyMgr::strRemoteDllName,CTaskKeyMgr::strRemoteDllName.GetLength()+1);
    //在远程线程分配内存来存放参数
    pRemoteParam = VirtualAllocEx(hRemoteProcess,NULL,sizeof(INJECTLIBINFO),MEM_COMMIT,PAGE_READWRITE);
    if(pRemoteParam == NULL)
    {
        MessageBox(NULL,_T("Failed to Allocate Memory at Remote Process for Param.Err = ") +                 SysErrorMessage(GetLastError()),
            NULL,MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }
    dwRet = WriteProcessMemory(hRemoteProcess,pRemoteParam,(LPVOID)&InjectLibInfo,sizeof(INJECTLIBINFO),&dwWriten);
    if(dwRet == 0)
    {
        MessageBox(NULL,_T("Failed to Write Param to Remote Process.Err = ") + SysErrorMessage(GetLastError()),
            NULL,MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }
    //拷贝线程体
    dwThreadSize = (int)AfterThreadFuncAttach - (int)ThreadFuncAttach + 1024 + sizeof(INJECTLIBINFO);
    pRemoteThread = VirtualAllocEx(hRemoteProcess,NULL,dwThreadSize,MEM_COMMIT,PAGE_READWRITE);
    if(pRemoteThread == NULL)
    {
        MessageBox(NULL,_T("Failed to Allocate Memory at Remote Process for Thread Code.Err = ") + SysErrorMessage(GetLastError()),
        NULL,MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }
    dwRet = WriteProcessMemory(hRemoteProcess,pRemoteThread,(LPVOID)ThreadFuncAttach,dwThreadSize,&dwWriten);
    if(dwRet == 0)
    {
        MessageBox(NULL,_T("Failed to Write Thread Code to Remote Process.Err = ") + SysErrorMessage(GetLastError()),
        NULL,MB_OK | MB_APPLMODAL | MB_ICONWARNING);
        return;
    }
    //启动远程线程
    HANDLE hRemoteThread;
    hRemoteThread = CreateRemoteThread(hRemoteProcess,0,0,(DWORD(__stdcall *)(VOID*))pRemoteThread,(INJECTLIBINFO*)pRemoteParam,0,&dwWriten);
    ::WaitForSingleObject(hRemoteThread,INFINITE);
   
    if(hRemoteThread == NULL)
    {
        MessageBox(NULL,_T("Failed to create unload thread.Err=") + SysErrorMessage(GetLastError()),NULL,MB_OK |MB_APPLMODAL | MB_ICONWARNING);
    }
    else
    {
        ;
    }
