
成功的dll注入函数

作者:黑客防线网安C/C++教程基地 来源:黑客防线网安C/C++教程基地 浏览次数:0


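    /*
     * inject_dll - make another process load a DLL by starting a thread in it
     * whose entry point is LoadLibraryA and whose argument is the DLL path.
     *
     * Steps performed, in order:
     *   1. Best-effort enable of SeDebugPrivilege on the current process token.
     *   2. OpenProcess on the target PID with create-thread / VM-operation /
     *      VM-write rights.
     *   3. VirtualAllocEx + WriteProcessMemory to place the path string inside
     *      the target's address space.
     *   4. CreateRemoteThread at the address of LoadLibraryA.
     *
     * dll_path       NUL-terminated ANSI path; it is handed to LoadLibraryA in
     *                the target, so the ANSI length function is used here too.
     * remote_pro_id  PID of the target process.
     *
     * Returns TRUE once the remote thread has been created, FALSE on any
     * failure. TRUE does not prove the DLL was loaded: the thread is not waited
     * on and its exit code is never read.
     *
     * Resource handling: the token, process and thread handles are closed on
     * every path. The remote path buffer is released on failure only; on
     * success it stays allocated in the target because the new thread may still
     * be reading it.
     *
     * Defender note: this call sequence is the textbook remote-thread DLL load
     * and is well covered by endpoint telemetry. Sysmon records the cross-process
     * handle request (Event ID 10, ProcessAccess), the thread creation (Event
     * ID 8, CreateRemoteThread) and the resulting module load (Event ID 7,
     * ImageLoad). A non-debugger process enabling SeDebugPrivilege is itself a
     * useful hunting signal.
     */
    BOOL inject_dll( const char *dll_path, const DWORD remote_pro_id )
    {
        BOOL ok = FALSE;
        HANDLE h_token = NULL;
        HANDLE h_remote_process = NULL;
        HANDLE h_remote_thread = NULL;
        char *lib_func_buf = NULL;
        SIZE_T path_bytes;
        PTHREAD_START_ROUTINE load_start_addr;

        /* Reject a missing or empty path before touching any other process. */
        if ( dll_path == NULL || dll_path[0] == '\0' )
        {
            return FALSE;
        }

        /* dll_path is char*, so use the A variant explicitly; the TCHAR macro
         * lstrlen resolves to the wide version in UNICODE builds. */
        path_bytes = (SIZE_T) lstrlenA( dll_path ) + 1;

        /* Best effort: try to enable SeDebugPrivilege. Failure is not fatal,
         * OpenProcess below decides whether access is actually granted. */
        if ( OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &h_token ) )
        {
            TOKEN_PRIVILEGES tkp;

            /* Only adjust when the LUID lookup succeeded; otherwise tkp would
             * be passed on with an uninitialised Luid. */
            if ( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid ) )
            {
                tkp.PrivilegeCount = 1;
                tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
                AdjustTokenPrivileges( h_token, FALSE, &tkp, sizeof( tkp ), NULL, NULL );
            }

            CloseHandle( h_token );
            h_token = NULL;
        }

        /* Open the target process with exactly the rights used below. */
        h_remote_process = OpenProcess( PROCESS_CREATE_THREAD |  /* create a thread in it */
                                        PROCESS_VM_OPERATION |   /* allocate / free memory */
                                        PROCESS_VM_WRITE,        /* write memory */
                                        FALSE, remote_pro_id );
        if ( h_remote_process == NULL )
        {
            goto cleanup;
        }

        /* Reserve a read/write buffer for the DLL path inside the target. */
        lib_func_buf = (char *) VirtualAllocEx( h_remote_process, NULL, path_bytes,
                                                MEM_COMMIT, PAGE_READWRITE );
        if ( lib_func_buf == NULL )
        {
            goto cleanup;
        }

        /* Copy the path, including its terminating NUL, into that buffer. */
        if ( WriteProcessMemory( h_remote_process, lib_func_buf,
                                 ( void * )dll_path, path_bytes, NULL ) == 0 )
        {
            goto cleanup;
        }

        /* Address of LoadLibraryA as seen by THIS process. The code assumes the
         * same address is valid in the target, which depends on both processes
         * mapping kernel32 identically (e.g. same bitness). */
        load_start_addr = ( PTHREAD_START_ROUTINE )
            GetProcAddress( GetModuleHandle( TEXT("Kernel32") ), "LoadLibraryA" );
        if ( load_start_addr == NULL )
        {
            goto cleanup;
        }

        h_remote_thread = CreateRemoteThread( h_remote_process, NULL, 0,
                                              load_start_addr, lib_func_buf, 0, NULL );
        if ( h_remote_thread == NULL )
        {
            goto cleanup;
        }

        ok = TRUE;

    cleanup:
        /* On failure nothing in the target will read the buffer, so give it
         * back. On success it is deliberately left alone (see header). */
        if ( !ok && lib_func_buf != NULL )
        {
            VirtualFreeEx( h_remote_process, lib_func_buf, 0, MEM_RELEASE );
        }
        /* Closing the thread handle does not stop the thread; it only drops
         * this process's reference. */
        if ( h_remote_thread != NULL )
        {
            CloseHandle( h_remote_thread );
        }
        if ( h_remote_process != NULL )
        {
            CloseHandle( h_remote_process );
        }

        return ok;
    }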
