遠程注入線程 (Remote thread injection: loading a DLL into another process with CreateRemoteThread + LoadLibraryA)

#include <windows.h>
#include <string.h>
#include <Tlhelp32.h>
#include <iostream>
using namespace std;
// Classic CreateRemoteThread + LoadLibraryA DLL injector.
// Usage in this file: construct with the target image name and the DLL path,
// then InjectionRemoteProcess() to load the DLL and FreeRemoteProcess() to
// unload it again. Every method reports success as 0 and failure as 1.
class InjectionRemoteThread
{
public:
    // FileName: image name of the target process (matched against the Toolhelp
    // snapshot's szExeFile); DllName: path of the DLL to load into that process.
    // Both are copied into fixed MAX_PATH buffers.
    InjectionRemoteThread(const char *FileName,const char *DllName);
    DWORD GetProcessID();             // PID of the first snapshot entry whose image name equals m_FileName; 0 if none
    DWORD OpenRemoteProcess();        // Opens the target with create-thread / VM rights into hProcess; 0 on success, 1 on failure
    DWORD InjectionRemoteProcess();   // Runs LoadLibraryA(m_DllName) on a thread inside the target; 0 on success, 1 on failure
    DWORD FreeRemoteProcess();        // Runs GetModuleHandleA then FreeLibrary inside the target to unload it; 0 on success, 1 on failure
protected:
    HANDLE hProcess;                  // handle to the target process; NOTE(review): the constructor below does not initialise it
    char m_FileName[MAX_PATH];        // target process image name
    char m_DllName[MAX_PATH];         // path of the DLL to inject (as passed to LoadLibraryA in the target)
    DWORD m_Size;                     // strlen(m_DllName)+1 — the number of bytes written into the target
};
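// Copies the target image name and the DLL path into the fixed-size members.
// Fixes over the original: hProcess is now initialised (it was left indeterminate
// until OpenRemoteProcess ran), and both buffers are guaranteed NUL-terminated —
// strncpy does not terminate when the source is MAX_PATH bytes or longer, which
// would have let strlen/strcmp run past the end of the array.
InjectionRemoteThread::InjectionRemoteThread(const char *FileName,const char *DllName){
    hProcess=NULL;                          // no target opened yet
    strncpy(m_FileName,FileName,MAX_PATH-1);
    m_FileName[MAX_PATH-1]='\0';            // force termination even when truncated
    strncpy(m_DllName,DllName,MAX_PATH-1);
    m_DllName[MAX_PATH-1]='\0';
    // Bytes to copy into the target: the (possibly truncated) path plus its terminator.
    m_Size=(DWORD)(strlen(m_DllName)+1);
}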
//獲取目標進程pid
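// Looks up the PID of the target by walking a Toolhelp process snapshot.
// Returns the PID of the first entry whose image name matches m_FileName
// (snapshot order decides when several processes share a name), or 0 when
// no process matches or the snapshot cannot be taken.
// Fixes over the original: the snapshot handle was leaked on every successful
// lookup (early return inside the loop), a failed CreateToolhelp32Snapshot
// (INVALID_HANDLE_VALUE) was passed straight into Process32First, and the
// comparison was case-sensitive although Windows image names are not.
// Assumes an ANSI (non-UNICODE) build, where szExeFile is a char array — same
// assumption as the original strcmp.
DWORD InjectionRemoteThread::GetProcessID()
{
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(PROCESSENTRY32);   // must be set before Process32First, or it fails
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {     // snapshot failure is INVALID_HANDLE_VALUE, not NULL
        return 0;
    }
    DWORD pid = 0;
    for (BOOL more = Process32First(hSnap, &entry); more; more = Process32Next(hSnap, &entry)) {
        // lstrcmpiA: case-insensitive, matching how the loader treats image names
        if (lstrcmpiA(m_FileName, entry.szExeFile) == 0) {
            pid = entry.th32ProcessID;
            break;
        }
    }
    CloseHandle(hSnap);                      // release the snapshot on every path
    return pid;
}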
 //打開遠程進程
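// Opens the target process into hProcess with exactly the rights the injection
// needs: PROCESS_CREATE_THREAD (CreateRemoteThread), PROCESS_VM_OPERATION
// (VirtualAllocEx/VirtualFreeEx) and PROCESS_VM_WRITE (WriteProcessMemory).
// Returns 0 on success, 1 on failure (hProcess is NULL in that case).
// Fix over the original: a missing target (GetProcessID() == 0) is reported
// directly instead of being handed to OpenProcess as PID 0.
DWORD InjectionRemoteThread::OpenRemoteProcess(){
    DWORD pid = GetProcessID();
    if (pid == 0) {                         // no process with that image name
        hProcess = NULL;
        cout<<"打開進程失敗"<<endl;
        return 1;
    }
    // NOTE(review): opening a process owned by another user, or a protected
    // process, typically needs SeDebugPrivilege; OpenProcess then fails with
    // ERROR_ACCESS_DENIED (5), which GetLastError() in main will show.
    hProcess=OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE,FALSE,pid);
    if(!hProcess){
        cout<<"打開進程失敗"<<endl;
        return 1;
    }
    return 0;
}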
//注入遠程進程    
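// Loads m_DllName into the target: allocates a buffer there, writes the path,
// and starts a remote thread at LoadLibraryA with the buffer as its argument.
// Returns 0 when the DLL reports as loaded, 1 on any failure. The process
// handle is opened here and closed on every path.
// Fixes over the original:
//  - it never opened the target (the OpenRemoteProcess() call was commented
//    out), so hProcess was whatever the constructor left in it; now the method
//    opens and closes the handle itself, like FreeRemoteProcess does;
//  - VirtualAllocEx / WriteProcessMemory results were not checked;
//  - the buffer was freed with MEM_DECOMMIT, which leaves the reservation
//    behind in the target; MEM_RELEASE with size 0 frees the whole region;
//  - LoadLibraryA's result was never inspected, so a missing DLL or a DllMain
//    returning FALSE still counted as success.
DWORD InjectionRemoteThread::InjectionRemoteProcess(){
    if (OpenRemoteProcess() != 0) {        // reports its own failure
        return 1;
    }
    // Buffer in the target for the NUL-terminated DLL path.
    LPVOID lpRemoteDllName=::VirtualAllocEx(hProcess,NULL,m_Size,MEM_COMMIT,PAGE_READWRITE);
    if (lpRemoteDllName == NULL) {
        cout<<"啓動注入失敗"<<endl;
        ::CloseHandle(hProcess);
        return 1;
    }
    if (!::WriteProcessMemory(hProcess,lpRemoteDllName,(LPVOID)m_DllName,m_Size,NULL)) {
        cout<<"啓動注入失敗"<<endl;
        ::VirtualFreeEx(hProcess,lpRemoteDllName,0,MEM_RELEASE);
        ::CloseHandle(hProcess);
        return 1;
    }
    // The local address of LoadLibraryA is used as the remote start routine.
    // This only works when kernel32 is mapped at the same base in the target,
    // i.e. the target has the same bitness as this process (ASLR is per-boot
    // for system DLLs); a 32-bit injector cannot drive a 64-bit target this way.
    LPVOID StartRoutine=(LPVOID)LoadLibraryA;
    HANDLE hRemoteThread=::CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)StartRoutine,lpRemoteDllName,0,NULL);
    if(hRemoteThread==NULL){
        cout<<"啓動注入失敗"<<endl;
        ::VirtualFreeEx(hProcess,lpRemoteDllName,0,MEM_RELEASE);
        ::CloseHandle(hProcess);
        return 1;
    }
    // The path buffer must stay valid until LoadLibraryA has returned.
    ::WaitForSingleObject(hRemoteThread,INFINITE);
    // LoadLibraryA's HMODULE comes back as the thread exit code; 0 means the DLL
    // did not load (bad path, wrong bitness, DllMain returned FALSE). On a 64-bit
    // target only the low 32 bits of the handle survive, so treat this as a
    // success/failure indicator, not as a usable handle.
    DWORD dwLoaded = 0;
    ::GetExitCodeThread(hRemoteThread, &dwLoaded);
    ::VirtualFreeEx(hProcess,lpRemoteDllName,0,MEM_RELEASE);
    ::CloseHandle(hRemoteThread);
    ::CloseHandle(hProcess);
    if (dwLoaded == 0) {
        cout<<"啓動注入失敗"<<endl;
        return 1;
    }
    return 0;
}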
//釋放注入線程
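// Unloads the injected DLL from the target: a first remote thread runs
// GetModuleHandleA(m_DllName) to recover the module handle, a second runs
// FreeLibrary on it. Returns 0 on success, 1 on failure; the process handle
// is opened here and closed on every path.
// Fixes over the original:
//  - it allocated and copied only 8 bytes of the DLL path, so any path longer
//    than 7 characters reached GetModuleHandleA truncated and unterminated
//    (and VirtualFreeEx was then given m_Size for an 8-byte region);
//  - VirtualAllocEx / WriteProcessMemory and the second CreateRemoteThread
//    were not checked, and dwHandle was read uninitialised if
//    GetExitCodeThread failed;
//  - a module handle of 0 (DLL not loaded) was still passed to FreeLibrary.
// Limitation kept from the original: the handle travels as a DWORD thread
// exit code, so on a 64-bit target it is truncated and FreeLibrary receives
// a wrong value — this unload path is only sound for 32-bit targets.
DWORD InjectionRemoteThread::FreeRemoteProcess(){
    if (OpenRemoteProcess() != 0) {        // reports its own failure
        return 1;
    }
    // Whole NUL-terminated path, exactly as the injection side wrote it.
    LPVOID lpRemoteDllName=::VirtualAllocEx(hProcess,NULL,m_Size,MEM_COMMIT,PAGE_READWRITE);
    if (lpRemoteDllName == NULL) {
        cout<<"啓動注入失敗"<<endl;
        ::CloseHandle(hProcess);
        return 1;
    }
    if (!::WriteProcessMemory(hProcess,lpRemoteDllName,(LPVOID)m_DllName,m_Size,NULL)) {
        cout<<"啓動注入失敗"<<endl;
        ::VirtualFreeEx(hProcess,lpRemoteDllName,0,MEM_RELEASE);
        ::CloseHandle(hProcess);
        return 1;
    }
    // Same caveat as injection: the local GetModuleHandleA address is only
    // valid in the target when both processes have the same bitness.
    LPVOID StartRoutine=(LPVOID)GetModuleHandleA;
    HANDLE hRemoteThread=::CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)StartRoutine,lpRemoteDllName,0,NULL);
    if(hRemoteThread==NULL){
        cout<<"啓動注入失敗"<<endl;
        ::VirtualFreeEx(hProcess,lpRemoteDllName,0,MEM_RELEASE);
        ::CloseHandle(hProcess);
        return 1;
    }
    ::WaitForSingleObject(hRemoteThread,INFINITE);
    // The HMODULE is the thread's exit code (DWORD-truncated, see header note).
    DWORD dwHandle = 0;
    ::GetExitCodeThread(hRemoteThread, &dwHandle);
    ::VirtualFreeEx(hProcess,lpRemoteDllName,0,MEM_RELEASE);
    ::CloseHandle(hRemoteThread);
    if (dwHandle == 0) {                   // DLL is not loaded in the target: nothing to free
        ::CloseHandle(hProcess);
        return 1;
    }
    // Second remote thread: FreeLibrary(hModule) inside the target.
    StartRoutine=(LPVOID)FreeLibrary;
    hRemoteThread=::CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)StartRoutine,(LPVOID)(ULONG_PTR)dwHandle,0,NULL);
    if(hRemoteThread==NULL){
        cout<<"啓動注入失敗"<<endl;
        ::CloseHandle(hProcess);
        return 1;
    }
    // Wait for FreeLibrary to finish before closing the process.
    ::WaitForSingleObject(hRemoteThread,INFINITE);
    ::CloseHandle(hRemoteThread);
    ::CloseHandle(hProcess);
    return 0;
}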
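// Demo driver: inject the DLL into the named process, then unload it again.
// Fixes over the original: `return` had no value (does not compile), the
// method results were ignored, and the unload step ran even when the
// injection had already failed.
// The two literals are placeholders — replace with the target image name
// (e.g. "notepad.exe") and the absolute path of the DLL. Run only against
// processes you own; this CreateRemoteThread + LoadLibrary pattern is a
// well-known injection technique and is commonly flagged by endpoint defences.
int main(){
    InjectionRemoteThread myIRT("目標進程名","dll絕對路徑");
    DWORD rc = myIRT.InjectionRemoteProcess();
    if (rc == 0) {
        // Only try to unload what was actually loaded.
        rc = myIRT.FreeRemoteProcess();
    }
    // Last Win32 error code; note the methods print to cout before returning,
    // so this value may already have been overwritten by the stream I/O.
    cout<<GetLastError()<<endl;
    return rc == 0 ? 0 : 1;
}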

