远程加载与卸载DLL

DWORD GetProcessIdByName(LPCTSTR szProcess)//注意要加exe后缀
{
	DWORD dwRet=0;
	HANDLE hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
	PROCESSENTRY32 pe32;
	pe32.dwSize=sizeof(PROCESSENTRY32);
	Process32First(hSnapshot,&pe32);
	do 
	{
		if (_tcscmp(pe32.szExeFile,szProcess)==0)
		{
			dwRet=pe32.th32ProcessID;
			break;
		}
	} while (Process32Next(hSnapshot,&pe32));
	CloseHandle(hSnapshot);
	return dwRet;
}

BOOL Inject(LPCTSTR szModule, DWORD dwID)
{
	HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwID);
	if ( !hProcess ) {
		return FALSE;
	}
	int cByte  = (_tcslen(szModule)+1) * sizeof(TCHAR);
	LPVOID pAddr = VirtualAllocEx(hProcess, NULL, cByte, MEM_COMMIT, PAGE_READWRITE);
	if ( !pAddr || !WriteProcessMemory(hProcess, pAddr, szModule, cByte, NULL)) {
		return FALSE;
	}
#ifdef _UNICODE
	PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
#else
	PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
#endif
//Kernel32.dll总是被映射到相同的地址
	if ( !pfnStartAddr ) {
		return FALSE;
	}
	DWORD dwThreadID = 0;
	HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, pfnStartAddr, pAddr, 0, &dwThreadID);
	if ( !hRemoteThread ) {
		return FALSE;
	}
	WaitForSingleObject(hRemoteThread,INFINITE);
	VirtualFreeEx(hProcess,pAddr,cByte,MEM_COMMIT);
	CloseHandle(hRemoteThread);
	CloseHandle(hProcess);
	return TRUE;
}

简单提权函数

BOOL EnablePrivilege(LPCTSTR lpszPrivilegeName, BOOL bEnable)
{
	HANDLE hToken = NULL;
	TOKEN_PRIVILEGES tp;
	LUID luid;

	if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | TOKEN_READ, &hToken))
		return FALSE;
	if(!LookupPrivilegeValue(NULL, lpszPrivilegeName, &luid))
		return TRUE;

	tp.PrivilegeCount = 1;
	tp.Privileges[0].Luid = luid;
	tp.Privileges[0].Attributes = (bEnable) ? SE_PRIVILEGE_ENABLED : 0;

	AdjustTokenPrivileges(hToken, FALSE, &tp, NULL, NULL, NULL);
	CloseHandle(hToken);
	return (GetLastError() == ERROR_SUCCESS);
} 

BOOL UnLoadDll(LPCTSTR szDllName, DWORD dwID)//要卸载的DLL名，进程PID
{
	HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwID);
	if ( !hProcess ) {
		return FALSE;
	}
	int cByte  = (_tcslen(szDllName)+1) * sizeof(TCHAR);
	LPVOID pAddr = VirtualAllocEx(hProcess, NULL, cByte, MEM_COMMIT, PAGE_READWRITE);
	if ( !pAddr || !WriteProcessMemory(hProcess, pAddr, szDllName, cByte, NULL)) {
		return FALSE;
	}
#ifdef _UNICODE
	PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetModuleHandleW;
#else
	PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetModuleHandleA;
#endif
	//Kernel32.dll总是被映射到相同的地址
	if ( !pfnStartAddr ) {
		return FALSE;
	}
	DWORD dwThreadID = 0,dwFreeId=0,dwHandle;
	HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, pfnStartAddr, pAddr, 0, &dwThreadID);
	if ( !hRemoteThread ) {
		return FALSE;
	}
	WaitForSingleObject(hRemoteThread,INFINITE);
	// 获得GetModuleHandle的返回值
	GetExitCodeThread(hRemoteThread,&dwHandle);
	CloseHandle(hRemoteThread);
	// 使目标进程调用FreeLibrary，卸载DLL
#ifdef _UNICODE
	PTHREAD_START_ROUTINE pfnFreeAddr = (PTHREAD_START_ROUTINE)FreeLibrary;
#else
	PTHREAD_START_ROUTINE pfnFreeAddr = (PTHREAD_START_ROUTINE)FreeLibrary;
#endif
	HANDLE hFreeThread = CreateRemoteThread(hProcess, NULL, 0, pfnFreeAddr,(LPVOID)dwHandle,0,&dwFreeId);
	if ( !hFreeThread ) {
		return FALSE;
	}
	WaitForSingleObject(hFreeThread,INFINITE);
	VirtualFreeEx(hProcess,pAddr,cByte,MEM_COMMIT);
	CloseHandle(hFreeThread);	
	CloseHandle(hProcess);
	return TRUE;
}