封装远程注入类CreateRemoteThreadEx(二)

nap, &me32 ) );
90.
91. // Do not forget to clean up the snapshot object.
92. CloseHandle( hModuleSnap );
93.
94. if (bFound) //如果已经加载了模块,就不再加载
95. {
96. return FALSE;
97. }
98.
99. //如果没加载,打开进程,远程注入
100.
101. HANDLE hProcess = ::OpenProcess(PROCESS_CREATE_THREAD |PROCESS_VM_OPERATION |PROCESS_VM_WRITE, FALSE, dwProcessId);
102. if (hProcess == NULL)
103. {
104. return FALSE;
105. }
106. HMODULE hKernerl32 = GetModuleHandle("kernel32.dll");
107. LPTHREAD_START_ROUTINE pfnLoadLibraryA = (LPTHREAD_START_ROUTINE)::GetProcAddress(hKernerl32, "LoadLibraryA");
108.
109. int cbSize = strlen(m_szDllName)+1;
110. LPVOID lpRemoteDllName = ::VirtualAllocEx(hProcess, 0, cbSize, MEM_COMMIT, PAGE_READWRITE);
111. ::WriteProcessMemory(hProcess, lpRemoteDllName, m_szDllName, cbSize, NULL);
112. HANDLE hRemoteThread = ::CreateRemoteThreadEx(hProcess, NULL, 0, pfnLoadLibraryA, lpRemoteDllName, 0, NULL, NULL);
113. if (NULL == hRemoteThread)
114. {
115. ::CloseHandle(hProcess);
116. return FALSE;
117. }
118. //等待目标线程运行结束,即LoadLibraryA函数返回
119. ::WaitForSingleObject(hRemoteThread, INFINITE);
120. ::CloseHandle(hRemoteThread);
121. ::CloseHandle(hProcess);
122. return TRUE;
123. }
124.
125.
126. // 从指定的地址空间卸载DLL
127. BOOL CRemThreadInject::EjectModuleFrom(DWORD dwProcessId)
128. {
129. //
130. if (::GetCurrentProcessId() == dwProcessId)
131. {
132. return FALSE;
133. }
134. BOOL bFound;
135. /************************************************************************/
136. /* 遍历模块 */
137. /************************************************************************/
138. HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
139. MODULEENTRY32 me32;
140.
141. // Take a snapshot of all modules in the specified process.
142. hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwProcessId );
143. if( hModuleSnap == INVALID_HANDLE_VALUE )
144. {
145. return( FALSE );
146. }
147. me32.dwSize = sizeof( MODULEENTRY32 );
148. if( !Module32First( hModuleSnap, &me32 ) )
149. {
150. CloseHandle( hModuleSnap ); // Must clean up the snapshot object!
151. return( FALSE );
152. }
153. do
154. {
155. if (stricmp(me32.szModule, m_szDllName) == 0)
156. {
157. bFound = TRUE;
158. break;
159. }
160. } while( Module32Next( hModuleSnap, &me32 ) );
161.
162. // Do not forget to clean up the snapshot object.
163. CloseHandle( hModuleSnap );
164.
165. if (!bFound) //如果没有加载模块,就不能卸载
166. {
167. return FALSE;
168. }
169.
170. //如果加载了,打开进程,远程注入
171.
172. HANDLE hProcess = ::OpenProcess(PROCESS_CREATE_THREAD |PROCESS_VM_OPERATION |PROCESS_VM_WRITE, FALSE, dwProcessId);
173. if (hProcess == NULL)
174. {
175. return FALSE;
176. }
177. HMODULE hKernerl32 = GetModuleHandle("kernel32.dll");
178. LPTHREAD_START_ROUTINE pfnFreeLibrary = (LPTHREAD_START_ROUTINE)::GetProcAddress(hKernerl