1. #include <Windows.h> 
2. #include <tchar.h> 
3. #include <TlHelp32.h> 
4.  
5. BOOL LoadRemoteDll(DWORD dwProcessId,LPTSTR lpszLibName); 
6. DWORD EnablePrivilege (PCSTR name); 
7. BOOL GetProcessIdByName(LPSTR szProcessName, LPDWORD lpPID); 
8.  
9. DWORD EnablePrivilege (PCSTR name) 
10. { 
11.     HANDLE hToken; 
12.     BOOL rv; 
13.     TOKEN_PRIVILEGES priv = { 1, {0, 0, SE_PRIVILEGE_ENABLED} }; 
14.     LookupPrivilegeValue ( 
15.         0, 
16.         name, 
17.         &priv.Privileges[0].Luid 
18.         ); 
19.     OpenProcessToken( 
20.         GetCurrentProcess (), 
21.         TOKEN_ADJUST_PRIVILEGES, 
22.         &hToken 
23.         ); 
24.     AdjustTokenPrivileges ( 
25.         hToken, 
26.         FALSE, 
27.         &priv, 
28.         sizeof priv, 
29.         0, 
30.         0 
31.         ); 
32.     rv = GetLastError(); 
33.     CloseHandle (hToken); 
34.     return rv; 
35. } 
36.  
37. BOOL GetProcessIdByName(LPSTR szProcessName, LPDWORD lpPID) 
38. { 
39.     STARTUPINFO st; 
40.     PROCESS_INFORMATION pi; 
41.     PROCESSENTRY32 ps; 
42.     HANDLE hSnapshot; 
43.     ZeroMemory(&st, sizeof(STARTUPINFO)); 
44.     ZeroMemory(&pi, sizeof(PROCESS_INFORMATION)); 
45.     st.cb = sizeof(STARTUPINFO); 
46.     ZeroMemory(&ps,sizeof(PROCESSENTRY32)); 
47.     ps.dwSize = sizeof(PROCESSENTRY32); 
48.  
49.     hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0); 
50.     if(hSnapshot == INVALID_HANDLE_VALUE) 
51.     { 
52.         return FALSE; 
53.     } 
54.  
55.     if(!Process32First(hSnapshot,&ps)) 
56.     { 
57.         return FALSE; 
58.     } 
59.     do 
60.     { 
61.  
62.         if(lstrcmpi(ps.szExeFile,"explorer.exe")==0) 
63.         { 
64.  
65.             *lpPID = ps.th32ProcessID; 
66.             CloseHandle(hSnapshot); 
67.             return TRUE; 
68.         } 
69.     } 
70.     while(Process32Next(hSnapshot,&ps)); 
71.  
72.     CloseHandle(hSnapshot); 
73.     return FALSE; 
74. } 
75.  
76. BOOL LoadRemoteDll(DWORD dwProcessId,LPTSTR lpszLibName){ 
77.     BOOL bResult = FALSE; 
78.     HANDLE hProcess = NULL; 
79.     HANDLE hThread = NULL; 
80.     PSTR pszLibFileRemote = NULL; 
81.     DWORD cch; 
82.     PTHREAD_START_ROUTINE pfnThreadRtn; 
83.  
84.     __try{ 
85.         hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcessId); 
86.         if(hProcess == NULL){ 
87.             __leave; 
88.         } 
89.         cch = 1 + lstrlen(lpszLibName); 
90.         pszLibFileRemote = (PSTR)VirtualAllocEx(hProcess,NULL,cch,MEM_COMMIT,PAGE_READWRITE); 
91.         if(pszLibFileRemote == NULL){ 
92.             __leave; 
93.         } 
94.         if(!WriteProcessMemory(hProcess,(LPVOID)pszLibFileRemote,(LPVOID)lpszLibName,cch,NULL)){ 
95.             __leave; 
96.         } 
97.         pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")),TEXT("LoadLibraryA")); 
98.         if(pfnThreadRtn == NULL){ 
99.             __leave; 
100.         } 
101.         hThread = CreateRemoteThread(hProcess,NULL,0,pfnThreadRtn,(PVOID)pszLibFileRemote,0,NULL); 
102.         if(hThread == NULL){ 
103.             __leave; 
104.         } 
105.         WaitForSingleObject(hThread,INFINITE); 
106.         bResult = TRUE; 
107.     }__finally{ 
108.         if(pszLibFileRemote != NULL){ 
109.             VirtualFreeEx(hProcess,(PVOID)pszLibFileRemote,0,MEM_RELEASE); 
110.         } 
111.         if(hThread != NULL){ 
112.             CloseHandle(hThread); 
113.         } 
114.         if(hProcess != NULL){ 
115.             CloseHandle(hProcess); 
116.         } 
117.     } 
118.     return bResult; 
119. } 
120.  
121. int WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPTSTR lpCmdLine,int nCmdShow){ 
122.     DWORD dwPID; 
123.     if(0!=EnablePrivilege(SE_DEBUG_NAME)); 
124.     return 0; 
125.     if(!GetProcessIdByName("explorer.exe",&dwPID)) 
126.         return 0; 
127.     if(!LoadRemoteDll(dwPID,"msg.dll")) 
128.         return 0; 
129. } 

本文转hackfreer51CTO博客，原文链接：http://blog.51cto.com/pnig0s1992/630125，如需转载请自行联系原作者