一樣亂挖挖到,配合 Hook API 可以實現對特定 Process 作 Hook API,
當然,Inject 到所有 Process 就是全局 Hook API 了!
/*
 * InjectDll - load the DLL at `dllname` into the process identified by `pid`
 * by writing the path into the target's address space and starting a remote
 * thread whose entry point is LoadLibraryA.
 *
 * @param pid      process id of the target
 * @param dllname  path of the DLL to load (treated as a narrow string here:
 *                 strlen() and LoadLibraryA are used regardless of LPCTSTR,
 *                 see the note above the CreateRemoteThread call)
 * @return TRUE if the remote thread was created, FALSE on any API failure.
 *         Creation of the thread is the only success criterion; whether
 *         LoadLibraryA actually succeeded in the target is not checked.
 *
 * Defender's note: the OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
 * CreateRemoteThread sequence is the textbook remote-thread DLL-injection
 * pattern; cross-process handle opens with PROCESS_ALL_ACCESS and remote thread
 * creation are exactly what process-access / thread-creation telemetry keys on.
 * The function fails at the first step when the caller lacks the rights to open
 * the target (different integrity level, protected process, no SeDebugPrivilege).
 *
 * Resource handling (as written): hproc is closed only on the success path, and
 * rthread is never closed, so failure paths leak the process handle and success
 * leaks the thread handle.
 */
BOOL InjectDll(DWORD pid, LPCTSTR dllname)
{
LPVOID remaddr;
HANDLE hproc, rthread;
HMODULE kmodh;
//open remote process
// Full access is requested although the calls below only need
// VM_OPERATION/VM_WRITE/CREATE_THREAD/QUERY_INFORMATION; nothing to release yet on failure.
if((hproc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid)) == NULL) return FALSE;
//allocate memory in remote process
// The allocation is sized by strlen(dllname) bytes. On failure the function
// returns without closing hproc.
if((remaddr = VirtualAllocEx(hproc, NULL, strlen(dllname), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE)) == NULL)
return FALSE;
//copy the dll name to memory allocated in the remote processes' address space
// Exactly strlen(dllname) bytes are copied; the terminating NUL is not part of
// the write. On failure the remote buffer is released but hproc is not closed.
if(!WriteProcessMemory(hproc, remaddr, (LPVOID)dllname, strlen(dllname), NULL)) {
VirtualFreeEx(hproc, remaddr, strlen(dllname), MEM_RELEASE | MEM_DECOMMIT);
return FALSE;
}
//need kernel32's handle for call to CreateRemoteThread()
// This is kernel32's base in the *calling* process; using its LoadLibraryA
// address in the target assumes kernel32 is mapped at the same base there
// (no NULL check on the handle or on GetProcAddress below).
kmodh = GetModuleHandle("KERNEL32.DLL");
//create thread in remote process, passing the address of LoadLibraryA for the thread's entry point
//and the address of the DLL's pathname as an argument to the thread
//note: For Unicode support, call LoadLibraryW instead of LoadLibraryA
rthread = CreateRemoteThread(hproc, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(kmodh, "LoadLibraryA"), remaddr, 0, NULL);
if(rthread == NULL) {
VirtualFreeEx(hproc, remaddr, strlen(dllname), MEM_RELEASE | MEM_DECOMMIT);
return FALSE;
}
//cleanup
// The remote buffer is released without waiting on rthread, i.e. while the
// remote thread may still be reading the path from it. Per the VirtualFreeEx
// documentation MEM_RELEASE and MEM_DECOMMIT are mutually exclusive and
// MEM_RELEASE requires dwSize == 0, so this call is expected to fail; its
// return value is not checked (same on the two failure paths above).
VirtualFreeEx(hproc, remaddr, strlen(dllname), MEM_RELEASE | MEM_DECOMMIT);
// rthread is not closed here, so the thread handle is leaked on success.
CloseHandle(hproc);
return TRUE;
}