CreateRemoteThread遠端注入 使用例子

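// CreateRemoteThread example: close a handle that belongs to another process.
//
// A thread is started inside the target process with kernel32!CloseHandle as
// its entry point and `handle` as the thread argument, so the handle is closed
// in the target's own handle table.
//
// processID  process ID of the target process
// handle     handle value AS SEEN BY THE TARGET PROCESS. Handle values are
//            per-process; a handle owned by this process means nothing there.
//
// Returns 0 on success, otherwise a Win32 error code: the GetLastError() value
// of the failing call, WAIT_TIMEOUT if the remote thread did not finish within
// 2 seconds, or ERROR_INVALID_HANDLE if the remote CloseHandle returned FALSE.
//
// Caveat: this relies on kernel32.dll being mapped at the same base address in
// both processes. That holds for same-bitness processes in one boot session,
// but not when a 32-bit caller targets a 64-bit process (or vice versa) - the
// remote thread would then start at a bogus address and crash the target.
DWORD CloseRemoteHandle( DWORD processID, HANDLE handle )
{
    DWORD rc = 0;
    DWORD threadId = 0;
    DWORD exitCode = 0;

    // PROCESS_QUERY_INFORMATION is part of the documented access set for
    // CreateRemoteThread; the VM_* rights are needed by CreateRemoteThread
    // itself even though we never touch the target's memory here.
    HANDLE hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                                   PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                                   FALSE, processID );
    if ( hProcess == NULL )
    {
        rc = GetLastError();
        MessageBox( _T("OpenProcess() failed ") );
        return rc;
    }

    // kernel32.dll is already mapped in every Win32 process, so GetModuleHandle
    // is enough; it also avoids the LoadLibrary/FreeLibrary reference-count
    // bookkeeping the original had to (and on one path failed to) balance.
    HMODULE hKernel32 = GetModuleHandle( _T("kernel32.dll") );
    LPTHREAD_START_ROUTINE pfnCloseHandle = NULL;
    if ( hKernel32 != NULL )
        pfnCloseHandle = (LPTHREAD_START_ROUTINE)GetProcAddress( hKernel32, "CloseHandle" );

    if ( pfnCloseHandle == NULL )
    {
        rc = GetLastError();
        CloseHandle( hProcess );
        return rc;
    }

    // The remote thread is just CloseHandle(handle) running in the target.
    HANDLE hThread = CreateRemoteThread( hProcess, NULL, 0, pfnCloseHandle,
                                         handle, 0, &threadId );
    if ( hThread == NULL )
    {
        // Usually insufficient privilege, a protected process, or a bitness
        // mismatch with the target.
        rc = GetLastError();
        MessageBox( _T("CreateRemoteThread() failed ") );
        CloseHandle( hProcess );
        // Must return here: the original fell through and went on to wait on
        // a NULL thread handle and close hProcess a second time.
        return rc;
    }

    switch ( WaitForSingleObject( hThread, 2000 ) )
    {
    case WAIT_OBJECT_0:
        // The thread's exit code is CloseHandle's BOOL return value, so we can
        // tell whether the handle was actually closed.
        if ( GetExitCodeThread( hThread, &exitCode ) && exitCode != 0 )
        {
            rc = 0;
            MessageBox( _T("Ok ") );
        }
        else
        {
            rc = ERROR_INVALID_HANDLE;
        }
        break;

    case WAIT_TIMEOUT:
        // GetLastError() is not meaningful after a timeout; report the
        // timeout itself. The remote thread is left running.
        rc = WAIT_TIMEOUT;
        MessageBox( _T("WaitForSingleObject() failed ") );
        break;

    default:
        rc = GetLastError();
        MessageBox( _T("WaitForSingleObject() failed ") );
        break;
    }

    CloseHandle( hThread );
    CloseHandle( hProcess );

    return rc;
}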


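// CreateRemoteThread example: make another process unload a DLL.
//
// Two remote threads are run in the target, both using kernel32 entry points:
//   1. GetModuleHandle(lpDllPath) -> the DLL's HMODULE inside the target. The
//      path is first copied into the target with VirtualAllocEx +
//      WriteProcessMemory, because the remote thread cannot read our memory.
//   2. FreeLibrary(thatHandle)    -> drops one reference to the module.
//
// processID  process ID of the target process
// lpDllPath  module name or full path, in whatever form GetModuleHandle accepts
//
// Returns 0 on success, otherwise a Win32 error code: ERROR_INVALID_PARAMETER
// for an empty path, ERROR_MOD_NOT_FOUND when the target does not have the
// module loaded, WAIT_TIMEOUT when the remote FreeLibrary does not return
// within 2 seconds, else the GetLastError() value of the failing call.
//
// Caveats a reviewer should be aware of:
//  - The HMODULE travels back through the thread exit code, which is a DWORD.
//    That is only lossless when the target's module addresses fit in 32 bits
//    (32-bit target); for a 64-bit target the value is truncated.
//  - kernel32 must sit at the same base in both processes (same bitness).
//  - FreeLibrary only decrements the load count, and unmapping a DLL whose
//    code the target's own threads are still executing will crash the target.
//    Forcibly unloading from outside is inherently unsafe; use only on
//    processes you control.
DWORD CloseRemoteDll( DWORD processID, LPCTSTR lpDllPath )
{
    DWORD rc = 0;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    LPVOID lpRemoteBuf = NULL;
    SIZE_T dwSize = 0;
    SIZE_T dwWritten = 0;
    DWORD dwHandle = 0;
    DWORD threadId = 0;
    HMODULE hKernel32 = NULL;
    LPTHREAD_START_ROUTINE pfnGetModuleHandle = NULL;
    LPTHREAD_START_ROUTINE pfnFreeLibrary = NULL;

    // Use the GetModuleHandle variant that matches the character type of
    // lpDllPath; the original always called the ANSI entry point, which is
    // wrong in a UNICODE build.
#ifdef UNICODE
    const char *pszGetModuleHandle = "GetModuleHandleW";
#else
    const char *pszGetModuleHandle = "GetModuleHandleA";
#endif

    if ( lpDllPath == NULL || *lpDllPath == 0 )
        return ERROR_INVALID_PARAMETER;

    // Documented access set for CreateRemoteThread plus what
    // VirtualAllocEx / WriteProcessMemory need.
    hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                            PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                            FALSE, processID );
    if ( hProcess == NULL )
        return GetLastError();

    // kernel32.dll is mapped in every Win32 process; no LoadLibrary/FreeLibrary
    // pair is needed (the original leaked that reference on early returns).
    hKernel32 = GetModuleHandle( _T("kernel32.dll") );
    if ( hKernel32 != NULL )
    {
        pfnGetModuleHandle = (LPTHREAD_START_ROUTINE)GetProcAddress( hKernel32, pszGetModuleHandle );
        pfnFreeLibrary = (LPTHREAD_START_ROUTINE)GetProcAddress( hKernel32, "FreeLibrary" );
    }
    if ( pfnGetModuleHandle == NULL || pfnFreeLibrary == NULL )
    {
        rc = GetLastError();
        goto cleanup;
    }

    // Copy the path, terminator included, into the target's address space.
    // Size is in BYTES: the original used the character count, which
    // truncates a wide-character path (and its "+ 1" had been lost).
    dwSize = ( (SIZE_T)lstrlen( lpDllPath ) + 1 ) * sizeof(TCHAR);
    lpRemoteBuf = VirtualAllocEx( hProcess, NULL, dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE );
    if ( lpRemoteBuf == NULL )
    {
        rc = GetLastError();
        goto cleanup;
    }

    if ( !WriteProcessMemory( hProcess, lpRemoteBuf, lpDllPath, dwSize, &dwWritten ) ||
         dwWritten != dwSize )
    {
        rc = GetLastError();
        goto cleanup;
    }

    // 1. Remote GetModuleHandle(lpDllPath).
    hThread = CreateRemoteThread( hProcess, NULL, 0, pfnGetModuleHandle, lpRemoteBuf, 0, &threadId );
    if ( hThread == NULL )
    {
        rc = GetLastError();
        goto cleanup;
    }

    // INFINITE is kept deliberately: the remote thread reads lpRemoteBuf, and
    // freeing that buffer while the thread may still be running would be a
    // use-after-free inside the target. A stuck/suspended target will hang us.
    if ( WaitForSingleObject( hThread, INFINITE ) != WAIT_OBJECT_0 ||
         !GetExitCodeThread( hThread, &dwHandle ) )
    {
        rc = GetLastError();
        goto cleanup;
    }
    CloseHandle( hThread );
    hThread = NULL;

    // The path buffer is no longer needed. MEM_RELEASE with size 0 frees the
    // whole allocation; the original's MEM_DECOMMIT left the region reserved
    // in the target for good.
    VirtualFreeEx( hProcess, lpRemoteBuf, 0, MEM_RELEASE );
    lpRemoteBuf = NULL;

    if ( dwHandle == 0 )
    {
        // Module not loaded in the target; FreeLibrary(NULL) would be pointless.
        rc = ERROR_MOD_NOT_FOUND;
        goto cleanup;
    }

    // 2. Remote FreeLibrary(hModule).
    hThread = CreateRemoteThread( hProcess, NULL, 0, pfnFreeLibrary,
                                  (LPVOID)(ULONG_PTR)dwHandle, 0, &threadId );
    if ( hThread == NULL )
    {
        rc = GetLastError();
        MessageBox( _T("CreateRemoteThread() failed ") );
        goto cleanup;
    }

    switch ( WaitForSingleObject( hThread, 2000 ) )
    {
    case WAIT_OBJECT_0:
        rc = 0;
        MessageBox( _T("Ok ") );
        break;

    case WAIT_TIMEOUT:
        // GetLastError() is meaningless after a timeout; report the timeout.
        rc = WAIT_TIMEOUT;
        MessageBox( _T("WaitForSingleObject() failed ") );
        break;

    default:
        rc = GetLastError();
        MessageBox( _T("WaitForSingleObject() failed ") );
        break;
    }

cleanup:
    // Single exit so every resource is released on every path (the original
    // leaked the remote buffer and the thread handle on several early returns).
    if ( hThread != NULL )
        CloseHandle( hThread );
    if ( lpRemoteBuf != NULL )
        VirtualFreeEx( hProcess, lpRemoteBuf, 0, MEM_RELEASE );
    CloseHandle( hProcess );

    return rc;
}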