/*
 * SlayProcess - forcibly end the process identified by PID.
 *
 * Only PROCESS_TERMINATE is requested from GetProcessHandleWithEnoughRights,
 * so the handle obtained here grants nothing beyond TerminateProcess
 * (least privilege for this one operation). The target's exit code is set to 1.
 *
 * Returns the BOOL result of TerminateProcess, or FALSE when no handle with
 * PROCESS_TERMINATE could be obtained. The process handle is always closed
 * before returning on the path where it was opened.
 */
BOOL SlayProcess(DWORD PID)
{
    HANDLE hTarget = GetProcessHandleWithEnoughRights(PID, PROCESS_TERMINATE);
    if (hTarget == NULL) {
        // No handle with PROCESS_TERMINATE: report failure without touching the process.
        return FALSE;
    }

    // Exit code 1 is what the terminated process reports to anything waiting on it.
    const BOOL fTerminated = TerminateProcess(hTarget, 1);

    // Release our reference whether or not termination succeeded.
    CloseHandle(hTarget);

    return fTerminated;
}
/*
 * InjectLibW - load the DLL at pszLibFile into the process dwProcessId.
 *
 * Mechanism as written: a handle to the target is opened with
 * PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE (plus
 * PROCESS_QUERY_INFORMATION), the wide-string path is copied into a buffer
 * committed in the target's address space, and a thread is started in the
 * target at the address of LoadLibraryW with that buffer as its argument.
 * This open/alloc/write/CreateRemoteThread sequence is the classic
 * cross-process injection pattern that endpoint defenses commonly alert on.
 *
 * Parameters:
 *   dwProcessId - PID of the target process.
 *   pszLibFile  - NUL-terminated wide path of the DLL. Must be non-NULL:
 *                 lstrlenW is called on it without a check.
 *
 * Returns TRUE once CreateRemoteThread succeeds; FALSE if the handle, the
 * remote allocation, the write, the LoadLibraryW lookup, or the thread
 * creation fails. Because the WaitForSingleObject below is commented out,
 * TRUE does NOT mean LoadLibraryW itself succeeded in the target - only
 * that the thread was created.
 *
 * NOTE(review): the CloseHandle calls for hThread and hProcess are commented
 * out, so every call leaks two handles in the calling process. The
 * VirtualFreeEx is also commented out, so the path buffer remains committed
 * in the target for the target's lifetime; without a wait on hThread its
 * lifetime is simply left to the target.
 *
 * NOTE(review): the LoadLibraryW address is resolved in THIS process via
 * GetProcAddress and passed to the remote thread unchanged, so the code
 * assumes Kernel32 is mapped at the same base in the target - confirm this
 * holds for the environments it is used in.
 */
BOOL WINAPI InjectLibW(DWORD dwProcessId, PCWSTR pszLibFile) {
    BOOL fOk = FALSE; // Assume that the function fails
    HANDLE hProcess = NULL, hThread = NULL;
    PWSTR pszLibFileRemote = NULL;

    // Get a handle for the target process. Only the rights needed by the
    // four calls below are requested.
    hProcess = GetProcessHandleWithEnoughRights(
        dwProcessId,
        PROCESS_QUERY_INFORMATION | // Required by Alpha
        PROCESS_CREATE_THREAD |     // For CreateRemoteThread
        PROCESS_VM_OPERATION |      // For VirtualAllocEx/VirtualFreeEx
        PROCESS_VM_WRITE            // For WriteProcessMemory
    );
    if (hProcess == NULL) return(FALSE);

    // Calculate the number of bytes needed for the DLL's pathname,
    // including the terminating NUL (hence the 1 +).
    // NOTE(review): cb is an int holding a size_t product; fine for any
    // realistic path length but it is a narrowing conversion.
    int cch = 1 + lstrlenW(pszLibFile);
    int cb = cch * sizeof(WCHAR);

    // Allocate space in the remote process for the pathname
    pszLibFileRemote = (PWSTR) VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
    if (pszLibFileRemote != NULL) {
        // Copy the DLL's pathname to the remote process's address space
        if (WriteProcessMemory(hProcess, pszLibFileRemote, (PVOID) pszLibFile, cb, NULL)) {
            // Get the real address of LoadLibraryW in Kernel32.dll
            // (resolved locally; see the header note about the shared-base assumption)
            PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
                GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
            if (pfnThreadRtn != NULL) {
                // Create a remote thread that calls LoadLibraryW(DLLPathname)
                hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, pszLibFileRemote, 0, NULL);
                if (hThread != NULL) {
                    // Wait for the remote thread to terminate
                    // (disabled: the function returns without knowing whether the load completed)
                    //WaitForSingleObject(hThread, INFINITE);
                    fOk = TRUE; // Everything executed successfully
                    // (disabled: hThread is leaked - see header note)
                    //CloseHandle(hThread);
                }
            }
        }
        // Free the remote memory that contained the DLL's pathname
        // (disabled: the buffer stays committed in the target - see header note)
        //VirtualFreeEx(hProcess, pszLibFileRemote, 0, MEM_RELEASE);
    }
    // (disabled: hProcess is leaked - see header note)
    //CloseHandle(hProcess);
    return(fOk);
}