// remote06.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include "windows.h"
/*
 * Remote-thread DLL loader: opens the target process, writes DllPathName
 * into its address space and starts a thread there at LoadLibraryA with
 * that string as the argument.
 *
 * From a detection standpoint this is the canonical OpenProcess ->
 * VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread sequence;
 * the remote-thread creation in particular is what endpoint telemetry
 * (e.g. Sysmon Event ID 8) records, so the whole routine is the
 * behaviour a defender would expect to alert on.
 *
 * Parameters:
 *   ProcessID   - PID of the target process.
 *   DllPathName - NUL-terminated path copied into the target; must not be
 *                 NULL (strlen on NULL below is undefined behaviour, the
 *                 function never checks it).
 * Returns:
 *   TRUE when the remote thread was created, FALSE on any API failure.
 *   TRUE does not mean the DLL loaded: the thread is never waited on and
 *   its exit code (LoadLibraryA's return) is never read.
 *
 * Review notes on the code as written:
 *   - PROCESS_ALL_ACCESS requests far more rights than the calls below
 *     use (least privilege would ask only for what is needed).
 *   - The region obtained from VirtualAllocEx is never released with
 *     VirtualFreeEx, neither on the WriteProcessMemory/GetModuleHandle/
 *     GetProcAddress/CreateRemoteThread failure paths nor on success.
 *   - CloseHandle is applied to an HMODULE (hml). HMODULE is a module
 *     base address, not a kernel object handle, so this is a misuse;
 *     nothing from GetModuleHandle needs closing.
 *   - CloseHandle(hProcess) / CloseHandle(hThread) are also called on
 *     the very failure paths where those values are NULL.
 *   - The function pointer is truncated through a DWORD cast (line with
 *     lpLoadAddr), which only round-trips on 32-bit builds.
 */
BOOL func(DWORD ProcessID,char* DllPathName)
{
    DWORD ThreadID = NULL;   // unused; NULL assigned to an integer
    //1. Obtain a handle to the target process
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,ProcessID);
    if (hProcess == NULL)
    {
        OutputDebugString("OpenProcess失败!");
        CloseHandle(hProcess);   // hProcess is NULL here; call is redundant
        return FALSE;
    }
    //2. Length of the DLL path including the terminating NUL
    DWORD LenOfDllPathName = strlen(DllPathName)+1;
    
    //3. Reserve+commit a writable region in the target process for the path
    LPVOID lpAllocAddr = VirtualAllocEx(hProcess,NULL,LenOfDllPathName,MEM_COMMIT,PAGE_READWRITE);
    if (lpAllocAddr == NULL)
    {
        OutputDebugString("VirtualAllocEx失败!");
        CloseHandle(hProcess);
        return FALSE;
    }
    //4. Copy the path string into the newly allocated remote region
    //   (bytes-written out-parameter is NULL, so a partial write is not
    //   distinguishable from a full one beyond the BOOL result)
    DWORD bRet = WriteProcessMemory(hProcess,lpAllocAddr,DllPathName,LenOfDllPathName,NULL);
    if (!bRet)
    {
        OutputDebugString("WriteProcessMemory失败!");
        CloseHandle(hProcess);   // remote allocation from step 3 is leaked
        return FALSE;
    }
    //5. Module base of kernel32 in *this* process
    HMODULE hml = GetModuleHandle("Kernel32.dll");
    if (hml == NULL)
    {
        OutputDebugString("GetModuleHandle失败!");
        CloseHandle(hProcess);   // remote allocation from step 3 is leaked
        return FALSE;
    }
    
    //6. Resolve LoadLibraryA locally; the address is reused in the target,
    //   which relies on kernel32 being mapped at the same base there
    DWORD lpLoadAddr = (DWORD)GetProcAddress(hml,"LoadLibraryA");   // pointer truncated to 32 bits
    if (!lpLoadAddr)
    {
        OutputDebugString("GetProcAddress失败!");
        CloseHandle(hProcess);   // remote allocation from step 3 is leaked
        CloseHandle(hml);        // HMODULE is not a closable handle
        return FALSE;
    }
    
    //7. Start a thread in the target at LoadLibraryA(lpAllocAddr)
    HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)lpLoadAddr,lpAllocAddr,0,NULL);
    if (hThread == NULL)
    {
        OutputDebugString("CreateRemoteThread失败!");
        CloseHandle(hThread);    // hThread is NULL here; call is redundant
        CloseHandle(hml);        // HMODULE is not a closable handle
        CloseHandle(hProcess);   // remote allocation from step 3 is leaked
        return FALSE;
    }
    // Release handles. The thread is not waited on and the remote
    // allocation is intentionally left alive because the thread reads it.
    CloseHandle(hThread);
    CloseHandle(hml);            // HMODULE is not a closable handle
    CloseHandle(hProcess);
    return TRUE;
}
/*
 * Entry point. Calls func() once with two placeholder tokens; as written
 * these are not valid identifiers, so this listing does not compile and
 * serves only to show where the PID and DLL path would be supplied.
 * argc/argv are unused, and func()'s BOOL result is ignored.
 */
int main(int argc, char* argv[])
{
    func(进程ID,DLL路径);   // placeholders: "process ID", "DLL path"
    
    
    return 0;
}