无DLL远程注入

界面如下:

主要代码如下:

#define STRLEN 20

// Parameter block handed to the remote thread (the lpParam of RemoteThreadProc).
// InjectCode copies it verbatim into the target with WriteProcessMemory, so its
// layout is the contract between the two processes: do not reorder or resize
// fields.
typedef struct _DATA
{
    // Absolute addresses of kernel32 exports, resolved in the injecting process
    // and stored as DWORD (32 bits) — the pointer casts truncate on x64, so this
    // layout is x86-only, and it assumes kernel32 is mapped at the same base in
    // the target process.
    DWORD dwLoadLibrary;        // LoadLibraryA
    DWORD dwGetProcAddress;     // GetProcAddress
    DWORD dwGetModuleHandle;    // GetModuleHandleA (resolved, but never called by RemoteThreadProc)
    DWORD dwGetModuleFileName;  // GetModuleFileNameA

    // NUL-terminated strings carried inside the block so the remote code needs
    // no string literal of its own (it cannot reference the injector's image).
    // Filled with unbounded strcpy; each value must fit in STRLEN-1 characters.
    char User32Dll[STRLEN];     // "user32.dll"
    char MessageBox[STRLEN];    // "MessageBoxA"
    char Str[STRLEN];           // text of the message box shown in the target
}DATA, *PDATA;
14 
// Button handler: synchronise the dialog controls into the member variables
// (DDX, UpdateData(TRUE)) so m_dwPid holds the PID typed by the user, then
// run the injection against that process.
void CNoDllInjectDlg::OnBnClickedButtonInject()
{
    UpdateData(TRUE);
    const DWORD dwTargetPid = m_dwPid;
    InjectCode(dwTargetPid);
}
21 
22 
// Thread routine that runs inside the target process.  InjectCode copies its
// raw machine code into the target (the 0x2000-byte WriteProcessMemory), so
// everything it needs must arrive through lpParam: it must not reference any
// function, string literal or global of the injecting process.  Any
// compiler-inserted call (e.g. a zero-fill helper for the local array below,
// or stack-protection checks) would point into the injector's image and fault
// in the target — this can only be confirmed by inspecting the built binary.
// lpParam: pointer, valid in the target's address space, to a DATA block.
// Returns 0 as the remote thread's exit code.
DWORD WINAPI RemoteThreadProc(LPVOID lpParam)
{
    PDATA pData = (PDATA)lpParam;

    // Locally typed function pointers; the raw addresses come from the DATA block.
    HMODULE (__stdcall *MyLoadLibrary)(LPCSTR);
    FARPROC (__stdcall *MyGetProcAddress)(HMODULE, LPCSTR);
    HMODULE (__stdcall *MyGetModuleHandle)(LPCSTR);
    int (__stdcall *MyMessageBox)(HWND, LPCSTR, LPCSTR, UINT);
    DWORD (__stdcall *MyGetModuleFileName)(HMODULE, LPSTR, DWORD);

    MyLoadLibrary = (HMODULE (__stdcall *)(LPCSTR))pData->dwLoadLibrary;
    MyGetProcAddress = (FARPROC (__stdcall *)(HMODULE, LPCSTR))pData->dwGetProcAddress;
    // MyGetModuleHandle is assigned but never used below.
    MyGetModuleHandle = (HMODULE (__stdcall *)(LPCSTR))pData->dwGetModuleHandle;
    MyGetModuleFileName = (DWORD (__stdcall *)(HMODULE, LPSTR, DWORD))pData->dwGetModuleFileName;

    // Load user32 in the target and resolve MessageBoxA by name.  Neither
    // hModule nor MyMessageBox is checked for NULL before being used.
    HMODULE hModule = MyLoadLibrary(pData->User32Dll);
    MyMessageBox = (int (__stdcall *)(HWND, LPCSTR, LPCSTR, UINT))MyGetProcAddress(hModule, pData->MessageBox);
    char szModuleName[MAX_PATH] = {0};
    // NULL module handle = path of the target process's own executable.
    MyGetModuleFileName(NULL, szModuleName, MAX_PATH);

    // Caption is the target's executable path, which shows the code is
    // executing in that process rather than in the injector.
    MyMessageBox(NULL, pData->Str, szModuleName, MB_OK);

    return 0;
}
47 
48 
// Copy RemoteThreadProc and its DATA parameter block into process dwPid and
// start a thread there.  This is the textbook remote-thread injection chain:
// OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
// WriteProcessMemory -> CreateRemoteThread.  Endpoint telemetry keys on exactly
// this sequence (e.g. Sysmon event 8 "CreateRemoteThread", RWX allocations in
// a foreign process), so it should be expected to be flagged by EDR.
// dwPid: PID of the target process.
// Reports only an OpenProcess failure (AfxMessageBox); every later API result
// is unchecked.
void CNoDllInjectDlg::InjectCode(DWORD dwPid)
{
    // Enable SeDebugPrivilege so OpenProcess can reach processes the caller's
    // DACL would otherwise deny (best-effort; no effect without the privilege).
    DebugPrivilege();
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    if (NULL == hProcess)
    {
        AfxMessageBox(_T("OpenProcess Error!"));
        return;
    }

    DATA Data = {0};
    // Export addresses are resolved in this process and reused as-is in the
    // target; that only holds if kernel32 sits at the same base there.  The
    // DWORD casts truncate pointers, so this is a 32-bit-only design.
    Data.dwLoadLibrary = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
    Data.dwGetProcAddress = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetProcAddress");
    Data.dwGetModuleHandle = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleHandleA");
    Data.dwGetModuleFileName = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleFileNameA");

    // Fixed STRLEN-byte fields; these literals fit, but strcpy is unbounded.
    strcpy(Data.User32Dll, "user32.dll");
    strcpy(Data.MessageBox, "MessageBoxA");
    strcpy(Data.Str, "Inject Code !!");

    // Parameter block in the target.  lpData and dwWriteNum are never checked.
    LPVOID lpData = VirtualAllocEx(hProcess, NULL, sizeof(DATA), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    DWORD dwWriteNum = 0;
    WriteProcessMemory(hProcess, lpData, &Data, sizeof(DATA), &dwWriteNum);

    // Copies 0x2000 bytes starting at RemoteThreadProc's entry.  The function is
    // far smaller than that, so the read runs on into whatever follows it in
    // the injector's image; a NULL lpCode (allocation failure) is not detected
    // and would be handed to CreateRemoteThread as the start address.
    DWORD dwFunSize = 0x2000;
    LPVOID lpCode = VirtualAllocEx(hProcess, NULL, dwFunSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProcess, lpCode, RemoteThreadProc, dwFunSize, &dwWriteNum);

    // hRemoteThread is not checked for NULL: WaitForSingleObject(NULL, ...)
    // fails immediately and the CloseHandle(NULL) below is a failing no-op.
    HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpCode, lpData, 0, NULL);
    WaitForSingleObject(hRemoteThread, INFINITE);

    // The remote allocations are intentionally left mapped in the target.
    CloseHandle(hRemoteThread);
    CloseHandle(hProcess);
}
83 
// Enable SeDebugPrivilege on the current process token so OpenProcess can
// reach processes the caller's DACL would otherwise deny.  The privilege must
// already be present in the token (an elevated/admin context); the results of
// LookupPrivilegeValue and AdjustTokenPrivileges are not checked, so this is
// strictly best-effort.
void CNoDllInjectDlg::DebugPrivilege(void)
{
    HANDLE hToken = NULL;
    if (TRUE != OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken))
    {
        return;
    }

    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
    AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);

    CloseHandle(hToken);
}
原文地址:https://www.cnblogs.com/qiyueliuguang/p/3544103.html