CreateRemoteThread
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
bool Start(TCHAR* buff,DWORD pid);
BOOL EnablePrivilege(LPCTSTR lpszPrivilegeName, BOOL bEnable);
/*
 * Entry point.  Enables SeDebugPrivilege in this process's own token, finds a
 * window titled "ok", resolves the process id that owns it, and passes that
 * id together with a hard-coded DLL path to Start().
 *
 * The resulting call chain (token privilege adjustment -> cross-process
 * handle -> remote allocation/write -> remote thread) is the well-known
 * remote-thread DLL-injection pattern; endpoint sensors commonly log or
 * alert on exactly this sequence, which is the detection angle for a
 * defender reading this code.
 */
int main (void)
{
EnablePrivilege(SE_DEBUG_NAME,TRUE);// enable SeDebugPrivilege for this process; the return value is not checked
DWORD lpdword,pid;
TCHAR strbuff[100]={0};
// Copies a fixed 100 bytes out of a string literal that is visibly shorter
// than 100 bytes in either ANSI or Unicode builds: the tail of the copy
// reads past the end of the literal (undefined behaviour).
memcpy(strbuff,TEXT("D:\\个人资料\\桌面\\WKS\\dll.dll"),100);
HWND hwnd=FindWindow(NULL,TEXT("ok"));  // target is selected purely by window title
if (hwnd)
{
lpdword=GetWindowThreadProcessId(hwnd,&pid);  // thread id stored in lpdword is never read; only pid is used
}
else
{
printf("没有找到句柄\n");  // "window handle not found"
return 0;
}
Start(strbuff,pid);  // Start() always returns true, so no failure is visible here
return 0;
}
/*
 * Start: allocates memory in process pid, writes the path string buff into
 * it, and creates a remote thread whose start address is the local
 * address of kernel32!LoadLibraryA with that buffer as the argument.
 *
 * Returns true unconditionally, even when OpenProcess, VirtualAllocEx,
 * WriteProcessMemory, GetProcAddress or CreateRemoteThread fails, so the
 * caller cannot distinguish success from failure.  The remote buffer is
 * never released.
 *
 * From a monitoring standpoint, OpenProcess(PROCESS_ALL_ACCESS) on a
 * foreign pid followed by VirtualAllocEx -> WriteProcessMemory ->
 * CreateRemoteThread is the signature sequence that host-based detection
 * hooks or audits for remote-thread injection.
 */
bool Start(TCHAR* buff,DWORD pid)
{
HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid);// open the target process with full access
if (hProcess)
{
int len=_tcslen(buff);  // length of the path in characters, as reported by _tcslen (size_t narrowed to int)
LPVOID pAddr=VirtualAllocEx(hProcess,NULL,len,MEM_COMMIT, PAGE_READWRITE); // commit len bytes of RW memory in the remote process
if (pAddr)
{
if (WriteProcessMemory(hProcess,pAddr,buff,len,NULL)) // copy the DLL path into the remote buffer
{
// Resolves LoadLibraryA in *this* process; the code then uses that local
// address directly as the remote thread's start address without verifying
// it is meaningful in the target.
PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA"); // get the function address
if (pfnStartAddr)
{
DWORD lpdword;HANDLE rThread;  // lpdword receives the new thread id but is never read
rThread=CreateRemoteThread(hProcess,NULL,NULL,pfnStartAddr,pAddr,0,&lpdword);  // remote thread runs LoadLibraryA(pAddr)
if (rThread)
printf("远程线程执行成功!");  // "remote thread started" -- only creation is checked, not what the thread did
CloseHandle(rThread);  // not guarded by the if above: also called with NULL when creation failed
}
}
}
CloseHandle(hProcess);
}
return true;  // unconditional; none of the failures above is reported
}
/*
 * EnablePrivilege: enables (bEnable != FALSE) or disables one named
 * privilege in the current process token.
 *
 * Return value as written:
 *   FALSE if the process token cannot be opened;
 *   TRUE  if LookupPrivilegeValue fails -- an inverted check, so a caller
 *         proceeds as if the privilege were enabled when it was not;
 *   otherwise GetLastError() == ERROR_SUCCESS.  Note that GetLastError is
 *         read after CloseHandle, not immediately after
 *         AdjustTokenPrivileges, so the result reflects the last error of
 *         CloseHandle rather than of the privilege adjustment.
 *
 * Adjusting token privileges (here SeDebugPrivilege, per the caller) is a
 * commonly audited operation; defenders can correlate it with the
 * cross-process activity that follows in Start().
 */
BOOL EnablePrivilege(LPCTSTR lpszPrivilegeName, BOOL bEnable)
{
HANDLE hToken = NULL;
TOKEN_PRIVILEGES tp;
LUID luid;
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | TOKEN_READ, &hToken))
return FALSE;
if(!LookupPrivilegeValue(NULL, lpszPrivilegeName, &luid))
return TRUE;  // NOTE(review): returns TRUE on lookup failure and leaks hToken
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = (bEnable) ? SE_PRIVILEGE_ENABLED : 0;
AdjustTokenPrivileges(hToken, FALSE, &tp, NULL, NULL, NULL);  // return value not checked
CloseHandle(hToken);  // may overwrite the last-error value set by AdjustTokenPrivileges
return (GetLastError() == ERROR_SUCCESS);
}