a sprawdź na forach z hackami do gier, może pod hasłem "dll injection" będzie jakiś kodzik korzystający z tego?
//choć tam to pewnie będzie tylko VirtualAllocEx, WriteProcessMemory i CreateRemoteThread, ale chyba gdzieś też widziałem jakiś kod z tym CreateProcess, poszukać musisz (bardziej na zagranicznych forach)
//edit
// Based on DLLInject demonstration by Rezmond( http://www.torry.net/authorsmore.php?id=3987 )
unit DLLInject;
interface
uses
Windows;
// Injects a DLL into an already running process by starting a remote thread in it
// (see InjectDLL in the implementation section).
// aProcHandle must already carry the access rights needed to allocate and write
// memory and to create a thread in the target; which Win32 access-mask bits those
// are is not stated in this unit - TODO confirm against the CreateRemoteThread docs.
// Returns what LoadLibrary produced inside the target, read back as the remote
// thread's exit code. The implementation does not check the individual Win32 calls,
// so a failed injection does not raise EDLLInjectError.
function InjectDLL(const aProcHandle: THandle; const aDLLFullFileName: string): HMODULE;
// Starts aEXEFullFileName with CreateProcess and then injects aDLLFullFileName into
// the new process; raises EDLLInjectError only when CreateProcess itself fails.
// Requires full path names to files.
// aProcInfo is allocated with New() by the callee: the caller owns it and must
// Dispose() it and CloseHandle() both hProcess and hThread stored in it.
// NOTE(review): the trailing 'overload' directive below has no ';' after it and no
// second RunAndInjectDLL overload exists in this unit - confirm this compiles as intended.
function RunAndInjectDLL(const aEXEFullFileName, aDLLFullFileName: string; out aProcInfo: PProcessInformation; const aCreateFlags: Cardinal = 0; const aWorkingDirectory: string = ''): HMODULE; overload
implementation
uses
SysUtils;
type
// Raised by Error() with the caller's message followed by the system text for GetLastError.
EDLLInjectError = class(Exception);
const
// Module from which the remote thread's start routine (LoadLibrary) is resolved.
KERNEL32_DLL = 'Kernel32.DLL';
// The wide or ANSI LoadLibrary is selected by the same UNICODE define that fixes
// SizeOf(Char); StrToPCharAndLen marshals the path with SizeOf(Char), so the
// remote buffer encoding and this entry point name must stay in step.
LOADLIBRARY_NAME = {$IFDEF UNICODE} 'LoadLibraryW' {$ELSE} 'LoadLibraryA' {$ENDIF UNICODE};
resourcestring
// Message prefix used when CreateProcess fails in RunAndInjectDLL.
ERR_CREATE_PROCESS = 'Unable to create process';
// Redeclared because lpBuffer should be a ByRef variable: with
// FORMAT_MESSAGE_ALLOCATE_BUFFER the system allocates the message buffer and
// stores its address through lpBuffer, so the parameter must be 'var PChar'
// rather than the plain PChar the Windows unit declares. Per the Win32 docs the
// buffer is owned by the caller afterwards and must be released with LocalFree.
function FormatMessage(dwFlags: DWORD; lpSource: Pointer; dwMessageId: DWORD;
dwLanguageId: DWORD; var lpBuffer: PChar; nSize: DWORD; Arguments: Pointer): DWORD; stdcall;
external Kernel32 name {$IFDEF UNICODE} 'FormatMessageW' {$ELSE} 'FormatMessageA' {$ENDIF};
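// Asks Windows to format a message string for the calling thread's last error.
// Returns '' when FormatMessage itself fails (e.g. an unknown error code) instead
// of reading an uninitialised pointer, and releases the system-allocated buffer
// with LocalFree so repeated calls do not leak.
function GetWindowsLastErrorMessage: string;
var
  pMessage: PChar;
  ErrorCode: DWORD;
begin
  Result := '';
  pMessage := nil;
  // Capture the code first: any call made below may overwrite the thread's last error.
  ErrorCode := GetLastError;
  if FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER or FORMAT_MESSAGE_FROM_SYSTEM,
      nil, ErrorCode, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
      pMessage, 0, nil) = 0 then
    Exit;
  try
    Result := pMessage;
  finally
    // Buffer was LocalAlloc'd by the system because of FORMAT_MESSAGE_ALLOCATE_BUFFER.
    LocalFree(HLOCAL(pMessage));
  end;
end;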
// Raises EDLLInjectError whose text is aMsg, a line break, and the system's
// description of the current GetLastError value.
procedure Error(aMsg: string);
var
  Detail: string;
begin
  Detail := GetWindowsLastErrorMessage;
  raise EDLLInjectError.CreateFmt('%s%s%s', [aMsg, sLineBreak, Detail]);
end;
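// Allocates a new zero-terminated Char buffer holding a copy of aStr and returns
// it together with the buffer size in bytes (terminator included).
// The caller releases aBuf with FreeMem.
// Safe for aStr = '': PChar('') points at a static terminator, whereas aStr[1] is
// out of range for an empty string (and raises ERangeError under {$R+}).
procedure StrToPCharAndLen(const aStr: string; out aBuf: PChar; out aBufLen: Cardinal); overload;
begin
  aBufLen := (Length(aStr) + 1) * SizeOf(Char);
  // AllocMem zero-fills, so the final Char is already the terminator.
  aBuf := AllocMem(aBufLen);
  Move(PChar(aStr)^, aBuf^, aBufLen - SizeOf(Char));
end;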
// Loads aDLLFullFileName into the process behind aProcHandle: the path is copied
// into the target's address space and a remote thread is started there with
// kernel32's LoadLibrary as its start routine and that path as its argument.
// Result is the remote thread's exit code, i.e. what LoadLibrary returned in the target.
// NOTE(review): none of the Win32 calls below have their return values checked.
// A nil NewMem or LoadLibraryPtr, or a zero ThreadHandle, is passed straight on, so
// a failed injection shows up as a fault in the target or a bogus Result rather
// than an EDLLInjectError - confirm this is acceptable for callers.
// NOTE(review): LoadLibraryPtr is resolved in this process but used in the target,
// which only works if kernel32 is mapped at the same base in both; that does not
// hold across a 32/64-bit boundary - TODO confirm the caller guarantees same bitness.
// Risk: this remote-thread/LoadLibrary sequence is the textbook cross-process
// loading pattern that endpoint monitoring products flag and may block; legitimate
// deployments should expect those alerts.
function InjectDLL(const aProcHandle: THandle; const aDLLFullFileName: string): HMODULE;
var
NewMem, PDLLPath: PChar;
DLLPathLen: Cardinal;
BytesWritten: Cardinal;
Kernel32Module: THandle;
LoadLibraryPtr: Pointer;
ThreadHandle: THandle;
ThreadID: Cardinal;
begin
// Get PChar for DLL path and its length (local buffer, freed in the finally block)
StrToPCharAndLen(aDLLFullFileName, PDLLPath, DLLPathLen);
// Alloc memory in remote process space for DLL name (unchecked: nil on failure)
NewMem:= VirtualAllocEx(aProcHandle, nil, DLLPathLen, MEM_COMMIT, PAGE_READWRITE);
try
// Write DLL name into remote process memory space (BytesWritten is never compared with DLLPathLen)
WriteProcessMemory(aProcHandle, NewMem, PDLLPath, DLLPathLen, BytesWritten);
// Get pointer to LoadLibrary function. The reference taken on kernel32 here is
// never released with FreeLibrary; kernel32 is not unloaded in practice, so this is benign.
Kernel32Module:= LoadLibrary(KERNEL32_DLL);
LoadLibraryPtr:= GetProcAddress(Kernel32Module, LOADLIBRARY_NAME);
// Create a thread using LoadLibrary as ThreadProc
ThreadHandle:= CreateRemoteThread(aProcHandle, nil, 0, LoadLibraryPtr, NewMem, 0, ThreadID);
// Wait for DLL initialization to finish. INFINITE: a DLL entry point that never
// returns keeps this call blocked for good.
WaitForSingleObject(ThreadHandle, INFINITE);
// Get LoadLibrary result (remote handle to DLL). Thread exit codes are 32-bit, so
// on a 64-bit build the HMODULE written here may be truncated - TODO confirm.
GetExitCodeThread(ThreadHandle, Cardinal(Result));
// No need for Thread handle
CloseHandle(ThreadHandle);
finally
// Free used remote and local memory
VirtualFreeEx(aProcHandle, NewMem, 0, MEM_RELEASE);
FreeMem(PDLLPath);
end;
end;
// Starts aEXEFullFileName with CreateProcess and then injects aDLLFullFileName into
// the new process (which is already running by then unless aCreateFlags says otherwise).
// aProcInfo is New()'d here and handed to the caller, who must Dispose() it and
// CloseHandle() hProcess and hThread. The error path below raises after the record
// has already been allocated, so the caller must free it on exception as well.
function RunAndInjectDLL(const aEXEFullFileName, aDLLFullFileName: string;
out aProcInfo: PProcessInformation; const aCreateFlags: Cardinal;
const aWorkingDirectory: string): HMODULE;
var
StartInfo: TStartupInfo;
WorkingDirectory: string;
begin
// Initialize process structures
New(aProcInfo);
FillChar(aProcInfo^, SizeOf(TProcessInformation), 0);
// NOTE(review): StartInfo.cb stays 0 after this FillChar; CreateProcess expects
// cb = SizeOf(TStartupInfo) - confirm the call behaves correctly without it.
FillChar(StartInfo, SizeOf(TStartupInfo), 0);
// If not set, set working directory to EXE path
if aWorkingDirectory <> '' then
WorkingDirectory:= aWorkingDirectory
else
WorkingDirectory:= ExtractFilePath(aEXEFullFileName);
// Execute process. bInheritHandles = True hands every inheritable handle of this
// process to the child; from a least-privilege standpoint False is the safer
// default unless the child actually needs them.
// NOTE(review): the command line is passed as the literal '' - check that the
// PChar conversion of an empty string literal here yields what is intended.
// (The trailing marker on the next line is the original poster's "something here".)
if not CreateProcess(PChar(aEXEFullFileName), '', nil, nil, True, //<-------------------- something here
aCreateFlags, nil, PChar(WorkingDirectory), StartInfo, aProcInfo^)
then
Error(ERR_CREATE_PROCESS);
// Inject DLL into new process
Result:= InjectDLL(aProcInfo.hProcess, aDLLFullFileName);
end;
end.
mały burdel, ale na samym dole kodu coś tam jest, ale nie znam się na tym, zignoruj tego posta jakby co
//edit
http://www.daniweb.com/software-development/cpp/threads/238461
http://www.governmentsecurity.org/forum/index.php?showtopic=31679
http://komputery.katalogi.pl/C%2B%2B_programowanie_sieciowe_windows-t80741.html