北京奥运

北京奥运会就这么闭幕了,ORZ…从头至尾没怎么认真关注过,大约也就看认真了一两场比赛,再加上个开幕式和闭幕式。倒是每天看报纸的时候特地注意了金牌榜,然后中午吃饭时间听同事们忽悠,也算了解了不少。想到10年以后还可以翻出来晒晒,就过来随便留点什么。
 
北京奥运让我感动的地方:开幕式,某小女孩的《歌唱祖国》。当歌声在鸟巢里响起的时候,其实我是掉眼泪的。为什么?我觉得奥运会能够在咱祖国举行,可以说明咱中国的确强大了。尽管平时很愤青,对国家,对社会,这个看不惯,那个也看不惯,但是当听到这歌声的时候,当五星红旗徐徐升起在奥运会场的时候,我是真的为自己这个恨铁不成钢的祖国而感到骄傲。
 
北京奥运让我猥琐一笑的两场比赛:
  • 某射击比赛,某国外高手遥遥领先,但是在决定性的最后一枪,却打出了一个4.x环。这让咱中国捡便宜了,也让我乐坏了。
  • 某xx量级柔道比赛,最终中国队通过“观察”评分夺得了冠军。
北京奥运看得很有感觉的比赛,女子平衡木决赛。在星之锻炼身体,一边举/拉/推器械,一边和同事一起看,的确很有节奏感。那天扩胸的器械貌似不留神比预定的多做了20个。
 
嗯,也就这么多了。最后北京奥运是2008年8月8号8点08分开始的,8月24号结束的。中国总共51块金牌,把美国、英国、俄罗斯等远远地甩在了后面。

Ease code injection

[Update: format the post and remove some nonsense]
It is always inconvenient to debug a .NET Profiler within the Visual Studio IDE. Why? Because Visual Studio is acting as a CLR host, which means that if we set up the environment variables, the CLR hosted by Visual Studio will be profiled instead of the application/debuggee. As we all know, environment variables can only be modified before the child process is launched; otherwise, there's no direct way to do it. In other words, we have to look for an indirect way to achieve the task. So, here comes the code injection.
 
Usually, there are three ways to inject code into another process (search for the key words "Three ways" with Google and you will find it). I prefer the simplest one (a combination of CreateRemoteThread and LoadLibrary)^^; actually it is one of the two ways we can use from a console application. The other is using WriteProcessMemory to copy binary/machine code into the target process. Since I am not so sophisticated with ASM, I gave it up^^ Here is the source code and usage, really easy?? hehe~~~
 
For Agent.dll, I will not attach the source code here, because it is really easy; you should get it done in less than 5 minutes after looking it up in MSDN. The core work of it is just to modify the environment variable with the SetEnvironmentVariable API.
 
  • Command Line: inject.exe <target process image name> <DLL to be injected>
  • For example: inject.exe notepad.exe Agent.dll 
  • Source Code (inject.exe):

#include "windows.h"

#include "tchar.h"

#include "TLHELP32.H"

#include "stddef.h"

#include "stdio.h"

#include "Shlwapi.h"

 

#pragma comment(lib, "shlwapi.lib")

 

/* Returns the process id of the first running process whose image name
 * matches lpszProcess (case-insensitive), or 0 if none is found. */
DWORD FindTarget(LPCTSTR lpszProcess);

/* Loads lpszDllName into process dProcessId with a remote LoadLibraryW
 * thread, waits for it, then starts a second remote FreeLibrary thread.
 * Failures are not reported to the caller. */
void Inject(DWORD dProcessId, LPCTSTR lpszDllName);

 

/* Exit code of the remote LoadLibraryW thread, written by Inject via
 * GetExitCodeThread. A thread exit code is 32 bits wide, so this cannot
 * hold a full module handle in a 64-bit target. */
DWORD hLibModule = 0;

 

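/*
 * Entry point: inject.exe <process image name> <dll to be injected>
 *
 * Looks up the target process by image name, resolves the DLL argument to
 * an absolute path, verifies that the file exists and hands both to Inject.
 * Returns 0 on success and -1 on any argument or lookup error; Inject
 * itself reports nothing back, so a return of 0 only means the arguments
 * were accepted.
 */
int _tmain(int argc, _TCHAR* argv[])
{
      if (argc != 3)
      {
            /* The first argument is an image name (e.g. notepad.exe), not a pid. */
            printf("Usage: inject.exe <process name> <dll to be injected>\n");
            return -1;
      }

      DWORD dProcessId = FindTarget(argv[1]);
      if (dProcessId == 0)
      {
            printf("Cannot find process specified as the command line option.\n");
            return -1;
      }

      /* The path is consumed by LoadLibrary inside the target process, where a
       * relative name would be resolved against the target's own search path,
       * so build an absolute path here. */
      TCHAR szCurrentDir[MAX_PATH];
      DWORD cchDir = GetCurrentDirectory(MAX_PATH, szCurrentDir);
      if (cchDir == 0 || cchDir >= MAX_PATH)
      {
            printf("Cannot determine the current directory.\n");
            return -1;
      }

      /* PathCombine is bounded to MAX_PATH (no unchecked concatenation) and
       * passes an already-absolute argument through unchanged. */
      TCHAR szLibPath[MAX_PATH];
      if (PathCombine(szLibPath, szCurrentDir, argv[2]) == NULL)
      {
            printf("Cannot build the full path of the .dll file specified as the command line option.\n");
            return -1;
      }

      if (!PathFileExists(szLibPath))
      {
            printf("Cannot find .dll file specified as the command line option.\n");
            return -1;
      }

      Inject(dProcessId, szLibPath);

      return 0;
}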

 

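/*
 * Find a process by image name.
 *
 * lpszProcess: image file name to look for (e.g. notepad.exe); compared
 *              case-insensitively against PROCESSENTRY32.szExeFile, i.e.
 *              the file name only, never the full path.
 *
 * Returns the id of the first matching process in snapshot order, or 0 when
 * no process matches or the snapshot cannot be taken. With several processes
 * of the same name the choice is therefore arbitrary.
 */
DWORD FindTarget(LPCTSTR lpszProcess)
{
      DWORD dwRet = 0;
      /* dwSize is the first member and must be set before Process32First. */
      PROCESSENTRY32 pe32 = { sizeof(PROCESSENTRY32) };

      /* CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE,
       * not NULL. */
      HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
      if (hSnapshot == INVALID_HANDLE_VALUE)
      {
            return 0;
      }

      for (BOOL bMore = Process32First(hSnapshot, &pe32);
           bMore;
           bMore = Process32Next(hSnapshot, &pe32))
      {
            if (0 == lstrcmpi(pe32.szExeFile, lpszProcess))
            {
                  dwRet = pe32.th32ProcessID;
                  break;
            }
      }

      CloseHandle(hSnapshot);
      return dwRet;
}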

 

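/*
 * Load lpszDllName into process dProcessId and unload it again.
 *
 * dProcessId:  id of the target process (see FindTarget).
 * lpszDllName: absolute path of the DLL, NUL-terminated.
 *
 * The path is copied into the target, a remote thread running LoadLibrary
 * is started on it and awaited, and the resulting module handle is handed to
 * a second remote thread running FreeLibrary. Whatever the DLL does is done
 * in its DllMain (the accompanying Agent.dll presumably sets an environment
 * variable there), so the module does not need to stay resident.
 *
 * Limitations: the remote thread's exit code is 32 bits wide, so the module
 * handle is only recovered correctly for a 32-bit target, and the LoadLibrary
 * address taken from this process is only valid in a target of the same
 * bitness. The DLL's DllMain runs with the target's privileges.
 *
 * Errors are printed to stdout; nothing is returned to the caller. The
 * global hLibModule receives the exit code of the LoadLibrary thread.
 */
void Inject(DWORD dProcessId, LPCTSTR lpszDllName)
{
      HANDLE hProcess = NULL;
      HANDLE hThread = NULL;
      LPVOID lpRemoteAddress = NULL;
      const char *szFailedStep = NULL;
      /* Bytes to copy, including the terminating NUL: the remote LoadLibrary
       * reads the string up to that terminator. */
      SIZE_T cbPath = (_tcslen(lpszDllName) + 1) * sizeof(TCHAR);
      /* The copied string is a TCHAR string, so the matching LoadLibrary
       * variant must be picked for the build's character set. */
#ifdef UNICODE
      const char *szLoadLibrary = "LoadLibraryW";
#else
      const char *szLoadLibrary = "LoadLibraryA";
#endif

      do
      {
            /* Only the rights this routine actually uses. */
            hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE,
                  FALSE, dProcessId);
            if (hProcess == NULL)
            {
                  szFailedStep = "OpenProcess";
                  break;
            }

            /* The buffer only ever holds a path string; it is never executed. */
            lpRemoteAddress = VirtualAllocEx(hProcess, NULL, cbPath,
                  MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
            if (lpRemoteAddress == NULL)
            {
                  szFailedStep = "VirtualAllocEx";
                  break;
            }

            if (!WriteProcessMemory(hProcess, lpRemoteAddress, lpszDllName, cbPath, NULL))
            {
                  szFailedStep = "WriteProcessMemory";
                  break;
            }

            /* Relies on kernel32.dll being mapped at the same address in the
             * target as in this process. */
            LPTHREAD_START_ROUTINE pFun =
                  (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("Kernel32.dll")), szLoadLibrary);
            if (pFun == NULL)
            {
                  szFailedStep = "GetProcAddress(LoadLibrary)";
                  break;
            }

            hThread = CreateRemoteThread(hProcess, NULL, 0, pFun, lpRemoteAddress, 0, NULL);
            if (hThread == NULL)
            {
                  szFailedStep = "CreateRemoteThread(LoadLibrary)";
                  break;
            }

            if (WAIT_FAILED == WaitForSingleObject(hThread, INFINITE))
            {
                  szFailedStep = "WaitForSingleObject(LoadLibrary)";
                  break;
            }

            /* The thread's exit code is LoadLibrary's return value (truncated
             * to 32 bits, see the header comment). */
            if (0 == GetExitCodeThread(hThread, &hLibModule))
            {
                  szFailedStep = "GetExitCodeThread";
                  break;
            }

            CloseHandle(hThread);
            hThread = NULL;

            if (hLibModule == 0)
            {
                  /* LoadLibrary failed inside the target; there is nothing to
                   * unload. */
                  szFailedStep = "remote LoadLibrary";
                  break;
            }

            pFun = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("Kernel32.dll")), "FreeLibrary");
            if (pFun == NULL)
            {
                  szFailedStep = "GetProcAddress(FreeLibrary)";
                  break;
            }

            /* FreeLibrary takes the module handle, not the path buffer. */
            hThread = CreateRemoteThread(hProcess, NULL, 0, pFun, (LPVOID)(ULONG_PTR)hLibModule, 0, NULL);
            if (hThread == NULL)
            {
                  szFailedStep = "CreateRemoteThread(FreeLibrary)";
                  break;
            }

            if (WAIT_FAILED == WaitForSingleObject(hThread, INFINITE))
            {
                  szFailedStep = "WaitForSingleObject(FreeLibrary)";
                  break;
            }
      } while (0);

      if (szFailedStep != NULL)
      {
            printf("Inject: %s failed.\n", szFailedStep);
      }

      if (hThread != NULL)
      {
            CloseHandle(hThread);
      }
      if (lpRemoteAddress != NULL)
      {
            /* Must run while hProcess is still open; MEM_RELEASE requires a
             * size of 0. */
            VirtualFreeEx(hProcess, lpRemoteAddress, 0, MEM_RELEASE);
      }
      if (hProcess != NULL)
      {
            CloseHandle(hProcess);
      }
}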

Hope this can help…