dll注入,VirtualAllocEx返回5
白昼不昼 2017-11-22 10:01:17 我现在要做一个dll注入器,将dll注入到其他进程(非外挂用途),将dll注入守望先锋游戏,提示注入成功,可是在注入最新的吃鸡游戏,VirtualAllocEx返回5给我,拒绝访问,DeBug权限有提升,OpenProcess也是PROCESS_ALL_ACCESS,想问问大家有没有方法解决???
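// Enables SeDebugPrivilege in the calling process's own token.
//
// Returns TRUE only when the privilege was actually enabled. The original
// version discarded every return value and closed an uninitialised handle
// when OpenProcessToken failed; callers that ignore the result still compile.
//
// The privilege can only be enabled if it is already present (disabled) in
// the token, which is normally the case for administrator tokens only.
BOOL EnableDebugPriv()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return FALSE;
    }

    LUID luid;
    BOOL bOk = LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
    if (bOk)
    {
        TOKEN_PRIVILEGES tkp;
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = luid;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        // AdjustTokenPrivileges returns TRUE even when the privilege is not in the
        // token at all; the documented success signal is a last-error of ERROR_SUCCESS
        // (ERROR_NOT_ALL_ASSIGNED otherwise).
        bOk = AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)
              && ERROR_SUCCESS == GetLastError();
    }

    CloseHandle(hToken);
    return bOk;
}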
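// Looks up the PID of the first running process whose executable name equals
// lpszProcessName (narrow string, compared exactly against the wide
// PROCESSENTRY32::szExeFile).
//
// Fixes over the original: the name is converted once instead of once per
// process (the per-iteration malloc was never freed), the entry returned by
// Process32First is now compared too (the old while-loop skipped it), and a
// NULL/empty name or a failed conversion is rejected instead of dereferenced.
//
// Returns TRUE and sets dwPid on a match; FALSE otherwise (dwPid untouched).
BOOL GetPidByProcessName(const char* lpszProcessName, DWORD &dwPid)
{
    if (NULL == lpszProcessName || '\0' == lpszProcessName[0])
    {
        return FALSE;
    }

    // Convert the narrow name to wide exactly once, outside the enumeration loop.
    size_t len = strlen(lpszProcessName) + 1;
    wchar_t* wszName = static_cast<wchar_t*>(malloc(len * sizeof(wchar_t)));
    if (NULL == wszName)
    {
        return FALSE;
    }
    size_t converted = 0;
    if (0 != mbstowcs_s(&converted, wszName, len, lpszProcessName, _TRUNCATE))
    {
        free(wszName);
        return FALSE;
    }

    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (INVALID_HANDLE_VALUE == hSnapshot)
    {
        free(wszName);
        return FALSE;
    }

    BOOL bFound = FALSE;
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(pe);

    // do/while so the first entry (from Process32First) is compared as well.
    if (Process32First(hSnapshot, &pe))
    {
        do
        {
            if (0 == wcscmp(wszName, pe.szExeFile))
            {
                dwPid = pe.th32ProcessID;
                bFound = TRUE;
                break;
            }
        } while (Process32Next(hSnapshot, &pe));
    }

    ::CloseHandle(hSnapshot);
    free(wszName);
    return bFound;
}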
//注入DLL到远程进程
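// Loads lpDllName into another process by writing the path into that
// process and starting a remote thread whose entry point is LoadLibraryA.
//
// The target is chosen by lpPid (decimal string) when non-empty, otherwise
// by lpProcName via GetPidByProcessName; both empty is an error.
//
// Fixes over the original: OpenProcess and CreateRemoteThread report failure
// with NULL, not INVALID_HANDLE_VALUE, so the old checks never fired and the
// code went on with a NULL handle; VirtualFreeEx was called with MEM_COMMIT,
// which is not a valid free type (MEM_RELEASE with size 0 is); the remote
// buffer was never released on success; a non-numeric PID string silently
// became PID 0.
//
// Returns TRUE when the remote thread ran to completion. Note that this does
// NOT confirm the DLL loaded: LoadLibraryA's return value is not inspected.
// Every failure collapses to FALSE; a caller that needs the reason must read
// GetLastError() immediately after the call.
BOOL InjectDllToRemoteProcess(const char* lpDllName, const char* lpPid, const char* lpProcName)
{
    if (NULL == lpDllName || '\0' == lpDllName[0])
    {
        return FALSE;
    }

    // Resolve the target PID: an explicit PID string wins, otherwise look the name up.
    DWORD dwPid = 0;
    if (NULL != lpPid && '\0' != lpPid[0])
    {
        char* pEnd = NULL;
        unsigned long ulPid = strtoul(lpPid, &pEnd, 10);
        // Reject anything that is not a whole decimal number, and PID 0.
        if (pEnd == lpPid || '\0' != *pEnd || 0 == ulPid)
        {
            return FALSE;
        }
        dwPid = static_cast<DWORD>(ulPid);
    }
    else if (NULL != lpProcName && '\0' != lpProcName[0])
    {
        if (!GetPidByProcessName(lpProcName, dwPid))
        {
            return FALSE;
        }
    }
    else
    {
        return FALSE;
    }

    HANDLE hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    // OpenProcess signals failure with NULL.
    if (NULL == hRemoteProcess)
    {
        return FALSE;
    }

    // Path length including the terminating NUL, as LoadLibraryA expects.
    SIZE_T dwSize = (strlen(lpDllName) + 1) * sizeof(char);
    LPVOID lpRemoteBuff = VirtualAllocEx(hRemoteProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
    if (NULL == lpRemoteBuff)
    {
        CloseHandle(hRemoteProcess);
        return FALSE;
    }

    BOOL bOk = FALSE;
    SIZE_T dwHasWrite = 0;
    if (WriteProcessMemory(hRemoteProcess, lpRemoteBuff, lpDllName, dwSize, &dwHasWrite)
        && dwHasWrite == dwSize)
    {
        DWORD dwRemoteThread = 0;
        HANDLE hRemoteThread = CreateRemoteThread(hRemoteProcess, NULL, 0,
                                                  reinterpret_cast<LPTHREAD_START_ROUTINE>(LoadLibraryA),
                                                  lpRemoteBuff, 0, &dwRemoteThread);
        // CreateRemoteThread also signals failure with NULL.
        if (NULL != hRemoteThread)
        {
            // LoadLibraryA reads the remote buffer; wait for it before releasing.
            WaitForSingleObject(hRemoteThread, INFINITE);
            CloseHandle(hRemoteThread);
            bOk = TRUE;
        }
    }

    // Release the path buffer on every path (success included). MEM_RELEASE
    // requires dwSize == 0 and frees the whole region returned by VirtualAllocEx.
    VirtualFreeEx(hRemoteProcess, lpRemoteBuff, 0, MEM_RELEASE);
    CloseHandle(hRemoteProcess);
    return bOk;
}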