15,471
社区成员
发帖
与我相关
我的任务
分享进程注入问题
网上找代码,东拼西凑
char szPath[MAX_PATH] = {0};
GetProcDirectory(szPath);
CString path;
path.Format("%s", szPath);
path += "\\DLL.dll";
杀毒软件,安全工具全关了,操作系统win2003 sp1
RemoteLoadDLL(pid , path)调用中有中文 debug注入成功,release注入失败
RemoteLoadDLL(pid , "F:\\DLL.dll") 调用debug release均成功
请高人是不是与路径中文字符有关,如何修改
----------------------------------------------------------------
卸载DLL 注释部分是为了兼容不同操作系统,实际上无法卸载DLL
BOOL CinjectthreadDlg::RemoteLoadDLL(DWORD dwProcessID, LPCSTR lpszDll)
{
// 打开目标进程
HANDLE hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwProcessID );
// 向目标进程地址空间写入DLL名称
DWORD dwSize, dwWritten;
dwSize = lstrlenA( lpszDll ) + 1;
LPVOID lpBuf = VirtualAllocEx( hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE );
if ( NULL == lpBuf )
{
CloseHandle( hProcess );
return FALSE;
}
if ( WriteProcessMemory( hProcess, lpBuf, (LPVOID)lpszDll, dwSize, &dwWritten ) )
{
// 要写入字节数与实际写入字节数不相等,仍属失败
if ( dwWritten != dwSize )
{
VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT );
CloseHandle( hProcess );
return FALSE;
}
}
else
{
CloseHandle( hProcess );
return FALSE;
}
// 使目标进程调用LoadLibrary,加载DLL
DWORD dwID;
PTHREAD_START_ROUTINE pFunc=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("kernel32"),"LoadLibraryA");
HANDLE hThread = CreateRemoteThread( hProcess, NULL, 0, pFunc, lpBuf, 0, &dwID );
// 等待LoadLibrary加载完毕
WaitForSingleObject( hThread, INFINITE );
// 释放目标进程中申请的空间
VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT );
CloseHandle( hThread );
CloseHandle( hProcess );
return TRUE;
}
void CinjectthreadDlg::GetProcDirectory(char *Path)
{
CString szPath;
char szExePath[MAX_PATH] = {0};
GetModuleFileName(NULL, szExePath, MAX_PATH);
szPath.Format("%s",szExePath);
int iPos = szPath.ReverseFind('\\');
memcpy(Path, szPath, 26);
}char szPath[MAX_PATH] = {0};
GetProcDirectory(szPath);
CString path;
path.Format("%s", szPath);
path += "\\DLL.dll";
杀毒软件,安全工具全关了,操作系统win2003 sp1
RemoteLoadDLL(pid , path)调用中有中文 debug注入成功,release注入失败
RemoteLoadDLL(pid , "F:\\DLL.dll") 调用debug release均成功
请高人是不是与路径中文字符有关,如何修改
----------------------------------------------------------------
卸载DLL 注释部分是为了兼容不同操作系统,实际上无法卸载DLL
BOOL CinjectthreadDlg::RemoteFreeDLL(DWORD dwProcessID, LPCSTR lpszDll)
{
// 打开目标进程
HANDLE hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwProcessID );
// 向目标进程地址空间写入DLL名称
DWORD dwSize, dwWritten;
dwSize = lstrlenA( lpszDll ) + 1;
LPVOID lpBuf = VirtualAllocEx( hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE );
if ( NULL == lpBuf )
{
CloseHandle( hProcess );
return FALSE;
}
if ( WriteProcessMemory( hProcess, lpBuf, (LPVOID)lpszDll, dwSize, &dwWritten ) )
{
// 要写入字节数与实际写入字节数不相等,仍属失败
if ( dwWritten != dwSize )
{
VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT );
CloseHandle( hProcess );
return FALSE;
}
}
else
{
CloseHandle( hProcess );
return FALSE;
}
// 使目标进程调用GetModuleHandle,获得DLL在目标进程中的句柄
DWORD dwHandle, dwID;
LPVOID pFunc = GetModuleHandleA;
HANDLE hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunc, lpBuf, 0, &dwID );
// 等待GetModuleHandle运行完毕
WaitForSingleObject( hThread, INFINITE );
// 获得GetModuleHandle的返回值
GetExitCodeThread( hThread, &dwHandle );
// 释放目标进程中申请的空间
VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT );
CloseHandle( hThread );
// 使目标进程调用FreeLibrary,卸载DLL
pFunc = FreeLibrary;
hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunc, (LPVOID)dwHandle, 0, &dwID );
// 等待FreeLibrary卸载完毕
WaitForSingleObject( hThread, INFINITE );
CloseHandle( hThread );
CloseHandle( hProcess );
return TRUE;
// // 打开目标进程
// HANDLE hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwProcessID );
// // 向目标进程地址空间写入DLL名称
// DWORD dwSize, dwWritten;
// dwSize = lstrlenA( lpszDll ) + 1;
// LPVOID lpBuf = VirtualAllocEx( hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE );
// if ( NULL == lpBuf )
// {
// CloseHandle( hProcess );
// return FALSE;
// }
// if ( WriteProcessMemory( hProcess, lpBuf, (LPVOID)lpszDll, dwSize, &dwWritten ) )
// {
// // 要写入字节数与实际写入字节数不相等,仍属失败
// if ( dwWritten != dwSize )
// {
// VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT );
// CloseHandle( hProcess );
// return FALSE;
// }
// }
// else
// {
// CloseHandle( hProcess );
// return FALSE;
// }
// // 使目标进程调用GetModuleHandle,获得DLL在目标进程中的句柄
// DWORD dwHandle, dwID;
// PTHREAD_START_ROUTINE pFunc = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("kernel32"),"GetModuleHandleA");
// HANDLE hThread = CreateRemoteThread( hProcess, NULL, 0, pFunc, lpBuf, 0, &dwID );
// // 等待GetModuleHandle运行完毕
// WaitForSingleObject( hThread, INFINITE );
// // 获得GetModuleHandle的返回值
// GetExitCodeThread( hThread, &dwHandle );
// // 释放目标进程中申请的空间
// VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT );
// CloseHandle( hThread );
// // 使目标进程调用FreeLibrary,卸载DLL
//
//pFunc=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("kernel32"),"LoadLibraryA");
// hThread = CreateRemoteThread( hProcess, NULL, 0, pFunc, (LPVOID)dwHandle, 0, &dwID );
// // 等待FreeLibrary卸载完毕
// WaitForSingleObject( hThread, INFINITE );
// CloseHandle( hThread );
// CloseHandle( hProcess );
// return TRUE;
}
...全文
请发表友善的回复…
发表回复
uldm1027 2009-02-13
- 打赏
- 举报
晕.你肯定没调,就发问题来了.呵呵
winmenaruto 2009-02-05
- 打赏
- 举报
好贴
lqmcctv 2009-01-20
- 打赏
- 举报
好贴
andycnm 2008-10-09
- 打赏
- 举报
问题解决,是太粗心了代码没看仔细
int iPos = szPath.ReverseFind('\\');
memcpy(Path, szPath, 26);
// // 使目标进程调用FreeLibrary,卸载DLL
//
//pFunc=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("kernel32"),"LoadLibraryA");
// hThread = CreateRemoteThread( hProcess, NULL, 0, pFunc, (LPVOID)dwHandle, 0, &dwID );andycnm 2008-10-09
- 打赏
- 举报
没有使用unicode字符集
使用的是多字节字符集
使用的是多字节字符集
阿呆_ 2008-10-09
- 打赏
- 举报
先确认你的工程设置没有使用unicode字符集
andycnm 2008-10-08
- 打赏
- 举报
网速差,发重复了,请版主删一个
