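// --- Variant 1: map a DLL into a newly created, still-suspended process by
// running kernel32!LoadLibraryW as a remote thread (the classic
// CreateRemoteThread + LoadLibrary technique). Win32-only; both paths below
// are placeholders carried over from the original post.
PROCESS_INFORMATION pi;
STARTUPINFO si;
memset(&si, 0, sizeof(STARTUPINFO));
memset(&pi, 0, sizeof(PROCESS_INFORMATION));   // handles read as NULL if CreateProcess fails
si.cb = sizeof(STARTUPINFO);
// CREATE_SUSPENDED: the target's main thread does not run until ResumeThread
// below, so the DLL is in place before any of the target's own code executes.
BOOL bRet = CreateProcess(_T("C:\\111.exe"), NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
if (bRet)
{
    // The path has to live in the target: LoadLibraryW runs there and cannot
    // see this stack. lstrlenW counts characters, so scale by sizeof(WCHAR)
    // and include the terminating NUL.
    WCHAR wFilePath[256] = L"C:\\EmptyDLL.dll";
    const SIZE_T cbPath = (lstrlenW(wFilePath) + 1) * sizeof(WCHAR);
    LPWSTR pszLibFile = NULL;
    HANDLE hRemoteThread = NULL;
    DWORD dwErr = ERROR_SUCCESS;   // first failure in the sequence, 0 on success

    do
    {
        pszLibFile = (LPWSTR)VirtualAllocEx(pi.hProcess, NULL, cbPath, MEM_COMMIT, PAGE_READWRITE);
        if (pszLibFile == NULL)
        {
            dwErr = GetLastError();
            break;
        }
        if (!WriteProcessMemory(pi.hProcess, pszLibFile, wFilePath, cbPath, NULL))
        {
            dwErr = GetLastError();
            break;
        }

        // The local address of LoadLibraryW is reused as the remote start
        // address. NOTE(review): this presumes kernel32 is mapped at the same
        // base in the target as in this process — the original relies on it;
        // confirm for the target OS. Also unverified: the target was created
        // suspended and has not run yet; behaviour of a remote LoadLibraryW
        // thread before the process's own initialisation is version-dependent.
        PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
        if (pfnThreadRtn == NULL)
        {
            dwErr = GetLastError();
            break;
        }

        hRemoteThread = CreateRemoteThread(pi.hProcess, NULL, 0, pfnThreadRtn, pszLibFile, 0, NULL);
        if (hRemoteThread == NULL)
        {
            dwErr = GetLastError();
            break;
        }

        // Block until LoadLibraryW returns; the path buffer must stay valid
        // until then, which is why the free happens after this wait.
        WaitForSingleObject(hRemoteThread, INFINITE);

        // The thread exit code is LoadLibraryW's return value (the HMODULE,
        // truncated to 32 bits). Zero means the load failed inside the target.
        // The target's own last-error is not visible from here, so report a
        // generic code instead of leaving dwErr at success.
        DWORD dwExitCode = 0;
        if (GetExitCodeThread(hRemoteThread, &dwExitCode) && dwExitCode == 0)
        {
            dwErr = ERROR_MOD_NOT_FOUND;
        }
    } while (0);

    // Cleanup runs on every path. The remote buffer is released only after the
    // thread that reads it has finished (or was never started).
    if (pszLibFile != NULL)
    {
        VirtualFreeEx(pi.hProcess, pszLibFile, 0, MEM_RELEASE);
    }
    if (hRemoteThread != NULL)
    {
        CloseHandle(hRemoteThread);
    }

    // Let the target run. The original read GetLastError() only after this
    // call, which reflects ResumeThread alone and is stale on success; keep the
    // first real failure from the sequence above instead.
    if (ResumeThread(pi.hThread) == (DWORD)-1 && dwErr == ERROR_SUCCESS)
    {
        dwErr = GetLastError();
    }

    CString str;
    str.Format(_T("0x%08x"), dwErr);
    MessageBox(str);

    // NOTE(review): pi.hProcess / pi.hThread are deliberately left open here
    // because code later in this listing still uses pi; both handles need a
    // CloseHandle() once the target is no longer needed.
}
else
{
    // CreateProcess failed. The original reports nothing on this path; the
    // reason is available via GetLastError() here if a message is wanted.
}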
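// --- Variant 2: same goal, but the remote thread runs a small x86 stub that
// calls ntdll!LdrLoadDll directly instead of kernel32!LoadLibraryW. Uses the
// process handle in `pi` created above (if that CreateProcess failed the
// VirtualAllocEx below fails with an invalid-handle error and is reported).
//
// Remote region layout, offsets relative to pszLibFile:
//   [0,       len)      wide path string, NUL-terminated
//   [len,     len+8)    UNICODE_STRING describing the string above
//   [len+50,  len+72)   the stub (22 bytes)
//   [len+100, len+104)  OUT HANDLE slot written by LdrLoadDll
// LdrLoadDll writes the module handle into that last slot, so the region has
// to stay writable while the stub runs; that is why one PAGE_EXECUTE_READWRITE
// allocation is used here. Putting the stub in its own allocation would allow
// the code page to be RX instead of RWX.
#ifdef _WIN64
#error This stub patches 32-bit immediates and uses x86 instructions; it is 32-bit only.
#endif
WCHAR wFilePath[256] = L"C:\\EmptyDLL.dll";
UNICODE_STRING us;
LPWSTR pszLibFile = NULL;
int len = (lstrlenW(wFilePath) + 1) * sizeof(WCHAR);   // bytes incl. terminating NUL
const SIZE_T cbUsOffset = (SIZE_T)len;
const SIZE_T cbCodeOffset = (SIZE_T)len + 50;
const SIZE_T cbHandleOffset = (SIZE_T)len + 100;
const SIZE_T cbRegion = cbHandleOffset + sizeof(HANDLE);
DWORD addr = 0;
PTHREAD_START_ROUTINE pfnThreadRtn = NULL;
HANDLE hRemoteThread = NULL;
DWORD dwLdrErr = ERROR_SUCCESS;   // first Win32 failure in the sequence
DWORD ntStatus = 0;               // LdrLoadDll's NTSTATUS, from the thread exit code

// x86 stub executed as the remote thread's start routine:
//   push <handle slot>      ; ModuleHandle   (OUT PHANDLE)
//   push <UNICODE_STRING>   ; ModuleFileName (IN PUNICODE_STRING)
//   push 0                  ; DllCharacteristics
//   push 0                  ; PathToFile
//   mov  esi, LdrLoadDll
//   call esi                ; stdcall: callee pops the four arguments
//   ret                     ; eax (NTSTATUS) becomes the thread exit code
// Arguments are pushed right-to-left for the commonly cited (undocumented)
// signature LdrLoadDll(PathToFile, DllCharacteristics, ModuleFileName,
// ModuleHandle). NOTE(review): a WINAPI thread routine takes one LPVOID and
// would strictly end with `ret 4`; the plain `ret` is kept from the original
// and presumably works because the thread-start thunk never depends on the
// stack after the routine returns — confirm if this is ever changed.
unsigned char asm1[] = {
    0x68, 0x0, 0x0, 0x0, 0x0, // push imm32 -> &handle slot     (patched at asm1 + 1)
    0x68, 0x0, 0x0, 0x0, 0x0, // push imm32 -> &UNICODE_STRING  (patched at asm1 + 6)
    0x6a, 0x0,                // push 0  DllCharacteristics
    0x6a, 0x0,                // push 0  PathToFile
    0xbe, 0x0, 0x0, 0x0, 0x0, // mov esi, imm32 -> LdrLoadDll   (patched at asm1 + 15)
    0xff, 0xd6,               // call esi
    0xc3};                    // ret

do
{
    pszLibFile = (PWSTR)VirtualAllocEx(pi.hProcess, NULL, cbRegion, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (pszLibFile == NULL)
    {
        dwLdrErr = GetLastError();
        break;
    }
    BYTE* pRemoteBase = (BYTE*)pszLibFile;

    // ntdll is resolved locally and the address reused in the target; the
    // original does the same (NOTE(review): same-base assumption as for
    // kernel32 — confirm for the target OS).
    addr = (DWORD)(DWORD_PTR)GetProcAddress(GetModuleHandle(_T("ntdll.dll")), "LdrLoadDll");
    if (addr == 0)
    {
        dwLdrErr = GetLastError();
        break;
    }

    // UNICODE_STRING lengths are in bytes; Length excludes the terminator,
    // MaximumLength includes it. Buffer is the REMOTE address because the
    // struct is consumed inside the target.
    us.MaximumLength = (USHORT)len;
    us.Length = (USHORT)(len - sizeof(WCHAR));
    us.Buffer = pszLibFile;

    // Patch the three imm32 slots with remote addresses before copying the stub.
    *((DWORD*)(asm1 + 1)) = (DWORD)(DWORD_PTR)(pRemoteBase + cbHandleOffset);
    *((DWORD*)(asm1 + 6)) = (DWORD)(DWORD_PTR)(pRemoteBase + cbUsOffset);
    *((DWORD*)(asm1 + 15)) = addr;

    if (!WriteProcessMemory(pi.hProcess, pRemoteBase, wFilePath, (SIZE_T)len, NULL) ||
        !WriteProcessMemory(pi.hProcess, pRemoteBase + cbUsOffset, &us, sizeof(us), NULL) ||
        !WriteProcessMemory(pi.hProcess, pRemoteBase + cbCodeOffset, asm1, sizeof(asm1), NULL))
    {
        dwLdrErr = GetLastError();
        break;
    }

    pfnThreadRtn = (PTHREAD_START_ROUTINE)(pRemoteBase + cbCodeOffset);
    hRemoteThread = CreateRemoteThread(pi.hProcess, NULL, 0, pfnThreadRtn, NULL, 0, NULL);
    if (hRemoteThread == NULL)
    {
        dwLdrErr = GetLastError();
        break;
    }

    // The original never waited, so it could not tell whether the load worked
    // and could never safely free the region. The stub's `ret` hands
    // LdrLoadDll's NTSTATUS back as the exit code; a negative value
    // (NT_SUCCESS false) means the load failed inside the target.
    WaitForSingleObject(hRemoteThread, INFINITE);
    DWORD dwExitCode = 0;
    if (GetExitCodeThread(hRemoteThread, &dwExitCode))
    {
        ntStatus = dwExitCode;
    }
    else
    {
        dwLdrErr = GetLastError();
    }
} while (0);

// Cleanup on every path. The region is freed only once the stub has finished
// (it reads the string/struct and writes the handle slot) or was never started.
if (hRemoteThread != NULL)
{
    CloseHandle(hRemoteThread);
    hRemoteThread = NULL;
}
if (pszLibFile != NULL)
{
    VirtualFreeEx(pi.hProcess, pszLibFile, 0, MEM_RELEASE);
    pszLibFile = NULL;
    pfnThreadRtn = NULL;   // pointed into the region just released
}

// Report the same way the LoadLibraryW variant above does: the first Win32
// error plus the NTSTATUS from inside the target (0 on success).
CString strLdr;
strLdr.Format(_T("LdrLoadDll: err=0x%08x status=0x%08x"), dwLdrErr, ntStatus);
MessageBox(strLdr);
// NOTE(review): pi.hProcess / pi.hThread are still open at this point and are
// never closed in the visible listing; close both when done with the target.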
// Create the dialog window from the in-memory template. This excerpt is the
// middle of a larger function (hWnd, hInst, lpDialogTemplate, pParentWnd and
// dwError are declared outside it). The call can deliver creation messages
// (e.g. WM_CREATE, see below), so by the time it returns this CWnd object may
// already have been destroyed: touching a member after a NULL hWnd here is a
// use-after-free, which is what the long comment below is about.
hWnd = ::CreateDialogIndirect(hInst, lpDialogTemplate,
pParentWnd->GetSafeHwnd(), AfxDlgProc);
#ifdef _DEBUG
// Capture the failure code immediately, before any later call can overwrite
// it. Only kept in debug builds; release builds do not record it.
dwError = ::GetLastError();
#endif
/* This is a bit tricky. At this point, 1 of 3 things has happened:
* 1) ::CreateDialogIndirect() created successfully and hWnd != NULL.
* 2) ::CreateDialogIndirect() did create a window and then sent the appropriate
* creation messages (i.e. WM_CREATE). However, the user handled WM_CREATE and
* returned -1. This causes Windows to send WM_DESTROY and WM_NCDESTROY to the
* newly created window. Since WM_NCDESTROY has been sent, the destructor of this
* CWnd object has been called. And ::CreateDialogIndirect() returns NULL.
* 3) ::CreateDialogIndirect() did NOT create the window (i.e. due to an error in the template)
* and returns NULL.
*
* (Note: In 3, this object is still valid; whereas in 2, this object has been deleted).
*
* Adding to the complexity, this function needs to do 2 memory clean-ups (call
* pOccManager->PostCreateDialog() and delete occDialogInfo) if the destructor of
* this object hasn't been called. If the destructor has been called, the clean-up is done
* in the destructor.
*
* We can use the return value of AfxUnhookWindowCreate() to differentiate between 2 and 3.
* - If AfxUnhookWindowCreate() returns true and hWnd == NULL, this means that (2) has happened
* and we don't have to clean up anything. (Cleanup should be done in the destructor).
* - If AfxUnhookWindowCreate() returns false and hWnd == NULL, this means that (3) has happened
* and we need to call PostNcDestroy().
*
* Note: hWnd != NULL implies that AfxUnhookWindowCreate() returns TRUE.
*
* Note2: From this point on, don't access any member variables without checking hWnd. If
* hWnd == NULL, the object has been destroyed already.
*/