高手看下这远程注入错在哪

VirtualRookit 2010-01-27 01:06:39
#include <windows.h>
#include <iostream>
using namespace std;
// Author's note (translated): the length of this function has to be measured
// separately beforehand, and it must be declared `static` so that its name
// yields the real function address instead of a `jmp <real address>` thunk;
// in a Release build only `static` keeps the compiler from folding it into
// ordinary code and treats it as one self-contained function.
// NOTE(review): the 0xff byte count used in main is the author's measured
// value; nothing in this listing checks that the copied size matches the
// function.
static DWORD WINAPI ThreadProc(LPVOID lpParameter);
// Function-pointer types for the APIs the remote thread calls by address; the
// copied code cannot rely on this module's import table inside the target.
typedef HMODULE (WINAPI *LPLoadLibrary)(LPCSTR);
typedef FARPROC (WINAPI *LPGetProcAddress)(HMODULE, LPCSTR);
typedef int (WINAPI *LPMessageBox)(HWND, LPCSTR, LPCSTR, UINT);
//....
// (as above, further API function-pointer types the thread needs can be listed here)
// Parameter block that main copies byte-for-byte into the target process
// (WriteProcessMemory) and that ThreadProc receives there as lpParameter.
// Only plain data and two function pointers live here, so a raw copy is
// meaningful on the other side; field order and sizes are what gets shipped,
// so do not reorder them or add a member that owns memory. Each table holds
// up to 10 NUL-terminated names of at most 0xff bytes.
// NOTE(review): the two pointers are resolved in the injector and assumed to
// be valid in the target as well — the code never verifies that assumption.
struct para
{
LPLoadLibrary lploadlibrary; // address of kernel32!LoadLibraryA, resolved in main
LPGetProcAddress lpgetprocaddress; // address of kernel32!GetProcAddress, resolved in main
char dllname[10][0xff]; // DLL file names for the thread to load
char funname[10][0xff]; // export names for the thread to resolve
char strname[10][0xff]; // string arguments handed to the resolved functions
};
void ShowError(); // shows GetLastError() as text in a message box; defined after ThreadProc
// Injector entry point. In order, the visible code: finds the Calculator
// top-level window, opens its process with PROCESS_ALL_ACCESS, fills a `para`
// block with API addresses and names, copies that block and 0xff bytes of
// ThreadProc's machine code into the target, then starts ThreadProc there with
// CreateRemoteThread, passing the remote copy of the block as its argument,
// waits for it, prints its exit code and releases both remote allocations.
// The OpenProcess -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
// WriteProcessMemory -> CreateRemoteThread chain against a foreign process is
// the classic remote-thread injection pattern; endpoint monitoring commonly
// alerts on exactly this API sequence and on RWX allocations in another process.
// `void main()` is an MSVC extension; standard C++ requires `int main()`.
// Every failure path reports through ShowError() and terminates with
// ExitProcess(0xff). hProcess is never closed on any path, and on the failure
// paths after the code copy only codebuff is released — databuff stays
// allocated in the target.
void main()
{
HWND hwnd;
DWORD PID;
HANDLE hProcess;
hwnd = ::FindWindowEx(NULL, NULL, "CalcFrame", "计算器");
if (hwnd == NULL)
{
ShowError();
::ExitProcess(0xff);
}
::GetWindowThreadProcessId(hwnd, &PID); // the returned thread id is not needed
hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
if (hProcess == NULL)
{
ShowError();
::ExitProcess(0xff);
}

// Build the parameter block that is passed into the target.
// NOTE(review): `¶buff` here (and in the WriteProcessMemory call below) looks
// like an extraction artifact of `&parabuff` — the HTML entity for `&para`.
struct para parabuff;
memset(¶buff, 0, sizeof(struct para));
parabuff.lploadlibrary = (LPLoadLibrary)::GetProcAddress(::GetModuleHandle("kernel32.dll"), "LoadLibraryA");
parabuff.lpgetprocaddress = (LPGetProcAddress)::GetProcAddress(::GetModuleHandle("kernel32.dll"), "GetProcAddress");
// Each memcpy copies 0xff bytes from a literal that is far shorter than that,
// so it reads past the end of the literal (undefined behaviour). The
// destination slots are exactly 0xff bytes, so the writes themselves fit.
memcpy(parabuff.dllname[0], "kernel32.dll", 0xff);
memcpy(parabuff.dllname[1], "user32.dll", 0xff );
memcpy(parabuff.dllname[2], "ws2_32.dll", 0xff);
memcpy(parabuff.funname[0], "MessageBoxA", 0xff);
memcpy(parabuff.funname[1], "GetModuleHandleA", 0xff);
memcpy(parabuff.strname[0], "欢迎使用远程线程", 0xff);
memcpy(parabuff.strname[1], "远程线程:", 0xff);
//.... (further *.dll and API names to use can be listed above)

// Allocate space for the parameter block inside the target process.
LPVOID databuff = ::VirtualAllocEx(hProcess, NULL, sizeof(struct para), MEM_COMMIT, PAGE_READWRITE);
if (databuff == NULL)
{
ShowError();
::ExitProcess(0xff);
}

if (!::WriteProcessMemory(hProcess, databuff, ¶buff, sizeof(parabuff), NULL ))
{
ShowError();
::VirtualFreeEx(hProcess, databuff, 0, MEM_RELEASE);
::ExitProcess(0xff);
}

// The code length (0xff) was read off the assembly listing by the author;
// nothing here confirms it. The region is allocated writable and executable.
LPVOID codebuff = ::VirtualAllocEx(hProcess, NULL, 0xff, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (codebuff == NULL)
{
ShowError();
::ExitProcess(0xff);
}
if (!::WriteProcessMemory(hProcess, codebuff, ThreadProc, 0xff, NULL ))
{
ShowError();
::VirtualFreeEx(hProcess, codebuff, 0, MEM_RELEASE);
::ExitProcess(0xff);
}
HANDLE hThread;
hThread = ::CreateRemoteThread(hProcess, // process handle
NULL, // security attributes
0, // stack size
(LPTHREAD_START_ROUTINE)codebuff,
databuff, // parameter
0, // creation flags
NULL); // thread id
if (hThread == NULL)
{
ShowError();
::VirtualFreeEx(hProcess, codebuff, 0, MEM_RELEASE);
::ExitProcess(0xff);
}

if (::WaitForSingleObject(hThread, INFINITE) == WAIT_FAILED)
{
ShowError();
::VirtualFreeEx(hProcess, codebuff, 0, MEM_RELEASE);
::ExitProcess(0xff);
}
DWORD status;
if (!::GetExitCodeThread(hThread, &status))
{
ShowError(); // call failed
::VirtualFreeEx(hProcess, codebuff, 0, MEM_RELEASE);
::ExitProcess(0xff);
}
else
{
// Author's note says this is "the address of dll.dll in the target"; ThreadProc
// as written returns 0, so this prints 0.
cout << "线程退出码:"<< hex << status << endl;
}
if (!::CloseHandle(hThread))
{
ShowError();
::VirtualFreeEx(hProcess, codebuff, 0, MEM_RELEASE);
::ExitProcess(0xff);
}
// Release the memory allocated in the target (with MEM_RELEASE, dwSize must be 0).
if (!::VirtualFreeEx(hProcess, databuff, 0, MEM_RELEASE))
{
ShowError();
::ExitProcess(0xff);
}
if (!::VirtualFreeEx(hProcess, codebuff, 0, MEM_RELEASE))
{
ShowError();
::ExitProcess(0xff);
}
}
// Author's note (translated): inside the thread function no API other than
// kernel32.dll's, and no ordinary function, may be called; the system maps
// kernel32.dll at the same address in every process, whereas other DLLs'
// exports may be mapped at different addresses, so their APIs cannot be used
// directly.
// NOTE(review): that is the author's reasoning, not something the code checks —
// the function simply trusts the two kernel32 addresses the injector placed in
// the block. Everything it touches is reached through lpParameter. Neither the
// LoadLibrary nor the GetProcAddress result is checked for NULL before use.
// Declared `static` at the top of the file, so this definition has internal
// linkage even though the keyword is not repeated here.
DWORD WINAPI ThreadProc(LPVOID lpParameter)
{
struct para *parabuff = (struct para *)lpParameter; // the remote copy of the block filled in main
LPLoadLibrary lpLoadLibrary = parabuff->lploadlibrary;
LPGetProcAddress lpGetProcAddress = parabuff->lpgetprocaddress;

HMODULE hUser = lpLoadLibrary(parabuff->dllname[1]); // dllname[1] is "user32.dll" as filled in main
LPMessageBox lpMessageBox = (LPMessageBox)lpGetProcAddress(hUser, parabuff->funname[0]); // funname[0] is "MessageBoxA"
lpMessageBox(NULL, parabuff->strname[0], parabuff->strname[1], MB_OK);
return 0; // becomes the thread exit code that main prints
}
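// Shows the system text for the current GetLastError() value in a modal
// message box. No parameters, no return value.
//
// FormatMessage is asked to allocate the buffer itself
// (FORMAT_MESSAGE_ALLOCATE_BUFFER), so the buffer is released with LocalFree.
// The original never checked FormatMessage's return value: when it returns 0
// (no text for the code, or FormatMessage itself failed) lpMsgBuf was never
// written and the uninitialised pointer reached MessageBox and LocalFree. A
// fallback that only shows the numeric code is used in that case.
void ShowError()
{
    // Read the code first so nothing in this function can overwrite it.
    const DWORD error = ::GetLastError();
    LPTSTR lpMsgBuf = NULL;
    const DWORD len = ::FormatMessage(
        FORMAT_MESSAGE_ALLOCATE_BUFFER |
        FORMAT_MESSAGE_FROM_SYSTEM |
        FORMAT_MESSAGE_IGNORE_INSERTS,
        NULL,
        error,
        MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
        (LPTSTR)&lpMsgBuf,
        0,
        NULL);
    if (len != 0 && lpMsgBuf != NULL)
    {
        ::MessageBox(NULL, lpMsgBuf, NULL, MB_OK | MB_ICONSTOP);
        ::LocalFree(lpMsgBuf); // buffer was allocated by the OS on our behalf
    }
    else
    {
        // No message text available: report the raw error code instead.
        TCHAR fallback[64];
        ::wsprintf(fallback, TEXT("Error %lu (no message text available)"), error);
        ::MessageBox(NULL, fallback, NULL, MB_OK | MB_ICONSTOP);
    }
}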

//以上为完整代码.运行环境VS2008 + windows7 + Release +多字节(字符集)
//程序运行时目标程序崩溃,调试停在mov edi,edi;这一句(还没进入线程),然后单步执行直到线程结束都是正确的
//为什么?请真正高手运行并确定bug后再教教小弟(没动手没发言权)
古井荡月 2010-01-27
请到编程区。。。
菜市场里会有很多买肉的人吗?
VirtualRookit 2010-01-27
没路过的高手吗?
