15,471
社区成员
发帖
与我相关
我的任务
分享请发表友善的回复…
发表回复
demonsprite 2011-02-16
- 打赏
- 举报
是很难的。
mayorvb 2011-02-15
- 打赏
- 举报
yxwsbobo 非常非常非常感谢~~~
mayorvb 2011-02-15
- 打赏
- 举报
成功了~~~
// DllTest.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <windows.h>
typedef void (__stdcall * PFN_MESSAGEBOX)(int);
typedef struct _RemoteParam {
int myi; //MessageBox函数中显示的字符提示
DWORD dwMessageBox;//MessageBox函数的入口地址
} RemoteParam, * PRemoteParam;
DWORD __stdcall threadProc(LPVOID lParam)
{
RemoteParam* pRP = (RemoteParam*)lParam;
PFN_MESSAGEBOX pfnMessageBox;
pfnMessageBox = (PFN_MESSAGEBOX)pRP->dwMessageBox;
pfnMessageBox(pRP->myi);
return 0;
}
int _tmain(int argc, _TCHAR* argv[])
{
const DWORD dwThreadSize = 4096;
DWORD dwWriteBytes;
DWORD dwProcessId = 4600;
HANDLE hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
void* pRemoteThread = VirtualAllocEx(hTargetProcess, 0,
dwThreadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (!WriteProcessMemory(hTargetProcess, pRemoteThread, &threadProc, dwThreadSize, 0)) {
return 0;
}
RemoteParam remoteData;
//HINSTANCE hUser32 = LoadLibrary("User32.dll");
remoteData.dwMessageBox = (DWORD)4544192;
//FreeLibrary(hUser32);
remoteData.myi=88;
RemoteParam* pRemoteParam = (RemoteParam*)VirtualAllocEx(
hTargetProcess , 0, sizeof(RemoteParam), MEM_COMMIT, PAGE_READWRITE);
if (!WriteProcessMemory(hTargetProcess , pRemoteParam, &remoteData, sizeof(remoteData), 0)) {
return 0;
}
HANDLE hRemoteThread = CreateRemoteThread(
hTargetProcess, NULL, 0, (DWORD (__stdcall *)(void *))pRemoteThread,
pRemoteParam, 0, &dwWriteBytes);
CloseHandle(hRemoteThread);
::MessageBox(0,L"ok",L"ok",0);
return 0;
}
// DllTest.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <windows.h>
typedef void (__stdcall * PFN_MESSAGEBOX)(int);
typedef struct _RemoteParam {
int myi; //MessageBox函数中显示的字符提示
DWORD dwMessageBox;//MessageBox函数的入口地址
} RemoteParam, * PRemoteParam;
DWORD __stdcall threadProc(LPVOID lParam)
{
RemoteParam* pRP = (RemoteParam*)lParam;
PFN_MESSAGEBOX pfnMessageBox;
pfnMessageBox = (PFN_MESSAGEBOX)pRP->dwMessageBox;
pfnMessageBox(pRP->myi);
return 0;
}
int _tmain(int argc, _TCHAR* argv[])
{
const DWORD dwThreadSize = 4096;
DWORD dwWriteBytes;
DWORD dwProcessId = 4600;
HANDLE hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
void* pRemoteThread = VirtualAllocEx(hTargetProcess, 0,
dwThreadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (!WriteProcessMemory(hTargetProcess, pRemoteThread, &threadProc, dwThreadSize, 0)) {
return 0;
}
RemoteParam remoteData;
//HINSTANCE hUser32 = LoadLibrary("User32.dll");
remoteData.dwMessageBox = (DWORD)4544192;
//FreeLibrary(hUser32);
remoteData.myi=88;
RemoteParam* pRemoteParam = (RemoteParam*)VirtualAllocEx(
hTargetProcess , 0, sizeof(RemoteParam), MEM_COMMIT, PAGE_READWRITE);
if (!WriteProcessMemory(hTargetProcess , pRemoteParam, &remoteData, sizeof(remoteData), 0)) {
return 0;
}
HANDLE hRemoteThread = CreateRemoteThread(
hTargetProcess, NULL, 0, (DWORD (__stdcall *)(void *))pRemoteThread,
pRemoteParam, 0, &dwWriteBytes);
CloseHandle(hRemoteThread);
::MessageBox(0,L"ok",L"ok",0);
return 0;
}
mayorvb 2011-02-15
- 打赏
- 举报
#include "stdafx.h"
#include "windows.h"
typedef void (WINAPI * INPUTCHANGE)(int HK);
DWORD __stdcall RunFunction (LPVOID lpThreadParameter)
{
//lpThreadParameter 传入你的参数 HK
INPUTCHANGE InputChange = (INPUTCHANGE)4928292;//填入你的函数地址
InputChange((int)lpThreadParameter);
return 0;
}
int _tmain(int argc, _TCHAR* argv[])
{
HANDLE hProcess=OpenProcess(PROCESS_VM_OPERATION|PROCESS_VM_WRITE|PROCESS_CREATE_THREAD|PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,FALSE,1494);
PVOID FunBuffer = VirtualAllocEx(hProcess,NULL,1024*4,MEM_RESERVE|MEM_COMMIT
,PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess,FunBuffer,(PVOID)&RunFunction,1024*4,NULL);
CreateRemoteThread(hProcess,NULL,NULL,(LPTHREAD_START_ROUTINE)FunBuffer,(LPVOID)23,NULL,NULL);
CloseHandle(hProcess);
return 0;
}
还是失败~
#include "windows.h"
typedef void (WINAPI * INPUTCHANGE)(int HK);
DWORD __stdcall RunFunction (LPVOID lpThreadParameter)
{
//lpThreadParameter 传入你的参数 HK
INPUTCHANGE InputChange = (INPUTCHANGE)4928292;//填入你的函数地址
InputChange((int)lpThreadParameter);
return 0;
}
int _tmain(int argc, _TCHAR* argv[])
{
HANDLE hProcess=OpenProcess(PROCESS_VM_OPERATION|PROCESS_VM_WRITE|PROCESS_CREATE_THREAD|PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,FALSE,1494);
PVOID FunBuffer = VirtualAllocEx(hProcess,NULL,1024*4,MEM_RESERVE|MEM_COMMIT
,PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess,FunBuffer,(PVOID)&RunFunction,1024*4,NULL);
CreateRemoteThread(hProcess,NULL,NULL,(LPTHREAD_START_ROUTINE)FunBuffer,(LPVOID)23,NULL,NULL);
CloseHandle(hProcess);
return 0;
}
还是失败~
yxwsbobo 2011-02-15
- 打赏
- 举报
HANDLE hProcess=OpenProcess(PROCESS_VM_OPERATION|PROCESS_VM_WRITE|PROCESS_CREATE_THREAD|PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,FALSE,ProcessId);
Lactoferrin 2011-02-15
- 打赏
- 举报
hProcess=OpenProcess(2035711,0,目标进程id);
hProcess几乎不可能是常数
hProcess几乎不可能是常数
mayorvb 2011-02-15
- 打赏
- 举报
没有成功~
#include "stdafx.h"
#include "windows.h"
typedef void (WINAPI * INPUTCHANGE)(int HK);
DWORD __stdcall RunFunction (LPVOID lpThreadParameter)
{
//lpThreadParameter 传入你的参数 HK
INPUTCHANGE InputChange = (INPUTCHANGE)4544192;//填入你的函数地址
InputChange((int)lpThreadParameter);
return 0;
}
int _tmain(int argc, _TCHAR* argv[])
{
HANDLE hProcess=(HANDLE)0xdd4;
PVOID FunBuffer = VirtualAllocEx(hProcess,NULL,1024*4,MEM_RESERVE|MEM_COMMIT
,PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess,FunBuffer,(PVOID)&RunFunction,1024*4,NULL);
CreateRemoteThread(hProcess,NULL,NULL,(LPTHREAD_START_ROUTINE)FunBuffer,(LPVOID)23,NULL,NULL);
return 0;
}
可能是没有开hpeocess,
#include "stdafx.h"
#include "windows.h"
typedef void (WINAPI * INPUTCHANGE)(int HK);
DWORD __stdcall RunFunction (LPVOID lpThreadParameter)
{
//lpThreadParameter 传入你的参数 HK
INPUTCHANGE InputChange = (INPUTCHANGE)4544192;//填入你的函数地址
InputChange((int)lpThreadParameter);
return 0;
}
int _tmain(int argc, _TCHAR* argv[])
{
HANDLE hProcess=(HANDLE)0xdd4;
PVOID FunBuffer = VirtualAllocEx(hProcess,NULL,1024*4,MEM_RESERVE|MEM_COMMIT
,PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess,FunBuffer,(PVOID)&RunFunction,1024*4,NULL);
CreateRemoteThread(hProcess,NULL,NULL,(LPTHREAD_START_ROUTINE)FunBuffer,(LPVOID)23,NULL,NULL);
return 0;
}
可能是没有开hpeocess,
mayorvb 2011-02-15
- 打赏
- 举报
恩 试一试~~
yxwsbobo 2011-02-15
- 打赏
- 举报
//typedef void (WINAPI * INPUTCHANGE)(int HK);
DWORD __stdcall RunFunction (LPVOID lpThreadParameter)
{
//lpThreadParameter 传入你的参数 HK
INPUTCHANGE InputChange = (INPUTCHANGE)0x33333//填入你的函数地址
InputChange((int)lpThreadParameter)
return 0;
}
int main()
{
PVOID FunBuffer = VirtualAllocEx(hProcess,NULL,1024*4,MEM_RESERVE|MEM_COMMIT
,PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess,FunBuffer,(PVOID)&RunFunction,1024*4,NULL);
CreateRemoteThread(HProcess,NULL,NULL,FunBuffer,HK,NULL,NULL);
}
//要确保有对目标进程进行这些操作的权限,并且要用Release版本
DWORD __stdcall RunFunction (LPVOID lpThreadParameter)
{
//lpThreadParameter 传入你的参数 HK
INPUTCHANGE InputChange = (INPUTCHANGE)0x33333//填入你的函数地址
InputChange((int)lpThreadParameter)
return 0;
}
int main()
{
PVOID FunBuffer = VirtualAllocEx(hProcess,NULL,1024*4,MEM_RESERVE|MEM_COMMIT
,PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess,FunBuffer,(PVOID)&RunFunction,1024*4,NULL);
CreateRemoteThread(HProcess,NULL,NULL,FunBuffer,HK,NULL,NULL);
}
//要确保有对目标进程进行这些操作的权限,并且要用Release版本
yxwsbobo 2011-02-15
- 打赏
- 举报
哦 不好意思 瞎说呢.......
mayorvb 2011-02-15
- 打赏
- 举报
哎,还是不行,程序出错。
函数原型:
typedef void (WINAPI * InputChange)(int HK);
我这儿地址都有就是不知道怎么调用。。。
函数原型:
typedef void (WINAPI * InputChange)(int HK);
我这儿地址都有就是不知道怎么调用。。。
mayorvb 2011-02-15
- 打赏
- 举报
[Quote=引用 8 楼 yxwsbobo 的回复:]
如果是B进程让A进程调用函数
那么就直接CreateRemoteThread 就可以了,传入函数地址,和相应参数就行了,如果是字符串,要保证字符串在A进程中
[/Quote]
明白了,我试试运气看看能不能成功,函数有一个4个字节的整型参数。
如果是B进程让A进程调用函数
那么就直接CreateRemoteThread 就可以了,传入函数地址,和相应参数就行了,如果是字符串,要保证字符串在A进程中
[/Quote]
明白了,我试试运气看看能不能成功,函数有一个4个字节的整型参数。
mayorvb 2011-02-15
- 打赏
- 举报
[Quote=引用 6 楼 m_tornado 的回复:]
CreateRemoteThread注入
GetProcAddress函数地址
_asm call 或者转换函数地址调用都可以
[/Quote]
麻烦您了,能不能详细点?现在已知函数地址应该不用GetProcAddress。而且这个进程是正在运行的进程。
CreateRemoteThread注入
GetProcAddress函数地址
_asm call 或者转换函数地址调用都可以
[/Quote]
麻烦您了,能不能详细点?现在已知函数地址应该不用GetProcAddress。而且这个进程是正在运行的进程。
yxwsbobo 2011-02-15
- 打赏
- 举报
如果是B进程让A进程调用函数
那么就直接CreateRemoteThread 就可以了,传入函数地址,和相应参数就行了,如果是字符串,要保证字符串在A进程中
那么就直接CreateRemoteThread 就可以了,传入函数地址,和相应参数就行了,如果是字符串,要保证字符串在A进程中
yxwsbobo 2011-02-15
- 打赏
- 举报
要在B进程中调用A进程的函数
需要将A进程的函数代码复制到B进程 ReadProcessMemroy ,函数大小不知道的话可以多复制点过来,只要全就行,多了不怕
之后如果有的话需要修改相应的全局变量,API调用,重定位,如果函数简单没有这些就不需要了
需要将A进程的函数代码复制到B进程 ReadProcessMemroy ,函数大小不知道的话可以多复制点过来,只要全就行,多了不怕
之后如果有的话需要修改相应的全局变量,API调用,重定位,如果函数简单没有这些就不需要了
m_tornado 2011-02-15
- 打赏
- 举报
CreateRemoteThread注入
GetProcAddress函数地址
_asm call 或者转换函数地址调用都可以
GetProcAddress函数地址
_asm call 或者转换函数地址调用都可以
mayorvb 2011-02-15
- 打赏
- 举报
[Quote=引用 2 楼 fishion 的回复:]
远程进程注入,你有函数地址,有这函数的参数表没
[/Quote]
有,函数名,函数地址,函数参数原型都有。关键是如何调用了。能不能详细点?
远程进程注入,你有函数地址,有这函数的参数表没
[/Quote]
有,函数名,函数地址,函数参数原型都有。关键是如何调用了。能不能详细点?
fishion 2011-02-15
- 打赏
- 举报
不过,这样也行..刚刚看错了
fishion 2011-02-15
- 打赏
- 举报
远程进程注入,你有函数地址,有这函数的参数表没
lw1211 2011-02-15
- 打赏
- 举报
ReadProcessMemory
