15,471
社区成员
发帖
与我相关
我的任务
分享请发表友善的回复…
发表回复
zwfgdlc 2011-03-27
- 打赏
- 举报
似乎用的是SEH API HOOK.
http://wenku.baidu.com/view/4fd7420ef12d2af90242e62f.html
http://wenku.baidu.com/view/4fd7420ef12d2af90242e62f.html
野男孩 2011-03-27
- 打赏
- 举报
不成功的情况下,失败是在哪一步??
OpenProcess?
VirtualAllocEx??
WriteProcessMemory???
还是CreateRemoteThread????
总有些信息吧,失败原因,GetLastError之类的。。
OpenProcess?
VirtualAllocEx??
WriteProcessMemory???
还是CreateRemoteThread????
总有些信息吧,失败原因,GetLastError之类的。。
huchangjiangz 2011-03-27
- 打赏
- 举报
TOKEN_PRIVILEGES tkp;
HANDLE hToken;
tkp.PrivilegeCount = 1;
OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken);
LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tkp.Privileges[0].Luid);
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,(PTOKEN_PRIVILEGES) NULL, 0);
HINSTANCE hDll = GetModuleHandle("Kernel32.dll");
LPVOID OldFun = GetProcAddress(hDll,"LoadLibraryA");
char fp[50] = {"F:\\wrecv.dll"};
char *name = "Warcraft III
HWND jb = FindWindowEx(0,0,0,name);
DWORD id ; GetWindowThreadProcessId(jb,&id);
HANDLE hand = OpenProcess(PROCESS_ALL_ACCESS,false,id);
LPVOID p = VirtualAllocEx(hand, NULL, 30, MEM_COMMIT, PAGE_READWRITE);
DWORD n ; WriteProcessMemory(hand,p,fp,30,&n);
HANDLE haw= CreateRemoteThread(hand, NULL, 0, (PTHREAD_START_ROUTINE)OldFun, p, 0, NULL);
WaitForSingleObject(haw,-1);
就这样,不开vs可以注入魔兽,开了vs也可以注入,但是成功率10%左右。但是WPE是无论怎样都注入的进去。
我想知道他是怎么做到的
HANDLE hToken;
tkp.PrivilegeCount = 1;
OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken);
LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tkp.Privileges[0].Luid);
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,(PTOKEN_PRIVILEGES) NULL, 0);
HINSTANCE hDll = GetModuleHandle("Kernel32.dll");
LPVOID OldFun = GetProcAddress(hDll,"LoadLibraryA");
char fp[50] = {"F:\\wrecv.dll"};
char *name = "Warcraft III
HWND jb = FindWindowEx(0,0,0,name);
DWORD id ; GetWindowThreadProcessId(jb,&id);
HANDLE hand = OpenProcess(PROCESS_ALL_ACCESS,false,id);
LPVOID p = VirtualAllocEx(hand, NULL, 30, MEM_COMMIT, PAGE_READWRITE);
DWORD n ; WriteProcessMemory(hand,p,fp,30,&n);
HANDLE haw= CreateRemoteThread(hand, NULL, 0, (PTHREAD_START_ROUTINE)OldFun, p, 0, NULL);
WaitForSingleObject(haw,-1);
就这样,不开vs可以注入魔兽,开了vs也可以注入,但是成功率10%左右。但是WPE是无论怎样都注入的进去。
我想知道他是怎么做到的
zwfgdlc 2011-03-27
- 打赏
- 举报
[Quote=引用 2 楼 huchangjiangz 的回复:]
我注入dll也是用的这种远程线程,但是有的注入不进去 wpe就可以
[/Quote]
先用AdjustTokenPrivileges提权,如果还不能注入,那可能是有驱动保护了.
我注入dll也是用的这种远程线程,但是有的注入不进去 wpe就可以
[/Quote]
先用AdjustTokenPrivileges提权,如果还不能注入,那可能是有驱动保护了.
huchangjiangz 2011-03-27
- 打赏
- 举报
我注入dll也是用的这种远程线程,但是有的注入不进去 wpe就可以
邓学彬 2011-03-27
- 打赏
- 举报
bool InsertDll(DWORD dwProcessId,CString strDllFile)//注入DLL
{
HANDLE hProcess = OpenProcess (PROCESS_ALL_ACCESS, 0, dwProcessId); // 打开进程
if(!hProcess)return false;//打开进程失败
bool bRetValue=false;
int nLen =(int)strlen(strDllFile.GetBuffer()) + 1; // 取出dll的全路径nLen
HANDLE hMem = VirtualAllocEx (hProcess, 0, nLen, MEM_COMMIT, PAGE_READWRITE); // hMem用来保存GetModuleHandleA的参数
if(WriteProcessMemory (hProcess, hMem,strDllFile, nLen, 0)){// 将参数写到远程的进程内存中
HMODULE hModule = GetModuleHandleA (_T("Kernel32"));
PTHREAD_START_ROUTINE hProc = (PTHREAD_START_ROUTINE)GetProcAddress (hModule, _T("LoadLibraryA"));
HANDLE hThread =CreateRemoteThread (hProcess, 0, 0, hProc, hMem, 0, 0); // 远程执行命令
WaitForSingleObject (hThread, -1); // 等待执行退出
CloseHandle (hThread); // 关闭线程
bRetValue=true;
}
VirtualFreeEx (hProcess, hMem, nLen, 16384); // 释放内存
CloseHandle (hProcess);
return bRetValue;
}huchangjiangz 2011-03-27
- 打赏
- 举报
回复: 5楼
GetLastError每次API调用完全成功,而且远程线程ID都返回了
GetLastError每次API调用完全成功,而且远程线程ID都返回了
