15,471
社区成员
发帖
与我相关
我的任务
分享请发表友善的回复…
发表回复
wangfcp02 2012-07-25
- 打赏
- 举报
关键是exe创建远程线程没有问题,dll里面创建远程线程就不行?纳闷
gmyhbio 2012-07-25
- 打赏
- 举报
晚上回家再给看看。
wangfcp02 2012-07-25
- 打赏
- 举报
当杀软全部卸载后,电脑重启了,远程线程注入钩子直接失败,创建远程线程失败,错误码为8.请指教
wangfcp02 2012-07-25
- 打赏
- 举报
代码如下,这是创建远程线程,希望大神解答一下,分不够可以再加
wangfcp02 2012-07-25
- 打赏
- 举报
DWORD dwWrite,dwSize;
FullPath = new char[MAX_PATH];
TCHAR szDllPath[MAX_PATH] = {0};
TCHAR szModuleFileName[MAX_PATH] = {0};
TCHAR* pExeName = NULL;
::GetModuleFileName(NULL, szModuleFileName, MAX_PATH);
::GetFullPathName(szModuleFileName, MAX_PATH, szDllPath, &pExeName);
_tcscpy(pExeName,_T("DocHook.dll"));
#ifdef UNICODE
WideCharToMultiByte(CP_ACP, 0, szDllPath, -1, FullPath, MAX_PATH, 0, 0 );
#else
strcpy(FullPath, szDllPath);
#endif
/*dwSize = strlen(FullPath);
strcpy(FullPath,"D:\\复制,打印,粘贴\\新建文件夹\\DocHook\\DocHook\\Release\\DocHook.dll");*/
dwSize = strlen(FullPath);
HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |PROCESS_VM_READ|
PROCESS_VM_WRITE, FALSE, dwProcessId);
if (hProcess==NULL)
break;
LPVOID LoadLibraryAddr = (LPVOID)GetProcAddress(GetModuleHandle(_T("kernel32.dll")),
"LoadLibraryA"); //Get LoadLibraryA address
if (LoadLibraryAddr == NULL)
break;
LPVOID LLParam = (LPVOID)VirtualAllocEx(hProcess, NULL, strlen(FullPath),
MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); //Allocate some memory for DLL string
if (LLParam==NULL)
break;
WriteProcessMemory(hProcess, LLParam, FullPath, strlen(FullPath), &dwWrite); //Write it
if (dwWrite != dwSize)
{
OutputDebugStringW(TEXT("写入的字节不对"));
return ;
}
HANDLE hRemoteThread =CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibraryAddr,
LLParam, NULL, NULL); //New thread with LoadLibrary as start and our string as param
if (hRemoteThread != NULL)
{
OutputDebugString(TEXT("远程线程安装钩子成功"));
}
else
{
DWORD dwLastError = GetLastError();
TCHAR szTest[MAX_PATH] = {0};
wsprintf(szTest, TEXT("%u"), dwLastError);
OutputDebugString(TEXT("错误码为:"));
OutputDebugString(szTest);
OutputDebugString(TEXT("远程线程安装钩子失败"));
}
WaitForSingleObject(hRemoteThread, INFINITE );
VirtualFreeEx(hProcess, LLParam, strlen(FullPath), MEM_DECOMMIT);
CloseHandle(hRemoteThread);
CloseHandle(hProcess);
FullPath = new char[MAX_PATH];
TCHAR szDllPath[MAX_PATH] = {0};
TCHAR szModuleFileName[MAX_PATH] = {0};
TCHAR* pExeName = NULL;
::GetModuleFileName(NULL, szModuleFileName, MAX_PATH);
::GetFullPathName(szModuleFileName, MAX_PATH, szDllPath, &pExeName);
_tcscpy(pExeName,_T("DocHook.dll"));
#ifdef UNICODE
WideCharToMultiByte(CP_ACP, 0, szDllPath, -1, FullPath, MAX_PATH, 0, 0 );
#else
strcpy(FullPath, szDllPath);
#endif
/*dwSize = strlen(FullPath);
strcpy(FullPath,"D:\\复制,打印,粘贴\\新建文件夹\\DocHook\\DocHook\\Release\\DocHook.dll");*/
dwSize = strlen(FullPath);
HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |PROCESS_VM_READ|
PROCESS_VM_WRITE, FALSE, dwProcessId);
if (hProcess==NULL)
break;
LPVOID LoadLibraryAddr = (LPVOID)GetProcAddress(GetModuleHandle(_T("kernel32.dll")),
"LoadLibraryA"); //Get LoadLibraryA address
if (LoadLibraryAddr == NULL)
break;
LPVOID LLParam = (LPVOID)VirtualAllocEx(hProcess, NULL, strlen(FullPath),
MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); //Allocate some memory for DLL string
if (LLParam==NULL)
break;
WriteProcessMemory(hProcess, LLParam, FullPath, strlen(FullPath), &dwWrite); //Write it
if (dwWrite != dwSize)
{
OutputDebugStringW(TEXT("写入的字节不对"));
return ;
}
HANDLE hRemoteThread =CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibraryAddr,
LLParam, NULL, NULL); //New thread with LoadLibrary as start and our string as param
if (hRemoteThread != NULL)
{
OutputDebugString(TEXT("远程线程安装钩子成功"));
}
else
{
DWORD dwLastError = GetLastError();
TCHAR szTest[MAX_PATH] = {0};
wsprintf(szTest, TEXT("%u"), dwLastError);
OutputDebugString(TEXT("错误码为:"));
OutputDebugString(szTest);
OutputDebugString(TEXT("远程线程安装钩子失败"));
}
WaitForSingleObject(hRemoteThread, INFINITE );
VirtualFreeEx(hProcess, LLParam, strlen(FullPath), MEM_DECOMMIT);
CloseHandle(hRemoteThread);
CloseHandle(hProcess);
gmyhbio 2012-07-24
- 打赏
- 举报
发你代码来看看?
wangfcp02 2012-07-24
- 打赏
- 举报
错误码为8,远程线程的句柄为空。我按你的办法提升权限了的,还是不行。我是在一个DLL里面创建远程线程就创建老是失败。而在exe里面却不存在这个问题,求大侠解答?
gmyhbio 2012-07-24
- 打赏
- 举报
确定杀软的驱动也卸载了的?
如果杀软退了,驱动在运行,防御依然存在。
或者是你打开一个进程时,权限不够,自然不能钩了。
提升下权限就行了。
如果杀软退了,驱动在运行,防御依然存在。
或者是你打开一个进程时,权限不够,自然不能钩了。
提升下权限就行了。
void GetPrivilege()
{
HMODULE hDll = ::LoadLibraryW(_T("ntdll.dll"));
if (hDll)
{
int nCallAddr = (int)GetProcAddress(hDll, "RtlAdjustPrivilege");
int nNull = 0;
int* pNull = &nNull;
_asm
{
push pNull
push 0
push 1
push 0x14
call nCallAddr
}
FreeLibrary(hDll);
}
}