65,186
社区成员
发帖
与我相关
我的任务
分享快哭啦~ CreateRemoteThread x64位的远程线程老是把目标进程给干掉啦
我想用远程线程注入的方式目标进程中注入CloseHandle()函数,win32正常执行,x64位目标进程的exe会异常退出,怎么办?
DWORD CloseRemoteHandle( LPCTSTR lpProcessName, DWORD processID, HANDLE handle )
{
DWORD dwThreadSize = 0x1000;
RemoteParam remoteData;
ZeroMemory(&remoteData, sizeof(RemoteParam));
HINSTANCE kernel32 = LoadLibrary(L"Kernel32.dll");
remoteData.pCloseHandle = (DWORD)GetProcAddress(kernel32, "CloseHandle");
remoteData.handle = handle;
HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, processID );
void* pRemoteThread = VirtualAllocEx(hProcess, 0, dwThreadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess, pRemoteThread, &threadProc, dwThreadSize, 0);
RemoteParam* pRemoteParam = (RemoteParam*)VirtualAllocEx( hProcess , 0, sizeof(RemoteParam), MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hProcess, pRemoteParam, &remoteData, sizeof(remoteData), 0);
HANDLE hRemoteThread = CreateRemoteThread(
hProcess,
NULL,
0,
(DWORD (__stdcall *)(void *))pRemoteThread,
pRemoteParam,
0,
0);
::WaitForSingleObject(hRemoteThread, INFINITE);
CloseHandle(hRemoteThread);
return TRUE;
}
DWORD CloseRemoteHandle( LPCTSTR lpProcessName, DWORD processID, HANDLE handle )
{
DWORD dwThreadSize = 0x1000;
RemoteParam remoteData;
ZeroMemory(&remoteData, sizeof(RemoteParam));
HINSTANCE kernel32 = LoadLibrary(L"Kernel32.dll");
remoteData.pCloseHandle = (DWORD)GetProcAddress(kernel32, "CloseHandle");
remoteData.handle = handle;
HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, processID );
void* pRemoteThread = VirtualAllocEx(hProcess, 0, dwThreadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess, pRemoteThread, &threadProc, dwThreadSize, 0);
RemoteParam* pRemoteParam = (RemoteParam*)VirtualAllocEx( hProcess , 0, sizeof(RemoteParam), MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hProcess, pRemoteParam, &remoteData, sizeof(remoteData), 0);
HANDLE hRemoteThread = CreateRemoteThread(
hProcess,
NULL,
0,
(DWORD (__stdcall *)(void *))pRemoteThread,
pRemoteParam,
0,
0);
::WaitForSingleObject(hRemoteThread, INFINITE);
CloseHandle(hRemoteThread);
return TRUE;
}
...全文
请发表友善的回复…
发表回复
jota 2015-08-17
- 打赏
- 举报
后来找到一个方法,如果是64位的程序,开一个32位的程序去doing...
赵4老师 2015-03-23
- 打赏
- 举报
楼主懂64位汇编吗?
jota 2015-03-22
- 打赏
- 举报
还是没搞定啊jota 2015-03-22
- 打赏
- 举报
注意事项:
1.Debug版本编译的时候使用增量编译,导致每个函数都是用一个Thunk, 所以请使用Release版本。
2.目标进程非本进程时不能调用本进程内的函数或使用本进程内的变量,有时在隐式使用时可能会引起该
问题,容易引起进程崩溃。(例如WriteProcessMemory写入的函数中调用了本进程的全局变量)
3.多参数使用时请在目标进程中为函数参数分配相应的内存空间,因为CreateRemoteThread第5个参数是LPVOID型,
这意味着它只能放一个指针值,而该指针值应该指向分配的相应内存空间。
来自http://www.code06.com/software/u013025310/101539.html
jota 2015-03-21
- 打赏
- 举报
~~~~~~~~~~~~~~~~~在线等~~~~~~~~~~~~~~~~~~~~~~~
