3,882
社区成员
发帖
与我相关
我的任务
分享请教CreateRemoteThread远程注入进程的问题
我在控制台程序里用代码在宿主进程里注入一个MessageBox函数,能够成功运行,宿主进程显示对话框后一切正常,可是我用相同的代码在MFC创建的基于对话框程的序里,使用按钮来实现时,注入的对话框能够成功显示,但是一旦关闭注入的对话框,宿主进程就崩溃,我就纳闷了。我试过权限的问题,管理员权限运行也不行,在代码里改令牌也不行,请问到底什么原因导致的这种现象。以下是代码。
控制台程序
MFC按钮消息响应函数里的代码
控制台程序
#include <windows.h>
typedef int (__stdcall * PFN_MESSAGEBOX)(HWND, LPCTSTR, LPCTSTR, DWORD);
struct RemoteParam
{
char sShow[12];
DWORD dwMessageBox;
};
DWORD WINAPI threadProc(LPVOID lpParameter)
{
RemoteParam *rp=(RemoteParam*)lpParameter;
PFN_MESSAGEBOX pfnMessageBox=(PFN_MESSAGEBOX)(rp->dwMessageBox);
pfnMessageBox(NULL,rp->sShow,rp->sShow,0);
return 0;
}
void main()
{
DWORD proId;
const DWORD dwThreadSize=4096;
HWND windHandle=::FindWindow(NULL,"MyGame");
::GetWindowThreadProcessId(windHandle,&proId);
HANDLE proHandle=::OpenProcess(PROCESS_ALL_ACCESS,false,proId);
void* allcAddr=::VirtualAllocEx(proHandle,0,dwThreadSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
::WriteProcessMemory(proHandle,allcAddr,&threadProc,dwThreadSize,0);
HMODULE hUser32=::LoadLibrary("User32.dll");
RemoteParam RemoteData;
ZeroMemory(&RemoteData,sizeof(RemoteParam));
RemoteData.dwMessageBox=(DWORD)::GetProcAddress(hUser32,"MessageBoxA");
strcat(RemoteData.sShow,"Hello\0");
RemoteParam* paramAndFunc=(RemoteParam*)::VirtualAllocEx(proHandle,0,sizeof(RemoteData),MEM_COMMIT,PAGE_READWRITE);
::WriteProcessMemory(proHandle,paramAndFunc,&RemoteData,sizeof(RemoteData),0);
DWORD dwId;
HANDLE hRemoteHandle=::CreateRemoteThread(proHandle,NULL,0,(LPTHREAD_START_ROUTINE)allcAddr,paramAndFunc,0,&dwId);
CloseHandle(hRemoteHandle);
FreeLibrary(hUser32);
}
MFC按钮消息响应函数里的代码
typedef int (__stdcall * PFN_MESSAGEBOX)(HWND, LPCTSTR, LPCTSTR, DWORD);
struct RemoteParam
{
char sShow[12];
DWORD dwMessageBox;
};
DWORD WINAPI threadProc(LPVOID lpParameter)
{
RemoteParam *rp=(RemoteParam*)lpParameter;
PFN_MESSAGEBOX pfnMessageBox=(PFN_MESSAGEBOX)(rp->dwMessageBox);
pfnMessageBox(NULL,rp->sShow,rp->sShow,0);
return 0;
}
void CMyDlg::OnButtonPourinto()
{
//enableDebugPriv();
DWORD proId;
const DWORD dwThreadSize=4096;
HWND windHandle=::FindWindow(NULL,"MyGame");
::GetWindowThreadProcessId(windHandle,&proId);
HANDLE proHandle=::OpenProcess(PROCESS_ALL_ACCESS,false,proId);
void* allcAddr=::VirtualAllocEx(proHandle,0,dwThreadSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE
);
::WriteProcessMemory(proHandle,allcAddr,&threadProc,dwThreadSize,0);
RemoteParam RemoteData;
ZeroMemory(&RemoteData,sizeof(RemoteParam));
HINSTANCE hUser32 = LoadLibrary("User32.dll");
RemoteData.dwMessageBox=(DWORD)::GetProcAddress(hUser32,"MessageBoxA");
strcat(RemoteData.sShow,"Hello\0");
RemoteParam* paramAndFunc=(RemoteParam*)::VirtualAllocEx(proHandle,0,sizeof(RemoteData),MEM_COMMIT,PAGE_READWRITE);
::WriteProcessMemory(proHandle,paramAndFunc,&RemoteData,sizeof(RemoteData),0);
DWORD dwId;
HANDLE hRemoteHandle=::CreateRemoteThread(proHandle,NULL,0,(LPTHREAD_START_ROUTINE)allcAddr,paramAndFunc,0,&dwId);
CloseHandle(hRemoteHandle);
FreeLibrary(hUser32);
}
...全文
请发表友善的回复…
发表回复
赵4老师 2015-05-11
- 打赏
- 举报
崩溃的时候在弹出的对话框按相应按钮进入调试,按Alt+7键查看Call Stack即“调用堆栈”里面从上到下列出的对应从里层到外层的函数调用历史。双击某一行可将光标定位到此次调用的源代码或汇编指令处,看不懂时双击下一行,直到能看懂为止。
