15,468
社区成员
发帖
与我相关
我的任务
分享一个线程注入 ,远程线程创建失败的问题!
如题:
根据网上的代码自己写了一个远程注入的程序, 前期的初始化准备都是可以的,偏偏在最后一步创建远程线程CreatRemoteThread 的时候,无法创建,获得无效的句柄。 我不清楚是什么问题, 是不是权限的问题呢? 我用代码更改了权限级别,还是无法创建。 希望朋友们帮忙指导一下。
以下是源代码。
..cpp
void CFourthHookAppDlg::OnBnClickedButton1()
{
// TODO: 在此添加控件通知处理程序代码
HANDLE hSnapshot=NULL;//存放进程快照句柄
HANDLE hRemoteProcess=NULL;//存放宿主句柄
HMODULE hModule=NULL ;//动态链接库函数地址句柄
HANDLE hInspectRemoteThread = NULL ;//存放远程线程句柄
CString lpName;
DWORD InspectDllNameLength;
char szInspectDllPath[128] ;
DWORD dwWritten;
hSnapshot = CreateToolhelp32Snapshot ( TH32CS_SNAPPROCESS, 0 ) ;//创建进程快照
if ( hSnapshot == INVALID_HANDLE_VALUE)
{
return ;
}
GetDlgItem(IDC_EDIT1)->GetWindowText(lpName);// 自己定义个编辑框
//设定需要监视的进程名
PROCESSENTRY32 pe; //存放快照的数据结构体
pe.dwSize = sizeof ( PROCESSENTRY32 );
for( BOOL fOk = Process32First ( hSnapshot, &pe ) ; fOk; fOk = //历遍快照查询要监视的进程
Process32Next( hSnapshot, &pe ) )
{
if ( pe.szExeFile == lpName )
{
EnableDebugPriv(); //设置权限
//取得宿主进程(EXPLORER.EXE)的句柄
hRemoteProcess = OpenProcess ( PROCESS_ALL_ACCESS,
false, pe.th32ProcessID ) ;
if(hRemoteProcess==NULL)
{
return ;
}
//取得目标DLL的当前路径(路径可自由设置)
/*GetCurrentDirectory ( 128, szInspectDllPath ) ;
strcat ( szInspectDllPath, "\\debug\\FourthHook.dll" ) ;*/
char szDllPath[MAX_PATH] = "D:\\FourthHook.dll";
//申请存放文件名的空间
LPVOID pszInspectDllRemote ;
InspectDllNameLength = sizeof (szDllPath ) + 1 ;
pszInspectDllRemote = VirtualAllocEx ( hRemoteProcess,
NULL, InspectDllNameLength, MEM_COMMIT, PAGE_READWRITE ) ;
if ( NULL ==pszInspectDllRemote )
{
CloseHandle( hRemoteProcess);
return;
// 失败处理
} ;
//把dll文件名写入申请的空间
if ( WriteProcessMemory ( hRemoteProcess, pszInspectDllRemote,
(LPVOID)szDllPath, InspectDllNameLength, &dwWritten) )
{
// 要写入字节数与实际写入字节数不相等,仍属失败
if ( dwWritten != InspectDllNameLength)
{
VirtualFreeEx( hRemoteProcess, szDllPath, InspectDllNameLength, MEM_DECOMMIT );
CloseHandle(hRemoteProcess);
return;
// 失败处理
}
}
else
{
CloseHandle( hRemoteProcess ); // 失败处理
return;
}
//获取动态链接库函数地址
hModule = GetModuleHandle ( "kernel32.DLL" ) ;
if(NULL==hModule)
{
CloseHandle( hRemoteProcess );
return;
}
LPTHREAD_START_ROUTINE fnStartAddr ;
fnStartAddr = ( LPTHREAD_START_ROUTINE ) GetProcAddress ( hModule,
"LoadLibraryA" ) ;
//创建远程线程
hInspectRemoteThread = CreateRemoteThread ( hRemoteProcess, NULL, 0,
fnStartAddr, pszInspectDllRemote, 0, NULL ) ;
if(hInspectRemoteThread ==NULL)
{
MessageBox("无法创建远程线程!","信息");
return ;
}
WaitForSingleObject( hInspectRemoteThread, INFINITE );
if( hSnapshot != NULL )
{
CloseHandle ( hSnapshot ) ;//关闭进程快照
}
CloseHandle ( hRemoteProcess ) ;
break ;
}
}
}
void CFourthHookAppDlg::EnableDebugPriv()
{
HANDLE hToken; // 进程访问令牌的句柄
LUID luid; // 用于存储调试权对应的局local unique identifier
TOKEN_PRIVILEGES tkp; // 要设置的权限
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
// 获取访问令牌
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid); // 获得调试权的luid
tkp.PrivilegeCount = 1; // 设置调试权
tkp.Privileges[0].Luid = luid;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL); // 使进程拥有调试权
CloseHandle(hToken);
}
根据网上的代码自己写了一个远程注入的程序, 前期的初始化准备都是可以的,偏偏在最后一步创建远程线程CreatRemoteThread 的时候,无法创建,获得无效的句柄。 我不清楚是什么问题, 是不是权限的问题呢? 我用代码更改了权限级别,还是无法创建。 希望朋友们帮忙指导一下。
以下是源代码。
..cpp
void CFourthHookAppDlg::OnBnClickedButton1()
{
// TODO: 在此添加控件通知处理程序代码
HANDLE hSnapshot=NULL;//存放进程快照句柄
HANDLE hRemoteProcess=NULL;//存放宿主句柄
HMODULE hModule=NULL ;//动态链接库函数地址句柄
HANDLE hInspectRemoteThread = NULL ;//存放远程线程句柄
CString lpName;
DWORD InspectDllNameLength;
char szInspectDllPath[128] ;
DWORD dwWritten;
hSnapshot = CreateToolhelp32Snapshot ( TH32CS_SNAPPROCESS, 0 ) ;//创建进程快照
if ( hSnapshot == INVALID_HANDLE_VALUE)
{
return ;
}
GetDlgItem(IDC_EDIT1)->GetWindowText(lpName);// 自己定义个编辑框
//设定需要监视的进程名
PROCESSENTRY32 pe; //存放快照的数据结构体
pe.dwSize = sizeof ( PROCESSENTRY32 );
for( BOOL fOk = Process32First ( hSnapshot, &pe ) ; fOk; fOk = //历遍快照查询要监视的进程
Process32Next( hSnapshot, &pe ) )
{
if ( pe.szExeFile == lpName )
{
EnableDebugPriv(); //设置权限
//取得宿主进程(EXPLORER.EXE)的句柄
hRemoteProcess = OpenProcess ( PROCESS_ALL_ACCESS,
false, pe.th32ProcessID ) ;
if(hRemoteProcess==NULL)
{
return ;
}
//取得目标DLL的当前路径(路径可自由设置)
/*GetCurrentDirectory ( 128, szInspectDllPath ) ;
strcat ( szInspectDllPath, "\\debug\\FourthHook.dll" ) ;*/
char szDllPath[MAX_PATH] = "D:\\FourthHook.dll";
//申请存放文件名的空间
LPVOID pszInspectDllRemote ;
InspectDllNameLength = sizeof (szDllPath ) + 1 ;
pszInspectDllRemote = VirtualAllocEx ( hRemoteProcess,
NULL, InspectDllNameLength, MEM_COMMIT, PAGE_READWRITE ) ;
if ( NULL ==pszInspectDllRemote )
{
CloseHandle( hRemoteProcess);
return;
// 失败处理
} ;
//把dll文件名写入申请的空间
if ( WriteProcessMemory ( hRemoteProcess, pszInspectDllRemote,
(LPVOID)szDllPath, InspectDllNameLength, &dwWritten) )
{
// 要写入字节数与实际写入字节数不相等,仍属失败
if ( dwWritten != InspectDllNameLength)
{
VirtualFreeEx( hRemoteProcess, szDllPath, InspectDllNameLength, MEM_DECOMMIT );
CloseHandle(hRemoteProcess);
return;
// 失败处理
}
}
else
{
CloseHandle( hRemoteProcess ); // 失败处理
return;
}
//获取动态链接库函数地址
hModule = GetModuleHandle ( "kernel32.DLL" ) ;
if(NULL==hModule)
{
CloseHandle( hRemoteProcess );
return;
}
LPTHREAD_START_ROUTINE fnStartAddr ;
fnStartAddr = ( LPTHREAD_START_ROUTINE ) GetProcAddress ( hModule,
"LoadLibraryA" ) ;
//创建远程线程
hInspectRemoteThread = CreateRemoteThread ( hRemoteProcess, NULL, 0,
fnStartAddr, pszInspectDllRemote, 0, NULL ) ;
if(hInspectRemoteThread ==NULL)
{
MessageBox("无法创建远程线程!","信息");
return ;
}
WaitForSingleObject( hInspectRemoteThread, INFINITE );
if( hSnapshot != NULL )
{
CloseHandle ( hSnapshot ) ;//关闭进程快照
}
CloseHandle ( hRemoteProcess ) ;
break ;
}
}
}
void CFourthHookAppDlg::EnableDebugPriv()
{
HANDLE hToken; // 进程访问令牌的句柄
LUID luid; // 用于存储调试权对应的局local unique identifier
TOKEN_PRIVILEGES tkp; // 要设置的权限
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
// 获取访问令牌
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid); // 获得调试权的luid
tkp.PrivilegeCount = 1; // 设置调试权
tkp.Privileges[0].Luid = luid;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL); // 使进程拥有调试权
CloseHandle(hToken);
}
...全文
请发表友善的回复…
发表回复
ShellCold 2018-03-18
- 打赏
- 举报
感谢,我的也是这个问题,一直注入系统进程,系统是64位的,一直失败,哈哈,
xcw_pet 2015-12-25
- 打赏
- 举报
如何设置64网上有教程 , 搜 “vs2010 如何将代码从win32改成x64” 就可以 ,很简单。
xcw_pet 2015-12-25
- 打赏
- 举报
可以了,就是这个问题! 太感谢你了!!! 结贴了,非常感谢大家的帮助!
xcw_pet 2015-12-25
- 打赏
- 举报
噢,说到我没想到的点上了。 我的系统是64位的, 如何看代码是不是32位的, 这个要如何统一?
Yofoo 2015-12-25
- 打赏
- 举报
但是像word,记事本等一般系统进程就不行
如果系统进程是64位, 你的代码是32位, 这样肯定是不可以的
xcw_pet 2015-12-24
- 打赏
- 举报
程序已经是在管理员权限下调试了的。
xcw_pet 2015-12-24
- 打赏
- 举报
获得的错误码是 : 无法访问! 这是权限不够的问题吧?
我注入类似美图秀秀,爱奇艺这种的第三方软件是可以的,但是像word,记事本等一般系统进程就不行。
赵4老师 2015-12-15
- 打赏
- 举报
仅供参考:
/*
Application: Code Injection in Explorer
Author: @_RT
Compiled on: Feb 2014
URL:http://www.codeproject.com/Tips/732044/Code-Injection-2
We will see the different steps involved to perform a code injection into an already running process.
Following are the quick steps through the process of injection.
1.Get the API addresses that you will be calling from the injected code.
2.Prepare shell code of your function that you want to get executed from the injected process.
3.Get the process ID of the running process that you wish to inject into by enumerating through the
list of processes or by finding the process's window (in case it's a GUI application) by class name or title.
4.Open the process using its Pid with All Access rights.
5.Allocate different memory spaces in the process that you are going to inject to with desired access
rights for holding different segments of your shell code.
Code part (executable instructions)
Data part (strings, function parameters, etc.)
6.Write the allocated memories with the respective values (code and data).
7.Call CreateRemoteThread API and pass to it the start of allocated memory address where you have
written your shell code from the process we are injecting.
*/
#include <windows.h>
#pragma comment(lib,"user32.lib")
LPVOID addr;
LPVOID addr2;
BOOL InjectExecutable(DWORD dwPid,LPVOID si,LPVOID pi,int sisize,int pisize)
{
LPVOID hNewModule;
HANDLE hProcess;
CHAR S[] = { "C:\\Windows\\notepad.exe" };
BYTE byt[] = {0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x01, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x68};
BYTE byt2[] = {0xE8};
BYTE byt3[] = {0x68};
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
if (hProcess == NULL)
{
return FALSE;
}
LPVOID staddr = VirtualAllocEx(hProcess, NULL, sizeof(S), MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hProcess, staddr, S, sizeof(S), NULL);
LPVOID fnaddr = VirtualAllocEx(hProcess, NULL, 4, MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hProcess, fnaddr, si, sisize, NULL);
LPVOID fnaddr2 = VirtualAllocEx(hProcess, NULL, 4, MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hProcess, fnaddr2, pi, pisize, NULL);
hNewModule = VirtualAllocEx(hProcess, NULL, 100, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (hNewModule == NULL)
{
return FALSE;
}
LPTHREAD_START_ROUTINE strtaddr = (LPTHREAD_START_ROUTINE)hNewModule;
WriteProcessMemory(hProcess, hNewModule, byt3, sizeof(byt3), NULL);
hNewModule = (LPVOID)((int)hNewModule + sizeof(byt3));
WriteProcessMemory(hProcess, hNewModule, &fnaddr, sizeof(fnaddr), NULL);
hNewModule = (LPVOID)((int)hNewModule + sizeof(fnaddr));
WriteProcessMemory(hProcess, hNewModule, byt3, sizeof(byt3), NULL);
hNewModule = (LPVOID)((int)hNewModule + sizeof(byt3));
WriteProcessMemory(hProcess, hNewModule, &fnaddr2, sizeof(fnaddr2), NULL);
hNewModule = (LPVOID)((int)hNewModule + sizeof(fnaddr2));
WriteProcessMemory(hProcess, hNewModule, byt, sizeof(byt), NULL);
hNewModule = (LPVOID)((int)hNewModule + sizeof(byt));
WriteProcessMemory(hProcess, hNewModule, &staddr, sizeof(staddr), NULL);
hNewModule = (LPVOID)((int)hNewModule + sizeof(staddr));
WriteProcessMemory(hProcess, hNewModule, byt2, sizeof(byt2), NULL);
hNewModule = (LPVOID)((int)hNewModule + sizeof(byt2));
addr = (LPVOID)((int)addr - ((int)hNewModule + 4));
WriteProcessMemory(hProcess, hNewModule, &addr, sizeof(addr), NULL);
hNewModule = (LPVOID)((int)hNewModule + sizeof(addr));
WriteProcessMemory(hProcess, hNewModule, byt, 2, NULL);
hNewModule = (LPVOID)((int)hNewModule + 2);
WriteProcessMemory(hProcess, hNewModule, byt2, sizeof(byt2), NULL);
hNewModule = (LPVOID)((int)hNewModule + sizeof(byt2));
addr2 = (LPVOID)((int)addr2 - ((int)hNewModule + 4));
WriteProcessMemory(hProcess, hNewModule, &addr2, sizeof(addr2), NULL);
CreateRemoteThread(hProcess, 0, 0, strtaddr, NULL, 0, NULL);
return TRUE;
}
void main()
{
_STARTUPINFOA si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
ZeroMemory(&pi, sizeof(pi));
DWORD dwPid;
HMODULE ldlib = LoadLibraryA("Kernel32.dll");
addr = GetProcAddress(ldlib, "CreateProcessA");
addr2 = GetProcAddress(ldlib, "ExitThread");
GetWindowThreadProcessId(FindWindow(NULL, L"Start Menu"), &dwPid);
InjectExecutable(dwPid,&si,&pi,sizeof(si),sizeof(pi));
}
Saleayas 2015-12-15
- 打赏
- 举报
GetLastError 看看错误信息。
BeanJoy 2015-12-15
- 打赏
- 举报
参考如下:
线程注入、HOOK APIs(附VC6源码)
信阳毛尖 2015-12-15
- 打赏
- 举报
这个真心不懂,不懂啊
