C# GetProcAddress 返回126错误

oodlee 2018-08-14 01:35:57
我先说一下我的目的:做一个CS1.6的方框自瞄外挂,单机版。

/// <summary>
/// Raw kernel32 P/Invoke declarations used by the injection routines below, plus a helper
/// that turns a Win32 error code into its system message text.
/// NOTE(review): HANDLE/LPVOID parameters are declared inconsistently as <c>int</c> or
/// <c>IntPtr</c> (OpenProcess returns int, VirtualAllocEx takes IntPtr); in a 64-bit process
/// an int truncates pointer-sized values — consistent with the "32bit/64bit" remark in the replies.
/// </summary>
class API
{
// Returns the process handle as int (Win32 returns HANDLE); dwDesiredAccess is the access mask.
[DllImport("kernel32.dll")]
public static extern int OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
// Allocates memory in the target process; returns the base address as int, 0 on failure.
[DllImport("kernel32.dll")]
public static extern int VirtualAllocEx(IntPtr hwnd, int lpaddress, int size, int type, int tect);
// buffer is a managed string; with no CharSet on the attribute it is presumably marshalled
// as ANSI — confirm, because the callers derive nsize from DllName.Length (a char count).
// filewriten is passed by value (int), so the "bytes written" out-value is never received.
[DllImport("kernel32.dll")]
public static extern int WriteProcessMemory(IntPtr hwnd, int baseaddress, string buffer, int nsize, int filewriten);
// Resolves an export by name in a module loaded in *this* process, not the target.
[DllImport("kernel32.dll")]
public static extern int GetProcAddress(int hwnd, string lpname);
// Module base of a module already loaded in *this* process; 0 if not loaded.
[DllImport("kernel32.dll")]
public static extern int GetModuleHandleA(string name);
// Returns the new thread's handle as int (0 on failure); the callers in this file never close it.
[DllImport("kernel32.dll")]
public static extern int CreateRemoteThread(IntPtr hwnd, int attrib, int size, int address, int par, int flags, int threadid);
// Declared with ref string for the output buffer; see GetSysErrMsg for how it is used.
[System.Runtime.InteropServices.DllImport("Kernel32.dll")]
public extern static int FormatMessage(int flag, ref IntPtr source, int msgid, int langid, ref string buf, int size, ref IntPtr args);
/// <summary>
/// Looks up the system message text for a Win32 error code.
/// </summary>
/// <param name="errCode">Win32 error code (the value the callers log as "Error Code").</param>
/// <returns>The text FormatMessage placed in <c>msg</c>, or null if nothing was written.</returns>
public static string GetSysErrMsg(int errCode)
{
IntPtr tempptr = IntPtr.Zero;
string msg = null;
// 0x1300 looks like FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM |
// FORMAT_MESSAGE_IGNORE_INSERTS. With ALLOCATE_BUFFER the system allocates the text and
// nothing here frees it — presumably a small leak per call; verify if this is called often.
// tempptr doubles as the (unused) source and args arguments.
FormatMessage(0x1300, ref tempptr, errCode, 0, ref msg, 255, ref tempptr);
return msg;
}
// NOTE(review): reading the last error through a separate P/Invoke is unreliable — the runtime
// may make other calls in between. The documented route is SetLastError = true on the DllImport
// plus Marshal.GetLastWin32Error(), which Execute already uses at one site.
[DllImport("kernel32.dll")]
public static extern int GetLastError();
}



/// <summary>
/// First version of the injector: finds a process by name, copies <paramref name="DllName"/>
/// into it, resolves "LoadLibrary" in this process's kernel32 and starts a remote thread at
/// that address with the copied string as argument.
/// NOTE(review): this is the textbook remote-thread injection sequence
/// (OpenProcess/VirtualAllocEx/WriteProcessMemory/CreateRemoteThread); it is exactly the call
/// chain anti-cheat and endpoint products flag, which is relevant to the Kaspersky remark in
/// the replies. Every failure path logs via the project's Log type and returns false.
/// </summary>
/// <param name="DllName">Path string written verbatim into the target process.</param>
/// <param name="ProcessName">Substring matched case-insensitively against Process.ProcessName; first match wins.</param>
/// <returns>true only when every step returned non-zero; false otherwise.</returns>
public static bool Execute(string DllName,string ProcessName)
{
// Char count plus terminator; equals the byte count only if the string is marshalled as
// single-byte ANSI — see the WriteProcessMemory declaration.
int DllLength = DllName.Length + 1;
//
Process[] Pros = Process.GetProcesses();
Process AimProc = null;
foreach(Process i in Pros)
{
// Culture-sensitive lower-casing; any process whose name contains ProcessName matches.
if (i.ProcessName.ToLower().IndexOf(ProcessName.ToLower()) != -1)
{
AimProc = i;
Log.Add("Process Name",i.ProcessName);
// StartInfo belongs to the managed Process object, not the running process; for a process
// obtained from GetProcesses this is presumably empty rather than the executable's directory.
Log.Add("Process Path",i.StartInfo.WorkingDirectory);
// Process.Handle is the handle the managed Process object opened (see the last reply).
Log.Add("Process Handle", (int)(i.Handle));
break;
}
}
if(AimProc == null)
{
Log.Add("Process","null");
return false;
}
// 4096 = MEM_COMMIT (0x1000), 4 = PAGE_READWRITE.
int BaseAddress = API.VirtualAllocEx(AimProc.Handle, 0, DllLength, 4096, 4);
Log.Add_("BaseAddress",BaseAddress,16);
if (BaseAddress == 0)
{
Log.Add("VirtualAllocEx","False");
return false;
}
// Tmp is passed by value, so the native side receives 0 (NULL) and Tmp stays 0.
int Tmp=0;
int ResultOfWrite = API.WriteProcessMemory(AimProc.Handle, BaseAddress, DllName, DllLength, Tmp);
Log.Add("ResultOfWrite", ResultOfWrite);
if (ResultOfWrite == 0)
{
// Marshal.GetLastWin32Error is only meaningful when the DllImport sets SetLastError = true;
// the API declarations above do not, so this value may not belong to WriteProcessMemory.
Log.Add("Error Code", Marshal.GetLastWin32Error());
Log.Add("WriteProcessMemory","False");
return false;
}
// Looked up in this process and reused in the target; relies on kernel32 sharing the same base.
int ModuleHandle = API.GetModuleHandleA("Kernel32.dll");
Log.Add_("ModuleHandle", ModuleHandle,16);
if (ModuleHandle == 0)
{
Log.Add("Error Code", Marshal.GetLastWin32Error());
Log.Add("GetModuleHandleA","False");
return false;
}
// "LoadLibrary" is not an exported name; the replies point out the A/W-suffixed exports,
// which is why this branch fails in the original post.
int FuncAddress = API.GetProcAddress(ModuleHandle, "LoadLibrary");
Log.Add("FuncAddress", FuncAddress);
if (FuncAddress == 0)
{
// Uses API.GetLastError here but Marshal.GetLastWin32Error above — inconsistent, and neither
// is reliable without SetLastError = true on the declaration.
int ErrorCode = API.GetLastError();
Log.Add("Error Code", ErrorCode);
Log.Add("Error Info",API.GetSysErrMsg(ErrorCode));
Log.Add("GetProcAddress","False");
return false;
}
// Returned thread handle is never closed (handle leak); Tmp again marshals as NULL lpThreadId.
int ResultOfThread = API.CreateRemoteThread(AimProc.Handle, 0, 0, FuncAddress, BaseAddress, 0, Tmp);
Log.Add("ResultOfThread", ResultOfThread);
if (ResultOfThread == 0)
{
// Log label typo ("Flase") is a runtime string and is left as written.
Log.Add("CreateRemoteThread","Flase");
return false;
}
else
{
Log.Add("Inject","True","End");
}
return true;
}



实现的代码其实很简单。
1、找到进程句柄
2、分配内存空间
3、写入参数
4、获取LoadLibrary函数地址
5、远程调用函数


下面是Log


我很好奇为什么会返回错误。
难道是字符的问题?
threenewbee 2018-08-14
找不到指定模块一般是dll路径,还是32bit/64bit没搞对。
江湖评谈 2018-08-14
引用 6 楼 moodlee 的回复:
引用 5 楼 tangyanzhi1111 的回复:
会不会是系统的原因?
WIN10,装的卡巴斯基。


这个很难说
A 是LoadLibrary 的 ANSI
W是 Unicode

把 LoadLibraryA 改成LoadLibraryW ,也是有返回值的。



oodlee 2018-08-14
引用 5 楼 tangyanzhi1111 的回复:

会不会是系统的原因?
WIN10,装的卡巴斯基。
江湖评谈 2018-08-14
江湖评谈 2018-08-14
你那代码测试之后的结果

oodlee 2018-08-14
引用 2 楼 tangyanzhi1111 的回复:
补充:

这一句: int FuncAddress = API.GetProcAddress(ModuleHandle, "LoadLibrary");

改成: int FuncAddress = API.GetProcAddress(ModuleHandle, "LoadLibraryA");


FuncAddress ,就有返回值了。

我把代码改成了:

/// <summary>
/// Revised injector from the replies: enumerates processes with a Toolhelp32 snapshot, opens
/// the matching one with OpenProcess, and then performs the same
/// VirtualAllocEx/WriteProcessMemory/GetProcAddress("LoadLibraryA")/CreateRemoteThread
/// sequence as Execute. Same detection profile as Execute; every failure logs and returns false.
/// NOTE(review): the process handle obtained from OpenProcess and the thread handle from
/// CreateRemoteThread are never closed; only the snapshot handle is.
/// </summary>
/// <param name="DllName">Path string written verbatim into the target process.</param>
/// <param name="ProcessName">Substring matched case-insensitively against the snapshot's szExeFile; first match wins.</param>
/// <returns>true only when every step returned non-zero; false otherwise.</returns>
public static bool Inject(string DllName, string ProcessName)
{
const int PROCESS_ALL_ACCESS = 0x001F0FFF;
// Char count plus terminator; a byte count only under ANSI marshalling (see the API declarations).
int DllLength = DllName.Length + 1;
//
// 0x2 = TH32CS_SNAPPROCESS.
IntPtr handle = API.CreateToolhelp32Snapshot(0x2, 0);
IntPtr AimHandle = IntPtr.Zero;
// Zero-initialised; th32ProcessID == 0 below means "no match found".
ProcessEntry32 AimProc = new ProcessEntry32();
// INVALID_HANDLE_VALUE (-1) fails this test; the cast to int truncates on 64-bit — confirm
// the process is built as 32-bit.
if ((int)handle > 0)
{
ProcessEntry32 pe32 = new ProcessEntry32();
pe32.dwSize = (uint)Marshal.SizeOf(pe32);
int bMore = API.Process32First(handle, ref pe32);
while (bMore == 1)
{
// Round-trips the struct through unmanaged memory; the net effect is a copy of pe32
// into pe (a plain struct assignment would presumably do the same).
IntPtr temp = Marshal.AllocHGlobal((int)pe32.dwSize);
Marshal.StructureToPtr(pe32, temp, true);
ProcessEntry32 pe = (ProcessEntry32)Marshal.PtrToStructure(temp, typeof(ProcessEntry32));
Marshal.FreeHGlobal(temp);
// Culture-sensitive substring match on the executable file name.
if (pe.szExeFile.ToLower().IndexOf(ProcessName.ToLower()) != -1)
{
AimProc = pe;
break;
}
bMore = API.Process32Next(handle, ref pe32);
}
API.CloseHandle(handle);
}
if (AimProc.th32ProcessID != 0)
{
// Full-access handle to the target; never closed anywhere in this method.
AimHandle = (IntPtr)(API.OpenProcess(PROCESS_ALL_ACCESS, false, Convert.ToInt32(AimProc.th32ProcessID)));
}
Log.Add("AimHandle", AimHandle);
if (AimHandle == IntPtr.Zero)
{
// Label is misleading: the failing step is the snapshot lookup or OpenProcess, not FindWindow.
Log.Add("FindWindow", "Flase");
return false;
}
// 4096 = MEM_COMMIT (0x1000), 4 = PAGE_READWRITE.
int BaseAddress = API.VirtualAllocEx(AimHandle, 0, DllLength, 4096, 4);
Log.Add_("BaseAddress", BaseAddress, 16);
if (BaseAddress == 0)
{
// API.GetLastError via a separate P/Invoke is not guaranteed to be this call's error
// (same caveat at every error branch below).
int ErrorCode = API.GetLastError();
Log.Add("Error Code", ErrorCode);
Log.Add("Error Info", API.GetSysErrMsg(ErrorCode));
Log.Add("VirtualAllocEx", "False");
return false;
}
// Passed by value, so the native side receives 0 (NULL); Tmp stays 0.
int Tmp = 0;
int ResultOfWrite = API.WriteProcessMemory(AimHandle, BaseAddress, DllName, DllLength, Tmp);
Log.Add("ResultOfWrite", ResultOfWrite);
if (ResultOfWrite == 0)
{
int ErrorCode = API.GetLastError();
Log.Add("Error Code", ErrorCode);
Log.Add("Error Info", API.GetSysErrMsg(ErrorCode));
Log.Add("WriteProcessMemory", "False");
return false;
}
// Resolved in this process and reused in the target; assumes kernel32 has the same base in both.
int ModuleHandle = API.GetModuleHandleA("Kernel32.dll");
Log.Add_("ModuleHandle", ModuleHandle, 16);
if (ModuleHandle == 0)
{
int ErrorCode = API.GetLastError();
Log.Add("Error Code", ErrorCode);
Log.Add("Error Info", API.GetSysErrMsg(ErrorCode));
Log.Add("GetModuleHandleA", "False");
return false;
}
// The ANSI export is requested explicitly, matching the ANSI string written above.
int FuncAddress = API.GetProcAddress(ModuleHandle, "LoadLibraryA");
Log.Add("FuncAddress", FuncAddress);
if (FuncAddress == 0)
{
int ErrorCode = API.GetLastError();
Log.Add("Error Code", ErrorCode);
Log.Add("Error Info", API.GetSysErrMsg(ErrorCode));
Log.Add("GetProcAddress", "False");
return false;
}
// Thread handle is never closed; Tmp marshals as NULL lpThreadId.
int ResultOfThread = API.CreateRemoteThread(AimHandle, 0, 0, FuncAddress, BaseAddress, 0, Tmp);
Log.Add("ResultOfThread", ResultOfThread);
if (ResultOfThread == 0)
{
// Log label typo ("Flase") is a runtime string and is left as written.
Log.Add("CreateRemoteThread", "Flase");
return false;
}
else
{
Log.Add("Inject", "True", "End");
}
return true;
}

下面是Log:
江湖评谈 2018-08-14
补充:

这一句: int FuncAddress = API.GetProcAddress(ModuleHandle, "LoadLibrary");

改成: int FuncAddress = API.GetProcAddress(ModuleHandle, "LoadLibraryA");


FuncAddress ,就有返回值了。
江湖评谈 2018-08-14
AimProc.Handle 这个handle是托管的句柄,你要获取的是非托管地址
