1,486
社区成员
发帖
与我相关
我的任务
分享关于CreateRemoteThread,VirtualAllocEx .....来帮忙啊.
CreateRemoteThread
函数原型
HANDLE CreateRemoteThread(
HANDLE hProcess, // handle to process
LPSECURITY_ATTRIBUTES lpThreadAttributes, // SD
SIZE_T dwStackSize, // initial stack size
LPTHREAD_START_ROUTINE lpStartAddress, // thread function
LPVOID lpParameter, // thread argument
DWORD dwCreationFlags, // creation option
LPDWORD lpThreadId // thread identifier
);
hProcess
[输入] 进程句柄
lpThreadAttributes
[输入] 线程安全描述字,指向SECURITY_ATTRIBUTES结构的指针
dwStackSize
[输入] 线程栈大小,以字节表示
lpStartAddress
[输入] 一个LPTHREAD_START_ROUTINE类型的指针,指向在远程进程中执行的函数地址
lpParameter
[输入] 传入参数
dwCreationFlags
[输入] 创建线程的其它标志
lpThreadId
[输出] 线程身份标志,如果为NULL,则不返回
在VB调用中 hProcess参数传入的是用OpenProcess得到的进程id,lpThreadAttributes ,dwStackSize 传入0&,lpStartAddress 传入的是LoadLibrayW函数在kernel32中的地址.lpParameter 传入的是个地址,这个地址位于hProcess进程空间中,通过VirtualAllocEx 函数返回的.问题是函数调用总是不成功,lpParameter 是个long 型.在使用CopyMemory函数时如下这样就可以实现指针
dim x as long ,xaddress as long ,y as long
x=34
xaddress=VarPtr(x)
CopyMemory y , byval xaddress , 2
运行后 y=34 但是必须使用byval关键字,但在使用CreateRemoteThread时似乎不太好使
不知道哪位仁兄有好的手段........谢谢.
函数原型
HANDLE CreateRemoteThread(
HANDLE hProcess, // handle to process
LPSECURITY_ATTRIBUTES lpThreadAttributes, // SD
SIZE_T dwStackSize, // initial stack size
LPTHREAD_START_ROUTINE lpStartAddress, // thread function
LPVOID lpParameter, // thread argument
DWORD dwCreationFlags, // creation option
LPDWORD lpThreadId // thread identifier
);
hProcess
[输入] 进程句柄
lpThreadAttributes
[输入] 线程安全描述字,指向SECURITY_ATTRIBUTES结构的指针
dwStackSize
[输入] 线程栈大小,以字节表示
lpStartAddress
[输入] 一个LPTHREAD_START_ROUTINE类型的指针,指向在远程进程中执行的函数地址
lpParameter
[输入] 传入参数
dwCreationFlags
[输入] 创建线程的其它标志
lpThreadId
[输出] 线程身份标志,如果为NULL,则不返回
在VB调用中 hProcess参数传入的是用OpenProcess得到的进程id,lpThreadAttributes ,dwStackSize 传入0&,lpStartAddress 传入的是LoadLibrayW函数在kernel32中的地址.lpParameter 传入的是个地址,这个地址位于hProcess进程空间中,通过VirtualAllocEx 函数返回的.问题是函数调用总是不成功,lpParameter 是个long 型.在使用CopyMemory函数时如下这样就可以实现指针
dim x as long ,xaddress as long ,y as long
x=34
xaddress=VarPtr(x)
CopyMemory y , byval xaddress , 2
运行后 y=34 但是必须使用byval关键字,但在使用CreateRemoteThread时似乎不太好使
不知道哪位仁兄有好的手段........谢谢.
...全文
请发表友善的回复…
发表回复
bbe 2003-08-12
- 打赏
- 举报
Option Explicit
Private Const PROCESS_CREATE_THREAD = &H2
Private Const PROCESS_QUERY_INFORMATION = &H400
Private Const PROCESS_VM_WRITE = &H20
Private Const PROCESS_VM_OPERATION = &H8
Private Const MEM_COMMIT = &H1000
Private Const MEM_RELEASE = &H8000
Private Const PAGE_READWRITE = &H4
Private Const INFINITE = &HFFFFFFFF
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, _
lpAddress As Any, _
ByVal dwSize As Long, _
ByVal flAllocationType As Long, _
ByVal flProtect As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, _
lpAddress As Any, _
ByVal dwSize As Long, _
ByVal dwFreeType As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function lstrlen Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Sub InjectLibA(ByVal dwProcessId As Long, ByVal pszLibFile As String)
Dim hProcess As Long, hThread As Long
Dim pszLibFileRemote As Long
On Error GoTo errhandle
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or _
PROCESS_CREATE_THREAD Or _
PROCESS_VM_OPERATION Or _
PROCESS_VM_WRITE, _
0, dwProcessId)
If hProcess = 0 Then GoTo errhandle
Dim cch As Long, cb As Long
cch = 1 + LenB(StrConv(pszLibFile, vbFromUnicode))
cb = cch
pszLibFileRemote = VirtualAllocEx(hProcess, 0&, cb, MEM_COMMIT, PAGE_READWRITE)
If pszLibFileRemote = 0 Then GoTo errhandle
If (WriteProcessMemory(hProcess, pszLibFileRemote, ByVal pszLibFile, cb, ByVal 0&) = 0) Then GoTo errhandle
Dim pfnThreadRtn As Long
pfnThreadRtn = GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA")
If pfnThreadRtn = 0 Then GoTo errhandle
hThread = CreateRemoteThread(hProcess, ByVal 0&, 0&, ByVal pfnThreadRtn, pszLibFileRemote, 0, ByVal 0&)
If (hThread = 0) Then GoTo errhandle
WaitForSingleObject hThread, INFINITE
errhandle:
If pszLibFileRemote <> 0 Then _
VirtualFreeEx hProcess, pszLibFileRemote, 0, MEM_RELEASE
If hThread <> 0 Then _
CloseHandle hThread
If hProcess <> 0 Then _
CloseHandle hProcess
End Sub
Private Sub Command1_Click()
InjectLibA CLng(Text1.Text), GetAppPath & "22 ImgWalk.dll"
End Sub
Private Function GetAppPath() As String
GetAppPath = IIf(Right$(App.Path, 1) <> "\", App.Path & "\", App.Path)
End Function
Private Const PROCESS_CREATE_THREAD = &H2
Private Const PROCESS_QUERY_INFORMATION = &H400
Private Const PROCESS_VM_WRITE = &H20
Private Const PROCESS_VM_OPERATION = &H8
Private Const MEM_COMMIT = &H1000
Private Const MEM_RELEASE = &H8000
Private Const PAGE_READWRITE = &H4
Private Const INFINITE = &HFFFFFFFF
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, _
lpAddress As Any, _
ByVal dwSize As Long, _
ByVal flAllocationType As Long, _
ByVal flProtect As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, _
lpAddress As Any, _
ByVal dwSize As Long, _
ByVal dwFreeType As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function lstrlen Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Sub InjectLibA(ByVal dwProcessId As Long, ByVal pszLibFile As String)
Dim hProcess As Long, hThread As Long
Dim pszLibFileRemote As Long
On Error GoTo errhandle
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or _
PROCESS_CREATE_THREAD Or _
PROCESS_VM_OPERATION Or _
PROCESS_VM_WRITE, _
0, dwProcessId)
If hProcess = 0 Then GoTo errhandle
Dim cch As Long, cb As Long
cch = 1 + LenB(StrConv(pszLibFile, vbFromUnicode))
cb = cch
pszLibFileRemote = VirtualAllocEx(hProcess, 0&, cb, MEM_COMMIT, PAGE_READWRITE)
If pszLibFileRemote = 0 Then GoTo errhandle
If (WriteProcessMemory(hProcess, pszLibFileRemote, ByVal pszLibFile, cb, ByVal 0&) = 0) Then GoTo errhandle
Dim pfnThreadRtn As Long
pfnThreadRtn = GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA")
If pfnThreadRtn = 0 Then GoTo errhandle
hThread = CreateRemoteThread(hProcess, ByVal 0&, 0&, ByVal pfnThreadRtn, pszLibFileRemote, 0, ByVal 0&)
If (hThread = 0) Then GoTo errhandle
WaitForSingleObject hThread, INFINITE
errhandle:
If pszLibFileRemote <> 0 Then _
VirtualFreeEx hProcess, pszLibFileRemote, 0, MEM_RELEASE
If hThread <> 0 Then _
CloseHandle hThread
If hProcess <> 0 Then _
CloseHandle hProcess
End Sub
Private Sub Command1_Click()
InjectLibA CLng(Text1.Text), GetAppPath & "22 ImgWalk.dll"
End Sub
Private Function GetAppPath() As String
GetAppPath = IIf(Right$(App.Path, 1) <> "\", App.Path & "\", App.Path)
End Function
jlum99 2003-08-12
- 打赏
- 举报
我的程序大体也都是这样的,但是感觉问题总出在CreateRemoteThread上。没有用到copymemory函数,本身例子就是讲打破进程壁垒的,我说copymemory函数,只是拿来做个比较,就是关于参数传递的问题。bbe 仁兄的程序比较贴近书上写的,试试看,好用结帖。至于 zyl910(910:分儿,我又来了!) 说的,必须ThreadProc类型函数的地址好象没什么关系,因为lpStartAddress函数是通GetProcAddress函数得到的。有个问题就是C里的NULL为什么要用byval 0&代替??
jlum99 2003-08-12
- 打赏
- 举报
问题解决了,主要还是那两个参数的传入形式,整个例子还包括从目标进程里卸载DLL,方法大同小异.揭贴.
James0001 2003-08-12
- 打赏
- 举报
这个方法真是经典,利用了 LoadLibrary 和 线程入口函数 的共同点。
James0001 2003-08-12
- 打赏
- 举报
可以是 LoadLibraryW 的地址,只是你不能用 CopyMemory,要用 WriteProcessMemory 来把数据写入其它进程的内存里。
CopyMemory 只是针对当前进程的,要知道,每个进程都有自己单独的进程空间。
CopyMemory 只是针对当前进程的,要知道,每个进程都有自己单独的进程空间。
jlum99 2003-08-11
- 打赏
- 举报
没人感兴趣吗??还是没难度啊..................UP
jlum99 2003-08-11
- 打赏
- 举报
顶..............哪位仁兄还有高见啊,一并说说啊
jlum99 2003-08-11
- 打赏
- 举报
哦,不过现在的机器上不了网,就是<windows核心编程>那本书里的injectDll的例子.讲DLL注入的
zyl910 2003-08-11
- 打赏
- 举报
给我看看VC的例子
zyl910@sina.com
zyl910@sina.com
jlum99 2003-08-11
- 打赏
- 举报
VC的例子确实是这样写的啊,而且编译后工作也是正常的.为什么VB不行????
zyl910 2003-08-11
- 打赏
- 举报
lpStartAddress 传入的是LoadLibrayW函数在kernel32中的地址
===========================
lpStartAddress必须是ThreadProc类型函数的地址
而不是模块的地址
===========================
lpStartAddress必须是ThreadProc类型函数的地址
而不是模块的地址
yunfeng007 2003-08-11
- 打赏
- 举报
在帮你顶~~
jlum99 2003-08-11
- 打赏
- 举报
自己顶..........斑竹大哥哪里去了
jlum99 2003-08-11
- 打赏
- 举报
自己顶.........
