
高手看下这远程注入错在哪
#include <windows.h>
#include <iostream>
using namespace std;
// Author's note (translated): the length of this function must be measured
// separately beforehand, and it must be `static` for its name to yield the real
// function address; otherwise the symbol is only the address of a
// `jmp <real function>` stub. In Release builds the compiler only treats it as
// one self-contained function (instead of optimizing it into ordinary code)
// when it is static.
// NOTE(review): this is the routine whose bytes main() copies into the target
// process with a hard-coded length of 0xff; its body is not visible in this
// excerpt, so neither that length nor the static/jmp claim above can be
// checked here.
static DWORD WINAPI ThreadProc(LPVOID lpParameter);
// Function-pointer types for the Win32 APIs the thread reaches through the
// `para` block below (the first two are stored in it; MessageBox is declared
// but not used in the visible part of the file).
typedef HMODULE (WINAPI *LPLoadLibrary)(LPCSTR);
typedef FARPROC (WINAPI *LPGetProcAddress)(HMODULE, LPCSTR); 
typedef int (WINAPI *LPMessageBox)(HWND, LPCSTR, LPCSTR, UINT); 
// ....
// Author's note (translated): further function-pointer types for the APIs the
// thread needs can be listed above.
// Parameter block handed to the injected thread. main() zero-fills it, fills
// it with memcpy, copies it into the target with WriteProcessMemory and passes
// that remote address as the thread argument, so the layout is part of a
// cross-process contract: do not reorder, add or resize members.
struct para
{
// Addresses of LoadLibraryA and GetProcAddress as resolved by GetProcAddress
// in the *injecting* process (see main()); nothing here verifies that they
// are valid in the target process.
LPLoadLibrary lploadlibrary;
LPGetProcAddress lpgetprocaddress;
// Ten fixed slots of 0xff bytes each for DLL names, export names and message
// strings. NOTE(review): main() fills them with memcpy(..., 0xff) from string
// literals much shorter than 0xff bytes, which reads past the end of each
// literal; copying strlen()+1 bytes, or strncpy with the slot size, would
// avoid that out-of-bounds read.
char dllname[10][0xff];
char funname[10][0xff];
char strname[10][0xff];
};
// Error reporter called after every failed Win32 call in main(); presumably
// prints GetLastError(), but its definition is not in this excerpt — confirm.
void ShowError();
void main()
{
HWND hwnd;
DWORD PID;
HANDLE hProcess;
hwnd = ::FindWindowEx(NULL, NULL, "CalcFrame", "计算器");
if (hwnd == NULL)
{
ShowError();
::ExitProcess(0xff);
}
::GetWindowThreadProcessId(hwnd, &PID); //不必判断返回值 
hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
if (hProcess == NULL)
{
ShowError();
::ExitProcess(0xff);
}

//构造传进去的参数
struct para parabuff;
memset(&parabuff, 0, sizeof(struct para));
parabuff.lploadlibrary = (LPLoadLibrary)::GetProcAddress(::GetModuleHandle("kernel32.dll"), "LoadLibraryA");
parabuff.lpgetprocaddress = (LPGetProcAddress)::GetProcAddress(::GetModuleHandle("kernel32.dll"), "GetProcAddress");
memcpy(parabuff.dllname[0], "kernel32.dll", 0xff);
memcpy(parabuff.dllname[1], "user32.dll", 0xff );
memcpy(parabuff.dllname[2], "ws2_32.dll", 0xff);
memcpy(parabuff.funname[0], "MessageBoxA", 0xff);
memcpy(parabuff.funname[1], "GetModuleHandleA", 0xff);
memcpy(parabuff.strname[0], "欢迎使用远程线程", 0xff);
memcpy(parabuff.strname[1], "远程线程:", 0xff);
//....上面还可以列出要用到的*.dll与API

//申请参数结构空间
LPVOID databuff = ::VirtualAllocEx(hProcess, NULL, sizeof(struct para), MEM_COMMIT, PAGE_READWRITE);
if (databuff == NULL)
{
ShowError();
::ExitProcess(0xff);
}

if (!::WriteProcessMemory(hProcess, databuff, &parabuff, sizeof(parabuff), NULL ))
{
ShowError();
::VirtualFreeEx(hProcess, databuff, 0, MEM_RELEASE);
::ExitProcess(0xff);
}

//代码长度是查出汇编文件查看出来的
LPVOID codebuff = ::VirtualAllocEx(hProcess, NULL, 0xff, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (codebuff == NULL)
{
ShowError();
::ExitProcess(0xff);
}
if (!::WriteProcessMemory(hProcess, codebuff, ThreadProc, 0xff, NULL ))
{
ShowError();
::VirtualFreeEx(hProcess, codebuff, 0, MEM_RELEASE);
::ExitProcess(0xff);
}
HANDLE hThread;
hThread = ::CreateRemoteThread(hProcess, //进程句柄
NULL, //安全属性
0, //堆栈大小
(LPTHREAD_START_ROUTINE)codebuff,
databuff, //参数
0, //创建标志 
NULL); //线程ID
if (hThread == NULL)
{
ShowError();
::VirtualFreeEx(hProcess, codebuff, 0, MEM_RELEASE);
::ExitProcess(0xff);
}

if (::WaitForSingleObject(hThread, INFINITE) == WAIT_FAILED)
{
ShowError();
::VirtualFreeEx(hProcess, codebuff, 0, MEM_RELEASE);
::ExitProcess(0xff);
}
DWORD status;  
if (!::GetExitCodeThread(hThread, &status))
{
ShowError(); //函数失败
::VirtualFreeEx(hProcess, codebuff, 0, MEM_RELEASE);
::ExitProcess(0xff);
}
else
{
cout << "线程退出码:"<< hex << status << endl; //dll.dll在目标进程中的地址
}
if (!::CloseHandle(hThread))
{
ShowError();
::Virtu