这两天在弄远程注入,发现原先的办法在 Win7 64 位上不成功,在网上找到如下代码(它改用 ntdll.dll 导出、但 SDK 头文件里没有声明的 NtCreateThreadEx):
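/*
 * Function-pointer type for ntdll!NtCreateThreadEx.
 *
 * NtCreateThreadEx is exported by ntdll.dll (Vista and later) but is not
 * declared in the public SDK headers, so the caller resolves it with
 * GetProcAddress() and casts the result to this type.
 *
 * The original typedef used DWORD64 for the three SIZE_T parameters and for
 * the return value, which is only ABI-correct in a 64-bit build.  SIZE_T /
 * ULONG / LONG keep the x64 layout byte-identical and make a 32-bit build
 * correct as well.  Parameter names follow the public NT headers (e.g. phnt).
 *
 * Returns an NTSTATUS (LONG): success is status >= 0.  Nt* routines do not
 * set the Win32 last-error value, so GetLastError() is meaningless after a
 * failed call; use RtlNtStatusToDosError() if a Win32 code is needed.
 */
typedef LONG (WINAPI *PFNTCREATETHREADEX)(
    PHANDLE     ThreadHandle,       /* out: handle to the created thread */
    ACCESS_MASK DesiredAccess,      /* e.g. THREAD_ALL_ACCESS (0x1FFFFF on Vista+) */
    PVOID       ObjectAttributes,   /* POBJECT_ATTRIBUTES; NULL is accepted */
    HANDLE      ProcessHandle,      /* target process; needs at least PROCESS_CREATE_THREAD */
    PVOID       StartRoutine,       /* thread entry, must be an address valid in the target */
    PVOID       Argument,           /* passed to StartRoutine, also a target-process address */
    ULONG       CreateFlags,        /* 0, or 1 (THREAD_CREATE_FLAGS_CREATE_SUSPENDED) */
    SIZE_T      ZeroBits,           /* 0 for default */
    SIZE_T      StackSize,          /* 0 for default */
    SIZE_T      MaximumStackSize,   /* 0 for default */
    PVOID       AttributeList       /* PPS_ATTRIBUTE_LIST; NULL is accepted */
);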
这里定义的其实不是结构体,而是一个函数指针类型 PFNTCREATETHREADEX;下面用 GetProcAddress 取到 NtCreateThreadEx 的地址后,强制转换成这个类型来调用(DesiredAccess 传的 0x1FFFFF 即 THREAD_ALL_ACCESS):
pFunc = GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtCreateThreadEx");
if( pFunc == NULL )
{
printf("MyCreateRemoteThread() : GetProcAddress(\"NtCreateThreadEx\") 调用失败!错误代码: [%d]/n",
GetLastError());
return FALSE;
}
((PFNTCREATETHREADEX)pFunc)(
&hThread,
0x1FFFFF,
NULL,
hProcess,
pThreadProc,
pRemoteBuf,
FALSE,
NULL,
NULL,
NULL,
NULL); if( hThread == NULL )
{
printf("MyCreateRemoteThread() : NtCreateThreadEx() 调用失败!错误代码: [%d]/n", GetLastError());
return FALSE;
}
请问这段怎么转换成 Delphi 的?大神们帮帮忙,发一下翻译后的代码。
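/*
 * Function-pointer type for ntdll!NtCreateThreadEx.
 *
 * NtCreateThreadEx is exported by ntdll.dll (Vista and later) but is not
 * declared in the public SDK headers, so the caller resolves it with
 * GetProcAddress() and casts the result to this type.
 *
 * The original typedef used DWORD64 for the three SIZE_T parameters and for
 * the return value, which is only ABI-correct in a 64-bit build.  SIZE_T /
 * ULONG / LONG keep the x64 layout byte-identical and make a 32-bit build
 * correct as well.  Parameter names follow the public NT headers (e.g. phnt).
 *
 * Returns an NTSTATUS (LONG): success is status >= 0.  Nt* routines do not
 * set the Win32 last-error value, so GetLastError() is meaningless after a
 * failed call; use RtlNtStatusToDosError() if a Win32 code is needed.
 */
typedef LONG (WINAPI *PFNTCREATETHREADEX)(
    PHANDLE     ThreadHandle,       /* out: handle to the created thread */
    ACCESS_MASK DesiredAccess,      /* e.g. THREAD_ALL_ACCESS (0x1FFFFF on Vista+) */
    PVOID       ObjectAttributes,   /* POBJECT_ATTRIBUTES; NULL is accepted */
    HANDLE      ProcessHandle,      /* target process; needs at least PROCESS_CREATE_THREAD */
    PVOID       StartRoutine,       /* thread entry, must be an address valid in the target */
    PVOID       Argument,           /* passed to StartRoutine, also a target-process address */
    ULONG       CreateFlags,        /* 0, or 1 (THREAD_CREATE_FLAGS_CREATE_SUSPENDED) */
    SIZE_T      ZeroBits,           /* 0 for default */
    SIZE_T      StackSize,          /* 0 for default */
    SIZE_T      MaximumStackSize,   /* 0 for default */
    PVOID       AttributeList       /* PPS_ATTRIBUTE_LIST; NULL is accepted */
);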
这里定义的其实不是结构体,而是一个函数指针类型 PFNTCREATETHREADEX;下面用 GetProcAddress 取到 NtCreateThreadEx 的地址后,强制转换成这个类型来调用(DesiredAccess 传的 0x1FFFFF 即 THREAD_ALL_ACCESS):
pFunc = GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtCreateThreadEx");
if( pFunc == NULL )
{
printf("MyCreateRemoteThread() : GetProcAddress(\"NtCreateThreadEx\") 调用失败!错误代码: [%d]/n",
GetLastError());
return FALSE;
}
((PFNTCREATETHREADEX)pFunc)(
&hThread,
0x1FFFFF,
NULL,
hProcess,
pThreadProc,
pRemoteBuf,
FALSE,
NULL,
NULL,
NULL,
NULL); if( hThread == NULL )
{
printf("MyCreateRemoteThread() : NtCreateThreadEx() 调用失败!错误代码: [%d]/n", GetLastError());
return FALSE;
}
请问这段怎么转换成 Delphi 的?大神们帮帮忙,发一下翻译后的代码。
(
PHANDLE ThreadHandle,
ACCESS_MASK DesiredAccess,
LPVOID ObjectAttributes,
HANDLE ProcessHandle,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
BOOL CreateSuspended,
DWORD64 dwStackSize,
DWORD64 dw1,
DWORD64 dw2,
LPVOID Unknown
);
这可不是一个结构体啊,这定义的是一个函数指针类型,只是参数比较多而已。Delphi 里对应的是过程类型(`TNtCreateThreadEx = function(...): LongInt; stdcall;`):返回值是 NTSTATUS,即 32 位的 LongInt,不是 Int64;32 位编译时还必须加 stdcall。
DesiredAccess:ACCESS_MASK;
ObjectAttributes:Pointer;
ProcessHandle:THandle;
lpStartAddress:TFNThreadStartRoutine;
lpParameter:Pointer;
CreateSuspended:BOOL;
dwStackSize:Int64;
dw1:Int64;
dw2:Int64;
Unknown:Pointer):Int64;
pFunc:= GetProcAddress(GetModuleHandle('ntdll.dll'),'NtCreateThreadEx');
if pFunc= nil then
begin
ShowMessage(IntToStr(GetLastError));
Result:=0;
end;
TNtCreateThreadEx(pFunc)(hThread,$1FFFFF,nil,hRemoteProcess,pfnStartAddr,pszLibFileRemote,False,0,0,0,nil);
if hThread=0 then
begin
ShowMessage('NtCreateThreadEx() 调用失败!错误代码:'+inttostr(GetLastError));
Result:=0;
end;都指望不上啊,求大神现身,这样吧 我自己翻译了下,哪位大神给指点下,我getlasterror返回0没问题,hthread也等于0,求指点!
TNtCreateThreadEx(pFunc)(hThread,$1FFFFF,nil,hRemoteProcess,pfnStartAddr,pszLibFileRemote,False,0,0,0,nil);
这句话可能也翻译得不对?能来个大神指点下?(补充两点:一、NtCreateThreadEx 返回的是 NTSTATUS,失败时不会设置 Win32 last-error,所以 GetLastError 返回 0 说明不了任何问题——应该保存返回值并检查是否 >= 0(NT_SUCCESS),需要 Win32 错误码时用 RtlNtStatusToDosError 转换。二、第一个参数是 PHANDLE:如果类型声明里 ThreadHandle 不是 var 参数,这里应传 @hThread 而不是 hThread,否则传进去的是值 0 即空指针,调用会失败,hThread 自然一直是 0。)
我的delphi定义:
pfnStartAddr: TFNThreadStartRoutine; //lib函数地址
pfnStartAddr := TFNThreadStartRoutine(GetProcAddress(GetModuleHandle('Kernel32'), 'LoadLibraryW'));
麻烦帮分析下。(另外要确认注入程序和目标进程的位数一致:pfnStartAddr 取的是本进程 kernel32 里 LoadLibraryW 的地址,只有同位数的目标进程里这个地址才有效,64 位注入器也不能把 32 位 DLL 注入 64 位进程。)
ntdll.dll 中没看到你所说的 NtCreateThreadEx 函数,VC 里是直接自己定义的。(说明:NtCreateThreadEx 是 Vista/Win7 及之后版本的 ntdll.dll 才导出的未公开函数,SDK 头文件里没有声明,所以 C 代码才用 typedef + GetProcAddress 的方式调用;在 XP 上 GetProcAddress 会返回 NULL。Delphi 里同样要自己声明过程类型,再用 GetProcAddress 取地址。)
我的delphi定义:
pfnStartAddr: TFNThreadStartRoutine; //lib函数地址
pfnStartAddr := TFNThreadStartRoutine(GetProcAddress(GetModuleHandle('Kernel32'), 'LoadLibraryW'));
麻烦帮分析下
你使用的是宽字符函数(LoadLibraryW),你传进去的也要是宽字符:写进目标进程的 DLL 路径必须是 UTF-16(Delphi 里用 WideString/PWideChar),WriteProcessMemory 的长度要按 (Length(路径)+1)*SizeOf(WideChar) 计算并包含结尾的 #0;要么就改用 LoadLibraryA 并写入 AnsiString。
我的delphi定义:
pfnStartAddr: TFNThreadStartRoutine; //lib函数地址
pfnStartAddr := TFNThreadStartRoutine(GetProcAddress(GetModuleHandle('Kernel32'), 'LoadLibraryW'));
麻烦帮分析下
你使用的是宽字符函数(LoadLibraryW),你传进去的也要是宽字符:写进目标进程的 DLL 路径必须是 UTF-16(Delphi 里用 WideString/PWideChar),WriteProcessMemory 的长度要按 (Length(路径)+1)*SizeOf(WideChar) 计算并包含结尾的 #0;要么就改用 LoadLibraryA 并写入 AnsiString。——不懂,应该怎么传?能贴一下代码吗?谢谢!