CreateRemoteThread 返回成功了 但是自己的dll没有运行
求高手指点,代码如下
#include <Windows.h>
#include <iostream>
#include <TlHelp32.h>
#include <stdio.h>
using namespace std;
// Enables one named privilege (the caller passes SE_DEBUG_NAME) on the current
// process token. `name` is the privilege name string given to LookupPrivilegeValue.
// Always returns 0, so callers never learn whether the adjustment worked.
int EnableDebugPriv(const char *name)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;
// TOKEN_ALL_ACCESS already contains ADJUST_PRIVILEGES and QUERY, so this requests far
// more token access than the adjustment below needs (least privilege would be
// TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY only). The return value is unchecked: on failure
// hToken stays uninitialized and is still handed to AdjustTokenPrivileges.
OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY|TOKEN_ALL_ACCESS,&hToken);
// Unchecked: on failure `luid` is left uninitialized.
LookupPrivilegeValue(NULL,name,&luid);
tp.PrivilegeCount=1;
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid=luid;
// `a` is never read. NOTE(review): AdjustTokenPrivileges reports TRUE even when the
// privilege could not be enabled (GetLastError then returns ERROR_NOT_ALL_ASSIGNED),
// so a TRUE here would not prove the process actually holds the privilege.
bool a=AdjustTokenPrivileges(hToken,0,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL);
// hToken is never closed (handle leak); the constant 0 hides the outcome from the caller.
return 0;
}
// Loads the DLL at `DllFunPath` into process `dwRemoteProccessId` by starting a thread
// in that process at LoadLibraryA. The PID parameter is a WORD (16 bits): any PID above
// 65535 is silently truncated before OpenProcess ever sees it.
BOOL InjectDll(const char *DllFunPath,const WORD dwRemoteProccessId)
{
HANDLE hRemoteProccess;
SIZE_T tmp;
// Return value ignored (it is always 0 anyway).
EnableDebugPriv(SE_DEBUG_NAME);
// Unchecked: a NULL handle (access denied, or a PID mangled by the WORD parameter) is
// passed straight into VirtualAllocEx / WriteProcessMemory below.
hRemoteProccess=OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,FALSE,dwRemoteProccessId);
char *pszLibFileRemote;
// BUG (replies 3 and 4 on this page say the same): DllFunPath is a pointer, so
// sizeof(DllFunPath) is 4 or 8 bytes, not the length of the path string. Only that many
// bytes of the path reach the remote process, so the name LoadLibraryA receives there
// is truncated and unterminated -- the thread runs, but the DLL never loads.
// The return value (NULL on failure) is not checked.
pszLibFileRemote=(char *)VirtualAllocEx(hRemoteProccess,NULL,sizeof(DllFunPath),MEM_COMMIT,PAGE_READWRITE);
//bool a = WriteProcessMemory(hRemoteProccess,pszLibFileRemote,DllFunPath,lstrlen(DllFunPath)+1,&tmp);
// `t` is the byte count of the string plus its terminator, but it is never used.
int t=lstrlen(DllFunPath)+1;
// Same sizeof(pointer) mistake as above; `a` is never read, so a failed write is invisible.
bool a = WriteProcessMemory(hRemoteProccess,pszLibFileRemote,(void*)DllFunPath,sizeof(DllFunPath),&tmp);
//cout<<pszLibFileRemote<<endl;
// Resolves LoadLibraryA in this process and reuses that address in the target; this
// assumes kernel32 is mapped at the same base in both processes. Neither GetModuleHandle
// nor GetProcAddress is checked for NULL.
PTHREAD_START_ROUTINE pfnStartAddr=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32.dll")),"LoadLibraryA");
HANDLE hRemoteThread;
// Cross-process thread creation with a LoadLibrary start address: the
// VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread sequence is the classic
// remote DLL-loading pattern and is exactly what endpoint monitoring tools look for.
hRemoteThread=CreateRemoteThread(hRemoteProccess,NULL,0,pfnStartAddr,pszLibFileRemote,0,NULL);
if (hRemoteThread == NULL)
{
// This `a` shadows the outer `a` and is never printed; hRemoteProccess leaks on this path.
DWORD a=GetLastError();
cout<<"failed inject"<<endl;
return FALSE;
}
// ~100 seconds of sleep before the wait; presumably leftover debugging.
Sleep(100000);
::WaitForSingleObject( hRemoteThread, INFINITE );
// The remote allocation is never released with VirtualFreeEx, and the thread's exit
// code is never examined, so TRUE is returned even when the load itself failed.
CloseHandle(hRemoteProccess);
CloseHandle(hRemoteThread);
return TRUE;
}
// Returns the PID of the first snapshot entry that passes the name test in the body,
// or (DWORD)-1 if none does. `void main()` below is non-standard C++; `int main()` is required.
DWORD GetProcessId()
{
// -1 stored in an unsigned DWORD is 0xFFFFFFFF; the caller then truncates it to a WORD.
DWORD Pid=-1;
// The snapshot handle is never closed with CloseHandle (leak), and
// INVALID_HANDLE_VALUE is not checked before Process32First.
HANDLE hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
PROCESSENTRY32 lPrs;
ZeroMemory(&lPrs,sizeof(lPrs));
lPrs.dwSize=sizeof(lPrs);
// String literal bound to a non-const char* (deprecated conversion).
char *targetFile="explorer.exe";
// Return value unchecked.
Process32First(hSnap,&lPrs);
// Argument order makes this "is szExeFile a substring of targetFile", i.e. any process
// whose name is contained in "explorer.exe" matches; it is not an exact name comparison,
// and it is case-sensitive.
if (strstr(targetFile,lPrs.szExeFile))
{
Pid=lPrs.th32ProcessID;
return Pid;
}
while (1)
{
ZeroMemory(&lPrs,sizeof(lPrs));
// Comma expression: evaluates to sizeof(lPrs), so it works, but the `&lPrs,` is a typo.
lPrs.dwSize=(&lPrs,sizeof(lPrs));
if (!Process32Next(hSnap,&lPrs))
{
Pid = -1;
break;
}
// Same reversed substring test as above.
if (strstr(targetFile,lPrs.szExeFile))
{
Pid=lPrs.th32ProcessID;
break;
}
}
return Pid;
}
// Builds "<current directory>\injectdll.dll" and hands it to InjectDll.
void main()
{
char myFILE[MAX_PATH];
// Return value unchecked: when the directory name does not fit, the function reports the
// required size instead of filling the buffer, and the strcat below presumably appends
// to whatever was on the stack.
GetCurrentDirectory(MAX_PATH,myFILE);
// Unbounded strcat into a MAX_PATH buffer: a long current directory overflows it.
strcat(myFILE,"\\injectdll.dll");
// GetProcessId() can return (DWORD)-1 when nothing matched; InjectDll's WORD parameter
// truncates whatever it gets, and InjectDll's BOOL result is ignored.
InjectDll(myFILE,GetProcessId());
}
// ---- Second source file: the DLL that is loaded into the target process ----
#include "windows.h"
// Entry point of the injected DLL. `hModule` is declared as HANDLE rather than the
// conventional HINSTANCE; `lpReserved` is unused.
BOOL APIENTRY DllMain(HANDLE hModule,DWORD reason,LPVOID lpReserved)
{
// malloc'd on every call (process and thread attach/detach alike) and never freed.
char *szProcessId=(char *)malloc(10*sizeof(char));
// BUG: the buffer is uninitialized here, so this first MessageBox displays garbage and
// may read past the 10 bytes looking for a terminator. It also runs for every reason
// code, not just DLL_PROCESS_ATTACH.
MessageBox(NULL,szProcessId,"RemoteDLL",MB_OK);
MessageBeep(1);
switch(reason)
{
case DLL_PROCESS_ATTACH:
// 10 bytes hold 9 decimal digits plus the terminator; a 10-digit DWORD PID would
// overflow by one byte. NOTE(review): showing a modal dialog from DllMain executes
// under the loader lock, which Microsoft's DllMain guidance documents as unsafe
// (possible deadlock) -- DllMain should stay minimal.
_itoa(GetCurrentProcessId(),szProcessId,10);
MessageBox(NULL,szProcessId,"RemoteDLL",MB_OK);
}
return TRUE;
}

解决方案 »

  1.   

    设断点调试一下吧,看着倒是没有问题
    VirtualAllocEx、WriteProcessMemory等函数都检查一下返回值
      

  2.   

    全部都成功 就是dll没运行
      

  3.   

    pszLibFileRemote=(char *)VirtualAllocEx(hRemoteProccess,NULL,sizeof(DllFunPath),MEM_COMMIT,PAGE_READWRITE);
    这句话错了：第三个参数应该是要分配的长度，而 sizeof(DllFunPath) 是指针大小。
      

  4.   

    1.首先你要保证你的dll 可以用LoadLibraryA来正常加载。
    2. pszLibFileRemote=(char *)VirtualAllocEx(hRemoteProccess,NULL,sizeof(DllFunPath),MEM_COMMIT,PAGE_READWRITE);
    sizeof(DllFunPath) 改成 strlen(DllFunPath)+sizeof(*DllFunPath)
    //bool a = WriteProcessMemory(hRemoteProccess,pszLibFileRemote,DllFunPath,lstrlen(DllFunPath)+1,&tmp);
    int t=lstrlen(DllFunPath)+1;
    bool a = WriteProcessMemory(hRemoteProccess,pszLibFileRemote,(void*)DllFunPath,sizeof(DllFunPath),&tmp);
    这里的 sizeof(DllFunPath) 改成 t 即可。