CreateRemoteThread 返回成功了 但是自己的dll没有运行
求高手指点,代码如下
#include <Windows.h>
#include <iostream>
#include <TlHelp32.h>
#include <stdio.h>using namespace std;int EnableDebugPriv(const char *name)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY|TOKEN_ALL_ACCESS,&hToken);
LookupPrivilegeValue(NULL,name,&luid);
tp.PrivilegeCount=1;
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid=luid;bool a=AdjustTokenPrivileges(hToken,0,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL);
return 0;
}BOOL InjectDll(const char *DllFunPath,const WORD dwRemoteProccessId)
{
HANDLE hRemoteProccess;
SIZE_T tmp;
EnableDebugPriv(SE_DEBUG_NAME);
hRemoteProccess=OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,FALSE,dwRemoteProccessId);
char *pszLibFileRemote;
pszLibFileRemote=(char *)VirtualAllocEx(hRemoteProccess,NULL,sizeof(DllFunPath),MEM_COMMIT,PAGE_READWRITE);
//bool a = WriteProcessMemory(hRemoteProccess,pszLibFileRemote,DllFunPath,lstrlen(DllFunPath)+1,&tmp);
int t=lstrlen(DllFunPath)+1;
bool a = WriteProcessMemory(hRemoteProccess,pszLibFileRemote,(void*)DllFunPath,sizeof(DllFunPath),&tmp);
//cout<<pszLibFileRemote<<endl;
PTHREAD_START_ROUTINE pfnStartAddr=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32.dll")),"LoadLibraryA");HANDLE hRemoteThread;
hRemoteThread=CreateRemoteThread(hRemoteProccess,NULL,0,pfnStartAddr,pszLibFileRemote,0,NULL);
if (hRemoteThread == NULL)
{
DWORD a=GetLastError();
cout<<"failed inject"<<endl;
return FALSE;
}
Sleep(100000);
::WaitForSingleObject( hRemoteThread, INFINITE );
CloseHandle(hRemoteProccess);
CloseHandle(hRemoteThread);
return TRUE;}DWORD GetProcessId()
{
DWORD Pid=-1;
HANDLE hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
PROCESSENTRY32 lPrs;
ZeroMemory(&lPrs,sizeof(lPrs));
lPrs.dwSize=sizeof(lPrs);
char *targetFile="explorer.exe";
Process32First(hSnap,&lPrs);
if (strstr(targetFile,lPrs.szExeFile))
{
Pid=lPrs.th32ProcessID;
return Pid;
}
while (1)
{
ZeroMemory(&lPrs,sizeof(lPrs));
lPrs.dwSize=(&lPrs,sizeof(lPrs));
if (!Process32Next(hSnap,&lPrs))
{
Pid = -1;
break;
}
if (strstr(targetFile,lPrs.szExeFile))
{
Pid=lPrs.th32ProcessID;
break;
}
}
return Pid;
}void main()
{
char myFILE[MAX_PATH];
GetCurrentDirectory(MAX_PATH,myFILE);
strcat(myFILE,"\\injectdll.dll");
InjectDll(myFILE,GetProcessId());
}#include "windows.h"
BOOL APIENTRY DllMain(HANDLE hModule,DWORD reason,LPVOID lpReserved)
{
char *szProcessId=(char *)malloc(10*sizeof(char));
MessageBox(NULL,szProcessId,"RemoteDLL",MB_OK);
MessageBeep(1);
switch(reason)
{
case DLL_PROCESS_ATTACH:
_itoa(GetCurrentProcessId(),szProcessId,10);
MessageBox(NULL,szProcessId,"RemoteDLL",MB_OK);
}
return TRUE;
}
求高手指点,代码如下
#include <Windows.h>
#include <iostream>
#include <TlHelp32.h>
#include <stdio.h>using namespace std;int EnableDebugPriv(const char *name)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY|TOKEN_ALL_ACCESS,&hToken);
LookupPrivilegeValue(NULL,name,&luid);
tp.PrivilegeCount=1;
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid=luid;bool a=AdjustTokenPrivileges(hToken,0,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL);
return 0;
}BOOL InjectDll(const char *DllFunPath,const WORD dwRemoteProccessId)
{
HANDLE hRemoteProccess;
SIZE_T tmp;
EnableDebugPriv(SE_DEBUG_NAME);
hRemoteProccess=OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,FALSE,dwRemoteProccessId);
char *pszLibFileRemote;
pszLibFileRemote=(char *)VirtualAllocEx(hRemoteProccess,NULL,sizeof(DllFunPath),MEM_COMMIT,PAGE_READWRITE);
//bool a = WriteProcessMemory(hRemoteProccess,pszLibFileRemote,DllFunPath,lstrlen(DllFunPath)+1,&tmp);
int t=lstrlen(DllFunPath)+1;
bool a = WriteProcessMemory(hRemoteProccess,pszLibFileRemote,(void*)DllFunPath,sizeof(DllFunPath),&tmp);
//cout<<pszLibFileRemote<<endl;
PTHREAD_START_ROUTINE pfnStartAddr=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32.dll")),"LoadLibraryA");HANDLE hRemoteThread;
hRemoteThread=CreateRemoteThread(hRemoteProccess,NULL,0,pfnStartAddr,pszLibFileRemote,0,NULL);
if (hRemoteThread == NULL)
{
DWORD a=GetLastError();
cout<<"failed inject"<<endl;
return FALSE;
}
Sleep(100000);
::WaitForSingleObject( hRemoteThread, INFINITE );
CloseHandle(hRemoteProccess);
CloseHandle(hRemoteThread);
return TRUE;}DWORD GetProcessId()
{
DWORD Pid=-1;
HANDLE hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
PROCESSENTRY32 lPrs;
ZeroMemory(&lPrs,sizeof(lPrs));
lPrs.dwSize=sizeof(lPrs);
char *targetFile="explorer.exe";
Process32First(hSnap,&lPrs);
if (strstr(targetFile,lPrs.szExeFile))
{
Pid=lPrs.th32ProcessID;
return Pid;
}
while (1)
{
ZeroMemory(&lPrs,sizeof(lPrs));
lPrs.dwSize=(&lPrs,sizeof(lPrs));
if (!Process32Next(hSnap,&lPrs))
{
Pid = -1;
break;
}
if (strstr(targetFile,lPrs.szExeFile))
{
Pid=lPrs.th32ProcessID;
break;
}
}
return Pid;
}void main()
{
char myFILE[MAX_PATH];
GetCurrentDirectory(MAX_PATH,myFILE);
strcat(myFILE,"\\injectdll.dll");
InjectDll(myFILE,GetProcessId());
}#include "windows.h"
BOOL APIENTRY DllMain(HANDLE hModule,DWORD reason,LPVOID lpReserved)
{
char *szProcessId=(char *)malloc(10*sizeof(char));
MessageBox(NULL,szProcessId,"RemoteDLL",MB_OK);
MessageBeep(1);
switch(reason)
{
case DLL_PROCESS_ATTACH:
_itoa(GetCurrentProcessId(),szProcessId,10);
MessageBox(NULL,szProcessId,"RemoteDLL",MB_OK);
}
return TRUE;
}
解决方案 »
- CString多次引用的问题,程序退出时提示错误,出错提示为:File:dbgheap.c Line:1017
- 关于实现图片的拖动
- 刚学vc,不懂资源怎么编辑,请指点::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
- createthread的问题
- vc++使用时的控件问题
- 怎么获取treectrl中的节点lParam的值?
- 获得鼠标当前所指窗口问题
- 用ATL如何开发一个带有对话框的组件?
- 100分求代理服务器
- 一个及其初级的问题
- 我的32位程序(用到了Hook技术)在64位OS下运行时遇到的问题!
- 添加ATL简单对象的问题
VirtualAllocEx、WriteProcessMemory等函数都检查一下返回值
这句话错了 第三个参数应该是要分配的长度,而sizeof是指针大小
2. pszLibFileRemote=(char *)VirtualAllocEx(hRemoteProccess,NULL,sizeof(DllFunPath),MEM_COMMIT,PAGE_READWRITE);
sizeof(DllFunPath) 改成 strlen(DllFunPath)+sizeof(*DllFunPath)//bool a = WriteProcessMemory(hRemoteProccess,pszLibFileRemote,DllFunPath,lstrlen(DllFunPath)+1,&tmp);
int t=lstrlen(DllFunPath)+1;
bool a = WriteProcessMemory(hRemoteProccess,pszLibFileRemote,(void*)DllFunPath,sizeof(DllFunPath),&tmp);sizeof(DllFunPath)改成t即可