CreateRemoteThread创建远程线程
HANDLE CreateRemoteThread(
HANDLE hProcess, 进程句柄
LPSECURITY_ATTRIBUTES lpThreadAttributes,线程安全描述字,指向SECURITY_ATTRIBUTES结构的指针
SIZE_T dwStackSize,线程栈大小,以字节表示
LPTHREAD_START_ROUTINE lpStartAddress,一个LPTHREAD_START_ROUTINE类型的指针,指向在远程进程中执行的函数地址
LPVOID lpParameter,传入参数
DWORD dwCreationFlags,创建线程的其它标志
LPDWORD lpThreadId,线程标识符,如果为NULL,则不返回线程ID
);请问如何调用自己写的DLL中函数的过程! 谢谢回复!!!
HANDLE CreateRemoteThread(
HANDLE hProcess, 进程句柄
LPSECURITY_ATTRIBUTES lpThreadAttributes,线程安全描述字,指向SECURITY_ATTRIBUTES结构的指针
SIZE_T dwStackSize,线程栈大小,以字节表示
LPTHREAD_START_ROUTINE lpStartAddress,一个LPTHREAD_START_ROUTINE类型的指针,指向在远程进程中执行的函数地址
LPVOID lpParameter,传入参数
DWORD dwCreationFlags,创建线程的其它标志
LPDWORD lpThreadId,线程标识符,如果为NULL,则不返回线程ID
);请问如何调用自己写的DLL中函数的过程! 谢谢回复!!!
/*
CC INT 3
E8 00000000 CALL HI.00401209
5B POP EBX
81EB 09124000 SUB EBX,HI.00401209 ; entry address -> EBX
8D83 44124000 LEA EAX,DWORD PTR DS:[EBX+____FileName]
50 PUSH EAX
FF93 38124000 CALL DWORD PTR DS:[EBX+DataPool]
8D93 38144000 LEA EDX,DWORD PTR DS:[EBX+____Entry]
52 PUSH EDX
50 PUSH EAX
FF93 3C124000 CALL DWORD PTR DS:[EBX+____GetProcAddres>
0BC0 OR EAX,EAX
74 08 JE SHORT HI.00401237
FFB3 40124000 PUSH DWORD PTR DS:[EBX+____Window]
FFD0 CALL EAX
C3 RETN
*/
/*
 * lpShellCode: the 32-bit x86 machine code listed above, as a byte array.
 * InjectWindow() below copies it into the target process, immediately
 * followed by an InjectionStruct.
 *
 * The CALL rel32=0 / POP EBX / SUB EBX,0x401209 prologue leaves in EBX the
 * difference between where the bytes actually landed and where they were
 * linked, so the [EBX+0x4012xx] memory operands that follow rebase link-time
 * data addresses at run time. Those displacements (0x401238, 0x40123C,
 * 0x401240, 0x401244, 0x401438) appear to line up with the InjectionStruct
 * fields in the order they are declared further down this page, assuming
 * 4-byte FARPROC/HWND; the bytes are therefore tied to that exact layout and
 * to a 32-bit target -- TODO confirm against the build they were dumped from.
 *
 * NOTE(review): ENABLE_REMOTE_DEBUG prepends 0xCC (INT 3); the prologue
 * tolerates it because EBX is derived from the POP's own address, not from
 * the start of the array.
 */
BYTE lpShellCode[]=
{
#if ENABLE_REMOTE_DEBUG
    0xCC, //int 3
#endif
    0xE8,0x00,0x00,0x00,0x00, //CALL HI.00401209
    0x5B, //POP EBX
    0x81,0xEB,0x09,0x12,0x40,0x00, //SUB EBX,HI.00401209 ; entry address -> EBX
    0x8D,0x83,0x44,0x12,0x40,0x00, //LEA EAX,DWORD PTR DS:[EBX+____FileName]
    0x50, //PUSH EAX
    0xFF,0x93,0x38,0x12,0x40,0x00, //CALL DWORD PTR DS:[EBX+DataPool]
    0x8D,0x93,0x38,0x14,0x40,0x00, //LEA EDX,DWORD PTR DS:[EBX+____Entry]
    0x52, //PUSH EDX
    0x50, //PUSH EAX
    0xFF,0x93,0x3C,0x12,0x40,0x00, //CALL DWORD PTR DS:[EBX+____GetProcAddres>
    0x0B,0xC0, //OR EAX,EAX
    0x74,0x08, //JE SHORT HI.00401237
    0xFF,0xB3,0x40,0x12,0x40,0x00, //PUSH DWORD PTR DS:[EBX+____Window]
    0xFF,0xD0, //CALL EAX
    0xC3 //RETN
};
/**
 * Writes lpShellCode plus an InjectionStruct into the process that owns
 * hWindow and starts a remote thread at the copied code. Per the stub's own
 * annotations, that code loads inject.szFileName and calls the export named
 * in inject.szEntry with inject.hWindow as its argument.
 *
 * @param hWindow   window whose owning process is the target (resolved with
 *                  GetWindowThreadProcessId); also stored in inject.hWindow
 * @param szModule  module path, copied into inject.szFileName (char[500])
 * @param szEntry   export name, copied into inject.szEntry (char[100])
 * @return TRUE once the remote thread has been requested, FALSE if
 *         OpenProcess or VirtualAllocEx failed. Failures of
 *         WriteProcessMemory and CreateRemoteThread are not reported.
 *
 * NOTE(review): defects visible in this body --
 *  - both strcpy() calls are unbounded: a szModule longer than 499 bytes or
 *    a szEntry longer than 99 bytes overflows the fixed struct buffers;
 *  - hProcess is never closed on any path (handle leak);
 *  - GetWindowThreadProcessId's return value is ignored, so dwProcessID is
 *    read uninitialized when hWindow is not a valid window;
 *  - hMod, both WriteProcessMemory calls and CreateRemoteThread are
 *    unchecked; a NULL hThread is still passed to CloseHandle and TRUE is
 *    still returned;
 *  - the remote region is PAGE_EXECUTE_READWRITE (writable + executable),
 *    and the whole path is 32-bit-only by construction of lpShellCode.
 */
BOOL InjectWindow(HWND hWindow,LPCSTR szModule,LPCSTR szEntry)
{
    InjectionStruct inject;
    DWORD dwProcessID;                              /* only set if GetWindowThreadProcessId succeeds */
    DWORD dwBytesWritten;                           /* written by WriteProcessMemory, never inspected */
    HMODULE hMod=GetModuleHandle("kernel32.dll");   /* NULL not checked */
    HANDLE hProcess;
    LPVOID lpRemoteCode;
    HANDLE hThread;
    DWORD dwShellCodeSize=sizeof(lpShellCode);      /* includes the INT 3 when ENABLE_REMOTE_DEBUG */
    /* Resolve the two kernel32 exports the stub calls through the struct. */
    inject._LoadLibrary=GetProcAddress(hMod,"LoadLibraryA");
    inject._GetProcAddress=GetProcAddress(hMod,"GetProcAddress");
    inject.hWindow=hWindow;
    strcpy(inject.szFileName,szModule);             /* unbounded copy into char[500] */
    strcpy(inject.szEntry,szEntry);                 /* unbounded copy into char[100] */
    GetWindowThreadProcessId(hWindow,&dwProcessID); /* return value ignored */
    hProcess=OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE,FALSE,dwProcessID);
    if(hProcess)
    {
        /* One region for code followed directly by the struct; the stub's
         * displacements depend on the struct starting at code + dwShellCodeSize. */
        lpRemoteCode=VirtualAllocEx(hProcess,NULL,dwShellCodeSize + sizeof(InjectionStruct),MEM_COMMIT,PAGE_EXECUTE_READWRITE);
        if(lpRemoteCode)
        {
            WriteProcessMemory(hProcess,lpRemoteCode,lpShellCode,dwShellCodeSize,&dwBytesWritten);
            WriteProcessMemory(hProcess,(LPBYTE)lpRemoteCode+dwShellCodeSize,&inject,sizeof(InjectionStruct),&dwBytesWritten);
            hThread=CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)lpRemoteCode,NULL,0,0);
            CloseHandle(hThread);                   /* hThread may be NULL here */
            return TRUE;                            /* hProcess leaked; remote region intentionally left mapped */
        }
    }
    return FALSE;                                   /* hProcess leaked when VirtualAllocEx failed */
}
hWindow就是InjectWindow的第一个参数。
/* NOTE(review): the opening 'typedef struct' line is missing from the page as
 * pasted. The field order and sizes below are what lpShellCode's hard-coded
 * displacements appear to assume (4-byte FARPROC/HWND, 32-bit only); do not
 * reorder or resize them without regenerating the stub bytes. */
{
    FARPROC _LoadLibrary;       /* set by InjectWindow to GetProcAddress(kernel32, "LoadLibraryA") */
    FARPROC _GetProcAddress;    /* set by InjectWindow to GetProcAddress(kernel32, "GetProcAddress") */
    HWND hWindow;               /* pushed by the stub as the single argument of the resolved export */
    char szFileName[500];       /* module path; InjectWindow fills it with an unbounded strcpy */
    char szEntry[100];          /* export name; same unbounded strcpy */
}InjectionStruct;               /* NOTE(review): leading-underscore + uppercase names are reserved identifiers in C */
pszParam, 0, TempVar);pfnStartAddr 是用 GetProcAddress 之类的方法获得的函数地址_____________________
http://lysoft.7u7.net