如题;
用 CreateRemoteThread 和 LoadLibrary 把自己写的 DLL 注入到指定进程空间。
一开始的时候没有问题,百试不爽;不知道从什么时候开始,莫名其妙地一旦线程注入,目标进程就不响应了。注意,不是弹出框直接崩溃的那种! Win7 一会儿就提示目标进程停止工作了,但此时目标进程仍然在继续运行,因为屏幕上仍在不断地输出文字。我想知道这是为什么?
用 CreateRemoteThread 和 LoadLibrary 把自己写的 DLL 注入到指定进程空间。
一开始的时候没有问题,百试不爽;不知道从什么时候开始,莫名其妙地一旦线程注入,目标进程就不响应了。注意,不是弹出框直接崩溃的那种! Win7 一会儿就提示目标进程停止工作了,但此时目标进程仍然在继续运行,因为屏幕上仍在不断地输出文字。我想知道这是为什么?
http://blog.csdn.net/maoxing63570/archive/2011/03/16/6254764.aspx
// Fragment of a dialog handler (uses m_hWnd, the MFC one-argument
// MessageBox overload and bare `return ;`, so the enclosing function is a
// void member that starts above this excerpt). It reads a PID from
// IDC_EDIT1 and makes the target process call LoadLibraryW on a fixed path.
char sProcessID[10]={0};
// The edit-box text is not validated: anything atoi() cannot parse becomes
// PID 0, which OpenProcess rejects with the generic failure below.
GetDlgItemTextA(m_hWnd,IDC_EDIT1,sProcessID,10); HANDLE hDestProcess=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,atoi(sProcessID));
if(hDestProcess==NULL)
{
MessageBox(L"open remote process failed!");
return ;
} TCHAR pszDllFileName[MAX_PATH]=L"D:\\test\\dlltest.dll";
// cb counts the terminating NUL; the L"" initializer only compiles in a
// UNICODE build, where TCHAR is wchar_t.
int cb=(lstrlen(pszDllFileName)+1)*sizeof(TCHAR);
// The VirtualAllocEx result is not checked; a NULL here is only noticed
// indirectly when WriteProcessMemory fails.
PWSTR pszRemoteDllFileName=(PWSTR)VirtualAllocEx(hDestProcess,NULL,cb,MEM_COMMIT,PAGE_READWRITE);
if(!WriteProcessMemory(hDestProcess,pszRemoteDllFileName,(LPVOID)pszDllFileName,cb,NULL))
{
MessageBox(L"write remote process memory failed!");
// Resource leak: hDestProcess is never closed on this or any other path.
return ;
} PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
// The new thread's entry point is LoadLibraryW, so the target's loader runs
// the DLL's DllMain while it holds the loader lock. LoadLibraryW does not
// return until DllMain returns; if DllMain never returns (the DllMain
// below loops forever), every other thread in the target that needs the
// loader lock blocks -- that is the "not responding" symptom asked about.
HANDLE hRemoteThread=CreateRemoteThread(hDestProcess,NULL,0,pfnStartAddr,pszRemoteDllFileName,0,NULL);
if(hRemoteThread==NULL)
{
MessageBox(L"create remote thread failed!");
return ;
}
// hRemoteThread and hDestProcess both leak here; the remote buffer is
// also never freed with VirtualFreeEx.
////////////////////////////////////
// Entry point of the injected DLL. The switch does nothing (every case just
// breaks), so the code after it runs on EVERY notification -- process
// attach, process detach and each thread attach/detach -- not only on
// DLL_PROCESS_ATTACH.
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
// DllMain executes while the process's loader lock is held. A modal
// MessageBox here pumps messages and may itself load DLLs, which the
// DllMain rules forbid; it is a common source of deadlocks.
MessageBox(NULL,L"remote thread is running ",L"OK",0);
// DEFECT: this loop never exits, so DllMain never returns, the LoadLibrary
// call that invoked it never completes, and the loader lock is never
// released. Any other thread of the host that then calls LoadLibrary,
// GetModuleHandle, thread creation/exit, etc. blocks on that lock, which is
// exactly the "process stops responding but keeps drawing" behaviour seen.
while (1)
{
// GetDC(NULL) is the whole screen; the text is placed at a random point of
// a 1366x768 area. rand() is never seeded, so the sequence repeats per run.
HDC hDC=::GetDC(NULL);
TextOut(hDC,rand()%1366,rand()%768,L"远程线程正在执行ing",lstrlen(L"远程线程正在执行ing"));
ReleaseDC(NULL,hDC);
Sleep(1000);
}
// Unreachable because of the loop above.
return TRUE;
}
// Duplicate of the loop inside the DllMain above, pasted outside any
// function. As written it is not valid at file scope; it appears to be a
// copy/paste artefact of the forum post rather than additional code.
while (1)
{
HDC hDC=::GetDC(NULL);
TextOut(hDC,rand()%1366,rand()%768,L"远程线程正在执行ing",lstrlen(L"远程线程正在执行ing"));
ReleaseDC(NULL,hDC);
Sleep(1000);
}
再试一下。因为 LoadLibrary、GetModuleHandle 等和加载器有关的 API 是要上加载器锁的;加载器锁在同一线程内可以递归上锁,但是你的线程在 DllMain 中一直不返回,LoadLibrary 就不会结束,加载器锁也不会释放。一旦当前进程的其他线程调用这样的 API,就会一直等待解锁,导致无响应。
#include<windows.h>
#include<stdio.h>
#include<Tlhelp32.h>
BOOL EnabledebugPriviledge();
DWORD GetSpecifiedProcessId(const char *pszProcessName);
char* WSTRToAnsi(WCHAR* Msg);
BOOL jiazai(DWORD processid);
// Program entry point: looks up a process by executable name and makes it
// call LoadLibraryA on a fixed DLL path via CreateRemoteThread.
// NOTE: `BOOL main()` is non-standard; C++ requires main to return int.
BOOL main()
{
char r[]="calc.exe";
// Gate on jiazai(); see that function -- its result does not mean what the
// name suggests (it compares full module paths against a bare file name).
BOOL tt=jiazai(GetSpecifiedProcessId(r));
if(tt)
{
// DEFECT: this line is a function DECLARATION, not a call -- the `BOOL`
// return type turns it into a prototype. EnabledebugPriviledge() is never
// executed, so SeDebugPrivilege is never enabled here.
BOOL EnabledebugPriviledge();
// GetSpecifiedProcessId is evaluated a second time here (it was already
// called on line 70); it re-walks the whole process snapshot.
HANDLE hprocess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,GetSpecifiedProcessId(r));
// A NULL handle is reported with an empty message box, but execution
// continues and every call below is made with hprocess == NULL.
if(hprocess==NULL)
MessageBox(0,L"",L"",MB_OK);
char dllname[]="F:\\WODE DAIMA\\createremotethread函数的应用实例\\远程线程dll1\\Debug\\注入目标进程的dll.dll";
// sizeof includes the terminating NUL, so the whole string is copied.
int a=sizeof(dllname);
// NOTE(review): the line break after the comment below looks lost in the
// paste -- the VirtualAllocEx statement sits inside the `//` comment, so
// lpremotedllname is never declared and this does not compile as shown.
// Write the name of the DLL to load into the target process's address space. LPVOID lpremotedllname=VirtualAllocEx(hprocess,NULL,a,MEM_COMMIT,PAGE_READWRITE);
BOOL o=WriteProcessMemory(hprocess,lpremotedllname,dllname,a,NULL);
// Get the address of LoadLibraryA (the return value `o` above is unchecked).
HMODULE hmodule=GetModuleHandleA("kernel32.dll");
LPTHREAD_START_ROUTINE hanshudizhi=(LPTHREAD_START_ROUTINE)GetProcAddress(hmodule,"LoadLibraryA");
// NOTE(review): same lost line break as above -- the CreateRemoteThread
// statement is inside the comment, so hRemoteThread is undeclared.
// Create the remote thread. HANDLE hRemoteThread=CreateRemoteThread(hprocess,0,0,hanshudizhi,lpremotedllname,0,NULL);
if(hRemoteThread==NULL)
{ CloseHandle(hprocess);
MessageBox(0,L"1111",L"",MB_OK);
}
// DEFECTS: on the failure path above execution still reaches here, waiting
// on a NULL handle and closing hprocess a second time. INFINITE also means
// this blocks for as long as the DLL's DllMain does not return (a DllMain
// that loops forever hangs both the target and this injector).
WaitForSingleObject(hRemoteThread,INFINITE);
CloseHandle(hRemoteThread);
CloseHandle(hprocess);
// The remote buffer is never released with VirtualFreeEx.
return TRUE;
}
else
return FALSE;
}
// Tries to enable SeDebugPrivilege on the current process token.
// Returns true when no error is pending afterwards, false otherwise.
// Not actually invoked by main() above: line 73 there is a declaration.
BOOL EnabledebugPriviledge()
{ // Raise this process's privilege level (enable SeDebugPrivilege).
HANDLE htoken;
if(OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&htoken))
{
LUID uid;
// Return value unchecked: if the lookup fails, `uid` is used uninitialised.
LookupPrivilegeValue(0,SE_DEBUG_NAME,&uid);
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount=1;
tp.Privileges[0].Luid=uid;
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
// AdjustTokenPrivileges returns nonzero even when the privilege was not
// granted (GetLastError() == ERROR_NOT_ALL_ASSIGNED, e.g. non-admin); the
// check below relies on CloseHandle leaving that last-error value intact.
AdjustTokenPrivileges(htoken,FALSE,&tp,sizeof(tp),0,0); CloseHandle(htoken);
}
// When OpenProcessToken failed this reports its error; when it succeeded,
// whatever the last API left in GetLastError() decides the result.
if (GetLastError() != ERROR_SUCCESS)
return false; return true;
}
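// Returns the PID of a running process whose executable name
// (PROCESSENTRY32::szExeFile converted to ANSI) is equal to pszProcessName
// under strcmp (case-sensitive, as in the original), or 0 when there is no
// such process, pszProcessName is NULL, or the snapshot cannot be taken.
// As before, every match is echoed with printf and the LAST matching
// process wins when several instances are running.
// Fixes: the snapshot handle is now closed, INVALID_HANDLE_VALUE is
// checked, and the per-entry conversion buffer is freed (the original
// leaked one WSTRToAnsi buffer plus one _strdup copy per process).
DWORD GetSpecifiedProcessId(const char *pszProcessName)
{
    DWORD id = 0;
    if (pszProcessName == NULL)
        return 0;
    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    // Toolhelp reports failure with INVALID_HANDLE_VALUE, not NULL.
    if (hSnapShot == INVALID_HANDLE_VALUE)
        return 0;
    PROCESSENTRY32 pInfo;
    pInfo.dwSize = sizeof(pInfo);
    if (Process32First(hSnapShot, &pInfo))
    {
        do
        {
            char* name = WSTRToAnsi(pInfo.szExeFile);
            const bool match = strcmp(name, pszProcessName) == 0;
            delete[] name;  // WSTRToAnsi allocates with new[]
            if (match)
            {
                printf("%ws\n", pInfo.szExeFile);
                id = pInfo.th32ProcessID;
            }
        } while (Process32Next(hSnapShot, &pInfo) != FALSE);
    }
    CloseHandle(hSnapShot);
    return id;
}

// Converts a wide string to a heap-allocated narrow string with wcstombs
// (current C locale). The caller owns the result and must delete[] it.
// Returns an empty (still heap-allocated) string when Msg is NULL or the
// conversion fails; the original turned wcstombs' failure value into
// len == -1, allocated a zero-length buffer and wrote before its start.
char* WSTRToAnsi(WCHAR* Msg)
{
    size_t len = static_cast<size_t>(-1);
    if (Msg != NULL)
        len = wcstombs(NULL, Msg, 0);
    if (len == static_cast<size_t>(-1))
    {
        char* empty = new char[1];
        empty[0] = 0;
        return empty;
    }
    char* buf = new char[len + 1];
    wcstombs(buf, Msg, len);
    buf[len] = 0;  // wcstombs does not terminate when it fills exactly len bytes
    return buf;
}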
// Intended (per the original comment) to check whether the target process
// has loaded a given module; returns FALSE when "kernel32.dll" is found.
// Caveats a reader must know before relying on it:
//  - MODULEENTRY32::szExePath is the FULL path, so strcmp against the bare
//    name "kernel32.dll" never matches; szModule would hold the file name.
//  - There is no return statement for the not-found case, so the function
//    falls off its end: undefined behaviour, and the value main() tests in
//    `if(tt)` is whatever happens to be in the return register.
//  - The snapshot is not checked for INVALID_HANDLE_VALUE, and each
//    WSTRToAnsi() buffer (allocated with new[]) is leaked.
// Check whether the target process has loaded this module.
BOOL jiazai(DWORD processid)
{ BOOL bfound=FALSE;
MODULEENTRY32 pe={0};
HANDLE hmodulesnap=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,processid);
pe.dwSize=sizeof(MODULEENTRY32);
if(Module32First(hmodulesnap,&pe))
{ do
{if(strcmp(WSTRToAnsi(pe.szExePath),"kernel32.dll")==0)
{ bfound=TRUE;
break;
}
}while(Module32Next(hmodulesnap,&pe));}
CloseHandle(hmodulesnap);
// Only the found case returns a value; see the header comment.
if(bfound)
return FALSE;
}
///////
#include <windows.h>#include <stdio.h>
#define ONE
#include"1.h"
// Entry point of the answerer's test DLL: shows a message box on process
// attach and on every thread attach.
// NOTE(review): `return 0;` is FALSE. Returning FALSE from DllMain on
// DLL_PROCESS_ATTACH tells the loader that initialisation failed, so the
// DLL is unmapped again and the LoadLibrary that triggered it returns NULL.
// The "你好" box appears, but the DLL does not stay loaded afterwards.
// The MessageBox calls also run under the loader lock (see the other
// DllMain above); they work here only because DllMain eventually returns.
// The parameter names (_HDllHandle, _Reason, _Reserved) use the leading
// underscore + capital form reserved for the implementation -- presumably
// copied from a CRT prototype; plain names would be safer.
BOOL APIENTRY DllMain(_In_ void * _HDllHandle, _In_ unsigned _Reason, _In_opt_ void * _Reserved)
{ switch(_Reason)
{ case DLL_PROCESS_ATTACH:
MessageBox(0,L"",L"你好",MB_OK);
break;
case DLL_THREAD_ATTACH:
MessageBox(0,L"",L"你好",MB_OK);
break;
}
// FALSE -- see the header comment; TRUE is what a successful attach returns.
return 0;
}
我试过,可以用:注入成功后就弹出"你好"! 你可以对比一下。