// Already have hLibModule, the base address of the DLL module in the external process.
// Use a remote thread to run "GetProcAddress" and obtain the address of the "InjectDll"
// function inside that DLL (hFuncName).
// GetProcAddress is said to work only for the calling process, so a remote thread is
// the only way to resolve a function address inside the external process's DLL.
// What is wrong with the code below? GetProcAddress(hKernel32,"GetProcAddress") returns
// a value, but hThread comes back as 0. Why?
//
// NOTE(review): this fragment relies on names declared outside it (gpap, pi, hKernel32,
// hThread, hLibModule). The VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
// sequence against another process is the textbook remote-thread injection pattern and
// is exactly what process-injection telemetry (EDR / Sysmon-style event sources) keys on.
gpap p;
p.hModule = (HMODULE)hLibModule;
// lpProcName receives a pointer to a string literal that lives in THIS process's image;
// the target process cannot dereference it (the answer at the bottom of the page makes
// the same point).
p.lpProcName ="substract"; void *pFuncName;
// Result unchecked: VirtualAllocEx returns NULL on failure, and that NULL is passed
// straight to WriteProcessMemory. The allocation is also never released with
// VirtualFreeEx, so it leaks inside the target process.
pFuncName = VirtualAllocEx(pi.hProcess,NULL,sizeof(p),MEM_COMMIT,PAGE_READWRITE);
// Neither the BOOL result nor the number of bytes written is checked.
WriteProcessMemory(pi.hProcess,pFuncName,&p,sizeof(p),NULL);
hThread = CreateRemoteThread(
pi.hProcess,NULL,0,
// The cast hides that the two function types differ: LPTHREAD_START_ROUTINE takes a
// single LPVOID, GetProcAddress is declared with two parameters. Calling through a
// mismatched function type is undefined behaviour.
(LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32,"GetProcAddress"),
pFuncName,0,NULL);
// hThread is never tested for NULL (the question says it is 0); WaitForSingleObject,
// GetExitCodeThread and CloseHandle on a NULL handle all simply fail.
WaitForSingleObject(hThread,INFINITE);
// hFuncName is uninitialized; if GetExitCodeThread fails it is read as garbage.
// A thread exit code is a 32-bit DWORD, so a 64-bit pointer could not survive this
// round-trip intact anyway.
DWORD hFuncName;
GetExitCodeThread(hThread,&hFuncName);
CloseHandle(hThread);
// Use a remote thread to run "GetProcAddress" and obtain the address of the "InjectDll"
// function inside the DLL module (hFuncName).
// GetProcAddress is said to work only for the calling process, so a remote thread is
// the only way to resolve a function address inside the external process's DLL.
// What is wrong with the code below? GetProcAddress(hKernel32,"GetProcAddress") returns
// a value, but hThread comes back as 0. Why?
//
// NOTE(review): verbatim repeat of the fragment above; the same review points apply.
// gpap, pi, hKernel32, hThread and hLibModule are declared outside this fragment.
gpap p;
p.hModule = (HMODULE)hLibModule;
// Stores a pointer into THIS process's image; meaningless in the target process.
p.lpProcName ="substract"; void *pFuncName;
// No NULL check on the remote allocation, and it is never freed in the target.
pFuncName = VirtualAllocEx(pi.hProcess,NULL,sizeof(p),MEM_COMMIT,PAGE_READWRITE);
// Return value and bytes-written count are ignored.
WriteProcessMemory(pi.hProcess,pFuncName,&p,sizeof(p),NULL);
hThread = CreateRemoteThread(
pi.hProcess,NULL,0,
// Cast from a two-parameter function to LPTHREAD_START_ROUTINE (one LPVOID parameter):
// calling through a mismatched function type is undefined behaviour.
(LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32,"GetProcAddress"),
pFuncName,0,NULL);
// hThread is not tested for NULL before it is waited on, queried and closed.
WaitForSingleObject(hThread,INFINITE);
// hFuncName is uninitialized and only 32 bits wide; it is read even if
// GetExitCodeThread fails.
DWORD hFuncName;
GetExitCodeThread(hThread,&hFuncName);
CloseHandle(hThread);
那个hThread的返回值不为0, 但是hFuncName的值为0(实际上是远程线程执行GetProcAddress的返回值为0)
请写出修正的代码.该怎么写?
// Loads a DLL into another process by starting a remote thread on LoadLibrary with the
// DLL path as its argument (remote-thread DLL injection).
//   dwProcessID: PID of the target process.
//   lpszDll:     path of the DLL to load, as a TCHAR string.
// Returns TRUE once the remote thread has finished, FALSE on the failures it detects;
// failures are reported through AfxMessageBox (MFC). The remote thread's exit code
// (LoadLibrary's result) is never read, so TRUE does not prove the DLL actually loaded.
// NOTE(review): the OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
// CreateRemoteThread chain is the canonical injection sequence that endpoint telemetry
// flags; EnablePrivilege is defined elsewhere and its result is not checked.
BOOL RemoteLoadLibrary(DWORD dwProcessID, LPCTSTR lpszDll) // remote-thread DLL injection
{
DWORD dwSize, dwWritten,dwID;
HANDLE handle;
LPVOID virMemory;
// Byte count copied into the target. Only one byte is added for the terminator; with a
// 2-byte TCHAR (UNICODE build) the terminator is sizeof(TCHAR) bytes, so the copied
// string may end unterminated.
dwSize=_tcslen(lpszDll)*sizeof(TCHAR)+1;
EnablePrivilege(SE_DEBUG_NAME);
// PROCESS_ALL_ACCESS requests far more than the calls below use (least privilege).
handle=OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcessID);
// BUG: OpenProcess returns NULL on failure, not INVALID_HANDLE_VALUE, so this test
// never fires and a NULL handle flows into VirtualAllocEx.
if (handle!=INVALID_HANDLE_VALUE)
{
virMemory=VirtualAllocEx(handle,NULL,dwSize,MEM_COMMIT,PAGE_READWRITE);
if (virMemory!=NULL)
{
// dwWritten is filled in but never compared with dwSize (short write undetected).
if (!WriteProcessMemory(handle,virMemory,LPCVOID(lpszDll),dwSize,&dwWritten))
{
AfxMessageBox(_T("WriteProcessMemory Failed"));
// virMemory is not released on this path; it leaks in the target process.
CloseHandle(handle);
return FALSE;
}
// LoadLibrary resolves to LoadLibraryA or LoadLibraryW according to the build's
// TCHAR, matching the encoding of lpszDll.
LPVOID pFunc = LoadLibrary;
// hthread is not tested for NULL before it is waited on and closed.
HANDLE hthread=CreateRemoteThread(handle,NULL,0,(LPTHREAD_START_ROUTINE)pFunc,virMemory,0,&dwID);
WaitForSingleObject(hthread,INFINITE);
// BUG: MEM_COMMIT is not a valid dwFreeType for VirtualFreeEx (only MEM_DECOMMIT and
// MEM_RELEASE are), so this call fails and the remote buffer is never freed.
VirtualFreeEx(handle,virMemory,dwSize,MEM_COMMIT);
CloseHandle(hthread);
CloseHandle(handle);
return TRUE;
}
else
{
AfxMessageBox(_T("VirtualAllocEx Failed"));
CloseHandle(handle);
return FALSE;
}
}
else
{
AfxMessageBox(_T("OpenProcess Failed"));
return FALSE;
}
// Unreachable: every branch above already returns.
return TRUE;
}
http://topic.csdn.net/u/20090427/16/3147cd76-4d00-4298-86ed-c4b47c4bb76c.html
1 p.lpProcName ="substract"; 这行代码中, lpProcName 指向的是本 exe 作为 PE 加载后数据段中的某个位置,
在目标进程中几乎肯定会引起错误。应该这样写strcpy(p.lpProcName, "substract");
2 根本没有必要自己写一个远程函数来注入,只需要调用LoadLibraryA就可以了。