IE8关于注入DLL
我用网上的例子写了一个注入DLL文件的c++控制台程序,这个注入系统进程都没有问题(防火墙均给予提示),但是注入IE却返回错误5(GetlastError 拒绝访问)。请问这是怎么回事儿?IE8是什么机制?
注入时 OpenProcess 返回错误 5,代码如下:
- C/C++ code
// host.cpp : defines the entry point of the console application.
//
// What this file does: it locates a process by executable name, allocates a
// buffer in that process, writes the path of a DLL into it, and starts a thread
// in the target at LoadLibraryW so the target loads the DLL
// (the classic CreateRemoteThread + LoadLibrary injection pattern). Every step
// after OpenProcess depends on OpenProcess having returned a handle with the
// requested rights; an ERROR_ACCESS_DENIED (5) there is the OS access check
// refusing the request, not a failure of the later calls.
//
// NOTE(review): the handles and the remote buffer are kept in file-scope
// globals so that CheckError() can release them before exiting.
//#include "stdafx.h"
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <Tlhelp32.h>

void CheckError ( int, int, char *); // error handler: prints, releases globals, exits

PDWORD pdwThreadId;                              // unused
HANDLE hRemoteThread, hRemoteProcess;            // released by the cleanup paths below
DWORD fdwCreate, dwStackSize, dwRemoteProcessId; // fdwCreate / dwStackSize are unused
PWSTR pszLibFileRemote = NULL;                   // buffer allocated inside the target process

// Tries to enable SE_DEBUG_NAME on the current process token.
// Returns false when the token cannot be opened, the privilege name cannot be
// resolved, or AdjustTokenPrivileges itself fails.
// NOTE(review): AdjustTokenPrivileges returns nonzero even when the privilege
// was not enabled (GetLastError() == ERROR_NOT_ALL_ASSIGNED), so `true` here
// does not prove the privilege is actually held.
// NOTE(review): hToken is not closed on the success path (handle leak).
bool EnableDebugPriv() {
    HANDLE hToken;
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tkp;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return false;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue)) {
        CloseHandle(hToken);
        return false;
    }
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = sedebugnameValue;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)) {
        CloseHandle(hToken);
        return false;
    }
    return true;
}

// Returns the PID of the first process in a Toolhelp snapshot whose
// szExeFile compares equal to FileName (exact, case-sensitive wcscmp), or 0
// when no match is found.
// NOTE(review): the snapshot handle is never closed (leaked on every call),
// and CreateToolhelp32Snapshot / Process32First are not checked for failure.
// NOTE(review): with several processes of the same name (IE8 runs more than
// one iexplore.exe) only the first one in snapshot order is returned.
DWORD GetProcessID(WCHAR FileName[260]) {
    HANDLE myhProcess;
    PROCESSENTRY32 mype;
    BOOL mybRet;
    // take a snapshot of all processes
    mype.dwSize = sizeof(mype);
    myhProcess = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); // TH32CS_SNAPPROCESS: snapshot all processes
    mybRet = Process32First(myhProcess, &mype);
    // walk the snapshot and compare names to find the ProcessID
    while (mybRet) {
        if (wcscmp(FileName, mype.szExeFile) == 0)
            return mype.th32ProcessID;
        else
            mybRet = Process32Next(myhProcess, &mype);
    }
    return 0;
}

// Program entry point. Sequence: enable debug privilege (failure only pauses,
// execution continues), find the target PID, convert the DLL path to UTF-16,
// open the target, allocate + write the path there, start a remote thread at
// LoadLibraryW, wait for it, then release everything.
// NOTE(review): the `(int)` casts on HANDLE / pointer values below truncate on
// 64-bit builds; CheckError takes `int` for what is really a handle or pointer.
// NOTE(review): lpszFile is TCHAR[260] but GetProcessID takes WCHAR[260], so
// this presumably only compiles with UNICODE defined — verify build settings.
// NOTE(review): _tmain has no return statement.
int _tmain(int argc, _TCHAR* argv[]) {
    if (!EnableDebugPriv())
        system("pause"); // pauses but does not abort when the privilege step fails

    int iReturnCode;
    char lpDllFullPathName[MAX_PATH];
    WCHAR pszLibFileName[MAX_PATH] = {0};
    const char *pFilePathName = "iexplore.exe";
    int nLen = strlen(pFilePathName) + 1; // includes the terminator
    int nwLen = MultiByteToWideChar(CP_ACP, 0, pFilePathName, nLen, NULL, 0); // size query
    TCHAR lpszFile[260];
    MultiByteToWideChar(CP_ACP, 0, pFilePathName, nLen, lpszFile, nwLen);
    dwRemoteProcessId = GetProcessID(lpszFile); // may be 0 if no match; not checked here
    strcpy(lpDllFullPathName, "C:\\Windows\\VeryNB.dll");

    // convert the full DLL path from ANSI to UTF-16.
    // Length is passed without the terminator; the result stays NUL-terminated
    // only because pszLibFileName was zero-initialised above.
    iReturnCode = MultiByteToWideChar(CP_ACP, MB_ERR_INVALID_CHARS, lpDllFullPathName,
                                      strlen(lpDllFullPathName), pszLibFileName, MAX_PATH);
    CheckError(iReturnCode, 0, "MultByteToWideChar");

    // open the remote process.
    // The commented-out mask lists the rights the calls below actually use
    // (create thread, VM operation, VM write); PROCESS_ALL_ACCESS asks for far
    // more than that, and the access check is evaluated against the whole mask.
    hRemoteProcess = OpenProcess(/* PROCESS_CREATE_THREAD | // allow creating a thread
                                    PROCESS_VM_OPERATION |  // allow VM operations
                                    PROCESS_VM_WRITE,       // allow VM writes */
                                 PROCESS_ALL_ACCESS, FALSE, dwRemoteProcessId);
    CheckError((int) hRemoteProcess, NULL, "Remote Process not Exist or Access Denied!");

    // bytes needed in the target for the DLL path, terminator included
    int cb = (1 + lstrlenW(pszLibFileName)) * sizeof(WCHAR);
    pszLibFileRemote = (PWSTR) VirtualAllocEx(hRemoteProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
    CheckError((int) pszLibFileRemote, NULL, "VirtualAllocEx");

    // copy the DLL path into the target's address space
    iReturnCode = WriteProcessMemory(hRemoteProcess, pszLibFileRemote, (PVOID) pszLibFileName, cb, NULL);
    CheckError(iReturnCode, false, "WriteProcessMemory");

    // resolve LoadLibraryW in this process; the same address is used in the
    // target, which assumes kernel32 is mapped at the same base there
    PTHREAD_START_ROUTINE pfnStartAddr =
        (PTHREAD_START_ROUTINE) GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
    CheckError((int) pfnStartAddr, NULL, "GetProcAddress");

    // start a thread in the target that calls LoadLibraryW(pszLibFileRemote)
    hRemoteThread = CreateRemoteThread(hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote, 0, NULL);
    CheckError((int) hRemoteThread, NULL, "Create Remote Thread");

    // wait (without timeout) for the remote thread to exit
    WaitForSingleObject(hRemoteThread, INFINITE);

    // cleanup
    if (pszLibFileRemote != NULL) {
        VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
    }
    if (hRemoteThread != NULL) {
        CloseHandle(hRemoteThread);
    }
    if (hRemoteProcess != NULL) {
        CloseHandle(hRemoteProcess);
    }
}

// Error handler CheckError(): when iReturnCode equals the sentinel iErrorCode,
// prints pErrorMsg with GetLastError(), pauses, releases the global remote
// buffer and handles, and terminates the process. Otherwise does nothing.
// NOTE(review): exit(0) reports success to the caller even on failure.
// NOTE(review): GetLastError() returns DWORD; "%d" should be "%lu".
// NOTE(review): system("pause") spawns a shell just to wait for a key press.
void CheckError(int iReturnCode, int iErrorCode, char *pErrorMsg) {
    if (iReturnCode == iErrorCode) {
        printf("%s Error:%d\n\n", pErrorMsg, GetLastError());
        system("pause");
        // cleanup
        if (pszLibFileRemote != NULL) {
            VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
        }
        if (hRemoteThread != NULL) {
            CloseHandle(hRemoteThread);
        }
        if (hRemoteProcess != NULL) {
            CloseHandle(hRemoteProcess);
        }
        exit(0);
    }
}
结果出现 Remote Process not Exist or Access Denied! Error:5
[解决办法]
你的OpenProcess要的权限太多了,不就是注入远程线程吗,能够有创建目标线程和读写的权限就行了,建议lz降低一下打开的权限
本人怀疑微软肯定对IE8进行了更多的保护,因为现在注入IE穿透防火墙的病毒木马太多了
[解决办法]
你这样实验一下:在自己的程序中用 CreateProcess 创建一个 IE8 的进程,创建完成后就拥有了该进程的句柄,然后再注入 DLL 试一下,设置权限应该可以。具体的可以看一下《Windows 2000 编程技术内幕》。