
请问一个在远程进程注入代码的有关问题

发布时间: 2012-03-16 16:34:56 作者: rapoo

请教一个在远程进程注入代码的问题
代码如下,在创建远程线程的时候就挂了...
(注入的代码不超过256字节)

#include <iostream>
#include <windows.h>
using namespace std;

// Enables SeDebugPrivilege (SE_DEBUG_NAME) on the current process token
// ("raise privileges" in the original comment).
// Returns FALSE only when OpenProcessToken fails. The results of
// LookupPrivilegeValue and AdjustTokenPrivileges are never inspected, so a
// TRUE return does not prove the privilege was actually enabled.
// NOTE(review): hToken is never closed, so every call leaks a token handle.
BOOL SetPrivilege() // raise privileges
{
TOKEN_PRIVILEGES tkp;
HANDLE hToken;

if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
return FALSE;
LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tkp.Privileges[0].Luid); // return value ignored; Luid may be garbage on failure
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken,FALSE,&tkp,0,(PTOKEN_PRIVILEGES)NULL,0); // return value and GetLastError() not checked

return TRUE;
}

// Parameter block that main() copies into the target process (remotePara)
// and passes as the remote thread's argument. The layout has to be
// identical in both processes because it is written with a raw
// WriteProcessMemory of sizeof(PARA).
struct PARA
{
HMODULE hModule;      // set to NULL by main(); not read by GetName()
LPTSTR lpFilename;    // output buffer; main() stores a *target-process* address here (remoteResult)
DWORD nSize;          // size passed to GetModuleFileNameA (MAX_PATH in main())
int fill[20];         // trailing padding; main() never initialises it — purpose not stated in the post
};

// Routine whose bytes main() copies into the target process and starts as
// a thread there, with `para` pointing at the remote PARA copy.
// Writes the calling process's own module path (hModule NULL) into
// para->lpFilename, at most para->nSize characters. The return value of
// GetModuleFileNameA is discarded, so truncation/failure is not reported.
void GetName(PARA* para)
{
GetModuleFileNameA(NULL, para-> lpFilename, para-> nSize);
}

// Demo from the post: allocates three buffers in process 2400, copies the
// PARA block and 256 bytes of GetName into them, starts a remote thread on
// the copied code, then reads back the path string it produced.
// Every handle and pointer returned by the Win32 calls below is used without
// a check — a NULL from OpenProcess or VirtualAllocEx is passed straight on
// to the next call. The target PID (2400) is hard-coded.
int main()
{
if (!SetPrivilege())
return 1;

// Reads a 32-bit displacement at startAddress+1 and adds it plus 5, i.e.
// follows a 5-byte relative jump assumed to sit at GetName's entry point.
// Whether this build really places such a stub there is not established
// anywhere in the post — treat it as an assumption.
char * startAddress = (char*)&GetName;
char * codeAddress = startAddress + 5 + *(int*)(startAddress + 1); // compute code address

HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 2400); // hard-coded target PID; result unchecked

char* remoteResult = (char*)VirtualAllocEx(
hProcess, NULL, MAX_PATH, MEM_COMMIT, PAGE_READWRITE); // allocate space for the return value (path string)

PARA* remotePara = (PARA*)VirtualAllocEx(
hProcess, NULL, sizeof(PARA), MEM_COMMIT, PAGE_READWRITE); // allocate space for the parameter block



char* remoteCode = (char*)VirtualAllocEx(
hProcess, NULL, 256, MEM_COMMIT, PAGE_READWRITE); // allocate 256 bytes for the code (post says GetName is under 256 bytes)

PARA para; // build the parameter block in this process
para.hModule = NULL;
para.lpFilename = remoteResult; // a target-process address; only meaningful inside process 2400
para.nSize = MAX_PATH;
// para.fill is left uninitialised and copied over as-is

WriteProcessMemory(hProcess, remotePara, (PVOID)&para, sizeof(PARA), NULL); // write the remote parameters
WriteProcessMemory(hProcess, remoteCode, (PVOID)codeAddress, 256, NULL); // write the remote code: 256 raw bytes from codeAddress, whatever GetName's true length is

/*
PTHREAD_START_ROUTINE fun;
fun = (PTHREAD_START_ROUTINE)GetProcAddress(
GetModuleHandle( "kernel32 "), "GetModuleFileNameA ");
*/

// The post reports the failure at this call. hThread's value is never
// checked and never closed.
HANDLE hThread = CreateRemoteThread(
hProcess, NULL, 0, (PTHREAD_START_ROUTINE)remoteCode, (LPVOID)remotePara, 0, NULL);
WaitForSingleObject(hThread, INFINITE);

// Copy back whatever is in the remote buffer. result[] is not terminated
// here; printing it relies on the remote string being NUL-terminated.
char result[MAX_PATH];
ReadProcessMemory(hProcess, remoteResult, (PVOID)result, MAX_PATH, NULL);
cout < < result < < endl; // `< <` is most likely a rendering artifact of `<<`

VirtualFreeEx(hProcess, remoteCode, 256, MEM_RELEASE);
VirtualFreeEx(hProcess, remotePara, sizeof(PARA), MEM_RELEASE);
VirtualFreeEx(hProcess, remoteResult, MAX_PATH, MEM_RELEASE);

CloseHandle(hProcess);

return 0;
}

[解决办法]
mark一下,帮顶
我试了一下,情况和你一样,但是如果把GetName函数里的所有语句注释掉可以正常运行.
顺便问一下:
char * codeAddress = startAddress + 5 + *(int*)(startAddress + 1); //计算代码地址

这个地址的计算依据是什么?
[解决办法]
顶一下

