CreateRemoteThread的问题
故障现象
代码远程注入执行后远程进程异常退出,见截图
远程进程代码
// Win32Console.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include "process.h"
#include <iostream>
using namespace std;
void myFunc(int p1,int p2)
{
cout<<"函数被调用,传入的参数为("<<p1<<","<<p2<<")"<<endl;
}
int _tmain(int argc, _TCHAR* argv[])
{
cout<<"进程PID:"<<getpid()<<endl;
cout<<"函数地址:"<<&myFunc<<endl;
getchar();
return 0;
}
注入者代码
// Hooker.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include "windows.h"
#include <iostream>
#include <string>
using namespace std;
int EnableDebugPriv(LPCWSTR name)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;
//打开进程令牌环
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken);
//获得进程本地唯一ID
LookupPrivilegeValue(NULL, name, &luid) ;
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid = luid;
//调整权限
AdjustTokenPrivileges(hToken, 0, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
return 0;
}
int const MAX_REMOTE_DATA = 1024 * 4;
void __stdcall func(int funcAddress,int p1,int p2)
{
__asm
{
push p2
push p1
mov eax, funcAddress
call eax
}
}
typedef struct DataPack
{
void* pfunCall;
int funcAddress;
int p1;
int p2;
}DataPack, *PDataPack;
typedef void(__stdcall* FUNCADD)(int,int,int);
void __stdcall remoteFunc(PDataPack pData)
{
FUNCADD func = (FUNCADD)pData->pfunCall;
func(pData->funcAddress,pData->p1,pData->p2);
}
bool remoteCall(int processId,int funcAddress,int p1,int p2)
{
EnableDebugPriv(SE_DEBUG_NAME);
//1. 打开进程
HANDLE processHandle = ::OpenProcess(PROCESS_ALL_ACCESS,
FALSE, processId);
if (NULL == processHandle)
{
MessageBox(NULL,L"",L"创建进程失败",0);
return false;
}
//2. 分配空间, 把我们要注入的函数写入这个空间
LPVOID pRemoteFun = VirtualAllocEx(processHandle, NULL,MAX_REMOTE_DATA,
MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (NULL == pRemoteFun)
{
MessageBox(NULL,L"",L"pRemoteFun alloc failed",0);
return false;
}
if (!WriteProcessMemory(processHandle,pRemoteFun,&remoteFunc,
MAX_REMOTE_DATA, 0))
{
MessageBox(NULL,L"",L"pRemoteFun write process memory failed",0);
return false;
}
//3. 分配空间, 把我们要注入的函数参数写入这个空间
LPVOID pFunc = VirtualAllocEx(processHandle, NULL,MAX_REMOTE_DATA,
MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (NULL == pFunc)
{
MessageBox(NULL,L"",L"pFunc alloc failed",0);
return false;
}
if (!WriteProcessMemory(processHandle,pFunc,&func,
MAX_REMOTE_DATA, 0))
{
MessageBox(NULL,L"",L" pFunc write process memory failed",0);
return false;
}
DataPack dataPack;
dataPack.funcAddress=funcAddress;
dataPack.pfunCall=pFunc;
dataPack.p1=p1;
dataPack.p2=p2;
LPVOID remoteParam = VirtualAllocEx(processHandle, NULL,sizeof(dataPack),
MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (NULL == remoteParam)
{
MessageBox(NULL,L"",L"remoteParam alloc failed",0);
return false;
}
if (!WriteProcessMemory(processHandle,remoteParam,&dataPack,
sizeof(dataPack), 0))
{
MessageBox(NULL,L"",L"remoteParam write process memory failed",0);
return false;
}
//创建远程线程
DWORD threadId;
HANDLE remoteHandle = CreateRemoteThread(processHandle,
NULL, 0, (LPTHREAD_START_ROUTINE)(pRemoteFun), remoteParam, 0, &threadId);
if (!remoteHandle)
{
MessageBox(NULL,L"",L"CreateRemoteThread failed",0);
return false;
}
WaitForSingleObject( remoteHandle, INFINITE );
VirtualFreeEx(processHandle, pRemoteFun, MAX_REMOTE_DATA, MEM_RELEASE);
VirtualFreeEx(processHandle, pFunc, MAX_REMOTE_DATA, MEM_RELEASE);
VirtualFreeEx(processHandle, remoteParam, sizeof(dataPack), MEM_RELEASE);
CloseHandle(remoteHandle);
return true;
}
int _tmain(int argc, _TCHAR* argv[])
{
cout<<"输入远程进程的PID:";
int processId;
cin>>processId;
cout<<"输入远程方法的地址:";
int funAddress;
cin>>hex>>funAddress;
cout<<"参数1数值:";
int p1;
cin>>dec>>p1;
cout<<"参数2数值:";
int p2;
cin>>dec>>p2;
remoteCall(processId,funAddress,p1,p2);
getchar();
return 0;
}
勉強心を持てば、生活は虚しくない!
