[求助]为什么远程线程注入的时候 DllMain启动的thread不运行呢??
发表于:
2012-6-30 20:12
[求助]为什么远程线程注入的时候 DllMain启动的thread不运行呢??
// DLL entry point. On DLL_PROCESS_ATTACH it starts ThreadProc on a new
// thread and then spins forever, so DllMain never returns to the loader.
// NOTE(review): this is the likely cause of the "thread never runs"
// symptom. DllMain executes while the process loader lock is held (Windows
// documents this), and the thread created by _beginthread presumably has
// to take that same lock for its DLL_THREAD_ATTACH notification before it
// can reach ThreadProc — so it blocks while this thread busy-waits, and
// "TR 00" is never printed. Microsoft's DllMain guidance is not to create
// a thread and wait on it from DllMain; the wait has to move out of here.
// ThreadProc is defined later in the file, so a prototype must be in scope
// above this point (not visible in this excerpt).
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpvReserved)
{
if (fdwReason == DLL_PROCESS_ATTACH) {
_TRACE(_T("00\n"));
_beginthread(ThreadProc,0,NULL);   // return value (handle, or -1L on failure) is not checked
_TRACE(_T("11\n"));
while (1) {}   // busy-wait: never returns, pins one core at 100%, keeps the loader lock held
_TRACE(_T("22\n"));   // unreachable
}
return TRUE;
}
//结束进程的函数
// Thread body started from DllMain (param is unused). Walks the import
// table of the host process's main module (GetModuleHandle(NULL)) and,
// for every IAT slot whose current value equals the global `addr`,
// overwrites it with the global `myaddr` — i.e. it patches the IAT entry
// of one imported function. From an integrity-monitoring point of view
// this is exactly the change IAT-hook scanners look for: an import slot
// that no longer points into the module that exports the function.
// Globals used but not declared here: hMod, pDosHeader, pNTHeaders,
// pOptHeader, pImportDescriptor, pThunkData, addr, myaddr — presumably
// file-scope; confirm their declared types.
// NOTE(review): defects a reviewer would raise —
//  - no validation of the PE headers (e_lfanew range, NT signature,
//    non-zero import directory) before dereferencing through them;
//  - VirtualProtect and WriteProcessMemory results are ignored, so a
//    failed protection change is followed by a write anyway;
//  - `mbi` is filled by VirtualQuery but never read; `dllname` and
//    `funname` are computed but never used;
//  - the (DWORD) casts on RVAs/pointers and the `(int)addr` compare only
//    work in a 32-bit process;
//  - if a bound import or an ordinal-only import is encountered,
//    `pThunkData->u1.AddressOfData + 2` is not a name pointer.
void ThreadProc(void *param)
{
//------------hook api----------------
_TRACE(_T("TR 00\n"));
hMod = GetModuleHandle(NULL);   // base of the process's main executable, not of this DLL
_TRACE(_T("TR 11\n"));
pDosHeader = (PIMAGE_DOS_HEADER)hMod;
pNTHeaders = (PIMAGE_NT_HEADERS)((BYTE *)hMod + pDosHeader->e_lfanew);
pOptHeader = (PIMAGE_OPTIONAL_HEADER)&(pNTHeaders->OptionalHeader);
// DataDirectory[1] is the import directory; IMAGE_DIRECTORY_ENTRY_IMPORT would name the magic index
pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((BYTE *)hMod + pOptHeader->DataDirectory[1].VirtualAddress);
_TRACE(_T("TR 22\n"));
// one descriptor per imported DLL; the table is terminated by an all-zero entry
while (pImportDescriptor->FirstThunk) {
char * dllname = (char *)((BYTE *)hMod + pImportDescriptor->Name);   // unused
// OriginalFirstThunk: the unpatched name/ordinal array, parallel to the IAT at FirstThunk
pThunkData = (PIMAGE_THUNK_DATA)((BYTE *)hMod + pImportDescriptor->OriginalFirstThunk);
int no = 1;   // 1-based index into this DLL's IAT; lpAddr uses no-1
// u1 is a union, so Function and AddressOfData alias the same word; zero terminates the array
while (pThunkData->u1.Function) {
// +2 presumably skips the WORD Hint of IMAGE_IMPORT_BY_NAME to reach Name (unused)
char * funname = (char *)((BYTE *)hMod + (DWORD)pThunkData->u1.AddressOfData + 2);
// the IAT slot that corresponds to this OriginalFirstThunk entry
PDWORD lpAddr = (DWORD *)((BYTE *)hMod + (DWORD)pImportDescriptor->FirstThunk) +(no-1);
// patch the slot if it currently holds the address being hooked
if ((*lpAddr) == (int)addr) {
// make the page writable
DWORD dwOLD;
MEMORY_BASIC_INFORMATION mbi;
VirtualQuery(lpAddr,&mbi,sizeof(mbi));   // result never used
VirtualProtect(lpAddr,sizeof(DWORD),PAGE_READWRITE,&dwOLD);   // return value unchecked
// WriteProcessMemory on the current process: a plain *lpAddr = myaddr would do the same once the page is writable
WriteProcessMemory(GetCurrentProcess(),
lpAddr, &myaddr, sizeof(DWORD), NULL);   // return value unchecked
// restore the page protection
VirtualProtect(lpAddr,sizeof(DWORD),dwOLD,0);   // passing 0 for lpflOldProtect makes this call fail on Windows; the protection is not actually restored
}
//---------
no++;
pThunkData++;
}
pImportDescriptor++;
}
//-------------------HOOK END-----------------
}
//new messagebox function
// Replacement installed in place of the hooked function (presumably the
// global `myaddr` points here — not visible in this excerpt). It forwards
// to the original entry point saved in the global `addr`, cast through
// PFNMESSAGEBOX (declared elsewhere), with a fixed NULL owner, fixed text
// and caption, and uType 0. Every argument the caller passed is discarded.
// The LPCSTR parameters mean this matches MessageBoxA; the PFNMESSAGEBOX
// typedef must describe the ANSI variant for the forwarded call to be valid.
int WINAPI MessageBoxProxy(IN HWND hWnd, IN LPCSTR lpText, IN LPCSTR lpCaption, IN UINT uType)
{
return ((PFNMESSAGEBOX)addr)(NULL, "gxter_test", "gxter_title", 0);
// this is where per-call handling of the hooked API would go (original comment); anything placed after the return is unreachable
}
这是代码，也是从网上找的。
注入部分我是用《Windows核心编程》上面的InjLib做的。