-
-
[讨论]跨进程GetWindowLong拿WndProc、DlgProc的问题。。。
-
发表于: 2013-1-3 01:39
-
话说基本上我搜好久都只是说直接注入代码到远程进程里面的,除了传统的CreateRemoteThread,看到MDebug能获取,满怀希望的逆了一下MDebug,结果还是远程线程。。。在GG上搜到了一个外国佬用SetWindowsHookEx注入全局Dll的奇葩方法,不过比远程线程安全多了。。。
其实我一开始都以为GetWindowLong是要切内核的,可刚才跟了下,这完全没切内核啊,就是从TEB等信息中合成一个用户区域下的指针,指针结构体是就是这个HWND的信息合集,然后直接从这个结构体里面拿数据,不管是WndProc还是DlgProc都一样,也就是说我们跨进程不注入代码获取WndProc完全是可能的。
于是,有没有这方面的相关研究啊,貌似没人研究过啊,是不是因为我是Win8的GetWindowLong改过了?太晚了不想开虚拟机了,等明天再看看XP下的。
其实我一开始都以为GetWindowLong是要切内核的,可刚才跟了下,这完全没切内核啊,就是从TEB等信息中合成一个用户区域下的指针,指针结构体是就是这个HWND的信息合集,然后直接从这个结构体里面拿数据,不管是WndProc还是DlgProc都一样,也就是说我们跨进程不注入代码获取WndProc完全是可能的。
于是,有没有这方面的相关研究啊,貌似没人研究过啊,是不是因为我是Win8的GetWindowLong改过了?太晚了不想开虚拟机了,等明天再看看XP下的。
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
|
|
|---|---|
|
|
|
|
|
|
|
|
结果只能自己折腾。。。果然求人不如求己啊。。。
下面代码Win7及以上可用。。。 Private Declare Function GetWindowThreadProcessId& Lib "user32" (ByVal hWnd&, ByRef lpdwProcessId&)
Private Declare Function GetModuleHandleW& Lib "kernel32" (ByVal lpModuleName&)
Private Declare Function GetProcAddress& Lib "kernel32" (ByVal hModule&, ByVal lpProcName$)
Private Declare Function OpenProcess& Lib "kernel32" (ByVal dwDesiredAccess&, ByVal bInheritHandle As Boolean, ByVal dwProcessId&)
Private Declare Function OpenThread& Lib "kernel32" (ByVal dwDesiredAccess&, ByVal bInheritHandle As Boolean, ByVal dwThreadId&)
Private Declare Function ReadProcessMemory& Lib "kernel32" (ByVal hProcess&, ByVal lpBaseAddress&, ByVal lpBuffer&, ByVal nSize&, ByRef lpNumberOfBytesRead&)
Private Declare Function NtQueryInformationThread& Lib "ntdll" (ByVal ThreadHandle&, ByVal ThreadInformationClass&, ByVal ThreadInformation&, ByVal ThreadInformationLength&, ByRef ReturnLength&)
Private Declare Function CloseHandle& Lib "kernel32" (ByVal hObject&)
Private Function GetThreadTeb&(ByVal hThread&)
Dim tbi&(6)
If NtQueryInformationThread(hThread, 0, VarPtr(tbi(0)), 28, 0) = 0 Then GetThreadTeb = tbi(1)
End Function
Private Function GetHighValueForUser32&(ByVal hProcess&, ByVal hThread&)
Dim lpValue&
ReadProcessMemory hProcess, GetThreadTeb(hThread) + &H6E8, VarPtr(lpValue), 4, 0
GetHighValueForUser32 = lpValue
End Function
Private Function GetHWNDTablePointerInUser32SharedInfoEntry&(ByVal hProcess&)
Dim lpU32SharedInfo&
lpU32SharedInfo = GetProcAddress(GetModuleHandleW(StrPtr("user32.dll")), "gSharedInfo") + 4
ReadProcessMemory hProcess, lpU32SharedInfo, VarPtr(lpU32SharedInfo), 4, 0
GetHWNDTablePointerInUser32SharedInfoEntry = lpU32SharedInfo
End Function
Private Function MakeInfoPointerByRemote2UnknownForHWND&(ByVal hProcess&, ByVal hWnd&, ByVal unkHighValue&, ByVal unkPointer&)
Dim dwLowValue&, dwUnknownValue&, lpPointer&
dwLowValue = hWnd And &HFFFF&
dwLowValue = dwLowValue + dwLowValue * 2
lpPointer = unkPointer + dwLowValue * 4
ReadProcessMemory hProcess, lpPointer, VarPtr(dwUnknownValue), 4, 0
MakeInfoPointerByRemote2UnknownForHWND = dwUnknownValue - unkHighValue
End Function
Private Function GetRemoteProcessWndProc&(ByVal hProcess&, ByVal lpPointer&)
Dim lpfnWndProc&
ReadProcessMemory hProcess, lpPointer + &H60, VarPtr(lpfnWndProc), 4, 0
GetRemoteProcessWndProc = lpfnWndProc
End Function
Private Function GetRemoteProcessDlgProc&(ByVal hProcess&, ByVal lpPointer&)
Dim lpfnDlgProc&
ReadProcessMemory hProcess, lpPointer + &HCC, VarPtr(lpfnDlgProc), 4, 0 '//XP:+ &HA8
ReadProcessMemory hProcess, lpfnDlgProc, VarPtr(lpfnDlgProc), 4, 0
GetRemoteProcessDlgProc = lpfnDlgProc
End Function
Private Sub Form_Load()
Dim hProcess&, hThread&, tid&, pid&
tid = GetWindowThreadProcessId(197776, pid)
hThread = OpenThread(2032639, False, tid)
hProcess = OpenProcess(2035711, False, pid)
MsgBox Hex(GetRemoteProcessWndProc(hProcess, MakeInfoPointerByRemote2UnknownForHWND(hProcess, 197776, GetHighValueForUser32(hProcess, hThread), GetHWNDTablePointerInUser32SharedInfoEntry(hProcess))))
MsgBox Hex(GetRemoteProcessDlgProc(hProcess, MakeInfoPointerByRemote2UnknownForHWND(hProcess, 197776, GetHighValueForUser32(hProcess, hThread), GetHWNDTablePointerInUser32SharedInfoEntry(hProcess))))
CloseHandle hProcess
End Sub
|
|
|
|
|
|
|
|
|
|
