-
-
[求助]关于创建远程线程的问题
-
发表于: 2013-5-16 11:28
-
我一般用CreateRemoteThread来注入DLL,因为LoadLibrary恰好需要一个参数
HANDLE WINAPI CreateRemoteThread(
_In_ HANDLE hProcess,
_In_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_ SIZE_T dwStackSize,
_In_ LPTHREAD_START_ROUTINE lpStartAddress,
_In_ LPVOID lpParameter,
_In_ DWORD dwCreationFlags,
_Out_ LPDWORD lpThreadId
)
其中的 _In_ LPTHREAD_START_ROUTINE lpStartAddress 函数解释是
lpStartAddress [in]
A pointer to the application-defined function of type LPTHREAD_START_ROUTINE to be executed by the thread and represents the starting address of the thread in the remote process. The function must exist in the remote process. For more information, see ThreadProc.
也就是ThreadProc必须是
DWORD WINAPI func(LPVOID p)类型的.
我今天写了一个 void func();
然后远程创建线程, LPVOID lpParameter,填写的NULL,为什么不会崩溃?
照理说PUSH了一个lpParameter,但是我的void func没有 RETN 4,堆栈应该不平衡啊。
HANDLE WINAPI CreateRemoteThread(
_In_ HANDLE hProcess,
_In_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_ SIZE_T dwStackSize,
_In_ LPTHREAD_START_ROUTINE lpStartAddress,
_In_ LPVOID lpParameter,
_In_ DWORD dwCreationFlags,
_Out_ LPDWORD lpThreadId
)
其中的 _In_ LPTHREAD_START_ROUTINE lpStartAddress 函数解释是
lpStartAddress [in]
A pointer to the application-defined function of type LPTHREAD_START_ROUTINE to be executed by the thread and represents the starting address of the thread in the remote process. The function must exist in the remote process. For more information, see ThreadProc.
也就是ThreadProc必须是
DWORD WINAPI func(LPVOID p)类型的.
我今天写了一个 void func();
然后远程创建线程, LPVOID lpParameter,填写的NULL,为什么不会崩溃?
照理说PUSH了一个lpParameter,但是我的void func没有 RETN 4,堆栈应该不平衡啊。
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
谢谢鸟~
|
