-
-
[旧帖] [求助]远程进程代码注入失败,被注入的进程崩溃 0.00雪花
-
发表于: 2013-11-27 10:52
-
新人第一次发帖
自己是个业余的编程爱好者,再看了几本书之后自学的WINDOWS编程,前些天编了一个简单的远程注入程序,编译生成没问题,但是调试时一到HANDLE hThread=CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)c_injection,hAddr,0,NULL)这一步就会使得被注入进程崩溃,不知道是为什么,请各位不吝赐教,帮咱看看。
本人用的VS2010,按书上说的已经关闭了增量编译和ESP校验。
貌似可能是函数的内存地址传递出现问题,但不知道怎么改。
#include "stdafx.h"
#include "Windows.h"
static void WINAPI c_injection(LPVOID pParam) //注入的线程函数(弹个没参数消息框)
{
_asm
{ pushad
push 0
push 0
push 0
push 0
call [pParam]
popad
}
}
static void c_inj()
{} //空函数用来计算注入的线程函数大小
int _tmain(int argc, _TCHAR* argv[])
{
DWORD hprocessid=5476; //要注入的进程pid
printf("%d %d\n",c_injection,c_inj); //计算注入的函数大小以分配内存,得到线程函数大小32个字节
HMODULE Getmoduleaddr=LoadLibraryA("user32.dll");
LPVOID hAddr=GetProcAddress(Getmoduleaddr,"MessageBoxA");//获得函数的内存地址;
HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,TRUE,hprocessid);//获取进程句柄
LPVOID newbuffer=VirtualAllocEx(hProcess,NULL,32,MEM_COMMIT,PAGE_READWRITE); //申请内存 (试过申请大点的内存,依然会使进程崩溃)
printf("newbuffer=%x\n",newbuffer);
WriteProcessMemory(hProcess,newbuffer,c_injection,32,NULL);//写入被注入的函数代码;
HANDLE hThread=CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)c_injection,hAddr,0,NULL);//,创建远方线程,线程函数注入
WaitForSingleObject( hThread, INFINITE);//等待远程线程结束
VirtualFreeEx( hProcess, newbuffer,32, MEM_DECOMMIT );
CloseHandle( hThread );
CloseHandle( hProcess );
return 0;
}
在线坐等各位赐教
自己是个业余的编程爱好者,再看了几本书之后自学的WINDOWS编程,前些天编了一个简单的远程注入程序,编译生成没问题,但是调试时一到HANDLE hThread=CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)c_injection,hAddr,0,NULL)这一步就会使得被注入进程崩溃,不知道是为什么,请各位不吝赐教,帮咱看看。
本人用的VS2010,按书上说的已经关闭了增量编译和ESP校验。
貌似可能是函数的内存地址传递出现问题,但不知道怎么改。
#include "stdafx.h"
#include "Windows.h"
static void WINAPI c_injection(LPVOID pParam) //注入的线程函数(弹个没参数消息框)
{
_asm
{ pushad
push 0
push 0
push 0
push 0
call [pParam]
popad
}
}
static void c_inj()
{} //空函数用来计算注入的线程函数大小
int _tmain(int argc, _TCHAR* argv[])
{
DWORD hprocessid=5476; //要注入的进程pid
printf("%d %d\n",c_injection,c_inj); //计算注入的函数大小以分配内存,得到线程函数大小32个字节
HMODULE Getmoduleaddr=LoadLibraryA("user32.dll");
LPVOID hAddr=GetProcAddress(Getmoduleaddr,"MessageBoxA");//获得函数的内存地址;
HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,TRUE,hprocessid);//获取进程句柄
LPVOID newbuffer=VirtualAllocEx(hProcess,NULL,32,MEM_COMMIT,PAGE_READWRITE); //申请内存 (试过申请大点的内存,依然会使进程崩溃)
printf("newbuffer=%x\n",newbuffer);
WriteProcessMemory(hProcess,newbuffer,c_injection,32,NULL);//写入被注入的函数代码;
HANDLE hThread=CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)c_injection,hAddr,0,NULL);//,创建远方线程,线程函数注入
WaitForSingleObject( hThread, INFINITE);//等待远程线程结束
VirtualFreeEx( hProcess, newbuffer,32, MEM_DECOMMIT );
CloseHandle( hThread );
CloseHandle( hProcess );
return 0;
}
在线坐等各位赐教
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
hProcess = OpenProcess( dwDesiredAccess, FALSE, dwProcessId );
if ( NULL == hProcess) { .... } #ifdef UNICODE dwSize = (lstrlen(lpPluginPathName) + 1) * 2; #else dwSize = lstrlen(lpPluginPathName) + 1; #endif LPVOID lpBuffer = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE); if ( NULL != lpBuffer ) { if ( WriteProcessMemory( hProcess, lpBuffer, (LPVOID)lpPluginPathName, dwSize, &dwWritten ) ) { if ( dwWritten != dwSize ) { VirtualFreeEx( hProcess, lpBuffer, dwSize, MEM_DECOMMIT ); } else { DWORD dwID = 0; PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE) GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW"); HANDLE hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pfnStartAddr, lpBuffer, 0, &dwID ); WaitForSingleObject( hThread, INFINITE ); VirtualFreeEx( hProcess, lpBuffer, dwSize, MEM_DECOMMIT ); CloseHandle( hThread ); hThread = NULL; } } else { ... } } else { ... } if ( NULL != hProcess ) { CloseHandle(hProcess); hProcess = NULL; } 
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
