win7 远程线程注入EXPLORER为什么就是EXPLORER会崩溃呢?
是ASLR的原因么?
// Thread routine whose compiled bytes _tmain copies into the target process
// and starts with CreateRemoteThread; lpThreadParameter receives the remote
// address of the copied argument record. The body is empty in this listing.
// NOTE(review): the byte count copied is &EndRemoteFun - &RemoteCodeFunc,
// so this function's compiled size is part of the program's behavior.
static DWORD WINAPI RemoteCodeFunc(LPVOID lpThreadParameter)
{
}
// Marker function: only its address is used, as the end of the byte range
// that _tmain copies into the target process. It is never called.
static DWORD EndRemoteFun()
{
return 0 ;
}
// Entry point: opens explorer.exe, copies RemoteCodeFunc's bytes and an
// argument record into it, and starts a thread there. The call sequence
// OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx -> WriteProcessMemory ->
// VirtualProtectEx(PAGE_EXECUTE_READ) -> CreateRemoteThread is the textbook
// cross-process injection pattern; from a defender's side every step is an
// observable event (a full-access handle to explorer.exe, a new private
// executable region inside explorer.exe, a thread whose start address is not
// backed by any loaded module), which is what endpoint monitoring keys on.
// None of the Win32 return values below are checked.
// NOTE(review): GetPid, StrArgs, InjectArgs and SizeFun are declared outside
// this listing; their definitions are not visible here.
int _tmain(int argc, _TCHAR* argv[])
{
//Get the PID of the target process (helper defined elsewhere)
DWORD dwPid = GetPid(L"explorer.exe");
// Full-access handle to the target; not checked for NULL
HANDLE HProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwPid);
// Argument record that will be handed to the remote thread
StrArgs *Args = new StrArgs ;
Args->szArg = L"C:\\Windows\\System32\\";
Args->szName = L"cmd.exe";
// The byte length to copy is taken as the distance between the two function addresses
const BYTE * codeStartAdr = reinterpret_cast< const BYTE * >(&RemoteCodeFunc);
const BYTE * codeEndAdr = reinterpret_cast< const BYTE * >(&EndRemoteFun);
SizeFun = codeEndAdr - codeStartAdr;
//Allocate memory in the target for the thread function and its argument
LPVOID AgrsAdd = VirtualAllocEx(HProcess,NULL,sizeof(InjectArgs),MEM_COMMIT | PAGE_READWRITE,PAGE_READWRITE);
LPVOID ProcessAdd = VirtualAllocEx(HProcess,NULL,SizeFun,MEM_COMMIT | PAGE_READWRITE,PAGE_EXECUTE_READWRITE);
// Copy the argument record and the function bytes into the target
BOOL isWriteMemArgs = WriteProcessMemory(HProcess,AgrsAdd,Args,sizeof(InjectArgs),NULL);
BOOL isWriteMemFuns = WriteProcessMemory(HProcess,ProcessAdd,&RemoteCodeFunc,SizeFun,NULL);
DWORD dwOldProtect = 0;
// Tighten protections after writing: arguments read-only, code execute+read
// (the BOOL results of the writes above are overwritten here, not inspected)
isWriteMemArgs = VirtualProtectEx(HProcess,AgrsAdd,sizeof(InjectArgs), PAGE_READONLY, &dwOldProtect);
isWriteMemFuns = VirtualProtectEx(HProcess,ProcessAdd,SizeFun, PAGE_EXECUTE_READ, &dwOldProtect);
// Start a thread in the target at the copied code, passing the remote argument address
HANDLE hRemoteThread = CreateRemoteThread(HProcess,NULL,0,reinterpret_cast< LPTHREAD_START_ROUTINE >( ProcessAdd ),AgrsAdd,0,NULL);
CloseHandle(HProcess);
delete Args;
// HProcess was already closed two lines above, so this call is made on a
// closed handle; hRemoteThread is never closed
VirtualFreeEx(HProcess,ProcessAdd,SizeFun,MEM_RELEASE);
return 0;
}
删除其他代码, CreateRemoteThread后桌面进程就崩溃了