I've been doing some reverse engineering lately, patching a PE to inject a DLL (the DLL injects successfully and can pop a MessageBox). But I wasn't satisfied with that; I wanted to use assembly inside the DLL to control a few details. I put my code in the DLL_PROCESS_ATTACH part of DllMain, creating a remote call. The result was an error; the error message is: TextView.exe 中的 0x10081280 (myhack3.dll) 处有未经处理的异常: 0xC0000005: Access violation
Here is my source code; please take a look and tell me what's wrong:
#include <windows.h>

#ifdef __cplusplus
extern "C" {
#endif
/* Function exported by the DLL (gives the injector something to resolve). */
__declspec(dllexport) void dummy()
{
    return;
}
#ifdef __cplusplus
}
#endif

/* Hand-assembled stub: build a stack frame, push the arguments, then call
   MessageBoxA. Each CALL jumps over the inline string that follows it, so the
   "return address" it pushes is really the char* argument (lpCaption, lpText). */
BYTE g_InjectionCode[] =
{
    0x55,0x8b,0xec,0x8b,0x45,0x08,0x6a,0x00,0xe8,0x0c,0x00,0x00,0x00,
    0x52,0x65,0x76,0x65,0x72,0x73,0x65,0x43,0x6f,0x72,0x65,0x00,0xe8,
    0x14,0x00,0x00,0x00,0x77,0x77,0x77,0x2e,0x72,0x65,0x76,0x65,0x72,
    0x73,0x65,0x63,0x6f,0x72,0x65,0x2e,0x63,0x6f,0x6d,0x00,0x6a,0x00,
    0xff,0xd0,0x33,0xc0,0x8b,0xe5,0x5d,0xc3
};  /* the array as first posted had a stray 0x33 after the final C3 (RETN); it is dropped here */
/*
004010ED 55            PUSH EBP
004010EE 8BEC          MOV EBP,ESP
004010F0 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]  ; EAX = lpParameter (address of MessageBoxA)
004010F3 6A 00         PUSH 0                        ; uType = MB_OK (0)
004010F5 E8 0C000000   CALL 00401106                 ; pushes 004010FA = lpCaption
004010FA <ASCII>                                     ; "ReverseCore", 0
00401106 E8 14000000   CALL 0040111F                 ; pushes 0040110B = lpText
0040110B <ASCII>                                     ; "www.reversecore.com", 0
0040111F 6A 00         PUSH 0                        ; hWnd = NULL
00401121 FFD0          CALL EAX                      ; MessageBoxA(0, "www.reversecore.com", "ReverseCore", 0)
00401123 33C0          XOR EAX,EAX
00401125 8BE5          MOV ESP,EBP
00401127 5D            POP EBP
00401128 C3            RETN
*/
BOOL APIENTRY DllMain(HINSTANCE hModule, DWORD reason, LPVOID lpReserved)
{
    HANDLE  hThread = NULL;
    HMODULE hMod    = NULL;
    FARPROC pFunc   = NULL;

    switch (reason)
    {
    case DLL_PROCESS_ATTACH:
        /* Runs once, when the DLL is first mapped into the process; later
           LoadLibrary calls only bump the reference count. */
        hMod = LoadLibraryA("user32.dll");
        if (hMod == NULL)
            return FALSE;
        pFunc = GetProcAddress(hMod, "MessageBoxA");
        if (pFunc == NULL)
            return FALSE;
        /* The stub reads its single argument from [EBP+8] and does CALL EAX on
           it, so lpParameter must be the function pointer itself. The code as
           first posted passed &pFunc, the address of a stack variable, which
           CALL EAX would then have jumped into. */
        hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)g_InjectionCode,
                               (LPVOID)pFunc, 0, NULL);
        if (hThread != NULL)
            CloseHandle(hThread);   /* nothing waits on the thread; release the handle */
        return TRUE;
    default:
        return TRUE;
    }
}
A thread is created in DllMain; the thread callback address is g_InjectionCode, and the parameter is the address of the MessageBox function. (That address is kept in EAX in the assembly above, and the final call EAX is the call this assembly makes.)
I stepped through it with VS; VS stopped at the first byte of g_InjectionCode and reported 0xC0000005: Access violation. How do I solve this problem?
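The following is an added example, not code from the post above. It does two things for a hand-assembled stub like g_InjectionCode. First, a portable static walk over the bytes (the function name validate_stub and its out-parameters are my own): it decodes only the instruction forms the stub uses, checks that each CALL rel32 jumps exactly over one inline NUL-terminated string (the call-over-string trick that turns the pushed return address into a char* argument), and reports any bytes left after RETN, which is how the stray 0x33 in the array as first posted shows up. Second, on Windows only (page_protection and make_stub_executable are likewise my names), it shows why execution faults on the very first byte: a BYTE[] in the DLL's .data section is mapped on a PAGE_READWRITE page, and with DEP/NX enabled the processor raises 0xC0000005 on the first instruction fetch from it. VirtualProtect can grant execute on that range; PAGE_EXECUTE_READ is enough, since the stub is never written to. The stub bytes are the post's own, minus the trailing 0x33.

```c
/* Added example (not the poster's code): checks for a hand-assembled stub. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Same bytes as the post's g_InjectionCode, minus the stray trailing 0x33.
 * Deliberately non-const so that, like the original, it lives in .data. */
static uint8_t stub[] = {
    0x55,0x8b,0xec,0x8b,0x45,0x08,0x6a,0x00,0xe8,0x0c,0x00,0x00,0x00,
    0x52,0x65,0x76,0x65,0x72,0x73,0x65,0x43,0x6f,0x72,0x65,0x00,0xe8,
    0x14,0x00,0x00,0x00,0x77,0x77,0x77,0x2e,0x72,0x65,0x76,0x65,0x72,
    0x73,0x65,0x63,0x6f,0x72,0x65,0x2e,0x63,0x6f,0x6d,0x00,0x6a,0x00,
    0xff,0xd0,0x33,0xc0,0x8b,0xe5,0x5d,0xc3
};

/* Walks the stub. Returns the number of bytes up to and including RETN, or 0
 * if an unexpected opcode or a malformed call-over-string is found.
 * *trailing receives the count of bytes after RETN; *strings the number of
 * inline strings that were skipped by a CALL. (Hypothetical helper.) */
static size_t validate_stub(const uint8_t *p, size_t n, size_t *trailing, int *strings)
{
    size_t i = 0;
    *trailing = 0;
    *strings = 0;
    while (i < n) {
        uint8_t op = p[i];
        if (op == 0x55 || op == 0x5d) {                 /* PUSH EBP / POP EBP */
            i += 1;
        } else if (op == 0xc3) {                        /* RETN: end of stub */
            *trailing = n - (i + 1);
            return i + 1;
        } else if (op == 0x6a && i + 1 < n) {           /* PUSH imm8 */
            i += 2;
        } else if (op == 0x8b && i + 1 < n && (p[i+1] == 0xec || p[i+1] == 0xe5)) {
            i += 2;                                     /* MOV EBP,ESP / MOV ESP,EBP */
        } else if (op == 0x8b && i + 2 < n && p[i+1] == 0x45) {
            i += 3;                                     /* MOV EAX,[EBP+disp8] */
        } else if ((op == 0xff && i + 1 < n && p[i+1] == 0xd0) ||
                   (op == 0x33 && i + 1 < n && p[i+1] == 0xc0)) {
            i += 2;                                     /* CALL EAX / XOR EAX,EAX */
        } else if (op == 0xe8 && i + 4 < n) {           /* CALL rel32 over a string */
            uint32_t rel = (uint32_t)p[i+1] | (uint32_t)p[i+2] << 8 |
                           (uint32_t)p[i+3] << 16 | (uint32_t)p[i+4] << 24;
            size_t s = i + 5;                           /* the "return address": string start */
            if (rel == 0 || rel > n - s) return 0;
            /* the string must occupy exactly rel bytes, NUL terminator included */
            if (p[s + rel - 1] != 0 || strlen((const char *)p + s) != rel - 1) return 0;
            (*strings)++;
            i = s + rel;                                /* continue at the CALL target */
        } else {
            return 0;                                   /* opcode the stub should not contain */
        }
    }
    return 0;                                           /* ran off the end without RETN */
}

#ifdef _WIN32
/* Protection flags of the page holding addr (0 if VirtualQuery fails). */
static DWORD page_protection(const void *addr)
{
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQuery(addr, &mbi, sizeof mbi) == 0) return 0;
    return mbi.Protect;
}

/* Grant execute (but not write) on the stub's range. Nonzero on success. */
static int make_stub_executable(void *addr, size_t len)
{
    DWORD old = 0;
    return VirtualProtect(addr, len, PAGE_EXECUTE_READ, &old) != 0;
}
#endif

int main(void)
{
    size_t trailing = 0, used;
    int strings = 0;
    uint8_t as_posted[sizeof stub + 1];

    used = validate_stub(stub, sizeof stub, &trailing, &strings);
    printf("cleaned stub: %zu bytes to RETN, %d inline strings, %zu trailing\n",
           used, strings, trailing);

    /* Reconstruct the array as first posted: the same bytes plus a stray 0x33. */
    memcpy(as_posted, stub, sizeof stub);
    as_posted[sizeof stub] = 0x33;
    used = validate_stub(as_posted, sizeof as_posted, &trailing, &strings);
    printf("as posted:    %zu bytes to RETN, %zu trailing byte(s) after RETN\n",
           used, trailing);

#ifdef _WIN32
    DWORD prot = page_protection(stub);
    int exec = (prot & (PAGE_EXECUTE | PAGE_EXECUTE_READ |
                        PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) != 0;
    printf("page protection 0x%lx: %s\n", (unsigned long)prot,
           exec ? "executable" : "not executable (source of 0xC0000005 on byte 0)");
    if (!exec && make_stub_executable(stub, sizeof stub))
        printf("after VirtualProtect: 0x%lx\n", (unsigned long)page_protection(stub));
#endif
    return used == 0 ? 1 : 0;
}
```

Built on Windows, the protection line is the direct explanation of the fault in the question: the loader maps the DLL's data sections readable and writable but not executable, so a thread whose start address is inside g_InjectionCode faults before its first instruction completes. Whether the bytes are made executable with VirtualProtect at run time or placed in an executable section at build time, the thread start address in a data page and the write-then-execute page transition are exactly the signals that memory-integrity mitigations and endpoint monitoring look for, so this is also the behaviour a defender would expect to see logged.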