[求助]为什么dll inject没反应
发表于: 2022-7-5 10:43 6783

[求助]为什么dll inject没反应

2022-7-5 10:43
```// doInject.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//
 
#include <iostream>
 
#include <windows.h>
#include <TlHelp32.h>
#include <tchar.h>
 
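// Look up the process ID of the first running process whose executable
// name equals `targetProcName` (exact, case-sensitive byte comparison of
// PROCESSENTRY32::szExeFile, so this expects a non-UNICODE build).
//
// Parameters:
//   targetProcName - executable file name as shown by Toolhelp, e.g. the
//                    image name without a directory.
// Returns:
//   The matching process ID, or 0 when the snapshot could not be taken or
//   no process matched. Callers must compare against 0, not (DWORD)-1.
//
// The function takes a Toolhelp snapshot of all processes, walks it with
// Process32First/Process32Next, and closes the snapshot on every path.
DWORD getTargetProcessID ( const char *targetProcName ) {
    DWORD procID = 0;

    PROCESSENTRY32 entry;
    entry.dwSize = sizeof ( PROCESSENTRY32 );

    // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE,
    // not NULL, so a `!hSnap` test never fires and the invalid handle would
    // be handed to Process32First. Bail out before touching it.
    HANDLE hSnap = CreateToolhelp32Snapshot ( TH32CS_SNAPPROCESS, 0 );
    if( hSnap == INVALID_HANDLE_VALUE ) {
        printf ( "Snapshot tool failed to open\n" );
        return procID;
    }

    if( Process32First ( hSnap, &entry ) ) {
        // Stop at the first match; later processes with the same image name
        // are not considered.
        do {
            if( !strcmp ( entry.szExeFile, targetProcName ) ) {
                procID = entry.th32ProcessID;
            }
        } while( !procID && Process32Next ( hSnap, &entry ) );
    } else {
        // No first entry means the snapshot holds no processes at all.
        printf ( "No running processes found" );
    }

    // The snapshot is an ordinary kernel handle; without this it leaks once
    // per call.
    CloseHandle ( hSnap );
    return procID;
}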
 
#if 0
 
// NOTE(review): this definition is inside `#if 0` and is not compiled; the
// `#else` branch below is the live program.
//
// Loads `dllName` into the process named `targetProcName` by writing the
// path into the target and starting a remote thread at LoadLibraryW.
//
// Parameters:
//   targetProcName - executable name forwarded to getTargetProcessID().
//   dllName        - wide-character path of the DLL to load.
// Returns:
//   false only when getTargetProcessID() returns 0 (the thrown string is
//   caught below). Every other failure is printed and then ignored, so the
//   function returns true even when nothing was loaded.
bool inject ( const char *targetProcName, const wchar_t *dllName ) {
    try {
        // Get the process id of the target process.
        DWORD targetProcID = getTargetProcessID ( targetProcName );
        if( !targetProcID ) {
            throw "Target process Was not found";
        }
 
        // Get a static address of the LoadLibrary function as a thread-start-routine function.
        // The W variant is looked up, which matches the wchar_t path written below;
        // the error text mentions the A variant, which is misleading.
        LPTHREAD_START_ROUTINE funcLoadLibrary = ( LPTHREAD_START_ROUTINE ) GetProcAddress ( GetModuleHandleA ( "Kernel32.dll" ), "LoadLibraryW" );
        if( !funcLoadLibrary ) {
            // NOTE(review): execution continues with a null start routine.
            printf( "Failed to retrieve a static function pointer to `LoadLbraryA\n`" );
        }
 
        // Open the target process.
        HANDLE hProcess = OpenProcess ( PROCESS_QUERY_INFORMATION |
            PROCESS_CREATE_THREAD |
            PROCESS_VM_OPERATION |
            PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, targetProcID );
        // NOTE(review): OpenProcess returns NULL on failure, so this comparison
        // never detects an unopened process. hProcess is also never closed.
        if( hProcess == INVALID_HANDLE_VALUE ) {
            printf("Failed to open target process" );
        }
 
        // Byte size of the path including its terminating wide NUL.
        DWORD dwSize = ( lstrlenW ( dllName ) + 1 ) * sizeof ( wchar_t );
 
        // Virtually allocate memory for the path of the dll in the target process.
        // Read/write only: the buffer holds a string, not code. It is never freed.
        LPVOID pszLibFileRemote = ( PWSTR ) VirtualAllocEx ( hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE );
        if( !pszLibFileRemote ) {
            printf("Failed to allocate memory in the target process\n" );
        }
 
        // Write the dll path to the target process using WPM.
        // NOTE(review): neither `n` nor `writeSize_` is checked afterwards.
        SIZE_T writeSize_ = 0;
        DWORD n = WriteProcessMemory ( hProcess, pszLibFileRemote, ( PVOID ) dllName, dwSize, &writeSize_ );
 
        // Read-back for debugging. NOTE(review): the buffer holds 256 wchar_t but
        // dwSize is derived from the caller's path length, so a path longer than
        // 255 characters overruns tempBuffer_ on the stack.
        wchar_t tempBuffer_ [256] = { 0 };
        SIZE_T readSize = 0;
        ReadProcessMemory ( hProcess, pszLibFileRemote, tempBuffer_, dwSize, &readSize );
 
        // Create a remote thread in the target process with LoadLibrary to load our dll into the target process.
        HANDLE hRemoteThread = CreateRemoteThread ( hProcess, NULL, 0, funcLoadLibrary, pszLibFileRemote, 0, NULL );
        if( !hRemoteThread || hRemoteThread == INVALID_HANDLE_VALUE ) {
            // NOTE(review): falls through to WaitForSingleObject with a bad handle.
            printf("Failed to load dll into target process" );
        }
 
        // Wait until the remote thread is done loading the dll.
        // The thread handle is never closed.
        WaitForSingleObject ( hRemoteThread, INFINITE );
    } catch( const char *err ) {
        // Only the "not found" throw above lands here.
        std::cout << "An erro occurred: " << err << std::endl;
        return false;
    }
 
    return true;
}
 
// Entry point of the `#if 0` (disabled) variant: resolves "InjectedDll.dll"
// relative to the current directory and hands it to inject() for notepad.exe.
// The return value of GetFullPathNameW is not checked, so an unresolved path
// is passed on as an empty buffer. Returns 0 implicitly in every case.
int main(){
    wchar_t fullname [MAX_PATH] = { 0 };
    GetFullPathNameW ( L"InjectedDll.dll", MAX_PATH, fullname, NULL );
    bool success = inject ( ( "notepad.exe" ), fullname );
    if ( success ){
        printf ( "inject succesfully!!!" );
    }
}
#else
 
#include <Windows.h>
#include <TlHelp32.h>
#include <iostream>
 
// Live entry point (the `#else` branch).
//
// Usage: inject.exe <dll> <process>
//   argv[1] - DLL path, resolved to a full ANSI path with GetFullPathNameA.
//   argv[2] - executable name passed to getTargetProcessID().
// Returns 0 on success and -1 on any reported failure. Progress and errors
// go to stdout via printf.
//
// NOTE(review): none of the handles opened here (process, thread) are closed
// and the remote allocation is never released.
int main ( const int argc, char *argv[ ] ) {
    char *lpDLLName;
    char *lpProcessName;
    char lpFullDLLPath [MAX_PATH];
 
    if( argc == 3 ) {
        lpDLLName = argv [1];
        lpProcessName = argv [2];
    } else {
        printf ( "[HELP] inject.exe <dll> <process>\n" );
        return -1;
    }
 
    // NOTE(review): getTargetProcessID() returns 0 when the process is not
    // found (see its `DWORD ProcID = NULL` / `return ProcID`), never (DWORD)-1,
    // so this check cannot fire and a PID of 0 is passed to OpenProcess below.
    const DWORD dwProcessID = getTargetProcessID ( lpProcessName );
    if( dwProcessID == ( DWORD ) -1 ) {
        printf ( "An error is occured when trying to find the target process.\n" );
        return -1;
    }
 
    printf ( "[DLL Injector]\n" );
    printf ( "Process : %s\n", lpProcessName );
    printf ( "Process ID : %i\n\n", ( int ) dwProcessID );
 
    // Expand a relative DLL name to an absolute path; 0 means failure.
    const DWORD dwFullPathResult = GetFullPathNameA ( lpDLLName, MAX_PATH, lpFullDLLPath, nullptr );
    if( dwFullPathResult == 0 ) {
        printf ( "An error is occured when trying to get the full path of the DLL.\n" );
        return -1;
    }
 
    // NOTE(review): OpenProcess returns NULL on failure, so this comparison
    // never detects it and a null handle is used for every later call.
    const HANDLE hTargetProcess = OpenProcess ( PROCESS_ALL_ACCESS, FALSE, dwProcessID );
    if( hTargetProcess == INVALID_HANDLE_VALUE ) {
        printf ( "An error is occured when trying to open the target process.\n" );
        return -1;
    }
 
    printf ( "[PROCESS INJECTION]\n" );
    printf ( "Process opened successfully.\n" );
 
    // NOTE(review): the buffer only ever holds a path string, yet it is mapped
    // PAGE_EXECUTE_READWRITE; the disabled variant above uses PAGE_READWRITE,
    // which is sufficient. Size is the ANSI path plus its NUL terminator.
    const LPVOID lpPathAddress = VirtualAllocEx ( hTargetProcess, nullptr, lstrlenA ( lpFullDLLPath ) + 1, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );
    if( lpPathAddress == nullptr ) {
        printf ( "An error is occured when trying to allocate memory in the target process.\n" );
        return -1;
    }
 
    // The (UINT) cast truncates the pointer to 32 bits on a 64-bit build;
    // %p would print it in full.
    printf ( "Memory allocate at 0x%X\n", ( UINT ) ( uintptr_t ) lpPathAddress );
 
    // Bytes-written pointer is nullptr, so only the BOOL result is checked.
    const DWORD dwWriteResult = WriteProcessMemory ( hTargetProcess, lpPathAddress, lpFullDLLPath, lstrlenA ( lpFullDLLPath ) + 1, nullptr );
    if( dwWriteResult == 0 ) {
        printf ( "An error is occured when trying to write the DLL path in the target process.\n" );
        return -1;
    }
 
    printf ( "DLL path writen successfully.\n" );
 
    // kernel32 is loaded at the same base in every process of the same
    // bitness, which is what makes the address usable remotely. The
    // INVALID_HANDLE_VALUE comparison is harmless but GetModuleHandleA
    // reports failure with NULL. This path exits silently.
    const HMODULE hModule = GetModuleHandleA ( "kernel32.dll" );
    if( hModule == INVALID_HANDLE_VALUE || hModule == nullptr )
        return -1;
 
    // ANSI variant, consistent with the ANSI path written above.
    const FARPROC lpFunctionAddress = GetProcAddress ( hModule, "LoadLibraryA" );
    if( lpFunctionAddress == nullptr ) {
        printf ( "An error is occured when trying to get \"LoadLibraryA\" address.\n" );
        return -1;
    }
 
    // Same 32-bit truncation as the allocation address above.
    printf ( "LoadLibraryA address at 0x%X\n", ( UINT ) ( uintptr_t ) lpFunctionAddress );
 
    // NOTE(review): CreateRemoteThread returns NULL on failure, so this
    // comparison never detects it and WaitForSingleObject gets a null handle.
    const HANDLE hThreadCreationResult = CreateRemoteThread ( hTargetProcess, nullptr, 0, ( LPTHREAD_START_ROUTINE ) lpFunctionAddress, lpPathAddress, 0, nullptr );
    if( hThreadCreationResult == INVALID_HANDLE_VALUE ) {
        printf ( "An error is occured when trying to create the thread in the target process.\n" );
        return -1;
    }
 
    // Block until the remote thread exits; its exit code is not inspected,
    // so a failed LoadLibraryA in the target still reports success below.
    WaitForSingleObject ( hThreadCreationResult, INFINITE );
 
    printf ( "DLL Injected !\n" );
 
    return 0;
}
 
#endif

图片描述

 

我想用上面的代码,把一个叫做“InjectedDll.dll”的dll注入到notepad.exe中,这个是InjectedDll.dll的代码,我想在dll被注入的时候,可以弹出对话框
图片描述 但是无论我怎么弄都不成功。没有弹出messagebox,接着我用windbg来跟踪notepad, 图片描述
我发现他的参数全部为nullptr,这是为什么呢?

const HANDLE hThreadCreationResult = CreateRemoteThread ( hTargetProcess, nullptr, 0, ( LPTHREAD_START_ROUTINE ) lpFunctionAddress, lpPathAddress, 0, nullptr );
if( hThreadCreationResult == INVALID_HANDLE_VALUE ) {
    printf ( "An error is occured when trying to create the thread in the target process.\n" );
    return -1;
}

```
这个地方已经给参数的呀。。。为什么不能成功注入呢?
新手求指教。



最后于 2022-7-5 10:48 被hello,hook编辑 ,原因: 排版有问题,重新排版
直接运行的notepad.exe,在64位系统上是64位的notepad
2022-7-5 13:45
milko 直接运行的notepad.exe,在64位系统上是64位的notepad
是的,notepad确实运行的是64位的,但是我还是搞不懂为啥注入失败。。。
2022-7-5 14:17


代码没问题,我直接用的你代码测试成功了。

大概率问题是你的注入器编译的是x86的

2022-7-5 16:14

64位下  fastcall调用约定,看rcx寄存器,是传的第一个参数,我用你的代码可以注入64位notepad.exe

最后于 2022-7-5 16:45 被0346954编辑 ,原因:
2022-7-5 16:35

注意几点问题
1.注入的时候看看进程是否有区别
2.注入的时候注意工程设置, 如果你是UNICODE工程,那么你大概率用的API不会明确指出用的是W版本函数还是A版本函数. 这样就导致 你获取的DLL路径可能是A字符版本.然后写到目的内存也是A字符版本. 但是在创建远程线程的目标线程需要调用的API函数的时候直接传入的LoadLibrary 并没有指明A还是W.导致的结果就是 目标程序中调用的 "默认"就是LoadLibraryW 而你写入到目标进程的DLL路径则是A版本. 结果就是LoadLibraryW的参数接受了一个A版本的参数.导致注入失败.

3.最重要最坑的一点,复制DLL路径是 直接右键-属性-常规 里面复制的DLL路径. 如果是这样那么默认字符串前边会有一个不可见字符.

导致你的字符串路径是错误的. 所以结果会一直是错误的.而且在编辑器中并不会显示这个空白字符. 调试的时候需要查看内存才可以.


所以如果复制DLL路径,  请按住Shift 然后右键DLL文件. 在弹出的菜单中就有一个选项 选项为 "复制为路径" 使用这个路径即可.

最后于 2022-7-5 17:42 被TkBinary编辑 ,原因: 增加第三点.
2022-7-5 17:40
milko 代码没问题,我直接用的你代码测试成功了。大概率问题是你的注入器编译的是x86的

我刚刚试了一下,又可以了。我所有的东西都没改,好奇怪。

这里编译出来的路径是在x64下的,而且我都检查了,全部是64位的。

2022-7-6 10:06
目测就是你复制路径的时候出的问题. 想想你复制DLL路径的时候是不是 对DLL进行右键.直接从他的常规里面复制的.
2022-7-7 15:33
TkBinary 目测就是你复制路径的时候出的问题. 想想你复制DLL路径的时候是不是 对DLL进行右键.直接从他的常规里面复制的.
真的是你说的这样的,我对比了下,那个dll的路径有问题。非常感谢
2022-7-8 10:11
还有一种情况:进程权限没有更改也注入不进去
2022-7-8 10:41

新手求问,DLL的程序是用txt写进一个.dll后缀的文件中吗,一直提示这个图片

请问应该怎么解决?谢谢

2022-7-12 14:29
dll是pe,二进制的,不是txt的。
2022-7-13 08:34
hello,hook dll是pe,二进制的,不是txt的。
谢谢,确实是我还没有理解到位,再次感谢!
2022-7-17 18:45