-
-
[求助]为什么dll inject没反应
-
2022-7-5 10:43
-
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 | 插入代码```// doInject.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。//#include <iostream>#include <windows.h>#include <TlHelp32.h>#include <tchar.h>DWORD getTargetProcessID ( const char *targetProcName ) { // PROCESSENTRY32 is used to open and get information about a running process.. PROCESSENTRY32 entry; entry.dwSize = sizeof ( PROCESSENTRY32 ); // We use a th32snapprocess to iterate through all running processes. HANDLE hSnap = CreateToolhelp32Snapshot ( TH32CS_SNAPPROCESS, NULL ); // Success check oon the snapshot tool. if( !hSnap ) { printf ( "Snapshot tool failed to open\n" ); } // If a first process exist (there are running processes), iterate through // all running processes. DWORD ProcID = NULL; if( Process32First ( hSnap, &entry ) ) { do { // If the current process entry is the target process, store its ID. if( !strcmp ( entry.szExeFile, targetProcName ) ) { ProcID = entry.th32ProcessID; } } while( Process32Next ( hSnap, &entry ) && !ProcID ); // Move on to the next running process. } else { // If there was no first process, notify the user. printf ( "No running processes found" ); } return ProcID;}#if 0bool inject ( const char *targetProcName, const wchar_t *dllName ) { try { // Get the process id of the target process. DWORD targetProcID = getTargetProcessID ( targetProcName ); if( !targetProcID ) { throw "Target process Was not found"; } // Get a static address of the LoadLibrary function as a thread-start-routine function. LPTHREAD_START_ROUTINE funcLoadLibrary = ( LPTHREAD_START_ROUTINE ) GetProcAddress ( GetModuleHandleA ( "Kernel32.dll" ), "LoadLibraryW" ); if( !funcLoadLibrary ) { printf( "Failed to retrieve a static function pointer to `LoadLbraryA\n`" ); } // Open the target process. HANDLE hProcess = OpenProcess ( PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, targetProcID ); if( hProcess == INVALID_HANDLE_VALUE ) { printf("Failed to open target process" ); } DWORD dwSize = ( lstrlenW ( dllName ) + 1 ) * sizeof ( wchar_t ); // Virtually allocate memory for the path of the dll in the target process. LPVOID pszLibFileRemote = ( PWSTR ) VirtualAllocEx ( hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE ); if( !pszLibFileRemote ) { printf("Failed to allocate memory in the target process\n" ); } // Write the dll path to the target process using WPM. SIZE_T writeSize_ = 0; DWORD n = WriteProcessMemory ( hProcess, pszLibFileRemote, ( PVOID ) dllName, dwSize, &writeSize_ ); wchar_t tempBuffer_ [256] = { 0 }; SIZE_T readSize = 0; ReadProcessMemory ( hProcess, pszLibFileRemote, tempBuffer_, dwSize, &readSize ); // Create a remote thread in the target process with LoadLibrary to load our dll into the target process. HANDLE hRemoteThread = CreateRemoteThread ( hProcess, NULL, 0, funcLoadLibrary, pszLibFileRemote, 0, NULL ); if( !hRemoteThread || hRemoteThread == INVALID_HANDLE_VALUE ) { printf("Failed to load dll into target process" ); } // Wait until the remote thread is done loading the dll. WaitForSingleObject ( hRemoteThread, INFINITE ); } catch( const char *err ) { std::cout << "An erro occurred: " << err << std::endl; return false; } return true;}int main(){ wchar_t fullname [MAX_PATH] = { 0 }; GetFullPathNameW ( L"InjectedDll.dll", MAX_PATH, fullname, NULL ); bool success = inject ( ( "notepad.exe" ), fullname ); if ( success ){ printf ( "inject succesfully!!!" ); }}#else#include <Windows.h>#include <TlHelp32.h>#include <iostream>int main ( const int argc, char *argv[ ] ) { char *lpDLLName; char *lpProcessName; char lpFullDLLPath [MAX_PATH]; if( argc == 3 ) { lpDLLName = argv [1]; lpProcessName = argv [2]; } else { printf ( "[HELP] inject.exe <dll> <process>\n" ); return -1; } const DWORD dwProcessID = getTargetProcessID ( lpProcessName ); if( dwProcessID == ( DWORD ) -1 ) { printf ( "An error is occured when trying to find the target process.\n" ); return -1; } printf ( "[DLL Injector]\n" ); printf ( "Process : %s\n", lpProcessName ); printf ( "Process ID : %i\n\n", ( int ) dwProcessID ); const DWORD dwFullPathResult = GetFullPathNameA ( lpDLLName, MAX_PATH, lpFullDLLPath, nullptr ); if( dwFullPathResult == 0 ) { printf ( "An error is occured when trying to get the full path of the DLL.\n" ); return -1; } const HANDLE hTargetProcess = OpenProcess ( PROCESS_ALL_ACCESS, FALSE, dwProcessID ); if( hTargetProcess == INVALID_HANDLE_VALUE ) { printf ( "An error is occured when trying to open the target process.\n" ); return -1; } printf ( "[PROCESS INJECTION]\n" ); printf ( "Process opened successfully.\n" ); const LPVOID lpPathAddress = VirtualAllocEx ( hTargetProcess, nullptr, lstrlenA ( lpFullDLLPath ) + 1, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE ); if( lpPathAddress == nullptr ) { printf ( "An error is occured when trying to allocate memory in the target process.\n" ); return -1; } printf ( "Memory allocate at 0x%X\n", ( UINT ) ( uintptr_t ) lpPathAddress ); const DWORD dwWriteResult = WriteProcessMemory ( hTargetProcess, lpPathAddress, lpFullDLLPath, lstrlenA ( lpFullDLLPath ) + 1, nullptr ); if( dwWriteResult == 0 ) { printf ( "An error is occured when trying to write the DLL path in the target process.\n" ); return -1; } printf ( "DLL path writen successfully.\n" ); const HMODULE hModule = GetModuleHandleA ( "kernel32.dll" ); if( hModule == INVALID_HANDLE_VALUE || hModule == nullptr ) return -1; const FARPROC lpFunctionAddress = GetProcAddress ( hModule, "LoadLibraryA" ); if( lpFunctionAddress == nullptr ) { printf ( "An error is occured when trying to get \"LoadLibraryA\" address.\n" ); return -1; } printf ( "LoadLibraryA address at 0x%X\n", ( UINT ) ( uintptr_t ) lpFunctionAddress ); const HANDLE hThreadCreationResult = CreateRemoteThread ( hTargetProcess, nullptr, 0, ( LPTHREAD_START_ROUTINE ) lpFunctionAddress, lpPathAddress, 0, nullptr ); if( hThreadCreationResult == INVALID_HANDLE_VALUE ) { printf ( "An error is occured when trying to create the thread in the target process.\n" ); return -1; } WaitForSingleObject ( hThreadCreationResult, INFINITE ); printf ( "DLL Injected !\n" ); return 0;}#endif |
我想用上面的代码,把一个叫做“InjectedDll.dll”的dll注入到notepad.exe中,这个是InjectedDll.dll的代码,我想在dll被注入的时候,可以弹出对话框
但是无论我怎么弄都不成功。没有弹出messagebox,接着我用windbg来跟踪notepad, 
我发现他的参数全部为nullptr,这是为什么呢?
1 2 3 4 5 | const HANDLE hThreadCreationResult = CreateRemoteThread ( hTargetProcess, nullptr, 0, ( LPTHREAD_START_ROUTINE ) lpFunctionAddress, lpPathAddress, 0, nullptr );if( hThreadCreationResult == INVALID_HANDLE_VALUE ) { printf ( "An error is occured when trying to create the thread in the target process.\n" ); return -1;} |
```
这个地方已经给参数的呀。。。为什么不能成功注入呢?
新手求指教。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
最后于 2022-7-5 10:48
被hello,hook编辑
,原因: 排版有问题,重新排版
|
|
|---|---|
|
|
|
|
|
是的,notepad确实运行的是64位的,但是我还是搞不懂为啥注入失败。。。 |
|
|
代码没问题,我直接用的你代码测试成功了。 大概率问题是你的注入器编译的是x86的 |
|
|
|
|
|
|
|
|
我刚刚试了一下,又可以了。我所有的东西都没改,好奇怪。
这里编译出来的路径是在x64下的,而且我都检查了,全部是64位的。 |
|
|
|
|
|
真的是你说的这样的,我对比了下,那个dll的路径有问题。非常感谢 |
|
|
|
|
|
新手求问,DLL的程序是用txt写进一个.dll后缀的文件中吗,一直提示这个图片 请问应该怎么解决?谢谢 |
|
|
|
|
|
谢谢,确实是我还没有理解到位,再次感谢! 
|
milko
