// Loads the DLL named by pszDllName into the process dwProcessId: the path
// string is copied into the target's address space and a remote thread is
// started on kernel32's LoadLibraryA with that string as its argument.
// Returns TRUE once the remote thread has been created. It never reads the
// thread's exit code, so TRUE does not prove the DLL actually loaded.
// NOTE(review): every branch reports through a one-argument MessageBox,
// which looks like the MFC CWnd::MessageBox member — presumably this is a
// method of a dialog/window class; confirm.
BOOL RemoteLoadLibrary(LPCSTR pszDllName, DWORD dwProcessId)
{
// Try to open the target process.
// NOTE(review): PROCESS_ALL_ACCESS requests every right on the target; this
// function only writes memory and creates a thread there, so the mask is
// broader than least privilege calls for.
char strDllName[MAX_PATH];
DWORD cbSize, dwWritten;
HANDLE hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
if(hProcess == NULL)
{
MessageBox(_T("打开目标进程失败."));
return FALSE;
}else MessageBox(_T("打开目标进程成功."));
// Allocate space in the target process for the DLL name string; it becomes
// the remote thread's parameter.
// BUG(review): strDllName is never filled from pszDllName (pszDllName is not
// referenced anywhere in this function), so lstrlenA below measures an
// uninitialized stack buffer and whatever it happens to contain is what is
// copied to the target. Behaviour then depends on stack contents, which
// fits a "works on one machine, not on another" symptom.
cbSize = static_cast<DWORD>(lstrlenA(strDllName) + 1) * sizeof(char);
// NOTE(review): the VirtualAllocEx result is unchecked; on failure
// lpRemoteDllName is NULL and the write below fails.
LPVOID lpRemoteDllName = ::VirtualAllocEx(hProcess, NULL, cbSize, MEM_COMMIT, PAGE_READWRITE);
if (::WriteProcessMemory(hProcess, lpRemoteDllName, (LPVOID)strDllName, cbSize, &dwWritten))
{
if ( dwWritten != cbSize )
{
// Short write: give back the remote buffer and the process handle.
// NOTE(review): MEM_DECOMMIT leaves the reservation in place in the
// target; MEM_RELEASE (with size 0) is what fully returns the region.
VirtualFreeEx( hProcess, lpRemoteDllName, cbSize, MEM_DECOMMIT );
CloseHandle( hProcess );
MessageBox(_T("在目标进程中存放字符串失败."));
return FALSE;
}else MessageBox(_T("在目标进程中存放字符串成功."));
}
// NOTE(review): there is no else branch — when WriteProcessMemory itself
// returns FALSE, execution falls through and still creates the remote thread
// with a buffer that was never written.
// Resolve LoadLibraryA; it serves as the remote thread's start routine.
// The module handle is looked up in *this* process, so the call assumes
// kernel32.dll is mapped at the same base address in the target — TODO
// confirm that assumption for the systems this is run on.
// NOTE(review): _T() is only a wide string in a Unicode build, yet the
// explicit W variant of GetModuleHandle is called; an MBCS build would not
// compile this line. The GetProcAddress result is also unchecked.
HMODULE hModule=::GetModuleHandleW(_T("kernel32.dll"));
LPTHREAD_START_ROUTINE pfnStartRoutine = (LPTHREAD_START_ROUTINE)::GetProcAddress(hModule, "LoadLibraryA");
// Start the remote thread.
HANDLE hRemoteThread = ::CreateRemoteThread(hProcess, NULL, 0,pfnStartRoutine, lpRemoteDllName, 0, NULL);
if(hRemoteThread == NULL)
{
// NOTE(review): the remote buffer allocated above is not freed on this path.
::CloseHandle(hProcess);
MessageBox(_T("启动远程线程失败."));
return FALSE;
}
else
MessageBox(_T("启动远程线程成功."));
// NOTE(review): the thread is neither waited on nor is its exit code
// (LoadLibraryA's return value, NULL on failure) read, so the "success"
// message only proves the thread was created. The remote buffer is also
// left allocated in the target after the call returns.
::CloseHandle(hRemoteThread);
::CloseHandle(hProcess);
return TRUE;
}
这段代码为什么只有在我的系统中能够注入成功,而到了别的系统中(没装VS2005的系统)就失败呢?注:所有提示都是成功,但在目标进程中没有注入的DLL。