1

嗨,我试图挂起一个远程线程,但在途中我偶然发现 DuplicateHandle 失败,错误 6, ERROR_INVALID_HANDLE 。

以下方法适用于当前进程,但如果给出了像“calc”这样的远程进程(在同一主机上),则 DuplicateHandle 失败。

该进程使用 Admin priv 运行,并且 SeDebugPriv 和 SeSecurityPriv 被授予(进程资源管理器确认),但没有用。任何想法?`

bool DbgHelpWrapper::GetThreadStartAddress( IntPtr processHandle, DWORD processId, DWORD threadID, DWORD *dwStartAddress )
{
    // Get ntdll entry points.
    HMODULE ntDLLHandle = LoadLibrary(L"ntdll.dll");
    tNtQueryInformationThread NtQueryInformationThread = (tNtQueryInformationThread)GetProcAddress(ntDLLHandle, "NtQueryInformationThread");

    // Open thread with wrong access rights.
    HANDLE hRemoteProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, processId );
    HANDLE hRemoteThread = OpenThread(THREAD_SUSPEND_RESUME, FALSE, threadID);

    if (hRemoteThread != 0 && hRemoteProcess != 0 )
    {
        try
        {
            // Duplicate handle to get correct access rights.
            HANDLE temporaryHandle = 0;
            DWORD duplicateHandleResult = DuplicateHandle(hRemoteProcess, hRemoteThread, GetCurrentProcess(),
                                                              &temporaryHandle, THREAD_QUERY_INFORMATION, FALSE, 0 );
            System::Console::WriteLine( String::Format("DuplicateHandle returned {0}", duplicateHandleResult ));
            System::Console::WriteLine( String::Format("DuplicateHandle error {0}", Marshal::GetLastWin32Error()));
            if (duplicateHandleResult != 0 )
            {
                try
                {
                    NTSTATUS ntStatus = NtQueryInformationThread(temporaryHandle, ThreadQuerySetWin32StartAddress, dwStartAddress, sizeof(DWORD), NULL);
                    System::Console::WriteLine( String::Format("NtQueryInformationThread returned {0}", ntStatus ));
                    if (ntStatus == 0)
                    {
                        System::Console::WriteLine( String::Format("StartAddress: {0:X16}", *dwStartAddress ));
                        return true;
                    }
                    else
                    {
                        System::Console::WriteLine( String::Format("NtQueryInformationThread error {0}", Marshal::GetLastWin32Error()));
                        return false;
                    }
                }
                finally
                {
                    CloseHandle(temporaryHandle);
                }
            }
            else
            {
                System::Console::WriteLine( String::Format("Cannot duplicate the thread handle to THREAD_QUERY_INFORMATION rights"));
                return false;
            }
        }
        finally
        {
            // Cleanup
            CloseHandle(hRemoteThread);
        }
    }
    else
    {
        System::Console::WriteLine( String::Format("Cannot open the thread with THREAD_SUSPEND_RESUME rights"));
        return FALSE;
    }
}

`

4

1 回答 1

2

你说DuplicateHandlehRemoteThread是一个句柄 in hRemoteProcess,但它不是。这是您当前进程中的句柄 - 您之前打开了几行。(线程是远程进程的一部分,但它的句柄不是。)

于 2012-09-02T10:45:31.593 回答