
我正在尝试在进程中注入 DLL 并在我的 DLL 中调用导出的函数。

使用该代码可以正常注入 DLL:

// Fragment of a larger function (its signature, pID and DLL_NAME are not shown
// here, and `return false` belongs to that enclosing function).
HANDLE Proc;
char buf[50] = { 0 };
LPVOID RemoteString, LoadLibAddy;
if (!pID)
    return false;
Proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);
if (!Proc)
{
    // NOTE(review): GetLastError() returns a DWORD, so "%d" is a format/argument
    // mismatch; "%lu" is the matching specifier.
    sprintf_s(buf, "OpenProcess() failed: %d", GetLastError());
    // NOTE(review): buf is passed as the format string rather than as an
    // argument. Its content is fixed here, but the pattern is a classic
    // format-string hazard; the safe form is printf("%s", buf).
    printf(buf);
    return false;
}

// Address of LoadLibraryA in this process; the return value is not checked.
LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");
// Allocate space in the process for our DLL 
// NOTE(review): VirtualAllocEx can return NULL; the result is used unchecked.
RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(DLL_NAME), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
// Write the string name of our DLL in the memory allocated 
// NOTE(review): WriteProcessMemory's BOOL result is ignored; a failed write
// would still be followed by the thread creation below.
WriteProcessMemory(Proc, (LPVOID)RemoteString, DLL_NAME, strlen(DLL_NAME), NULL);
// Load our DLL 
// NOTE(review): neither hThread nor Proc is closed in the visible code — confirm
// the enclosing function releases them.
HANDLE hThread = CreateRemoteThread(Proc, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL);

我的 DLL 模块创建成功,正如您在 Process Hacker 的截图 (BootstrapDLL.exe) 中看到的那样:


我的导出函数也存在,正如您在 Process Hacker 的导出函数列表 (ImplantDotNetAssembly) 中看到的那样:


我认为问题出在计算“ImplantDotNetAssembly”地址的偏移量上,因为上面的一切都正常:计算后我得到了“ImplantDotNetAssembly”的地址,但当我再次调用 CreateRemoteThread 去调用它时,目标进程弹出“已停止工作……”窗口并终止。发生了什么事?

下面是计算偏移量的代码:

DWORD_PTR hBootstrap = GetRemoteModuleHandle(ProcId, L"BootstrapDLL.exe");
DWORD_PTR offset = GetFunctionOffset(L"C:\\Users\\Acaz\\Documents\\Visual Studio 2013\\Projects\\Contoso\\Debug\\BootstrapDLL.exe", "ImplantDotNetAssembly");
DWORD_PTR fnImplant = hBootstrap + offset;

HANDLE hThread2 = CreateRemoteThread(Proc, NULL, 0, (LPTHREAD_START_ROUTINE)fnImplant, NULL, 0, NULL);

下面是 GetRemoteModuleHandle 和 GetFunctionOffset 函数:

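// Loads `library` into the calling process, looks up the export
// `functionName`, and returns its distance from the module base.
//
// Returns 0 when the library cannot be loaded or the export is not found.
// The original returned a meaningless difference in both cases (and called
// GetProcAddress/FreeLibrary with a NULL module handle), which a caller
// would then add to a remote base address without noticing.
//
// NOTE(review): LoadLibrary runs the image's entry point in this process, so
// only pass paths you trust; the computed offset is only meaningful if the
// remote process maps the same image file — confirm at the call site.
DWORD_PTR GetFunctionOffset(const wstring& library, const char* functionName)
{
    HMODULE hLoaded = LoadLibrary(library.c_str());
    if (!hLoaded)
        return 0;

    // Resolve the export; a missing export yields offset 0 rather than
    // (0 - base).
    DWORD_PTR offset = 0;
    void* lpInject = GetProcAddress(hLoaded, functionName);
    if (lpInject)
        offset = (DWORD_PTR)lpInject - (DWORD_PTR)hLoaded;

    // Release our reference; the offset is relative and does not depend on
    // the module staying mapped here.
    FreeLibrary(hLoaded);
    return offset;
}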

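// Returns the base address of the module named `moduleName` (exact,
// case-sensitive match on szModule) in process `processId`, or 0 when the
// module snapshot cannot be taken or no such module is listed.
//
// The original passed an INVALID_HANDLE_VALUE snapshot straight to
// Module32First and CloseHandle; that case is now rejected up front.
DWORD_PTR GetRemoteModuleHandle(const int processId, const wchar_t* moduleName)
{
    // Snapshot of all modules in the remote process.
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, processId);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return 0;

    MODULEENTRY32 me32;
    me32.dwSize = sizeof(MODULEENTRY32);   // required by the Toolhelp API

    DWORD_PTR base = 0;
    if (Module32First(hSnapshot, &me32))
    {
        // Walk the list until the name matches or the list is exhausted.
        do
        {
            if (wcscmp(me32.szModule, moduleName) == 0)
            {
                base = (DWORD_PTR)me32.modBaseAddr;
                break;
            }
        } while (Module32Next(hSnapshot, &me32));
    }

    // The snapshot is closed on every path, found or not.
    CloseHandle(hSnapshot);
    return base;
}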

如果有人知道发生了什么,我将不胜感激!

我甚至无法调试“已停止工作……”错误:点击窗口上的 DEBUG 按钮时,错误会再次抛出,然后一切都停止了。

谢谢你。




切勿注入托管程序集。如果由于某种原因您必须向另一个进程注入代码,请使用不依赖 C 运行库或静态链接 C 运行库的本机代码。

于 2014-07-14T16:53:35.360 回答