我已经尝试解决这个问题好几天了,但我仍然无法让它工作。我已成功将非托管 dll 注入远程进程。我试图通过 CreateRemoteThread 调用的 dll 中有一个名为 testfunction 的函数。
我有注入到进程中的 dll 的基地址(0x6B610000)和函数在 dll 内的偏移量(0x70802),这意味着该函数位于(0x6B680802)。
我也导出了 dll 中的函数:
LIBRARY test
EXPORTS
testfunction
这就是我试图调用该函数的方式:
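/// <summary>
/// Starts a remote thread at a fixed offset inside the injected module and
/// returns that thread's exit code.
/// </summary>
/// <returns>The exit code reported by GetExitCodeThread for the remote thread.</returns>
/// <exception cref="InvalidOperationException">CreateRemoteThread returned a null handle.</exception>
public uint CallFunction()
{
    // Target address = module base + export offset (both taken from this object's fields).
    IntPtr _functionPtr = IntPtr.Add(this.modulePtr, 0x70802); //this.modulePtr = 0x6B610000
    uint threadID;
    IntPtr hThread = CreateRemoteThread(this.processHandle, IntPtr.Zero, IntPtr.Zero, _functionPtr, IntPtr.Zero, 0, out threadID);
    if (hThread == IntPtr.Zero)
    {
        // A null handle means the call failed; waiting on it would only hide the error
        // and the method would silently return 0.
        throw new InvalidOperationException("CreateRemoteThread failed");
    }
    try
    {
        // wait for thread to exit
        WaitForSingleObject(hThread, 0xFFFFFFFF);
        // get the thread exit code
        uint exitCode = 0;
        GetExitCodeThread(hThread, out exitCode);
        return exitCode;
    }
    finally
    {
        // close the thread handle even if the wait or the exit-code query throws
        CloseHandle(hThread);
    }
}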
这是我的 DLL 源:
#include "stdafx.h"
#include <iostream>
#include <fstream>
#include <string>
DWORD WINAPI testfunction(LPVOID *param); //<--- the test function I'm trying to call; exported by name via the .def file shown above. NOTE(review): LPTHREAD_START_ROUTINE takes LPVOID, not LPVOID* — both are pointer-sized, but the declaration does not match the callback type.
DWORD WINAPI T_HkThread(LPVOID); // worker thread body started from DllMain on process attach
void WriteToLog(std::string _message); // appends one line to the fixed log file
// Appends one line (the message followed by '\n') to the fixed log file.
// Best-effort: if the file cannot be opened the stream is in a failed state
// and the write is silently discarded. The file is closed by the ofstream
// destructor when the function returns.
void WriteToLog(std::string _message)
{
    std::ofstream logFile("C:/test/log.txt", std::ios::app);
    logFile << _message << '\n';
}
// Routine intended to be run as a thread start address; it only records
// that it was reached and returns 0 as the thread exit code.
// NOTE(review): LPTHREAD_START_ROUTINE's parameter is LPVOID, not LPVOID*;
// both are pointer-sized so the stdcall frame matches, but the signature
// does not match the callback type.
DWORD WINAPI testfunction(LPVOID *param)
{
    static_cast<void>(param); // the argument is never read
    WriteToLog("YES YOU CALLED THE FUNCTION");
    return 0;
}
// Worker thread body started from DllMain. It currently only writes a log
// line — despite the original "Loading CLR" comment, no CLR loading happens
// here. Always returns 0 as the thread exit code.
DWORD WINAPI T_HkThread(LPVOID)
{
    const DWORD exitCode = 0;
    WriteToLog("Thread created...");
    return exitCode;
}
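// DLL entry point. On process attach it logs and starts T_HkThread; the
// thread-attach/detach and process-detach notifications are ignored.
// Always reports success to the loader.
//
// Fixes vs. the original: each case now ends in `break` (the original fell
// through from DLL_PROCESS_ATTACH into the following cases), the numeric
// CreateThread arguments are 0 rather than NULL, and the thread handle is
// closed — it was never closed before. Closing the handle does not stop
// the thread.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    static_cast<void>(hModule);
    static_cast<void>(lpReserved);

    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        WriteToLog("Injection done: Creating Thread...");
        // NOTE: a thread created inside DllMain cannot start running until
        // DllMain returns, because the loader lock is still held (see the
        // DllMain documentation).
        HANDLE hThread = CreateThread(nullptr, 0, T_HkThread, nullptr, 0, nullptr);
        if (hThread != nullptr)
        {
            CloseHandle(hThread);
        }
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}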
此示例中的远程应用程序 (winamp) 加载了 dll(我可以在 Process Hacker 中看到相同的地址),但是当我尝试调用 dll 中的函数“testfunction”时,它立即崩溃。
winamp caused an Access Violation (0xc0000005) in module winamp.exe at 0023:64bc0802.
我究竟做错了什么?
提前致谢