0

我目前正在尝试 PE 注入,并注意到一旦我使用 std::cout 或 std::string 之类的东西,我在崩溃中注入的目标进程。消息框甚至 printf() 都可以正常工作。代码编译没有错误,我读到导入表不在注入过程中的同一位置可能导致它崩溃,但我不知道该怎么做才能修复它(重新加载导入表)。在此先感谢,这是注入示例:

#include <iostream>
#include <stdio.h>
#include <Windows.h>

void ThreadProc(PVOID p)
{
    MessageBox(NULL,"Message from injected code!","Message",MB_ICONINFORMATION); //funktioniert einwandfrei
    RedirectOutput();
    std::cout << "hi"; //crashed
}

int main(int argc,char* argv[])
{
    PIMAGE_DOS_HEADER pIDH;
    PIMAGE_NT_HEADERS pINH;
    PIMAGE_BASE_RELOCATION pIBR;

    HANDLE hProcess,hThread;
    PUSHORT TypeOffset;

    PVOID ImageBase,Buffer,mem;
    ULONG i,Count,Delta,*p;

    printf("\nOpening target process\n");

    hProcess=OpenProcess(
        PROCESS_CREATE_THREAD|PROCESS_QUERY_INFORMATION|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE,
        FALSE,
       13371337);

    if(!hProcess)
    {
        printf("\nError: Unable to open target process (%u)\n",GetLastError());
        return -1;
    }

    ImageBase=GetModuleHandle(NULL);
    printf("\nImage base in current process: %#x\n",ImageBase);

    pIDH=(PIMAGE_DOS_HEADER)ImageBase;
    pINH=(PIMAGE_NT_HEADERS)((PUCHAR)ImageBase+pIDH->e_lfanew);

    printf("\nAllocating memory in target process\n");
    mem=VirtualAllocEx(hProcess,NULL,pINH->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);

    if(!mem)
    {
        printf("\nError: Unable to allocate memory in target process (%u)\n",GetLastError());

        CloseHandle(hProcess);
        return 0;
    }

    printf("\nMemory allocated at %#x\n",mem);

    Buffer=VirtualAlloc(NULL,pINH->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE);
    memcpy(Buffer,ImageBase,pINH->OptionalHeader.SizeOfImage);

    printf("\nRelocating image\n");

    pIBR=(PIMAGE_BASE_RELOCATION)((PUCHAR)Buffer+pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
    Delta=(ULONG)mem-(ULONG)ImageBase;

    printf("\nDelta: %#x\n",Delta);

    while(pIBR->VirtualAddress)
    {
        if(pIBR->SizeOfBlock>=sizeof(IMAGE_BASE_RELOCATION))
        {
            Count=(pIBR->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))/sizeof(USHORT);
            TypeOffset=(PUSHORT)(pIBR+1);

            for(i=0;i<Count;i++)
            {
                if(TypeOffset[i])
                {
                    p=(PULONG)((PUCHAR)Buffer+pIBR->VirtualAddress+(TypeOffset[i] & 0xFFF));
                    *p+=Delta;
                }
            }
        }

        pIBR=(PIMAGE_BASE_RELOCATION)((PUCHAR)pIBR+pIBR->SizeOfBlock);
    }

    printf("\nWriting relocated image into target process\n");

    if(!WriteProcessMemory(hProcess,mem,Buffer,pINH->OptionalHeader.SizeOfImage,NULL))
    {
        printf("\nError: Unable to write process memory (%u)\n",GetLastError());

        VirtualFreeEx(hProcess,mem,0,MEM_RELEASE);
        CloseHandle(hProcess);

        return -1;
    }

    VirtualFree(Buffer,0,MEM_RELEASE);

    printf("\nCreating thread in target process\n");
    hThread=CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)((PUCHAR)ThreadProc+Delta),NULL,0,NULL);

    if(!hThread)
    {
        printf("\nError: Unable to create thread in target process (%u)\n",GetLastError());

        VirtualFreeEx(hProcess,mem,0,MEM_RELEASE);
        CloseHandle(hProcess);

        return -1;
    }

    printf("\nWaiting for the thread to terminate\n");
    WaitForSingleObject(hThread,INFINITE);

    printf("\nThread terminated\n\nFreeing allocated memory\n");

    VirtualFreeEx(hProcess,mem,0,MEM_RELEASE);
    CloseHandle(hProcess);

    return 0;
}
4

2 回答 2

2

我认为这个答案很简单——STL 库请求对全局数据进行一些初始化。例如,通过全局对象的构造函数。但是您只需将代码复制到目标进程即可。它不调用任何初始化,通常在调用 main 函数之前执行。只需尝试 DLL 注入即可。

于 2017-04-30T15:13:12.173 回答
0

您似乎没有在目标进程中加载​​ CRT dll,所以我假设当您尝试调用 cout 函数时,您正在跳转到未分配的内存。

如果 DLL 实际上是在目标进程中加载​​的,请确保将其加载到与您自己的进程中相同的地址。否则,您必须修补导入表以匹配目标进程的导入表。

于 2017-06-29T11:57:35.563 回答