我正在尝试创建一个执行工具,DLL-Injection方法是使用 API 在正在运行的进程的内存中写入 DLL,VirtualAclloc()然后CreateRemoteThread()通过将入口点偏移量添加到函数的基地址来找到入口点的偏移量并将其传递给 API VirtualAlloc。
lpStartAddress由于在调用时我没有任何需要传递的参数,因此我将其CreateRemoteThread()初始化lpParameter为 NULL。
LPVOID lpParameter = NULL;
...
...
thread_handle = CreateRemoteThread(process_handle, NULL, 0, (LPTHREAD_START_ROUTINE)(base_address + offset), lpParameter, 0, NULL);
编译代码时出现错误:
LPVOID:未知大小”和消息“表达式必须是指向完整对象类型的指针。
有没有办法可以将值传递lpParameter为 NULL?
base_address + offsetoffset*sizeof *base_address向指针添加字节base_address。但是如果base_addressis的类型没有大小,那么这是一个错误LPVOID。*base_address看看你的 C++ 书中关于指针运算的部分。
从上下文来看,我猜你应该base_address改为 bechar*而不是LPVOID. 或者您可以添加这样的演员表(LPTHREAD_START_ROUTINE)((char*)base_address + offset)。
在这种情况下,您需要遵循以下过程:
下面是示例代码:
char* dllPath = "C:\\testdll.dll";
int procID = 16092;
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);
if (!hProcess) {
printf("Error: Process not found.\n");
}
LPVOID lpvLoadLib = (LPVOID)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA"); /*address of LoadLibraryA*/
if (!lpvLoadLib) {
printf("Error: LoadLibraryA not found.\n");
}
LPVOID lpBaseAddress = (LPVOID)VirtualAllocEx(hProcess, NULL, strlen(dllPath)+1, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); /*Initialize and Allocate memory to zero in target process address space*/
if (!lpBaseAddress) {
printf("Error: Memory was not allocated.\n");
}
SIZE_T byteswritten;
int result = WriteProcessMemory(hProcess, lpBaseAddress, (LPCVOID)dllPath, strlen(dllPath)+1, &byteswritten); /*Write the path of dll to an area of memory in a specified process*/
if (result == 0) {
printf("Error: Could not write to process address space.\n");
}
HANDLE threadID = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpvLoadLib, lpBaseAddress, NULL, NULL); /*lpStartAddress = lpvLoadLib address of LoadLibraryA function*/
if (!threadID) {
printf("Error: Not able to create remote thread.\n");
}
else {
printf("Remote process created...!");
}
希望这可以帮助