1

我正在尝试将 dll 注入到 rust 中的特定应用程序中。我放弃了尝试在纯生锈中这样做,因为无论如何它都不起作用。因此,我使用了一个 C 注入器并对其进行了编译,它运行良好。但是,当我使用 CC crate 编译它并使用该功能时,它根本不起作用。在这种情况下,我只是试图注入我制作的 dll。

C的代码是:

// test.c
#include <windows.h>
#include <TlHelp32.h> 
#include <stdio.h> 

#pragma comment(lib, "ntdll.lib")
EXTERN_C NTSYSAPI NTSTATUS NTAPI NtCreateThreadEx(PHANDLE,
    ACCESS_MASK, LPVOID, HANDLE, LPTHREAD_START_ROUTINE, LPVOID,
    BOOL, SIZE_T, SIZE_T, SIZE_T, LPVOID);

struct NtCreateThreadExBuffer
{
    SIZE_T Size;
    SIZE_T Unknown1;
    SIZE_T Unknown2;
    PULONG Unknown3;
    SIZE_T Unknown4;
    SIZE_T Unknown5;
    SIZE_T Unknown6;
    PULONG Unknown7;
    SIZE_T Unknown8;
};


DWORD GetPid(const wchar_t *targetProcess)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 procEntry;
    procEntry.dwSize = sizeof(procEntry);

    if (snap && snap != INVALID_HANDLE_VALUE && Process32First(snap, &procEntry))
    {
        do
        {
            if (!wcscmp(procEntry.szExeFile, targetProcess))
            {
                break;
            }
        } while (Process32Next(snap, &procEntry));
    }
    CloseHandle(snap);
    return procEntry.th32ProcessID;
}

void injectAmongUs()
{
    DWORD dwPid = GetPid(L"Among Us.exe");
    struct NtCreateThreadExBuffer ntbuffer;

    memset(&ntbuffer, 0, sizeof(struct NtCreateThreadExBuffer));
    DWORD temp1 = 0;
    DWORD temp2 = 0;

    ntbuffer.Size = sizeof(struct NtCreateThreadExBuffer);
    ntbuffer.Unknown1 = 0x10003;
    ntbuffer.Unknown2 = 0x8;
    ntbuffer.Unknown3 = (DWORD *)&temp2;
    ntbuffer.Unknown4 = 0;
    ntbuffer.Unknown5 = 0x10004;
    ntbuffer.Unknown6 = 4;
    ntbuffer.Unknown7 = &temp1;
    ntbuffer.Unknown8 = 0;

    HANDLE proc = OpenProcess(GENERIC_ALL, 0, dwPid);
    HANDLE hThread;
    wchar_t path[] = L"path/to/dll";
    LPVOID allocAddr = VirtualAllocEx(proc, 0, sizeof(path), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(proc, allocAddr, path, sizeof(path), NULL);
    NTSTATUS status = NtCreateThreadEx(&hThread, GENERIC_ALL, NULL, proc,
        (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryW"), allocAddr,
        FALSE, NULL, NULL, NULL, &ntbuffer);

}

如果我完全按照它的方式编译这个文件,但添加一个 main 方法:

int main()
{
    injectAmongUs();

    return 1;
}

它按预期完美运行。但是,如果我删除 main 方法并将 CC 与此构建脚本一起使用:

// build.rs
fn main() {
    cc::Build::new()
        .file("test.c")
        .compile("injector.dll");
}

然后在 main 中调用它

//main.rs
extern "C" {
    fn injectAmongUs();
}

fn main() {
    unsafe {
        injectAmongUs();;
    }
}

这导致(exit code: 0xc0000005, STATUS_ACCESS_VIOLATION). 我怎样才能让它像我正常运行 .exe 一样成功注入?目前我只是把 .exe 和它放在一起,但这是不可取的,宁愿它被构建并用作一个库。请注意,我正在尝试在我们中间注入,因此我将其作为 32 位运行cargo run --target i686-pc-windows-msvc

4

0 回答 0