2

我正在尝试运行一个进程,等待它完成,打开可执行文件,然后写一些东西给它。所以我创建了一个小型“加载器”,它正是这样做的。这是我的代码:

;Run the executable
INVOKE GetStartupInfo,OFFSET startInfo 
INVOKE CreateProcess, ADDR SomeExecutableFile, \
    NULL, NULL, NULL, FALSE, \ 
    NORMAL_PRIORITY_CLASS,  NULL,NULL, \
    OFFSET startInfo, OFFSET processInfo 
INVOKE CloseHandle, processInfo.hThread    

;Wait for it to finish & Close handle
INVOKE WaitForSingleObjectEx, processInfo.hProcess,   INFINITE,  FALSE
INVOKE CloseHandle, processInfo.hProcess

;Try to open the same exe file  which just finished executing.
INVOKE CreateFile,  OFFSET SomeExecutableFile,GENERIC_WRITE \
    ,0, 0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL, NULL

MOV hFile, EAX

.IF hFile== INVALID_HANDLE_VALUE
    INVOKE MessageBox,NULL, OFFSET Problem, OFFSET Problem, MB_ICONWARNING
.ELSE
    INVOKE WriteFile, hFile, Buffer, 5, OFFSET BytesWritten , NULL
    INVOKE CloseHandle,hFile
.ENDIF

INVOKE ExitProcess,0

如您所见,正在运行“SomeExecutable”文件。在它停止执行后,它会用 CreateFile 打开。创建文件失败,我得到一个 INVALID_HANDLE....,最后一个错误 - 0x20 - ERROR_SHARING_VIOLATION。

为什么会这样?

想法和注意事项: 1)从“加载器”创建另一个进程,该进程打开可执行文件(等待它完成执行后)并写入它 - 它可以工作。2) 似乎该进程仍处于打开状态,即文件仍被映射,这解释了错误,但我不明白为什么要映射它。3) 使用 Olly 和 ProcessExplorer 进行调试 我看到 Olly 确实打开了这个文件的句柄,即使在进程终止之后,所有句柄都已关闭 - 我不明白为什么,我怎么能关闭它:)

欢迎任何想法!:)

4

1 回答 1

2

1-尝试使用:

invoke CreateProcess, ADDR Process, NULL, NULL, NULL, NULL, CREATE_SUSPENDED, NULL, NULL, ADDR startInfo, ADDR processInfo

CREATE_SUSPENDED 应该可以解决问题

2-您需要修改文件本身吗?加载程序通常用于修改内存中的程序。我前段时间用WriteProcessMemory写了一个加载器:

.586 
.model flat,stdcall 
option casemap:none 

include D:\masm32\include\windows.inc 
include D:\masm32\include\user32.inc 
include D:\masm32\include\kernel32.inc 
includelib D:\masm32\lib\user32.lib 
includelib D:\masm32\lib\kernel32.lib 

.data 
  Process byte "prog.exe",0 
  Error byte "Error:",0 
  ErrorMessage byte "Process not loaded",0 
  ReplaceBy byte 0Fh,82h
  ReplaceSize dword 2 
  AddressToPatch dword 01003B7Ch 
  Startup STARTUPINFO <> 
  processinfo PROCESS_INFORMATION <> 

.data? 
  byteswritten dword ?

.code 
  start: 
    invoke CreateProcess, ADDR Process, NULL, NULL, NULL, NULL, CREATE_SUSPENDED, NULL, NULL, ADDR Startup, ADDR processinfo 
    cmp eax, 0 
    jne ProcessCreated 
    push 0 
    push offset Error 
    push offset ErrorMessage 
    push 0 
    call MessageBox 
    push 0 
    call ExitProcess 

    ProcessCreated: 
        invoke WriteProcessMemory, processinfo.hProcess, AddressToPatch, ADDR ReplaceBy, ReplaceSize, byteswritten 
        invoke ResumeThread, processinfo.hThread 
    push 0 
    call ExitProcess 
  end start
于 2011-10-25T03:14:39.627 回答