-
-
[求助]望各位大侠门指点下远程线程的问题,我把代码贴出来
-
发表于: 2008-4-23 22:23
-
#include "stdafx.h"
#include "windows.h"
#include <string.h>
#include <iostream.h>
#include <Tlhelp32.h>
typedef struct
{
DWORD mMessageBox;
char message[255];
}MMessageBox;
DWORD GetProcessId(char* name);
bool AdjustPrivileges();
DWORD WINAPI thread(MMessageBox *Parameter);
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
// TODO: Place code here.
char ProcessName[255]="notepad.exe";
DWORD ProcessId=GetProcessId(ProcessName);
if(!ProcessId)
{
return 0;
}
if(!AdjustPrivileges())
{
return 0;
}
HANDLE handle=OpenProcess(PROCESS_ALL_ACCESS,true,ProcessId);
MMessageBox pmessagebox;
pmessagebox.mMessageBox=(DWORD)GetProcAddress(GetModuleHandle(TEXT("user.dll")),"MessageBoxA");
strcpy(pmessagebox.message,"hello,this is my remote thread");
void *ProcAddress=(void*)VirtualAllocEx(handle,NULL,1024*4,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
if(ProcAddress==NULL)
{
return 0;
}
if(!WriteProcessMemory(handle,ProcAddress,thread,1024*4,NULL))
{
return 0;
}
char *MessAddress=(char*)VirtualAllocEx(handle,NULL,sizeof(MMessageBox)+1,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
if(MessAddress==NULL)
{
return 0;
}
if(!WriteProcessMemory(handle,MessAddress,&pmessagebox,1024*4,NULL))
{
return 0;
}
DWORD id=0;
HANDLE remotethread=CreateRemoteThread(handle,NULL,0,(PTHREAD_START_ROUTINE)ProcAddress,MessAddress,0,&id);
WaitForSingleObject(remotethread,0);
VirtualFreeEx(handle,ProcAddress,1024*4,MEM_DECOMMIT);
VirtualFreeEx(handle,MessAddress,sizeof(MessAddress)+1,MEM_DECOMMIT);
return 0;
}
DWORD GetProcessId(char* name)
{
HANDLE snaphandle=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
PROCESSENTRY32 pe;
bool returnbool=Process32First(snaphandle,&pe);
if(!returnbool)
{
return 0;
}
while(returnbool)
{
if(strcmp(strupr(name),strupr(pe.szExeFile))==0)
return pe.th32ProcessID;
else
{
returnbool=Process32Next(snaphandle,&pe);
}
}
return 0;
}
bool AdjustPrivileges()
{
HANDLE handle;
OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&handle);
LUID luid;
if(!LookupPrivilegeValue(NULL,"SeDebugPrivilege",&luid))
{
return false;
}
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount=1;
tp.Privileges[0].Luid=luid;
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
if(AdjustTokenPrivileges(handle,TRUE,&tp,sizeof(tp),NULL,0))
{
return true;
}
return false;
}
DWORD WINAPI thread(MMessageBox *Parameter)
{
typedef int (WINAPI *rMessageBox)(HWND hwnd,char* text,char* caption,UINT flags);
rMessageBox IMessageBox=(rMessageBox)Parameter->mMessageBox;
IMessageBox(NULL,Parameter->message,NULL,MB_OK);
return 0;
}
问题:注入notepad.exe后,notepad.exe就运行出错,然后就退出了
自己认为是在处理远程线程中API函数的地址时出了问题,但不知道该怎么办??
#include "windows.h"
#include <string.h>
#include <iostream.h>
#include <Tlhelp32.h>
typedef struct
{
DWORD mMessageBox;
char message[255];
}MMessageBox;
DWORD GetProcessId(char* name);
bool AdjustPrivileges();
DWORD WINAPI thread(MMessageBox *Parameter);
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
// TODO: Place code here.
char ProcessName[255]="notepad.exe";
DWORD ProcessId=GetProcessId(ProcessName);
if(!ProcessId)
{
return 0;
}
if(!AdjustPrivileges())
{
return 0;
}
HANDLE handle=OpenProcess(PROCESS_ALL_ACCESS,true,ProcessId);
MMessageBox pmessagebox;
pmessagebox.mMessageBox=(DWORD)GetProcAddress(GetModuleHandle(TEXT("user.dll")),"MessageBoxA");
strcpy(pmessagebox.message,"hello,this is my remote thread");
void *ProcAddress=(void*)VirtualAllocEx(handle,NULL,1024*4,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
if(ProcAddress==NULL)
{
return 0;
}
if(!WriteProcessMemory(handle,ProcAddress,thread,1024*4,NULL))
{
return 0;
}
char *MessAddress=(char*)VirtualAllocEx(handle,NULL,sizeof(MMessageBox)+1,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
if(MessAddress==NULL)
{
return 0;
}
if(!WriteProcessMemory(handle,MessAddress,&pmessagebox,1024*4,NULL))
{
return 0;
}
DWORD id=0;
HANDLE remotethread=CreateRemoteThread(handle,NULL,0,(PTHREAD_START_ROUTINE)ProcAddress,MessAddress,0,&id);
WaitForSingleObject(remotethread,0);
VirtualFreeEx(handle,ProcAddress,1024*4,MEM_DECOMMIT);
VirtualFreeEx(handle,MessAddress,sizeof(MessAddress)+1,MEM_DECOMMIT);
return 0;
}
DWORD GetProcessId(char* name)
{
HANDLE snaphandle=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
PROCESSENTRY32 pe;
bool returnbool=Process32First(snaphandle,&pe);
if(!returnbool)
{
return 0;
}
while(returnbool)
{
if(strcmp(strupr(name),strupr(pe.szExeFile))==0)
return pe.th32ProcessID;
else
{
returnbool=Process32Next(snaphandle,&pe);
}
}
return 0;
}
bool AdjustPrivileges()
{
HANDLE handle;
OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&handle);
LUID luid;
if(!LookupPrivilegeValue(NULL,"SeDebugPrivilege",&luid))
{
return false;
}
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount=1;
tp.Privileges[0].Luid=luid;
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
if(AdjustTokenPrivileges(handle,TRUE,&tp,sizeof(tp),NULL,0))
{
return true;
}
return false;
}
DWORD WINAPI thread(MMessageBox *Parameter)
{
typedef int (WINAPI *rMessageBox)(HWND hwnd,char* text,char* caption,UINT flags);
rMessageBox IMessageBox=(rMessageBox)Parameter->mMessageBox;
IMessageBox(NULL,Parameter->message,NULL,MB_OK);
return 0;
}
问题:注入notepad.exe后,notepad.exe就运行出错,然后就退出了
自己认为是在处理远程线程中API函数的地址时出了问题,但不知道该怎么办??
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
