C++新手一枚,最近在學習遠程dll注入,經過摸索,dll成功注入,但是卸載出現問題,求指教。以下是卸載dll代碼
DWORD dwHandle;   // NOTE(review): a DWORD is 32 bits wide, but an HMODULE in a 64-bit process is 64 bits
// The remote thread starts at GetModuleHandleA, so its return value (an HMODULE) becomes the
// thread exit code. The function address is taken from this process and reused in the target;
// that only holds when both processes have the same bitness -- TODO confirm.
// hProcess, lpParameter and dwTid are defined elsewhere; the returned hThread is neither
// checked for NULL nor closed.
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetModuleHandleA,
        lpParameter, 0, &dwTid);
WaitForSingleObject(hThread, INFINITE);   // return value not checked
GetExitCodeThread(hThread, &dwHandle); // the thread's exit code is the DLL module handle, see MSDN
// The exit code is only 32 bits wide, so on x64 the upper half of the HMODULE is lost
// (0x7ffc6bce0000 arrives as 0x6bce0000); a thread exit code cannot carry a 64-bit handle.
https://msdn.microsoft.com/en-us/library/windows/desktop/ms683190(v=vs.85).aspx
用Process Hacker 查到 注入dll 地址是:0x7ffc6bce0000
GetExitCodeThread(hThread, &dwHandle);執行完成后 dwHandle的值是:6bce0000,前面的高位7ffc丟掉了,我查了下0x7ffc6bce0000已經超出DWORD的范圍了,所以前面的高位丟掉了。但是GetExitCodeThread方法的引數就是LPDWORD,如何破?
我是WIN10 64位系統 4G記憶體
2.還想到另一種辦法獲取注入dll地址,就是用MODULEENTRY32 遍歷被注入dll的行程,但是呼叫Module32First時就出錯了,debug發現MODULEENTRY32 的modBaseAddr出現“讀寫字串字符錯誤”,結構體其他欄位正常,CreateToolhelp32Snapshot 呼叫的時候TH32CS_SNAPMODULE 和TH32CS_SNAPMODULE32試過,同樣的錯誤,跪求指教
uj5u.com熱心網友回復:
參考WinAPIOverride32源代碼片斷。
uj5u.com熱心網友回復:
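// Enables the single named privilege szDebugName in the current process token.
// Returns TRUE only if the privilege was actually enabled; FALSE if the name is
// NULL, the privilege name cannot be looked up, the token cannot be opened, or the
// token does not hold the privilege. The last case matters: AdjustTokenPrivileges
// returns nonzero and reports ERROR_NOT_ALL_ASSIGNED via GetLastError, which the
// original code silently treated as success.
// The token handle is closed on every path by the __finally block.
EXPORT BOOL EnablePrivilege (PCTSTR szDebugName) {
    HANDLE hToken = NULL ;
    __try {
        if (szDebugName == NULL)
            __leave ;
        // PrivilegeCount = 1; Privileges[0] = { Luid = {0,0}, Attributes = SE_PRIVILEGE_ENABLED }
        TOKEN_PRIVILEGES priv = {1 ,{{{0 ,0} ,SE_PRIVILEGE_ENABLED}}} ;
        // A failed lookup would leave the LUID at {0,0}; never adjust an unknown privilege.
        if (!LookupPrivilegeValue (0 ,szDebugName ,&priv.Privileges[0].Luid))
            __leave ;
        if (!OpenProcessToken (GetCurrentProcess () ,TOKEN_ADJUST_PRIVILEGES ,&hToken) || hToken == NULL)
            __leave ;
        if (!AdjustTokenPrivileges (hToken ,FALSE ,&priv ,sizeof (priv) ,0 ,0))
            __leave ;
        // A nonzero return only means the call was well-formed; the real verdict is in
        // GetLastError(): ERROR_NOT_ALL_ASSIGNED means the token lacks the privilege.
        if (GetLastError () == ERROR_NOT_ALL_ASSIGNED)
            __leave ;
        return TRUE ;   // local unwind runs __finally before returning
    } __finally {
        if (hToken != NULL)
            CloseHandle (hToken) ;
    }
    return FALSE ;
}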
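// Returns the PID of the first process whose image file name equals szProcessName
// (exact, case-sensitive lstrcmp on PROCESSENTRY32::szExeFile, i.e. the file name
// without a path), or 0 if the name is NULL, the snapshot cannot be taken, or no
// process matches. The snapshot handle is released by the __finally block.
EXPORT DWORD GetProcessIdByName (PCTSTR szProcessName) {
    // CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE, not NULL;
    // the original NULL test never fired and __finally then closed INVALID_HANDLE_VALUE.
    HANDLE hSnapshot = INVALID_HANDLE_VALUE ;
    __try {
        if (szProcessName == NULL)
            __leave ;
        if ((hSnapshot = CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS ,0)) == INVALID_HANDLE_VALUE)
            __leave ;
        PROCESSENTRY32 ps = {sizeof (ps)} ;   // dwSize must be set before Process32First
        if (Process32First (hSnapshot ,&ps)) {
            do {
                if (lstrcmp (ps.szExeFile ,szProcessName) == 0)
                    return ps.th32ProcessID ;   // local unwind runs __finally before returning
            } while (Process32Next (hSnapshot ,&ps)) ;
        }
    } __finally {
        if (hSnapshot != INVALID_HANDLE_VALUE)
            CloseHandle (hSnapshot) ;
    }
    return 0 ;
}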
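// Looks up a module loaded in process dwPID by its file name (szModule) or its full
// path (szExePath), using an exact, case-sensitive comparison.
// Returns the module's HMODULE, or NULL if the name is NULL, the snapshot fails, or
// no module matches. Because the handle is read from MODULEENTRY32 rather than from
// a thread exit code, it keeps its full width on 64-bit Windows.
// Known limits, not handled here: MSDN documents that a TH32CS_SNAPMODULE snapshot
// can fail transiently with ERROR_BAD_LENGTH and should be retried, and a 32-bit
// caller cannot enumerate the 64-bit modules of a 64-bit process this way -- the
// latter is a plausible cause of the Module32First failure described in the
// question, but that is inferred, not verified.
EXPORT HMODULE GetModuleHandleByName (DWORD dwPID ,PCTSTR szDllName) {
    // CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE, not NULL;
    // the original NULL test never fired and __finally then closed INVALID_HANDLE_VALUE.
    HANDLE hSnapshot = INVALID_HANDLE_VALUE ;
    __try {
        if (szDllName == NULL)
            __leave ;
        if ((hSnapshot = CreateToolhelp32Snapshot (TH32CS_SNAPMODULE ,dwPID)) == INVALID_HANDLE_VALUE)
            __leave ;
        MODULEENTRY32 md = {sizeof (md)} ;   // dwSize must be set before Module32First
        if (Module32First (hSnapshot ,&md)) {
            do {
                if (lstrcmp (md.szModule ,szDllName) == 0 || lstrcmp (md.szExePath ,szDllName) == 0)
                    return md.hModule ;   // local unwind runs __finally before returning
            } while (Module32Next (hSnapshot ,&md)) ;
        }
    } __finally {
        if (hSnapshot != INVALID_HANDLE_VALUE)
            CloseHandle (hSnapshot) ;
    }
    return NULL ;
}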
// Loads szDllName into process dwPID by writing the path into the target and starting a
// remote thread at LoadLibrary (OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
// CreateRemoteThread). This is the textbook remote-thread injection sequence and is the
// primary signal endpoint-detection tooling uses to spot DLL injection.
// Returns TRUE once the remote thread has finished, FALSE on any failure. The thread's
// exit code (LoadLibrary's HMODULE) is never read, so TRUE does not prove the DLL loaded.
// All handles and the remote buffer are released in the __finally block.
EXPORT BOOL LoadRemoteDll (DWORD dwPID ,PCTSTR szDllName) {
    HANDLE hProcess = NULL ;
    PVOID szRemoteDllName = NULL ;   // buffer in the target's address space
    HANDLE hThread = NULL ;
    __try {
        if (szDllName == NULL)
            __leave ;
        // PROCESS_ALL_ACCESS is broader than this call sequence needs (least privilege).
        if ((hProcess = OpenProcess (PROCESS_ALL_ACCESS ,FALSE ,dwPID)) == NULL)
            __leave ;
        // byte count of the path including the terminating NUL
        const SIZE_T ch = (lstrlen (szDllName) + 1) * sizeof (TCHAR) ;
        if ((szRemoteDllName = VirtualAllocEx (hProcess ,NULL ,ch ,MEM_COMMIT ,PAGE_READWRITE)) == NULL)
            __leave ;
        if (!WriteProcessMemory (hProcess ,szRemoteDllName ,szDllName ,ch ,NULL))
            __leave ;
        // LoadLibrary is resolved in *this* process and the address reused in the target;
        // that only holds when both are the same bitness -- TODO confirm. _STR_ is a project
        // macro, presumably yielding the A/W export name of LoadLibrary as a string -- verify.
        const PTHREAD_START_ROUTINE pfnLoadLibrary = PTHREAD_START_ROUTINE (GetProcAddress (GetModuleHandle (TEXT ("Kernel32")) ,_STR_ (LoadLibrary))) ;
        if (pfnLoadLibrary == NULL)
            __leave ;
        // BUG: "= NULL" is an assignment, not a comparison (it only compiles because the
        // inner assignment is an lvalue in C++): hThread is overwritten with NULL, the check
        // never fires, the created thread's handle leaks, WaitForSingleObject below runs on
        // NULL, and __finally can then free the remote buffer while the thread may still be
        // reading the path. Should be "== NULL".
        if ((hThread = CreateRemoteThread (hProcess ,NULL ,0 ,pfnLoadLibrary ,szRemoteDllName ,0 ,NULL)) = NULL)
            __leave ;
        WaitForSingleObject (hThread ,INFINITE) ;   // return value not checked
        return TRUE ;   // local unwind runs __finally before returning
    } __finally {
        if (hThread != NULL)
            CloseHandle (hThread) ;
        if (szRemoteDllName != NULL)
            VirtualFreeEx (hProcess ,szRemoteDllName ,0 ,MEM_RELEASE) ;   // intended to run only after the wait
        if (hProcess != NULL)
            CloseHandle (hProcess) ;
    }
    return FALSE ;
}
// Asks process dwPID to unload szDllName by starting a remote thread at FreeLibrary with
// the module handle found by GetModuleHandleByName (Toolhelp snapshot). Because that
// HMODULE comes from MODULEENTRY32 rather than from a 32-bit thread exit code, the
// 64-bit truncation described in the question does not arise here.
// Returns TRUE once the remote thread has finished, FALSE on any failure. Notes:
//  - FreeLibrary only decrements the module's reference count; the DLL is unmapped
//    only when that count reaches zero.
//  - the thread's exit code (FreeLibrary's BOOL) is never read, so TRUE does not
//    prove the module was unloaded.
EXPORT BOOL FreeRemoteDll (DWORD dwPID ,PCTSTR szDllName) {
    HANDLE hProcess = NULL ;
    HANDLE hThread = NULL ;
    __try {
        if (szDllName == NULL)
            __leave ;
        // PROCESS_ALL_ACCESS is broader than this call sequence needs (least privilege).
        if ((hProcess = OpenProcess (PROCESS_ALL_ACCESS ,FALSE ,dwPID)) == NULL)
            __leave ;
        // FreeLibrary has no A/W variants, so the export name is used literally. The address
        // is resolved in this process and assumed to match the target; that only holds for
        // the same bitness -- TODO confirm.
        const PTHREAD_START_ROUTINE pfnFreeLibrary = PTHREAD_START_ROUTINE (GetProcAddress (GetModuleHandle (TEXT ("Kernel32")) ,"FreeLibrary")) ;
        if (pfnFreeLibrary == NULL)
            __leave ;
        // BUG: "= NULL" assigns instead of comparing (same defect as in LoadRemoteDll):
        // hThread is reset to NULL, the check never fires, the thread handle leaks and
        // WaitForSingleObject below operates on NULL. Should be "== NULL".
        // Also, a NULL result from GetModuleHandleByName (module not found) is passed on
        // unchecked; FreeLibrary(NULL) then simply fails in the target while this function
        // still returns TRUE.
        if ((hThread = CreateRemoteThread (hProcess ,NULL ,0 ,pfnFreeLibrary ,GetModuleHandleByName (dwPID ,szDllName) ,0 ,NULL)) = NULL)
            __leave ;
        WaitForSingleObject (hThread ,INFINITE) ;   // return value not checked
        return TRUE ;   // local unwind runs __finally before returning
    } __finally {
        if (hThread != NULL)
            CloseHandle (hThread) ;
        if (hProcess != NULL)
            CloseHandle (hProcess) ;
    }
    return FALSE ;
}
GetExitCodeThread不是必須的,而且沒什么用
如果你的dll打開了執行緒,把FreeLibrary換成FreeLibraryAndExitThread沒用,FreeLibraryAndExitThread只對自身執行緒有效
64位和32位差不多,只是不能用GetModuleHandle取得已加載dll的句柄
uj5u.com熱心網友回復:
共享記憶體。dll注入后自己在注入行程中取自己的地址,然后寫入共享記憶體,主行程取即可。
uj5u.com熱心網友回復:
The exit value specified in the ExitThread or TerminateThread function. The return value from the thread function.
The exit value of the thread's process.
