使用CreateRemoteThread將變數傳遞給函式-有解無憂

HANDLE CreateRemoteThread(
  HANDLE                 hProcess,
  LPSECURITY_ATTRIBUTES  lpThreadAttributes,
  SIZE_T                 dwStackSize,
  LPTHREAD_START_ROUTINE lpStartAddress,
  LPVOID                 lpParameter,
  DWORD                  dwCreationFlags,
  LPDWORD                lpThreadId
);

引數

指向要傳遞給執行緒函式的變數的指標。

int x = 0;
LPCWSTR foo = L"Hello World";

CreateRemoteThread(hProcess, 0, 0, pFunction, &x, 0, 0);

假設我需要將多個變數（例如xand foo）傳遞給需要兩個引數的函式example：

LPCWSTR Test(int x, LPCWSTR foo) 
{
  //....
}

會怎樣？

uj5u.com熱心網友回復：

顧名思義，CreateRemoteThread()就是在外部行程中創建一個新執行緒。因此，lpStartAddress引數必須指向目標行程中函式的記憶體地址，并且lpParameter引數必須指向目標行程中存在的記憶體地址（除非它是指標轉換的整數）。您不能將指標傳遞到呼叫CreateRemoteThread(). 您可以使用VirtualAllocEx()在另一個行程中分配記憶體，例如：

DWORD WINAPI MyThreadProc(LPVOID lpParameter)
{
    INT *x = (INT*) lpParameter;
    // use *x as needed...
    VirtualFree(x, 0, MEM_RELEASE);
    return 0;
}

...

LPTHREAD_START_ROUTINE pFunction = ...; // point to MyThreadProc() in hProcess

INT x = 0;

LPVOID param = VirtualAllocEx(hProcess, NULL, sizeof(x), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (!param) ...

SIZE_T numWritten;
if (!WriteProcessMemory(hProcess, param, &x, sizeof(x), &numWritten)) ...

if (!CreateRemoteThread(hProcess, 0, 0, pFunction, param, 0, 0)) ...

或者，您可以改用指標轉換整數，在這種情況下，您不需要分配任何內容：

DWORD WINAPI MyThreadProc(LPVOID lpParameter)
{
    INT x = INT(reinterpret_cast<INT_PTR>(lpParameter));
    // use x as needed...
    return 0;
}

...

LPTHREAD_START_ROUTINE pFunction = ...; // point to MyThreadProc() in hProcess

int x = 0;
LPVOID param = reinterpret_cast<LPVOID>(INT_PTR(x));

if (!CreateRemoteThread(hProcess, 0, 0, pFunction, param, 0, 0)) ...

如果需要將多個值傳遞給函式，則必須struct在目標行程中分配 a來保存它們，例如：

#pragma pack(push, 1)
struct MyThreadData
{
    INT x;
    LPCWSTR foo; // points to fooData...
    //WCHAR fooData[]...
}; 
#pragma pack(pop)

...

DWORD WINAPI MyThreadProc(LPVOID lpParameter)
{
    MyThreadData *params = static_cast<MyThreadData*>(lpParameter);
    // use params->x and params->foo as needed...
    VirtualFree(params, 0, MEM_RELEASE);
    return 0;
}

...

LPTHREAD_START_ROUTINE pFunction = ...; // point to MyThreadProc() in hProcess

INT x = 0;
LPCWSTR foo = L"Hello World";
int foo_numBytes = (lstrlenW(foo)   1) * sizeof(WCHAR);

MyThreadData *params = static_cast<MyThreadData*>(VirtualAllocEx(hProcess, NULL, sizeof(MyThreadData)   fooNumBytes, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE));
if (!params) ...

SIZE_T numWritten;
if (!WriteProcessMemory(hProcess, &(params->x), &x, sizeof(x), &numWritten)) ...

LPWSTR foo_data = reinterpret_cast<LPWSTR>(params   1);
if (!WriteProcessMemory(hProcess, &(params->foo), &foo_data, sizeof(foo_data), &numWritten)) ...

if (!WriteProcessMemory(hProcess, fooDataPtr, foo, foo_numBytes, &numWritten)) ...

CreateRemoteThread(hProcess, 0, 0, pFunction, params, 0, 0);

轉載請註明出處，本文鏈接：https://www.uj5u.com/qukuanlian/314755.html

標籤：C 登录

上一篇：用鉤子阻止滑鼠訊息

下一篇：檢索不同的客戶狀態