我一直在试图弄清楚这是什么问题。 我见过一些人分配:
GetProcAddress(GetModuleHandle("KERNEL32.dll"), "LoadLibraryA")
我想知道这是否是我必须做的,但我只是不明白这行代码到底是做什么的。它与MY dll功能无关,那么为什么要加载呢?
Main(控制台应用程序A.K.A注射器):
#include <iostream>
#include <windows.h>
#include <TlHelp32.h>
char* dllPath = "C:\\Users\\Kalist\\Desktop\\Projects\\DLL\\bin\\Debug\\DLL.dll";
typedef DWORD (WINAPI *pThreadFunc)();
char* ProcToInject = "calc.exe";
int main(){
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(PROCESSENTRY32);
HANDLE procSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
DWORD procID;
if(procSnap){
if(Process32First(procSnap, &pe32)){
do{
if(!strcmp(pe32.szExeFile, ProcToInject)){
procID = pe32.th32ProcessID;
break;
}
}while(Process32Next(procSnap, &pe32));
}
CloseHandle(procSnap);
}
HANDLE procAccess = OpenProcess(PROCESS_ALL_ACCESS, false, procID);
void* memSpace = VirtualAllocEx(procAccess, NULL, strlen(dllPath)+1, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
WriteProcessMemory(procAccess, memSpace, dllPath, strlen(dllPath)+1, NULL);
HINSTANCE getLibadd = LoadLibrary(dllPath);
pThreadFunc pThreadFuncVar = (pThreadFunc)GetProcAddress(getLibadd, "threadFunc");
CreateRemoteThread(procAccess, NULL, 0, (LPTHREAD_START_ROUTINE)pThreadFuncVar, memSpace, 0, NULL);
CloseHandle(procAccess);
}
DLL远程进程:
#include <iostream>
#include <windows.h>
extern "C" DWORD WINAPI threadFunc(){
MessageBox(0, "Injection worked!", "Injection message", MB_OK);
return 0;
}
答案 0 :(得分:3)
代码的问题是pThreadFuncVar包含注入过程中threadFunc的地址。但是,您的Dll.dll甚至没有在目标进程中加载。即使您的dll已加载,也可能无法在同一地址加载,因此pThreadFuncVar地址在目标进程中仍然毫无意义。
在每个进程中,只有少数必需品模块(如KERNEL32)加载到同一地址。因此,如果您将LoadLibraryA的地址用于CreateRemoteThread,它将从您复制到目标进程内存的路径中加载dll。这将依次调用你的dll的dll附加过程,这是你想要放置MessageBox的地方。