Using byte[] directly in CreateRemoteThread and LoadLibrary injection in C#

Time: 2017-07-10 09:14:38

Tags: c#

I am using CreateRemoteThread to inject a DLL into a target process and it works perfectly; currently it takes the parameters:

inject(string procName, string dllPath);

and reads dllPath as a byte array:

byte[] bytes = Encoding.ASCII.GetBytes(dllPath);

I would like to skip this step and hand it the byte array directly, because I download encrypted bytes from a server. Note that my target platform is x64, which is why I am not using jLibrary.

If I do byte[] bytes = File.ReadAllBytes(someFile) to test it, the injection fails, so I tried converting the byte[] from my existing file to a char[] and then encoding it as ASCII, but that fails as well. What should I do?

The class is:

bool injectDLL(uint processToInject, string dllPath)
{
    // Open the target process with the access rights needed below.
    IntPtr processHandle = OpenProcess(desiredAccess, 1, processToInject);

    if (processHandle == INTPTR_ZERO) return false;

    // Resolve LoadLibraryA from the local kernel32.dll; the address is used as the
    // remote thread's entry point.
    IntPtr loadLibraryAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");

    if (loadLibraryAddress == INTPTR_ZERO) return false;

    // Allocate (MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE) a buffer in the
    // target to hold the path string.
    IntPtr argAddress = VirtualAllocEx(processHandle, (IntPtr)null, (IntPtr)dllPath.Length, (0x1000 | 0x2000), 0X40);

    if (argAddress == INTPTR_ZERO) return false;

    // LoadLibraryA expects an ANSI path, so the string is written as ASCII bytes.
    byte[] bytes = Encoding.ASCII.GetBytes(dllPath);

    if (WriteProcessMemory(processHandle, argAddress, bytes, (uint)bytes.Length, 0) == 0)
        return false;

    // Start a thread in the target at LoadLibraryA with the written path as its argument.
    if (CreateRemoteThread(processHandle, (IntPtr)null, INTPTR_ZERO, loadLibraryAddress, argAddress, 0, (IntPtr)null) == INTPTR_ZERO)
    {
        return false;
    }

    CloseHandle(processHandle);
    return true;
}
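From the defender's side, the sequence in the question (OpenProcess, WriteProcessMemory, CreateRemoteThread with LoadLibraryA as the start routine) is exactly what Sysmon records as Event ID 8 (CreateRemoteThread): the new thread's StartModule is kernel32.dll and its StartFunction is a LoadLibrary export. A loader that never goes through LoadLibrary, which is what "using the bytes directly" would amount to, instead produces a thread whose start address no module backs. The following triage script is an added example, not code from the question or the answer; the three events are constructed for it, the field names are Sysmon's, and the allowlist of known remote-thread creators is an assumed analyst-maintained input.

```python
"""Triage of Sysmon Event ID 8 (CreateRemoteThread) records for the
LoadLibrary-via-CreateRemoteThread injection pattern described in the question.
The events below are constructed for this example, not real telemetry."""

# Loader exports: a remote thread starting at one of these in kernel32.dll is the
# textbook signature of the technique in the question.
LOADLIBRARY_FUNCS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

# Constructed samples in the text form Sysmon writes into the event message.
SAMPLE_EVENTS = [
    # 1: an injector starting LoadLibraryA inside another process
    "CreateRemoteThread detected:\n"
    "RuleName: -\n"
    "UtcTime: 2017-07-10 09:14:38.000\n"
    "SourceProcessId: 4120\n"
    "SourceImage: C:\\Users\\dev\\Desktop\\injector.exe\n"
    "TargetProcessId: 2288\n"
    "TargetImage: C:\\Program Files\\Target\\target.exe\n"
    "NewThreadId: 5312\n"
    "StartAddress: 0x00007FFB1A2C3D40\n"
    "StartModule: C:\\Windows\\System32\\KERNEL32.DLL\n"
    "StartFunction: LoadLibraryA",
    # 2: a debugger's break-in thread, backed by ntdll: remote, but not a loader call
    "CreateRemoteThread detected:\n"
    "RuleName: -\n"
    "UtcTime: 2017-07-10 09:20:01.000\n"
    "SourceProcessId: 6040\n"
    "SourceImage: C:\\Tools\\debugger.exe\n"
    "TargetProcessId: 2288\n"
    "TargetImage: C:\\Program Files\\Target\\target.exe\n"
    "NewThreadId: 6100\n"
    "StartAddress: 0x00007FFB1B0A5F10\n"
    "StartModule: C:\\Windows\\System32\\ntdll.dll\n"
    "StartFunction: DbgUiRemoteBreakin",
    # 3: a remote thread at an address no module backs (a loader that bypasses
    #    LoadLibrary entirely looks like this)
    "CreateRemoteThread detected:\n"
    "RuleName: -\n"
    "UtcTime: 2017-07-10 09:31:44.000\n"
    "SourceProcessId: 7188\n"
    "SourceImage: C:\\Users\\dev\\Desktop\\unknown.exe\n"
    "TargetProcessId: 2288\n"
    "TargetImage: C:\\Program Files\\Target\\target.exe\n"
    "NewThreadId: 7210\n"
    "StartAddress: 0x000001E4A3F20000\n"
    "StartModule: -\n"
    "StartFunction: -",
]

ALERT_VERDICTS = {"loadlibrary_injection", "unbacked_remote_thread"}


def parse_event(text):
    """Split a Sysmon message body into field -> value (first 'key: value' per line)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:  # the 'CreateRemoteThread detected:' title line has no separator
            fields[key.strip()] = value.strip()
    return fields


def classify(ev):
    """Label one parsed Event ID 8 record by where the new thread starts."""
    module = ev.get("StartModule", "-")
    func = ev.get("StartFunction", "-")
    if module in ("", "-"):
        # No module owns the start address: the thread runs code that was written
        # into the process rather than a known export.
        return "unbacked_remote_thread"
    if module.lower().endswith("kernel32.dll") and func in LOADLIBRARY_FUNCS:
        # The OpenProcess / WriteProcessMemory / CreateRemoteThread chain above.
        return "loadlibrary_injection"
    return "remote_thread"


def triage(events, allowlist=frozenset()):
    """Return (verdict, source image, target image) for every alert-worthy event.

    allowlist holds lower-cased source image paths known to create remote threads
    legitimately (assumed to be maintained by the analyst)."""
    findings = []
    for text in events:
        ev = parse_event(text)
        src = ev.get("SourceImage", "")
        if src.lower() in allowlist:
            continue
        verdict = classify(ev)
        if verdict in ALERT_VERDICTS:
            findings.append((verdict, src, ev.get("TargetImage", "")))
    return findings


if __name__ == "__main__":
    for verdict, src, dst in triage(SAMPLE_EVENTS):
        print(f"{verdict}: {src} -> {dst}")
```

Run as-is, it reports the first and third sample; the debugger thread is recorded but not alerted because its start address is inside ntdll.dll and is not a loader export. In a real deployment the allowlist, not the classifier, is where known-good tooling goes, so that a new unbacked thread from an allowlisted image is still visible when the allowlist is reviewed.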

1 answer:

Answer 0 (score: 0)

There is no need to convert the string to a byte array.

Just use string::ToCharArray()

IntPtr bytesRead = IntPtr.Zero;
WriteProcessMemory(proc.Handle, loc, dllpath.ToCharArray(), dllpath.Length, out bytesRead);