如何在64位进程(Windows)上正确保存和恢复线程上下文?

时间:2013-12-05 00:37:37

标签: c assembly 64-bit code-injection threadcontext

我有以下代码用于从64位进程中释放一个库。它完成了它的工作,但问题是目标进程在恢复保存的上下文之后就会崩溃。不知道这里有什么问题。它应该会把之前的所有寄存器和标志都恢复回去,对吧?我做错了什么?

#ifdef _WIN64

// Raw x64 machine-code template. Every run of eight 0x00 bytes following a
// 0x48 0xB8 / 0x48 0xB9 (mov r64, imm64) opcode is a placeholder; the
// FreeLibrary_InjectionCode_x64 overlay below patches each one with a pointer
// before the blob is written into the target process.
const static unsigned char FreeLibrary_InjectionCodeRAW_x64[] =
{
    0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //mov rax, value   (FreeLibrary address)
    0x48, 0xB9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //mov rcx, value   (HMODULE, first argument register)
    0xFF, 0xD0, //call rax (FreeLibrary) -- no 32-byte home space is reserved on the stack first; see answer 0 below
    0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //mov rax, value   (address of the trailing status dword)
    0xC7, 0x00, 0x01, 0x00, 0x00, 0x00, //mov [rax],1   -> status = 1; the injector's ReadProcessMemory loop waits for this
    0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //mov rax, value   (Sleep address)
    0xB9, 0x64, 0x00, 0x00, 0x00, //mov ecx, 0x64   (Sleep(100))
    0xFF, 0xD0, //call Sleep   (same missing home-space caveat as the FreeLibrary call)
    0xEB, 0xED, //jmp rel8 -19: back to the "mov rax, <Sleep>" above, so the thread spins in Sleep until the injector restores its context
    0x00, 0x00, 0x00, 0x00 //status   (data, not code: the dword written by the "mov [rax],1" above)
};

#pragma pack(push, 1)
// Field-by-field overlay of FreeLibrary_InjectionCodeRAW_x64. pack(1) is
// essential: the code_N arrays hold opcode bytes and the pointer fields sit
// exactly on the template's zero placeholders, so any padding would shift the
// bytes and corrupt the instruction stream. The constructor's memcpy over
// `this` is only safe while sizeof(FreeLibrary_InjectionCode_x64) equals
// sizeof(FreeLibrary_InjectionCodeRAW_x64); a static_assert on that equality
// would make the invariant explicit.
struct FreeLibrary_InjectionCode_x64
{
    // Start from the raw template; the caller then fills in the four pointer fields.
    FreeLibrary_InjectionCode_x64()
    {
        memcpy(this, FreeLibrary_InjectionCodeRAW_x64, sizeof(FreeLibrary_InjectionCodeRAW_x64));
    }

    char code_1[2];          // 48 B8                      mov rax, imm64
    FARPROC lpFreeLibrary;   //   imm64                    -> FreeLibrary
    char code_2[2];          // 48 B9                      mov rcx, imm64
    HMODULE hLib;            //   imm64                    -> module to free
    char code_3[4];          // FF D0 48 B8                call rax; mov rax, imm64
    LPVOID lpStatusAddress;  //   imm64                    -> &status inside the target process
    char code_4[8];          // C7 00 01 00 00 00 48 B8    mov [rax],1; mov rax, imm64
    FARPROC lpSleep;         //   imm64                    -> Sleep
    char code_5[9];          // B9 64 00 00 00 FF D0 EB ED mov ecx,0x64; call rax; jmp back
    int status;              // set to 1 by the remote thread once FreeLibrary has returned
};
#pragma pack(pop)

#endif

// Unloads module `what` from the process named `where` by hijacking one of its
// threads: the thread's context is saved, RIP is pointed at a blob that calls
// FreeLibrary and then spins in Sleep, the injector polls the blob's status
// dword, and finally the saved context is written back.
//
// Review notes (defender's view):
//  * Almost no return value is checked: OpenProcessToken/OpenThreadToken,
//    SetPrivilege, VirtualAllocEx (addr may be NULL), WriteProcessMemory,
//    Get/SetThreadContext, Suspend/ResumeThread and ReadProcessMemory. Any one
//    of them failing leaves the target thread in an unknown state (answer 1).
//  * The injected blob reserves no home space before its calls (answer 0).
//  * The OpenProcess(VM_WRITE|VM_OPERATION) / VirtualAllocEx(RWX) /
//    WriteProcessMemory / SetThreadContext sequence, preceded by enabling
//    SeDebugPrivilege, is the textbook thread-hijack injection footprint that
//    endpoint telemetry keys on.
void FreeLib(const char what[], const char where[])
{
    HANDLE hToken;
    // Enable SeDebugPrivilege on the process token, then on the thread token.
    OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken);
    SetPrivilege(hToken, SE_DEBUG_NAME, TRUE);
    CloseHandle(hToken);
    // NOTE(review): if OpenThreadToken fails (a thread without an impersonation
    // token), hToken presumably still holds the handle closed on the line above,
    // so SetPrivilege/CloseHandle below would operate on a stale handle.
    OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &hToken);
    SetPrivilege(hToken, SE_DEBUG_NAME, TRUE);
    CloseHandle(hToken);

    HMODULE hMod;
    DWORD dwProcessId = GetProcessIdByName(where);
    // hMod is a module base inside the *target* process, as returned by the
    // project's GetModuleHandleInProcess helper (not visible here).
    if ((hMod = GetModuleHandleInProcess(what, dwProcessId)) != NULL)
    {
        HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | SYNCHRONIZE, FALSE, dwProcessId);
        if (hProcess != NULL)
        {
            // FreeLibrary/Sleep are resolved in *this* process and the addresses are
            // reused in the target; this assumes kernel32.dll is mapped at the same
            // base in both processes -- confirm. The LoadLibrary reference is never
            // released.
            HMODULE hKernel = LoadLibrary("kernel32.dll");
            FARPROC FLaddr = GetProcAddress(hKernel, "FreeLibrary");
            FARPROC Saddr = GetProcAddress(hKernel, "Sleep");

            HANDLE hThread = OpenThread(THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_QUERY_INFORMATION | THREAD_SET_INFORMATION | THREAD_SUSPEND_RESUME,
                FALSE, GetValidThreadIdInProcess(dwProcessId));

            if (hThread != NULL && FLaddr != NULL && Saddr != NULL)
            {
                // One RWX page in the target; addr is not NULL-checked before use.
                LPVOID addr = VirtualAllocEx(hProcess, NULL, 4096, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
                // The status dword is the last sizeof(int) bytes of the blob.
                LPVOID lpStatusAddress = (PUCHAR)addr + (sizeof(FreeLibrary_InjectionCode_x64)-sizeof(int));
                FreeLibrary_InjectionCode_x64 code = FreeLibrary_InjectionCode_x64();
                code.hLib = hMod;
                code.lpFreeLibrary = FLaddr;
                code.lpSleep = Saddr;
                code.lpStatusAddress = lpStatusAddress;
                WriteProcessMemory(hProcess, addr, &code, sizeof(FreeLibrary_InjectionCode_x64), NULL); // return value ignored

                CONTEXT ctx, oldCtx;
                ctx.ContextFlags = CONTEXT_ALL; // capture every register class so the later restore is complete

                SuspendThread(hThread);
                GetThreadContext(hThread, &ctx);

                // oldCtx keeps ContextFlags = CONTEXT_ALL, so SetThreadContext(&oldCtx)
                // below writes back everything that was captured.
                memcpy(&oldCtx, &ctx, sizeof(CONTEXT));
                ctx.Rip = (DWORD64)addr; // only RIP is redirected; all other registers stay as captured

                SetThreadContext(hThread, &ctx);
                ResumeThread(hThread);

                // Poll the blob's status dword. The first iteration tests the local copy,
                // which still holds the template's 0. There is no timeout: if the remote
                // thread never writes status (e.g. the blob faulted), this loops forever.
                while (!code.status)
                {
                    Sleep(15);
                    ReadProcessMemory(hProcess, addr, &code, sizeof(FreeLibrary_InjectionCode_x64), NULL);
                }

                // The remote thread is now in the blob's Sleep loop; freeze it and put
                // the original registers back. The crash the question reports happens
                // after this restore -- see answer 0 for the stack damage done by the
                // calls inside the blob.
                SuspendThread(hThread);
                SetThreadContext(hThread, &oldCtx);
                ResumeThread(hThread);

                // Decommits the page but leaves the reservation in place
                // (MEM_RELEASE with size 0 would release it).
                VirtualFreeEx(hProcess, addr, 4096, MEM_DECOMMIT);

                CloseHandle(hThread);
            }
            // hThread is leaked when it was opened but FLaddr or Saddr was NULL.

            CloseHandle(hProcess);
        }
    }
}

2 个答案:

答案 0 :(得分:1)

Windows 64位使用fastcall调用约定。在此约定中,函数的调用者负责在堆栈上预留4 * 64位(32字节)的空间,供被调用函数保存寄存器。这意味着您的调用应如下所示:

sub rsp, 32
call rax
add rsp, 32

在您的代码中,被调用的FreeLibrary或Sleep会覆盖不属于它们自身堆栈帧的堆栈内容,从而导致之后的崩溃。

答案 1 :(得分:0)

您没有做任何错误处理来确保:在执行那段内存之前,它确实已经在另一个进程中分配并写入成功;ReadProcessMemory()成功;线程的暂停/恢复以及上下文交换也都成功。

很可能远程线程在运行完您注入的代码后,会在您的注入器来得及把原始上下文换回去之前,继续去执行其原始代码(或者恰好紧跟在您分配的内存块之后的随机代码)。这可能是造成崩溃的原因。

您可能希望考虑改用CreateRemoteThread(),让注入的代码在自己的专用线程中运行,而不是劫持另一个进程中的现有线程再把其上下文换回来。这样就不需要上下文交换了。