我的目标是使用C#(CreateRemoteThread)中的P / Invoke调用远程进程中的函数。 问题是该函数需要多个参数。有没有办法将多个参数传递给函数?
答案 0 :(得分:1)
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
uint dwSize, AllocationType flAllocationType, MemoryProtection flProtect);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);
[Flags]
public enum AllocationType
{
Commit = 0x1000,
Reserve = 0x2000,
Decommit = 0x4000,
Release = 0x8000,
Reset = 0x80000,
Physical = 0x400000,
TopDown = 0x100000,
WriteWatch = 0x200000,
LargePages = 0x20000000
}
[Flags]
public enum MemoryProtection
{
Execute = 0x10,
ExecuteRead = 0x20,
ExecuteReadWrite = 0x40,
ExecuteWriteCopy = 0x80,
NoAccess = 0x01,
ReadOnly = 0x02,
ReadWrite = 0x04,
WriteCopy = 0x08,
GuardModifierflag = 0x100,
NoCacheModifierflag = 0x200,
WriteCombineModifierflag = 0x400
}
[StructLayout(LayoutKind.Sequential, Pack=1]
public struct RemoteThreadParams
{
[MarshalAs(UnmanagedType.U1)]
public byte Param1;
[MarshalAs(UnmanagedType.I4)]
public int Param2;
...
}
[DllImport("kernel32")]
public static extern IntPtr CreateRemoteThread(
IntPtr hProcess,
IntPtr lpThreadAttributes,
uint dwStackSize,
IntPtr lpStartAddress,
IntPtr lpParameter,
uint dwCreationFlags,
out uint lpThreadId
);
RemoteThreadParams params = new RemoteThreadParams();
parms.Param1 = 10;
parms.Param2 = 200;
// Allocate some native heap memory in your process big enough to store the
// parameter data
IntPtr iptrtoparams = Marshal.AllocHGlobal(Marshal.SizeOf(RemoteThreadParams));
// Copies the data in your structure into the native heap memory just allocated
Marshal.StructureToPtr(params, iptrtoparams, false);
// Use to get a handle to the process you intend to create a thread in.
OpenProcess(...,...,...);
// Use to alloc "committed" memory that is addressable by other process
IntPtr iptrremoteallocatedmemory = VirtualAllocEx()...
// Copy from your process memory to the memory the remoteprocess will be accessing
WriteProcessMemory(...,iptrremoteallocatedmemory,iptrtoparams,...,...);
Marshal.FreeHGlobal(iptrtoparams); // safe to free, as you have done the copy
CreateRemoteThread(...,...,...,...,iptrremoteallocatedmemory,...,...);
// Free the memory that was allocated for the other process...but be
// careful of its lifetime.
//
// Only free when the thread will no longer be accessing the allocated native
// memory i.e. when it's finished.
VirtualFreeEx(...,...,...,...);
在您的C / C ++代码中有:
#pragma pack(push,1)
struct tagRemoteThreadParams
{
BYTE Param1;
int Param2;
} RemoteThreadParams, *PRemoteThreadParams;
#pragma pack(pop)
将线程函数收到的LPVOID
投放到PRemoteThreadParams
(即*RemoteThreadParams
)。
如果你想要一些“字符串”作为你的参数之一,那么你将不得不做更多的工作来整理它们。如需更多帮助,请参阅:
其他一些参考文献:
答案 1 :(得分:0)
如果函数具有多个参数,则不使用shellcode就无法将它们传递给CreateRemoteThread()
所调用的函数。
将指针传递给结构或参数数组将不起作用。
第一个参数将正确传递,其他参数也将存在于您编写它们的内存中,但是它们不会被放置到调用约定正确访问它们所需的寄存器或堆栈中。
如果函数接受2个参数,并且您将指针传递给结构(如我在其他答案中所提到的),则第一个参数将正确放置在堆栈或寄存器中,但是当函数尝试访问随后的参数,它将只提取之前在堆栈上或寄存器内的所有数据。
基本上,它将把这些垃圾数据作为参数。
正确获取所需参数的唯一方法是在执行对目标函数的调用或jmp之前,将shellcode写入将参数加载到适当寄存器并进行堆栈的过程中。
您可以通过尝试使用CreateRemoteThread之一来轻松地对此进行测试:
MessageBoxA(0,0,0,0);
Beep(500, 500);
您可以自己跟踪程序集并轻松查看问题,程序集决不会尝试触摸第一个参数之后的地址。取而代之的是,它仅在参数应该位于的位置上触摸数据(在堆栈和寄存器中,而不是在您写入内存的结构中)。
如果您的函数采用了指向结构的指针,则其他答案中提供的方法将起作用。