Calling a function in an injected unmanaged dll

Time: 2014-10-11 22:44:16

Tags: c# c++ dll pinvoke createremotethread

I have been trying to solve this problem for several days but still cannot get it to work. I have successfully injected an unmanaged dll into a remote process. In the dll there is a function named testfunction which I am trying to call via CreateRemoteThread.

I have the address of the injected dll in the process (0x6B610000) and the offset of the function (0x70802), which means the function in the dll is located at (0x6B680802).

I have also exported this function from the dll:

LIBRARY test
EXPORTS
testfunction

This is how I am trying to call the function:

    // P/Invoke declarations for the kernel32 functions used below
    // (dwStackSize is SIZE_T, so it is marshalled as IntPtr; 0 = default stack size)
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, IntPtr dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, out uint lpThreadId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool GetExitCodeThread(IntPtr hThread, out uint lpExitCode);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    public uint CallFunction()
    {
        // remote base of the injected dll + offset (RVA) of testfunction inside it
        IntPtr _functionPtr = IntPtr.Add(this.modulePtr, 0x70802); //this.modulePtr = 0x6B610000
        uint threadID;
        // start a thread in the target whose entry point is the exported function
        IntPtr hThread = CreateRemoteThread(this.processHandle, IntPtr.Zero, IntPtr.Zero, _functionPtr, IntPtr.Zero, 0, out threadID);
        if (hThread == IntPtr.Zero)
            throw new System.ComponentModel.Win32Exception(); // processHandle invalid/closed or lacks PROCESS_CREATE_THREAD

        // wait for thread to exit
        WaitForSingleObject(hThread, 0xFFFFFFFF);

        // get the thread exit code (the DWORD returned by testfunction)
        uint exitCode = 0;
        GetExitCodeThread(hThread, out exitCode);

        // close thread handle
        CloseHandle(hThread);

        return exitCode;
    }

This is my DLL source:

#include "stdafx.h"
#include <windows.h>
#include <iostream>
#include <fstream>
#include <string>

// Must have the LPTHREAD_START_ROUTINE shape, DWORD WINAPI f(LPVOID), because it is
// started with CreateRemoteThread; its return value becomes the thread exit code.
DWORD WINAPI testfunction(LPVOID param); //<--- the test function I'm trying to call
DWORD WINAPI T_HkThread(LPVOID);
void WriteToLog(const std::string& _message);


void WriteToLog(const std::string& _message)
{
    // std::ios::app is the open mode "append" meaning
    // new data will be written to the end of the file.
    std::ofstream out("C:/test/log.txt", std::ios::app);

    out << _message << "\n";
    // the file is flushed and closed when 'out' goes out of scope
}

DWORD WINAPI testfunction(LPVOID param)
{
    (void)param; // unused; receives the lpParameter passed to CreateRemoteThread
    WriteToLog("YES YOU CALLED THE FUNCTION");
    return 0;
}


DWORD WINAPI T_HkThread(LPVOID)
{
    //Loading CLR INTO PROCESS
    WriteToLog("Thread created...");
    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
        case DLL_PROCESS_ATTACH:
            {
                WriteToLog("Injection done: Creating Thread...");
                // The new thread cannot run until this DllMain returns and the loader lock is released.
                HANDLE hThread = CreateThread( NULL, 0, T_HkThread, NULL, 0, NULL );
                if (hThread != NULL)
                    CloseHandle(hThread); // the thread keeps running; only the handle is released
                break;
            }
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
        }
    return TRUE;
}

The remote application in this example (winamp) loads the dll (I can see the same address in Process Hacker), but it crashes immediately when I try to call the function "testfunction" in the dll.

winamp caused an Access Violation (0xc0000005) in module winamp.exe at 0023:64bc0802.

What am I doing wrong?

Thanks in advance

1 answer:

Answer 0: (score: 0)

If you plan to use it later, it is better not to close the ProcessHandle in the previous function :)

Also, adding 0x69772 instead of 69772 is not a good idea. The function is now called without errors.
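The address arithmetic in the question hard-codes an offset taken from a disassembler and a module base observed in one run; the faulting address in the crash report, 0x64bc0802, is exactly 0x70802 past 0x64b50000 rather than past 0x6B610000, so the base used at call time did not match the base the offset was added to. As an added example (not the asker's code and not part of the original post or answer), the injector below measures the export's RVA by mapping the same DLL file into itself with LoadLibraryEx and reads the remote base from the target's own module list, then starts the remote thread with the error checks the posted code omits. It assumes the injector and target have the same bitness, that the caller passes the full path of the injected DLL, and that processHandle was opened with PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE; the class and method names are mine.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;

static class RemoteCall   // hypothetical name, not from the original post
{
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern IntPtr LoadLibraryEx(string lpFileName, IntPtr hFile, uint dwFlags);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Ansi, ExactSpelling = true)]
    static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool FreeLibrary(IntPtr hModule);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, IntPtr dwStackSize,
        IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, out uint lpThreadId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool GetExitCodeThread(IntPtr hThread, out uint lpExitCode);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    const uint DONT_RESOLVE_DLL_REFERENCES = 0x00000001; // map the image, run no DllMain
    const uint INFINITE = 0xFFFFFFFF;
    const uint WAIT_OBJECT_0 = 0;

    // Offset (RVA) of an export from the start of its module, measured on a copy of
    // the DLL mapped into this process. The RVA is a property of the file, so it is
    // identical in every process that loads that file, whatever base ASLR picks.
    public static long ExportOffset(string dllPath, string exportName)
    {
        IntPtr local = LoadLibraryEx(dllPath, IntPtr.Zero, DONT_RESOLVE_DLL_REFERENCES);
        if (local == IntPtr.Zero) throw new Win32Exception(); // wrong bitness or path
        try
        {
            IntPtr fn = GetProcAddress(local, exportName);
            if (fn == IntPtr.Zero) throw new Win32Exception(); // not in the EXPORTS list
            return fn.ToInt64() - local.ToInt64();
        }
        finally { FreeLibrary(local); }
    }

    // Base of the already-injected DLL inside the target, read from the target's
    // module list at call time instead of being copied from an earlier run.
    public static IntPtr RemoteModuleBase(int pid, string dllPath)
    {
        string wanted = Path.GetFullPath(dllPath);
        using (Process p = Process.GetProcessById(pid))
        {
            foreach (ProcessModule m in p.Modules)
                if (string.Equals(m.FileName, wanted, StringComparison.OrdinalIgnoreCase))
                    return m.BaseAddress;
        }
        throw new InvalidOperationException(wanted + " is not loaded in process " + pid);
    }

    // Runs the export on a new thread in the target and returns its DWORD result.
    // processHandle stays open: the caller owns it and may reuse it.
    public static uint CallExport(IntPtr processHandle, int pid, string dllPath, string exportName)
    {
        long remote = RemoteModuleBase(pid, dllPath).ToInt64() + ExportOffset(dllPath, exportName);

        uint tid;
        IntPtr hThread = CreateRemoteThread(processHandle, IntPtr.Zero, IntPtr.Zero,
                                            new IntPtr(remote), IntPtr.Zero, 0, out tid);
        if (hThread == IntPtr.Zero) throw new Win32Exception(); // closed handle or missing access rights
        try
        {
            if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0) throw new Win32Exception();
            uint exitCode;
            if (!GetExitCodeThread(hThread, out exitCode)) throw new Win32Exception();
            return exitCode;   // the value returned by the export, 0 for testfunction above
        }
        finally { CloseHandle(hThread); } // release the thread handle only
    }
}

// usage: uint rc = RemoteCall.CallExport(processHandle, pid, @"C:\test\test.dll", "testfunction");
```

The export must keep the DWORD WINAPI f(LPVOID) shape, since CreateRemoteThread calls it as a thread start routine and the exit code you read back is whatever it returns. Process.Modules and LoadLibraryEx both fail with a Win32Exception when the injector's bitness differs from the target's, which is a useful early check before anything is started in the remote process.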