我一直试图解决这个问题好几天,但仍然无法让它发挥作用。 我已成功将非托管dll注入远程进程。在我正试图通过CreateRemoteThread调用的dll中有一个名为testfunction的函数。
我有进程中注入的dll的地址(0x6B610000)和函数的偏移量(0x70802),这意味着dll中的函数位于(0x6B680802)。
我也在dll中导出了这个函数:
LIBRARY test
EXPORTS
testfunction
这就是我试图调用该函数的方法:
public uint CallFunction()
{
IntPtr _functionPtr = IntPtr.Add(this.modulePtr, 0x70802); //this.modulePtr = 0x6B610000
uint threadID;
IntPtr hThread = CreateRemoteThread(this.processHandle, IntPtr.Zero, IntPtr.Zero, _functionPtr, IntPtr.Zero, 0, out threadID);
// wait for thread to exit
WaitForSingleObject(hThread, 0xFFFFFFFF);
// get the thread exit code
uint exitCode = 0;
GetExitCodeThread(hThread, out exitCode);
// close thread handle
CloseHandle(hThread);
return exitCode;
}
这是我的DLL源:
#include "stdafx.h"
#include <iostream>
#include <fstream>
#include <string>
DWORD WINAPI testfunction(LPVOID *param); //<--- the test function im trying to call
DWORD WINAPI T_HkThread(LPVOID);
void WriteToLog(std::string _message);
void WriteToLog(std::string _message)
{
std::ofstream out;
// std::ios::app is the open mode "append" meaning
// new data will be written to the end of the file.
out.open("C:/test/log.txt", std::ios::app);
std::string str = _message + "\n";
out << str;
}
DWORD WINAPI testfunction(LPVOID *param)
{
WriteToLog("YES YOU CALLED THE FUNCTION");
return 0;
}
DWORD WINAPI T_HkThread(LPVOID)
{
//Loading CLR INTO PROCESS
WriteToLog("Thread created...");
return 0;
}
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
WriteToLog("Injection done: Creating Thread...");
CreateThread( NULL, NULL, T_HkThread, NULL, NULL, NULL );
}
case DLL_THREAD_ATTACH:
{
}
case DLL_THREAD_DETACH:
{
}
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
这个示例中的远程应用程序(winamp)加载了dll(我可以在进程黑客中看到相同的地址)但是当我尝试在dll中调用函数“testfunction”时会立即崩溃。
winamp caused an Access Violation (0xc0000005) in module winamp.exe at 0023:64bc0802.
我做错了什么?
提前致谢
答案 0 :(得分:0)
如果您打算稍后使用它,最好不要关闭上一个函数中的ProcessHandle:)
同时添加0x69772而不是69772并不是一个好主意。该函数现在被调用而没有错误。