DLLMain ESP的值未在函数调用中正确保存

时间:2015-09-09 02:16:13

标签: c++ dll

当我尝试将 C++ DLL 注入进程时,最终得到以下错误:

"运行时检查失败#0 - ESP的值未在函数调用中正确保存。这通常是调用使用不同调用约定声明的函数指针的结果。"

我确定错误出在 DllMain 上——我的写法很可能有问题。

// DLL entry point. On DLL_PROCESS_ATTACH it spawns a worker thread that runs
// Inject() and returns at once; every other dwReason falls out of the switch
// and is ignored. The thread handle CreateThread returns is never closed and
// the CreateThread result itself is not checked.
//
// NOTE(review): Inject is declared `VOID Inject()` (no parameter, the
// compiler's default calling convention) but is cast to LPTHREAD_START_ROUTINE,
// whose signature is DWORD WINAPI (*)(LPVOID) — __stdcall on 32-bit x86 with
// one argument. Calling through that cast is very likely the "different calling
// convention" condition the quoted run-time check #0 (ESP not preserved)
// reports; the cast hides the compiler's type error instead of resolving it.
BOOL WINAPI DllMain (HMODULE hDll, DWORD dwReason, LPVOID lpReserved )
{
    switch( dwReason )
    {
    case DLL_PROCESS_ATTACH:
        // Return value ignored; a NULL (failed) thread creation goes unnoticed.
        CreateThread(0, 0, (LPTHREAD_START_ROUTINE)Inject, 0, 0, 0);
        break;
    }
    return TRUE;
}

这是注入函数:

// Worker routine started from DllMain. Waits for mono.dll to appear in the
// host process, resolves a set of Mono runtime exports into file-scope
// function pointers (declared elsewhere; none is checked for NULL), picks the
// process's oldest thread as the "main thread", and redirects that thread's
// instruction pointer to MonoInject.
//
// Interface notes: no parameters and no return value, yet DllMain hands it to
// CreateThread as an LPTHREAD_START_ROUTINE — the likely source of the
// reported ESP run-time check. Deject, dwReturn, MonoInject and the
// QWORD/PQWORD types are not in this listing. It reads/writes context.Eip and
// casts a code address to DWORD, so it assumes a 32-bit x86 build.
//
// From a defensive standpoint, Toolhelp thread enumeration followed by
// SuspendThread / GetThreadContext / SetThreadContext / ResumeThread on a
// thread the caller does not own is the thread-context-hijack sequence that
// endpoint monitoring commonly flags.
VOID Inject() {
    QWORD time;
    DWORD id, pid;
    HANDLE hSs, hThread;
    HMODULE hMono;
    THREADENTRY32 t;
    FILETIME CreationTime, ExitTime, KernelTime, UserTime;
    CONTEXT context = { CONTEXT_CONTROL };   // only the control registers (Eip among them) are fetched and written back
    // poll for mono

    // Spins with 10 ms sleeps and no timeout until the host has loaded mono.dll.
    while ((hMono = GetModuleHandle("mono.dll")) == NULL) Sleep(10);


    // Each GetProcAddress result is cast straight into a __cdecl function
    // pointer; a missing export leaves NULL here and crashes at first call.
    mono_security_get_mode = (DWORD (__cdecl *)(void))GetProcAddress(hMono, "mono_security_get_mode");
    mono_security_set_mode = (void (__cdecl *)(DWORD))GetProcAddress(hMono, "mono_security_set_mode");
    mono_domain_get = (PVOID (__cdecl *)(void))GetProcAddress(hMono, "mono_domain_get");
    mono_domain_assembly_open = (PVOID (__cdecl *)(PVOID,PCHAR))GetProcAddress(hMono, "mono_domain_assembly_open");
    mono_assembly_get_image = (PVOID (__cdecl *)(PVOID))GetProcAddress(hMono, "mono_assembly_get_image");
    mono_class_from_name = (PVOID (__cdecl *)(PVOID,PCHAR,PCHAR))GetProcAddress(hMono, "mono_class_from_name");
    mono_class_get_method_from_name = (PVOID (__cdecl *)(PVOID,PCHAR,DWORD))GetProcAddress(hMono, "mono_class_get_method_from_name");
    mono_runtime_invoke = (PVOID (__cdecl *)(PVOID,PVOID,PVOID *,PVOID))GetProcAddress(hMono, "mono_runtime_invoke");


    // mono executes with thread local data, get the main thread.
    // "Main" is approximated as the thread with the smallest creation time.
    id = NULL;   // NULL (a pointer constant) assigned to a DWORD; works as 0 but the types do not match
    pid = GetCurrentProcessId();
    hSs = CreateToolhelp32Snapshot(TH32CS_SNAPALL, pid);

    t.dwSize = sizeof(THREADENTRY32);

    // NOTE(review): CreateToolhelp32Snapshot signals failure with
    // INVALID_HANDLE_VALUE, not NULL, so this test cannot reach the else branch
    // on failure; the snapshot handle is also never closed on the success path.
    if (hSs) {
        // set time to max value so we can find the oldest thread
        time = 0xFFFFFFFFFFFFFFFF;
        if (Thread32First(hSs, &t)) {
            do {
                // Toolhelp thread enumeration is system-wide regardless of the
                // pid passed above, hence the owner-process filter here.
                if (t.th32OwnerProcessID == pid) {
                    hThread = OpenThread(THREAD_QUERY_INFORMATION, FALSE, t.th32ThreadID);
                    if (hThread) {
                        if (GetThreadTimes(hThread, &CreationTime, &ExitTime, &KernelTime, &UserTime)) {
                            // nasty casting lol
                            // Reinterprets the two-DWORD FILETIME as one 64-bit
                            // value through a pointer cast — an aliasing
                            // violation assuming QWORD is an integer typedef;
                            // ULARGE_INTEGER or memcpy is the documented route.
                            if (time > *(PQWORD)&CreationTime) {
                                time = *(PQWORD)&CreationTime;
                                id = t.th32ThreadID;
                            }
                        }
                        CloseHandle(hThread);
                    }
                }
            } while (Thread32Next(hSs, &t));
        }
    }
    else {
        Deject("Couldn't acquire the main thread.");
        return;
    }

    // If no thread matched, id is still 0 and the function returns silently
    // without reporting through Deject.
    if (id) {
        // hijack the main thread and have it inject our c# code
        hThread = OpenThread(THREAD_QUERY_INFORMATION | THREAD_SUSPEND_RESUME | THREAD_GET_CONTEXT | THREAD_SET_CONTEXT, FALSE, id);
        if (hThread) {
            SuspendThread(hThread);   // result (previous suspend count, or -1 on failure) ignored
            if (GetThreadContext(hThread, &context)) {
                dwReturn = context.Eip;   // original Eip parked in a global declared elsewhere; presumably consumed by MonoInject — not visible here
                context.Eip = (DWORD)MonoInject;
                SetThreadContext(hThread, &context);   // result ignored; a failure here leaves the thread untouched but still resumed below
            }
            ResumeThread(hThread);
            CloseHandle(hThread);
        }
        else {
            Deject("Couldn't hijack the main thread, BALLS!");
            return;
        }
    }
}
