当我尝试将C ++ dll注入进程时,我最终得到以下错误
"运行时检查失败#0 - ESP的值未在函数调用中正确保存。这通常是调用使用不同调用约定声明的函数指针的结果。"
我确定错误的原因是因为DLLMain我很可能是错的。
BOOL WINAPI DllMain (HMODULE hDll, DWORD dwReason, LPVOID lpReserved )
{
switch( dwReason )
{
case DLL_PROCESS_ATTACH:
CreateThread(0, 0, (LPTHREAD_START_ROUTINE)Inject, 0, 0, 0);
break;
}
return TRUE;
}
这是注入功能
VOID Inject() {
QWORD time;
DWORD id, pid;
HANDLE hSs, hThread;
HMODULE hMono;
THREADENTRY32 t;
FILETIME CreationTime, ExitTime, KernelTime, UserTime;
CONTEXT context = { CONTEXT_CONTROL };
// poll for mono
while ((hMono = GetModuleHandle("mono.dll")) == NULL) Sleep(10);
mono_security_get_mode = (DWORD (__cdecl *)(void))GetProcAddress(hMono, "mono_security_get_mode");
mono_security_set_mode = (void (__cdecl *)(DWORD))GetProcAddress(hMono, "mono_security_set_mode");
mono_domain_get = (PVOID (__cdecl *)(void))GetProcAddress(hMono, "mono_domain_get");
mono_domain_assembly_open = (PVOID (__cdecl *)(PVOID,PCHAR))GetProcAddress(hMono, "mono_domain_assembly_open");
mono_assembly_get_image = (PVOID (__cdecl *)(PVOID))GetProcAddress(hMono, "mono_assembly_get_image");
mono_class_from_name = (PVOID (__cdecl *)(PVOID,PCHAR,PCHAR))GetProcAddress(hMono, "mono_class_from_name");
mono_class_get_method_from_name = (PVOID (__cdecl *)(PVOID,PCHAR,DWORD))GetProcAddress(hMono, "mono_class_get_method_from_name");
mono_runtime_invoke = (PVOID (__cdecl *)(PVOID,PVOID,PVOID *,PVOID))GetProcAddress(hMono, "mono_runtime_invoke");
// mono executes with thread local data, get the main thread.
id = NULL;
pid = GetCurrentProcessId();
hSs = CreateToolhelp32Snapshot(TH32CS_SNAPALL, pid);
t.dwSize = sizeof(THREADENTRY32);
if (hSs) {
// set time to max value so we can find the oldest thread
time = 0xFFFFFFFFFFFFFFFF;
if (Thread32First(hSs, &t)) {
do {
if (t.th32OwnerProcessID == pid) {
hThread = OpenThread(THREAD_QUERY_INFORMATION, FALSE, t.th32ThreadID);
if (hThread) {
if (GetThreadTimes(hThread, &CreationTime, &ExitTime, &KernelTime, &UserTime)) {
// nasty casting lol
if (time > *(PQWORD)&CreationTime) {
time = *(PQWORD)&CreationTime;
id = t.th32ThreadID;
}
}
CloseHandle(hThread);
}
}
} while (Thread32Next(hSs, &t));
}
}
else {
Deject("Couldn't acquire the main thread.");
return;
}
if (id) {
// hijack the main thread and have it inject our c# code
hThread = OpenThread(THREAD_QUERY_INFORMATION | THREAD_SUSPEND_RESUME | THREAD_GET_CONTEXT | THREAD_SET_CONTEXT, FALSE, id);
if (hThread) {
SuspendThread(hThread);
if (GetThreadContext(hThread, &context)) {
dwReturn = context.Eip;
context.Eip = (DWORD)MonoInject;
SetThreadContext(hThread, &context);
}
ResumeThread(hThread);
CloseHandle(hThread);
}
else {
Deject("Couldn't hijack the main thread, BALLS!");
return;
}
}
}