Question

我尝试使用nativeApi编写dll注入器。出于这个原因，我写了这段代码。 NtReadFile函数读取的东西，但我看不到除了FileReadBuffer的第一个值以外的任何东西。另外，我不知道dll如何看待缓冲区。

（1）我如何比较缓冲区和dll文件？

（2）我如何确保代码运行正确。

（3）请告诉我代码中的错误。

bool Injector::initiationDll(const std::string& dllPath)
{
    if (!isDllExist(dllPath))
    {
        printf("Dll not found!\n");
        return false;
    }
    else
    {
        printf("LibraryPath: %s\n", dllPath);

        NTSTATUS status; HANDLE lFile;

        OBJECT_ATTRIBUTES objAttribs = { 0 }; UNICODE_STRING unicodeString;
        std::string dllPathWithprefix = "\\??\\" + dllPath;

        std::wstring wString = std::wstring(dllPathWithprefix.begin(), dllPathWithprefix.end()); PCWSTR toPcwstr = wString.c_str();
        RtlInitUnicodeString(&unicodeString, toPcwstr);
        InitializeObjectAttributes(&objAttribs, &unicodeString, OBJ_CASE_INSENSITIVE, NULL, NULL);
        objAttribs.Attributes = 0;

        const int allocSize = 2048;
        LARGE_INTEGER largeInteger;
        largeInteger.QuadPart = allocSize;

        IO_STATUS_BLOCK ioStatusBlock;

        status = NtCreateFile(
            &lFile,
            GENERIC_READ | FILE_READ_DATA | SYNCHRONIZE,
            &objAttribs,
            &ioStatusBlock,
            &largeInteger,
            FILE_ATTRIBUTE_NORMAL,
            FILE_SHARE_READ | FILE_SHARE_WRITE,
            FILE_OPEN,
            FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
            NULL,
            0);

        if (!NT_SUCCESS(status)) {
            printf("CreateFile failed..\n");
            return false;
        }
        else {
            printf("Library Handle : %p\n", lFile);

            DWORD fileSize = getDllSize(dllPath);

            if (fileSize == 0)
            {
                printf("File size is zero.\n");
                return false;
            }
            else
            {
                printf("File size : %d byte.\n", fileSize);

                PVOID FileReadBuffer = VirtualAlloc(NULL, fileSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

                if (!FileReadBuffer)
                {
                    printf("\nError: Unable to allocate memory(%d)\n", GetLastError());

                    status = NtClose(lFile);
                    return false;
                }
                else {
                    printf("Allocate %d byte for buffer.\n", fileSize);

                    status = NtReadFile(
                        lFile,
                        NULL,
                        NULL,
                        NULL,
                        &ioStatusBlock,
                        FileReadBuffer,
                        sizeof(FileReadBuffer),
                        0, // ByteOffset
                        NULL);

                    if (!NT_SUCCESS(status))
                    {
                        printf("Unable to read the dll...  : %d\n", GetLastError());
                        return false;
                    }
                    else {
                        status = NtClose(lFile);
                        for (int i = 0; i < sizeof(fileSize); i++)
                        {
                            //wprintf(L"%p   :   %s\n", FileReadBuffer, FileReadBuffer);
                        }
                    }
                }
            }
        }
    }
}

Answer 1

status = NtReadFile(
                        lFile,
                        NULL,
                        NULL,
                        NULL,
                        &ioStatusBlock,
                        FileReadBuffer,
                        sizeof(FileReadBuffer), // !!!!!
                        0, // ByteOffset
                        NULL);

所以你读取sizeof（FileReadBuffer） - 只有4或8个字节。我认为你使用了here

的建议

我怎样才能看到缓冲区的内容并与dll文件进行比较？

1 个答案: