我尝试使用 QueueUserAPC 实现注入，但程序会一直无限期地等待。代码附在下面。首先，我获取目标进程的句柄，然后获取其主线程 ID 并发起 APC 调用。我该如何调用？我正在尝试向 Chrome 进程中注入一些代码。
/*
 * Caller-side fragment: opens the target process, records its PID and hands
 * the handle to injectQUAPC(). The enclosing function and the declarations of
 * hproc, proc32, shctrl, ninj and threadid are not part of this excerpt.
 *
 * Defender note: a request for PROCESS_VM_WRITE | PROCESS_VM_OPERATION on
 * another process is the kind of cross-process handle access that
 * process-access telemetry (for example Sysmon event ID 10) records.
 */
/* Obtain a handle to the process */
hproc = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, proc32.th32ProcessID);
if (hproc == NULL) {
// NOTE(review): the failure branch only logs (with a "[+]" success prefix);
// execution falls through and the NULL handle is used by everything below.
printf("\t[+] OpenProcess error \n");
}
printf("\n\t[+] Opened process handle: 0x%Ix\n", (SIZE_T)hproc);
shctrl->pidtab[ninj] = proc32.th32ProcessID; // store process id (if inject fails, next attempt will overwrite it)
printf("\t[+]*************Calling injectionQUAPC*************\n");
// injectQUAPC() returns void and closes hproc itself before returning, so the
// handle must not be used again after this call.
injectQUAPC(hproc, proc32.th32ProcessID);
// NOTE(review): nothing in this fragment or in injectQUAPC() writes
// threadid[ninj]; the value printed here comes from elsewhere - confirm.
printf("\t[+] Returned value of thread[nink] after injection is %d\n", threadid[ninj]);
我已经修改了这个函数：DWORD GetMainThreadId(DWORD dwPid)
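/*
 * Return the ID of the first thread in a ToolHelp thread snapshot whose owner
 * is dwProcessId, or 0 when the snapshot cannot be taken or no thread matches.
 *
 * NOTE(review): despite the name, nothing here establishes that the thread
 * found is the process's initial ("main") thread; it is simply the first
 * match in enumeration order.
 */
DWORD GetMainThreadId( DWORD dwProcessId )
{
    /* dwSize (the first member) must be set before Thread32First is called. */
    THREADENTRY32 te32 = { sizeof( THREADENTRY32 ) };
    /* 0 means "not found". The function returns a DWORD, not a pointer, so
     * NULL was the wrong sentinel and draws a pointer-to-integer diagnostic
     * when compiled as C. */
    DWORD dwThreadId = 0;
    HANDLE hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, dwProcessId );

    if( hSnapshot == INVALID_HANDLE_VALUE )
        return 0;

    /* Entries are filtered by owner below; per the ToolHelp documentation a
     * TH32CS_SNAPTHREAD snapshot lists threads of every process. */
    if( Thread32First( hSnapshot, &te32 ) )
    {
        do {
            if( te32.th32OwnerProcessID == dwProcessId )
            {
                dwThreadId = te32.th32ThreadID;
                break;
            }
        } while( Thread32Next( hSnapshot, &te32 ) );
    }

    /* Single release point for the snapshot handle on every path past creation. */
    CloseHandle( hSnapshot );
    return dwThreadId;
}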
下面这个函数会调用上面的函数；返回的线程 ID 我已用 ProcessthreadView 工具验证过。
/*
 * injectQUAPC - the routine the question is about.
 *
 * In order, the code below: looks up a thread ID for dwProcessId with
 * GetMainThreadId(), opens that thread with THREAD_ALL_ACCESS, allocates a
 * region in the process behind hproc with VirtualAllocEx, copies bytes
 * starting at `executer` into it with WriteProcessMemory, calls QueueUserAPC,
 * and, if that call reports success, waits on the thread handle with an
 * INFINITE timeout. Both hThread and the caller-supplied hproc are closed
 * before returning. Nothing is returned to the caller.
 *
 * hproc        handle opened by the caller (in the fragment above, with
 *              PROCESS_VM_WRITE | PROCESS_VM_OPERATION).
 * dwProcessId  PID of the same process, used only for the thread lookup.
 *
 * Defender note: opening another process, allocating and writing memory in
 * it, then queueing an APC to one of its threads is the pattern catalogued as
 * MITRE ATT&CK T1055.004 (Process Injection: Asynchronous Procedure Call).
 * Endpoint monitoring commonly alerts on this call sequence, particularly
 * when the target is a browser process.
 *
 * NOTE(review): none of the failure branches below return; each one logs,
 * blocks on getch() and then carries on with the invalid value.
 */
void injectQUAPC( HANDLE hproc, DWORD dwProcessId ){
HANDLE hThread; // handle to the target thread; NOT initialised at this point
PROCESSENTRY32W proc32; // process entry (unused in this function)
ushort ninj = 0; // number of injected processes so far (unused in this function)
int skip; // internal flag (unused in this function)
LPVOID funst, funent; // executer() entry point in current and remote process
ULONG funsz; // executer() size
LPBYTE p; // auxiliary pointer (unused in this function)
DWORD nwritten; // written bytes and thread ID (unused in this function)
printf("\n************Inside injectQUAPC*************\n");
DWORD threadid;
/* Get thread id from process id */
// NOTE(review): dwProcessId and threadid are DWORDs printed with %d in this
// function; the format specifier does not match the argument type.
printf("\t[+] Getting main thread id for proc id: %d\n", dwProcessId);
threadid = GetMainThreadId(dwProcessId);
// NOTE(review): this tests hThread, which has not been assigned yet, so the
// read is of an indeterminate value. The lookup result is in threadid, and
// GetMainThreadId() signals failure through its return value.
if (hThread == NULL){
printf("\t[-] Error getting main thread. press enter to skip\n");
getch();
}
/* Getting thread handle from thread id */
hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, threadid);
// NOTE(review): the success message and the handle value are printed before
// the result of OpenThread is checked.
printf("\t[+] Thread opened successfully.\n");
printf("\t[+] Thread handle: 0x%Ix\r\n", (SIZE_T)hThread);
if (!hThread){
printf("[-] Couldn't open thread: 0x%Ix, trying next one...\r\n", (SIZE_T)hThread);
// No loop surrounds this code, so the disabled `continue` below has nothing
// to continue; the message's "trying next one" is not acted on.
// continue;
}
funst = executer;
// NOTE(review): executer is not declared in this excerpt. If it is a function,
// as the variable comments say, sizeof on it is not valid ISO C and does not
// measure the function's code - confirm what funsz ends up holding.
funsz = sizeof(executer);
_tprintf(_T("\t[+] Allocating space for the path of the executor code\n"));
// The region is requested with PAGE_READWRITE protection.
funent = VirtualAllocEx(hproc, NULL, funsz, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (funent == NULL) {
printf("\t[-] VirtualAllocEx error \n");
getch();
}
BOOL bStatus;
/* Write to the remote process */
// The message says "current process", but the destination handle passed to
// WriteProcessMemory is hproc. The bytes-written out-parameter is NULL.
printf("\t[+] Writing into the current process space at 0x%p\n", funent);
bStatus = WriteProcessMemory(hproc, funent, funst, funsz, NULL);
// NOTE(review): bStatus is a BOOL compared against the pointer constant NULL.
if (bStatus == NULL) {
printf("\t[+] WriteProcessMemory errror \n");
getch();
}
else printf("\t[+] WriteProcessMemory status %d \n", bStatus);
DWORD dResult; // unused in this function
/* The APC is queued here */
// As written, the first argument is the process handle hproc cast to
// PAPCFUNC, and the remote address funent is passed as the ULONG_PTR data
// argument.
if (!QueueUserAPC((PAPCFUNC)hproc, hThread, (ULONG_PTR)funent)){
printf("\t[-] QueueUserAPC error, trying next thread...\r\n");
getch();
}
else {
printf("\t[+] QueueUserAPC successfully completed on thread ID %d....\n", threadid);
printf("Waiting on thread %d.\n", threadid);
// A thread handle becomes signalled only when that thread terminates, so
// with INFINITE this call blocks for as long as the target thread keeps
// running. This is the endless wait described in the question.
WaitForSingleObject(hThread, INFINITE);
}
// Both handles are closed below although the message mentions only one.
// NOTE(review): hThread may be NULL here if OpenThread failed, and hproc
// belongs to the caller, who must not reuse it afterwards.
printf("\t[+] Closing process handle.\n");
CloseHandle(hThread);
CloseHandle( hproc );
// The function is void; nothing is actually returned despite this message.
printf("\t[+] Returning thread handle for thread ID %d....\n", threadid);
}