I am injecting code with the CreateRemoteThread() + LoadLibrary() method. When I run the injector on a Windows 7 64-bit laptop everything works, and for some target applications it also works on Windows Server 2012 R2 64-bit.
However, in this Windows Server 2012 environment, for some target applications (an old MFC application), CreateRemoteThread succeeds but DllMain is not called, and I found that LoadLibrary() seems to fail, by calling GetExitCodeThread() on the remote thread created in that application.
For writing the memory into the target process, I counted the terminating 0 byte.
Also, I already know that the kernel32.dll addresses are the same on Windows 7 and Windows Server 2012, using the method described in the answer section of the URL below.
The exit code from GetExitCodeThread() below is zero.
    HANDLE hThread = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)addr, arg, 0, NULL);
    if (hThread == NULL) {
        OutputDebugString(_T("Error: the remote thread could not be created.\n"));
        writeLog("Error: the remote thread could not be created.");
    }
    else {
        // The thread may already have exited, so do not wait INFINITE.
        DWORD dResult = WaitForSingleObject(hThread, 1000 * 3);
        DWORD dwExitCode = 0;
        if (dResult == WAIT_TIMEOUT) {
            // Still running: GetExitCodeThread would report STILL_ACTIVE (259), not a result.
            writeLog("Error: the remote thread did not finish within 3 seconds.");
        }
        else if (!GetExitCodeThread(hThread, &dwExitCode)) {
            writeLog("Error: GetExitCodeThread failed.");
        }
        else if (dwExitCode == 0) {
            // The exit code is the (low 32 bits of the) HMODULE LoadLibraryA returned; 0 means NULL.
            writeLog("Error: LoadLibraryA failed.");
        }
        else {
            OutputDebugString(_T("Success: the remote thread was successfully created.\n"));
            writeLog("Success: the remote thread was successfully created.");
        }
        CloseHandle(hThread);
    }
Do you know what I should suspect next?
In summary, in the figure below, the only failure you can see is when I run the injector on Windows Server 2012 to inject into some old MFC applications.
In the figure below, the history information about the MFC application is as follows:
I am trying to provide enough information; if you need more, please let me know.
Below is the full code that injects my DLL:
    #include <windows.h>
    #include <dbghelp.h>
    #include <tchar.h>
    #include <string.h>

    // g_nTargetProcId, g_hTargetProc, g_sPdbFolder and writeLog() are defined elsewhere in the injector.

    void inject(int procID, char* pszHookDll)
    {
        g_nTargetProcId = procID;
        HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);
        if (process == NULL) {
            writeLog("Error: the specified process couldn't be found.");
            return;
        }
        g_hTargetProc = process;
        BOOL bInit = SymInitialize(g_hTargetProc, g_sPdbFolder, TRUE); // for analysing the information spy.dll sends out
        if (!bInit) {
            writeLog("Error: SymInitialize failed.");
        }
        /*
         * Get address of the LoadLibrary function.
         */
        LPVOID addr = (LPVOID)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
        if (addr == NULL) {
            writeLog("Error: the LoadLibraryA function was not found inside kernel32.dll library.");
            return;
        }
        //addr = getProcAddrInTargetProcess(procID, process);
        /*
         * Allocate new memory region inside the process's address space
         * (strlen + 1 so the terminating 0 byte is included).
         */
        SIZE_T nBufSize = strlen(pszHookDll) + 1;
        LPVOID arg = VirtualAllocEx(process, NULL, nBufSize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
        if (arg == NULL) {
            writeLog("Error: the memory could not be allocated inside the chosen process.");
            return;
        }
        /*
         * Write the argument to LoadLibraryA to the process's newly allocated memory region.
         */
        SIZE_T nWritten = 0;
        if (!WriteProcessMemory(process, arg, pszHookDll, nBufSize, &nWritten) || nWritten != nBufSize) {
            writeLog("Error: there were no bytes written to the process's address space.");
            return;
        }
        /*
         * Inject our DLL into the process's address space.
         */
        HANDLE hThread = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)addr, arg, 0, NULL);
        if (hThread == NULL) {
            writeLog("Error: the remote thread could not be created.");
        }
        else {
            // The thread may already have exited, so do not wait INFINITE.
            DWORD dResult = WaitForSingleObject(hThread, 1000 * 3);
            DWORD dwExitCode = 0;
            if (dResult == WAIT_TIMEOUT) {
                // Still running: GetExitCodeThread would report STILL_ACTIVE (259), not a result.
                writeLog("Error: the remote thread did not finish within 3 seconds.");
            }
            else if (!GetExitCodeThread(hThread, &dwExitCode)) {
                writeLog("Error: GetExitCodeThread failed.");
            }
            else if (dwExitCode == 0) {
                // The exit code is the (low 32 bits of the) HMODULE LoadLibraryA returned; 0 means NULL.
                writeLog("Error: LoadLibraryA failed.");
            }
            else {
                OutputDebugString(_T("Success: the remote thread was successfully created.\n"));
                writeLog("Success: the remote thread was successfully created.");
            }
            CloseHandle(hThread);
        }
        /*
         * Close the handle to the process, because we've already injected the DLL.
         */
        //CloseHandle(process); close after SymCleanup
    }
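A way to confirm from the outside whether the DLL actually ended up in the target process, rather than relying only on the remote thread's exit code, as an added example that is not part of the original post (the PID and the DLL file name are assumed parameters; it also lists modules loaded from outside the Windows directory, the same inventory a defender takes when triaging an unexpected module in a process):

```powershell
# Added example, not from the original post. Reports whether a named DLL is present in a
# process's loaded-module list and lists modules living outside the Windows directory,
# so a missing (or unexpected) module stands out during triage.
function Test-ModuleInProcess {
    param(
        [Parameter(Mandatory = $true)][int]$ProcessId,     # assumed: target PID
        [Parameter(Mandatory = $true)][string]$ModuleName  # assumed: e.g. 'spy.dll'
    )
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    try {
        $modules = @($proc.Modules)  # System.Diagnostics.ProcessModule[]
    }
    catch {
        # Reading the module list can fail (for example, access denied); surface the reason.
        return [pscustomobject]@{
            ProcessId = $ProcessId; Name = $proc.ProcessName; Loaded = $null
            Error     = $_.Exception.Message
        }
    }
    $match  = $modules | Where-Object { $_.ModuleName -ieq $ModuleName } | Select-Object -First 1
    $windir = [Environment]::GetFolderPath('Windows')
    $outside = $modules |
        Where-Object { -not $_.FileName.StartsWith($windir, 'OrdinalIgnoreCase') } |
        Select-Object ModuleName, FileName
    [pscustomobject]@{
        ProcessId         = $ProcessId
        Name              = $proc.ProcessName
        Loaded            = [bool]$match
        Path              = if ($match) { $match.FileName } else { $null }
        NonWindowsModules = $outside
    }
}

# Usage (constructed values): Test-ModuleInProcess -ProcessId 1234 -ModuleName 'spy.dll'
```

Run it from an elevated session with the same architecture as the target so that the module list is readable; if Loaded is false although the remote thread returned a non-zero exit code, the failure lies in the DLL's own loading, not in the thread creation.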