Get path of current module after using RemoteThread

Time: 2011-07-16 19:51:53

Tags: c++

I need to get the current path of the module (dll) whose code is executing. I have already injected the dll from .NET into a native process using RemoteThread.

I have tried getcwd, GetCurrentDirectory, GetModuleHandle. I also tried this solution, but it does not work either: I get an empty string of length MAX_PATH. https://stackoverflow.com/questions/6719140/get-path-of-current-module-after-using-remotethread/6719210#6719210 I had already opened a thread, but I cannot log in to my e-mail to get the ID. Sorry, but thanks anyway for the answer. I will rate it this time!

C# injection

public static IntPtr InjectLibrary(
    Process targetProcess,
    string libraryPath)
{
    // P/Invoke argument lists were omitted in the original post.
    var libaryPathBytes = Encoding.GetBytes();
    var hProc = NativeMethods.OpenProcess();
    var hMemory = NativeMethods.VirtualAllocEx();
    NativeMethods.WriteProcessMemory();
    var hLoadLib = NativeMethods.GetProcAddress();
    var hThread = NativeMethods.CreateRemoteThread();

    return hThread;
}

Native library

#include <windows.h>
#include <tlhelp32.h>

DWORD WINAPI Bootstrap(LPVOID arg);   // forward declaration, used by DllMain below

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        {
            // Do the real work on a separate thread rather than inside DllMain.
            DWORD threadId;
            CreateThread( NULL, 0, Bootstrap, NULL, 0, &threadId);
            break;
        }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

DWORD WINAPI Bootstrap(LPVOID arg) {

    DWORD currentProcessID = GetCurrentProcessId();
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, currentProcessID);
    MODULEENTRY32 entry;
    // NB: entry.dwSize is never set here, so Module32First fails and entry stays uninitialized.
    Module32First(snapshot, &entry);
    MessageBox(NULL, entry.szExePath, L"", MB_OK);//entry.szExePath is an empty string of length MAX_PATH like □□□□□□□□□□□□□□□□□□□□□□□....
    HMODULE module = entry.hModule;
    wchar_t currentPath[MAX_PATH];
    GetModuleFileName(module, currentPath, MAX_PATH);
    MessageBox(NULL, currentPath, L"", MB_OK);//currentPath is an empty string of length MAX_PATH like □□□□□□□□□□□□□□□□□□□□□□□....
    //all other options give me the same string or the executable path
    return 0;
}

1 answer:

Answer 0 (score: 0)

There is a "hidden" Tool Help library mentioned by Raymond Chen that works around several quirks in the Win32 API. It seems you can use it to fetch the handle to the first module associated to a process (presumably the original executable). You can use that handle to get the path of the executable.

It would look something like:

// Get a listing of modules loaded in the process.
DWORD process = ...;
HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, process);
// Get the handle to the first module loaded by that process.
MODULEENTRY32 entry;
Module32First(snapshot, &entry);
HANDLE module = entry.hModule;
// Get the path to the executable/DLL file containing the module.
GetModuleFileName(module, ...);

Edit: I have tried a complete example. GetModuleFileName() returns an empty string because the module handle was not loaded with a LoadLibrary() call.

However, it seems the MODULEENTRY32 structure already provides the full path of the module in its szExePath member. The following example works for me:

#include <Windows.h>
#include <TlHelp32.h>
#include <iostream>

int main ( int, char ** )
{
    // Substitute `process` with appropriate process ID.
    const ::DWORD process = ::GetCurrentProcessId();
    const ::HANDLE snapshot =
        ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, process);
    if ( snapshot == INVALID_HANDLE_VALUE ) {
        std::cerr << "Couldn't get snapshot!" << std::endl;
        return (EXIT_FAILURE);
    }
    // Get 1st module info.
    ::MODULEENTRY32W module;
    ::ZeroMemory(&module, sizeof(module));
    module.dwSize = sizeof(module);
    const ::BOOL result = Module32FirstW(snapshot, &module);
    if ( result == FALSE )
    {
        // Handle errors.
        const ::DWORD error = ::GetLastError();
        std::cerr
            << "Couldn't get 1st module (" << error << ")."
            << std::endl;
        return (EXIT_FAILURE);
    }
    std::wcout
        << module.szExePath << std::endl;
    // Cleanup.
    ::CloseHandle(snapshot);
    return (EXIT_SUCCESS);
}