- 主题
- 0
- 积分
- 0
- 贝壳
- 0 个
- 注册时间
- 2007-3-10
- 最后登录
- 2007-3-11
|
关于进程注入的问题,望高手指点
下面是小弟写的一个程序,程序的作用是通过CreateRemoteThread()函数向notepad.exe进程注入一个线程, 该线程的作用是将c:\aaa.txt拷贝到c:\bbb.txt。
程序的作用可以实现,但问题是拷贝完成后,宿主进程notepad.exe会崩溃。
我还试过将注入线程中对CopyFile()的调用改成MessageBox(),但是显示消息框之后宿主进程还是照样崩溃。 好像只要在注入线程中调用了API,宿主进程就会崩溃。不知道这是什么原因?望有高手指点
我的环境是windows xp sp2, visual studio.net 2003.
以下是代码:
#include "stdafx.h"
#include "windows.h"
#include <conio.h>
#include <Psapi.h>
#pragma comment(lib, "Psapi.lib")
// ========== 传给注入线程的参数结构 ============
struct MyData
{
char srcfile[64]; //源文件地址
char destfile[64];//目标文件地址
DWORD dwCopyFile; // CopyFileA()的地址
};
// ========== 远程线程的函数 ==============================
DWORD __stdcall RMTFunc(MyData *pData)
{
typedef int(__stdcall*_tCopyFile)(LPCSTR, LPCSTR, bool);
_tCopyFile copyfile = (_tCopyFile)pData->dwCopyFile;
copyfile(pData->srcfile, pData->destfile, true);
return 0;
}
//============空函数,其作用是方便获取注入线程函数的体积======
static void AfterMyFunc (void) {
}
//根据进程名获取进程id
DWORD processtopid(char *processname)
{
DWORD lpidprocesses[1024],cbneeded,cprocesses;
HANDLE hprocess;
HMODULE hmodule;
UINT i;
char normalname[MAX_PATH]=_T("UnknownProcess");
if(!EnumProcesses(lpidprocesses,sizeof(lpidprocesses),&cbneeded))
{
OutputDebugString(_T("EnumProcesses Error\n"));
return -1;
}
cprocesses=cbneeded/sizeof(DWORD);
for(i=0;i<cprocesses;i++)
{
hprocess=OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,FALSE,lpidprocesses);
if(hprocess)
{
if(EnumProcessModules(hprocess,&hmodule,sizeof(hmodule),&cbneeded))
{
GetModuleBaseName(hprocess,hmodule,normalname,sizeof(normalname));
if(!strcmp(normalname,processname))
{
CloseHandle(hprocess);
return (lpidprocesses);
}
}
}
}
CloseHandle(hprocess);
return 0;
}
int _tmain(int argc, _TCHAR* argv[])
{
// ===== 获得需要创建REMOTETHREAD的进程句柄 ===============================
DWORD dwProcessId = processtopid("notepad.exe");
HANDLE hProcess = OpenProcess(
PROCESS_ALL_ACCESS,
FALSE,
dwProcessId);
// ========= 代码结构 ================================================
MyData data;
ZeroMemory(&data, sizeof (MyData));
strcpy(data.srcfile, "c:\\aaa.txt");
strcpy(data.destfile, "c:\\bbb.txt");
HINSTANCE hKernel32 = LoadLibrary("kernel32.dll");
if (! hKernel32)
{
printf("Can not load library.\n");
return 0;
}
data.dwCopyFile = (DWORD)GetProcAddress(hKernel32, "CopyFileA");
FreeLibrary(hKernel32);
if (! data.dwCopyFile)
return 0;
// ======= 为注入线程分配空间 =============================
DWORD cbCodeSize=((LPBYTE) AfterMyFunc - (LPBYTE) RMTFunc);
void *pRemoteThread = VirtualAllocEx(hProcess, 0, cbCodeSize, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (! pRemoteThread)
return 0;
//========将线程函数写入宿主进程===========================
if (! WriteProcessMemory(hProcess, pRemoteThread, &RMTFunc, cbCodeSize, 0))
return 0;
// ======= 为参数分配空间 =============================
MyData *pData
= (MyData*)VirtualAllocEx(hProcess, 0,
sizeof (MyData), MEM_COMMIT,
PAGE_READWRITE);
if (!pData)
return 0;
//========将参数写入宿主进程===========================
if (! WriteProcessMemory(hProcess, pData, &data, sizeof (MyData), 0))
return 0;
// =========== 创建远程线程 ===========================================
HANDLE hThread
= CreateRemoteThread(hProcess, 0,
0, (LPTHREAD_START_ROUTINE)pRemoteThread,
pData, 0, 0);
if (! hThread)
{
printf("远程线程创建失败");
return 0;
}
//===========收尾=============================
CloseHandle(hThread);
VirtualFreeEx(hProcess, pRemoteThread, 1024*3, MEM_RELEASE);
VirtualFreeEx(hProcess, pData, sizeof (MyData), MEM_RELEASE);
CloseHandle(hProcess);
printf("Hello World!\n");
return 0;
} |
|
