I am trying to execute a simple function inside another process (the "host"). To do this, I call WriteProcessMemory to copy the function into the host, then use CreateRemoteThread to execute it. The host process simply crashes, with no error code.
I am using Notepad++ (32-bit) as the example host. I also compile my program as x86 (on Windows, obviously). What am I doing wrong here?
#include <iostream>
#include <cstdio>   // FILE / freopen_s, used by the commented-out body of func()
#include <Windows.h>
#include <psapi.h>
#pragma comment(lib, "psapi.lib") // GetModuleFileNameEx is exported from psapi.lib

// the function to be executed inside the host
DWORD __stdcall func(LPVOID pParam)
{
    // this is the end goal, but
    // just return 1 for now to help
    // solve one problem at a time
    /*
    AllocConsole(); FILE* consoleFile;
    freopen_s(&consoleFile, "CONOUT$", "w", stdout);
    int parameter = *(int*)pParam;
    std::cout << "param: " << parameter << std::endl;
    */
    return 1;
}

// exists only to help calculate the size of func()
DWORD __stdcall after()
{
    return 0;
}

int main() {
    HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 30512); // PID found via task manager
    char procName[MAX_PATH + 1];
    GetModuleFileNameEx(process, NULL, procName, MAX_PATH);
    std::cout << "got process: " << procName << std::endl;

    // assumes after() is laid out immediately behind func() in the image
    size_t functionSize = (DWORD)after - (DWORD)func;
    void* functionMemory = VirtualAllocEx(process, NULL, functionSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    std::cout << "function address: " << (DWORD)functionMemory << std::endl;
    bool functionWPM = WriteProcessMemory(process, functionMemory, func, functionSize, NULL);
    std::cout << "function wpm: " << (functionWPM ? "true" : "false") << std::endl;

    // copy the argument into the host as well, since func() runs in the host's address space
    int parameter = 1234;
    size_t parameterSize = sizeof(int);
    void* parameterMemory = VirtualAllocEx(process, NULL, parameterSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    std::cout << "parameter address: " << (DWORD)parameterMemory << std::endl;
    bool parameterWPM = WriteProcessMemory(process, parameterMemory, &parameter, parameterSize, NULL);
    std::cout << "parameter wpm: " << (parameterWPM ? "true" : "false") << std::endl;

    // start a thread in the host at the copied function, passing the copied parameter
    HANDLE hThread = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)functionMemory, parameterMemory, 0, NULL);
    WaitForSingleObject(hThread, INFINITE);
    std::cout << "thread 0x" << std::hex << hThread << std::dec << " completed" << std::endl;
    std::cout << "errno: " << GetLastError() << std::endl;

    CloseHandle(hThread);
    CloseHandle(process);
    return 0;
}
This is the output, which does not indicate that anything went wrong:
got process: C:\Program Files (x86)\Notepad++\notepad++.exe
function address: 55115776
function wpm: true
parameter address: 55181312
parameter wpm: true
(there is a noticeable ~0.5 second delay here)
thread 0x000000E0 completed
errno: 0
The solution to the immediate problem was to compile in Release mode. I am not really sure why, so if anyone has an idea I would be happy to hear it in the comments.
As @RaymondChen mentioned, this process is more complicated than I had previously thought, and I am not able to run any significant amount of code in the host process.
If anyone comes across this question trying to do the same thing, my advice is to remember that the address space of func() is completely different from that of your injector program. This means that if you want to call AllocConsole(), you have to determine its address in the host program and call it at that address, rather than just using AllocConsole() as I did in the question.
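From the defender's side, the technique in this thread leaves a distinctive trace: the remote thread starts in memory that VirtualAllocEx created, so its start address is not inside any loaded module of the target. Sysmon Event ID 8 (CreateRemoteThread) records exactly this, with StartModule left empty when the start address is unbacked. The script below is an added example, not code from the question or the answer: it parses a constructed "Key: Value" text export of such events (an assumed format, not real telemetry), flags the unbacked case, and lets vetted sources such as a debugger be allowlisted. The first sample record mirrors the injector above, using the function address the question printed (55115776, which is 0x03490000); the second is a constructed benign debugger attach whose thread starts inside ntdll.dll.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class RemoteThreadEvent:
    """One CreateRemoteThread record (field names follow Sysmon Event ID 8)."""
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str
    new_thread_id: int
    start_address: int
    start_module: str    # empty when StartAddress lies in no loaded image
    start_function: str

# Constructed sample records (not real telemetry) in a flattened "Key: Value"
# form. Record 1 models the injector in the question: a thread started at the
# VirtualAllocEx'd page it printed as 55115776 (0x03490000). Record 2 models a
# benign debugger attach, which also creates a remote thread, but one that
# starts inside ntdll.dll (paths and PIDs are assumptions).
SAMPLE_LOG = r"""
SourceProcessId: 4120
SourceImage: C:\Users\dev\injector.exe
TargetProcessId: 30512
TargetImage: C:\Program Files (x86)\Notepad++\notepad++.exe
NewThreadId: 6116
StartAddress: 0x03490000
StartModule:
StartFunction:

SourceProcessId: 8840
SourceImage: C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe
TargetProcessId: 30512
TargetImage: C:\Program Files (x86)\Notepad++\notepad++.exe
NewThreadId: 7712
StartAddress: 0x77A3F5C0
StartModule: C:\Windows\SysWOW64\ntdll.dll
StartFunction: DbgUiRemoteBreakin
"""

_FIELD = re.compile(r"^\s*(\w+):\s*(.*?)\s*$")

def parse_events(text: str) -> list[RemoteThreadEvent]:
    """Parse blank-line-separated blocks of 'Key: Value' lines into events."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = {}
        for line in block.splitlines():
            m = _FIELD.match(line)
            if m:
                f[m.group(1)] = m.group(2)
        events.append(RemoteThreadEvent(
            source_pid=int(f.get("SourceProcessId", "0")),
            source_image=f.get("SourceImage", ""),
            target_pid=int(f.get("TargetProcessId", "0")),
            target_image=f.get("TargetImage", ""),
            new_thread_id=int(f.get("NewThreadId", "0")),
            start_address=int(f.get("StartAddress", "0"), 16),
            start_module=f.get("StartModule", ""),
            start_function=f.get("StartFunction", ""),
        ))
    return events

def classify(ev: RemoteThreadEvent, allowed_sources=()) -> Optional[str]:
    """Return a reason string if the event looks like code injection, else None."""
    if ev.source_image.lower() in {s.lower() for s in allowed_sources}:
        return None  # a vetted source such as an EDR agent or a debugger
    if not ev.start_module:
        # No image backs the start address: the thread runs code that was
        # written into the target rather than loaded as a module.
        return ("thread start address 0x%08X in %s is not backed by any loaded "
                "module (consistent with WriteProcessMemory + CreateRemoteThread)"
                % (ev.start_address, ev.target_image))
    return None

def find_suspicious(text: str, allowed_sources=()):
    """Run classify() over every event in the text; return (event, reason) pairs."""
    return [(ev, r) for ev in parse_events(text)
            if (r := classify(ev, allowed_sources)) is not None]

if __name__ == "__main__":
    for ev, reason in find_suspicious(SAMPLE_LOG):
        print(f"[ALERT] {ev.source_image} (pid {ev.source_pid}) -> "
              f"{ev.target_image} (pid {ev.target_pid}): {reason}")
```

Run as-is it reports only the first record; passing the debugger or injector path in allowed_sources suppresses that source. The empty StartModule check is the core signal for this thread's technique, but on a real host it should be paired with the source image's reputation, since debuggers, profilers and security tools legitimately create remote threads too.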