不幸的是,我在注入 svchost 时遇到了问题。代码如下所示:
#include "Injection.h"
#pragma once
#include <cstring>
#include <string>
#include <Windows.h>
// Stateless injector: the constructor has nothing to initialise.
DLLInjection::DLLInjection() = default;
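/// Starts a suspended svchost.exe and queues two APCs on its initial thread:
/// LoadLibraryA(dllPath) followed by ExitThread. Both run inside the child once
/// the thread is resumed (the mechanism the original code relies on).
///
/// @param dllPath NUL-terminated ANSI path of the DLL to load in the child.
///                Must fit in MAX_PATH bytes including the terminator.
///
/// NOTE(review): this does not elevate anything. CreateProcess runs the child
/// in the caller's security context (same access token, same integrity level),
/// so a svchost.exe spawned from a non-elevated injector is itself non-elevated.
/// The question's own observation -- certmgr only succeeds when the injector is
/// started as administrator -- is consistent with that.
void DLLInjection::InjectDLLTosvchost(LPSTR dllPath)
{
    // Copy exactly the string plus its terminator. The original wrote a fixed
    // 260 bytes, which reads past the caller's buffer for any shorter path.
    if (dllPath == NULL) {
        return;
    }
    const SIZE_T pathBytes = strlen(dllPath) + 1;
    if (pathBytes > MAX_PATH) {
        return;
    }

    // Resolve the kernel32 exports before creating anything, so a failure here
    // leaves no child process behind.
    HMODULE k32 = GetModuleHandleA("kernel32.dll");
    if (k32 == NULL) {
        return;
    }
    const PAPCFUNC pLoadLibraryA = (PAPCFUNC)GetProcAddress(k32, "LoadLibraryA");
    const PAPCFUNC pExitThread = (PAPCFUNC)GetProcAddress(k32, "ExitThread");
    if (pLoadLibraryA == NULL || pExitThread == NULL) {
        return;
    }

    // Launch the system binary by full path. A bare "svchost.exe" with a NULL
    // lpApplicationName goes through the CreateProcess search order, which
    // starts in the injector's own directory (binary-planting risk).
    char systemDir[MAX_PATH];
    const UINT sysLen = GetSystemDirectoryA(systemDir, MAX_PATH);
    if (sysLen == 0 || sysLen >= MAX_PATH) {
        return;
    }
    // Quoted because lpCommandLine is tokenised; held in a std::string so the
    // buffer handed to CreateProcess is writable.
    std::string cmdLine = "\"" + std::string(systemDir) + "\\svchost.exe\"";

    STARTUPINFOA si = {};
    si.cb = sizeof(si);  // CreateProcess requires cb to be set
    PROCESS_INFORMATION pi = {};
    if (!CreateProcessA(NULL, &cmdLine[0], NULL, NULL, FALSE, CREATE_SUSPENDED,
                        NULL, NULL, &si, &pi)) {
        return;
    }

    // Write the path into the child and queue LoadLibraryA + ExitThread on its
    // still-suspended initial thread.
    bool queued = false;
    LPVOID remotePath = VirtualAllocEx(pi.hProcess, NULL, pathBytes,
                                       MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (remotePath != NULL
        && WriteProcessMemory(pi.hProcess, remotePath, dllPath, pathBytes, NULL)
        && QueueUserAPC(pLoadLibraryA, pi.hThread, (ULONG_PTR)remotePath) != 0
        && QueueUserAPC(pExitThread, pi.hThread, 0) != 0) {
        queued = true;
    }

    if (queued) {
        ResumeThread(pi.hThread);
    } else {
        // Never leave a suspended child behind when any step failed.
        TerminateProcess(pi.hProcess, 1);
    }
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
}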
// No owned resources: every handle is closed inside InjectDLLTosvchost itself.
DLLInjection::~DLLInjection() = default;
被注入并执行的 DLL 大致如下(问题中说明这段代码是从 DllMain 调用的):
#pragma once
#define _CRT_SECURE_NO_WARNINGS
#include <stdio.h>
#include "funkcje.h"
#include <iostream>
#include <shellapi.h>
#include <windows.h>
#include <tchar.h>
using namespace std;
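/// Shows a message box, launches certmgr.exe to add a certificate to the
/// LocalMachine Root store, reports the result on stdout, and shows a second
/// message box.
///
/// NOTE(review): the question states this runs from DllMain. CreateProcess,
/// MessageBox and console I/O there execute under the loader lock and can
/// deadlock; run this from a thread started by DllMain, or from an exported
/// function, instead.
///
/// Writing to the LocalMachine Root store is an administrative operation by
/// design, so certmgr needs an elevated token in the hosting process -- which
/// matches the observation that it only works when started as administrator.
void Hello()
{
    MessageBoxW(NULL, L"poczatkowy messagebox", L"Tytul messagebox", MB_ICONINFORMATION);

    // One wide literal instead of sprintf + mbstowcs through undersized stack
    // buffers; quotes and backslashes are escaped so the literal compiles.
    // The first token is the module name: the CreateProcess documentation notes
    // that C-runtime programs take the first whitespace-delimited token of
    // lpCommandLine as argv[0], so a command line starting with " -add" would
    // hand certmgr "-add" as its program name.
    wchar_t cmdLine[] =
        L"certmgr.exe -add -all -c \"c:\\Users\\Damian\\Desktop\\wwwtesthttpdev.crt\" -s -r LocalMachine root";

    STARTUPINFOW startInfo = { 0 };
    startInfo.cb = sizeof(startInfo);  // required by CreateProcess
    PROCESS_INFORMATION processInfo = { 0 };
    // lpApplicationName is read-only; lpCommandLine must be writable, which is
    // why cmdLine is an array rather than a string literal.
    BOOL bSucces = CreateProcessW(
        L"c:\\Program Files\\Microsoft SDKs\\Windows\\v7.1A\\Bin\\certmgr.exe",
        cmdLine, NULL, NULL, FALSE, 0, NULL, NULL, &startInfo, &processInfo);
    if (bSucces)
    {
        cout << "Process Started" << endl
             << "Process ID: " << processInfo.dwProcessId << endl;
        // The handles returned by CreateProcess are ours to close (the original
        // leaked both).
        CloseHandle(processInfo.hThread);
        CloseHandle(processInfo.hProcess);
    }
    else
    {
        cout << "Error to start a process " << GetLastError() << endl;
    }
    MessageBoxW(NULL, L"koncowy messagebox", L"Tytul messagebox", MB_ICONINFORMATION);
    // No cin.get(): a DLL loaded into another process has no console to block
    // on, and blocking here would stall the host's thread for no benefit.
}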
并且 DLL 加载正常,因为我确实看到了两个消息框(一个在执行 CreateProcess 之前,一个在之后)。但问题是,我没有足够的权限让 certmgr.exe 命令成功(它返回"certmgr 不成功"的消息)。如果我以管理员权限运行程序,一切正常,但按理说不应该需要这样:我正在尝试把 DLL 注入到本应具有管理员权限的 svchost 进程,可即便如此我仍然没有权限。谁能帮我解答:如何让我的程序把管理员权限传递给在 DllMain 中执行的函数?提前谢谢!! 证书的错误
我也尝试过用 OpenProcess 注入到一个已经在运行的进程:
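/// Loads dllName into the process identified by processID with a remote
/// LoadLibraryA thread, then immediately unloads it again with a remote
/// FreeLibrary thread. Because of that second step only the DLL's
/// DLL_PROCESS_ATTACH work in DllMain ever runs in the target.
///
/// @param dllName   NUL-terminated ANSI path of the DLL.
/// @param processID PID of the target process.
/// @return true if LoadLibraryA succeeded in the target (and the unload was
///         requested); false on any failure.
///
/// NOTE(review): opening the target requires rights the caller must already
/// hold. A lower-integrity process cannot open an elevated or SYSTEM process
/// with these access bits, so this cannot grant the injector privileges it
/// does not already have.
bool Process::InjectDll(char * dllName, unsigned int processID)
{
    if (dllName == NULL) {
        return false;
    }
    // Include the terminator: LoadLibraryA reads a C string. The original's
    // strlen-sized copy only worked because the fresh page happened to be zeroed.
    const SIZE_T nameBytes = strlen(dllName) + 1;

    // Least privilege: the rights VirtualAllocEx, WriteProcessMemory and
    // CreateRemoteThread document, instead of PROCESS_ALL_ACCESS.
    const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                         PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    // OpenProcess signals failure with NULL, not INVALID_HANDLE_VALUE -- the
    // original check never fired, so every later call ran on an invalid handle.
    HANDLE pHandle = OpenProcess(access, FALSE, processID);
    if (pHandle == NULL) {
        return false;
    }
    // Close the process handle on every exit path (the original never did).
    struct HandleCloser {
        HANDLE h;
        ~HandleCloser() { CloseHandle(h); }
    } processGuard = { pHandle };

    HMODULE hK32 = GetModuleHandleA("kernel32.dll");
    if (hK32 == NULL) {
        return false;
    }
    const FARPROC pLoadLibraryA = GetProcAddress(hK32, "LoadLibraryA");
    const FARPROC pFreeLibrary = GetProcAddress(hK32, "FreeLibrary");
    if (pLoadLibraryA == NULL || pFreeLibrary == NULL) {
        return false;
    }

    LPVOID remoteName = VirtualAllocEx(pHandle, NULL, nameBytes,
                                       MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (remoteName == NULL) {
        return false;
    }

    DWORD moduleExitCode = 0;
    bool loaded = false;
    if (WriteProcessMemory(pHandle, remoteName, dllName, nameBytes, NULL)) {
        HANDLE tHandle = CreateRemoteThread(pHandle, NULL, 0,
            (LPTHREAD_START_ROUTINE)pLoadLibraryA, remoteName, 0, NULL);
        if (tHandle != NULL) {
            WaitForSingleObject(tHandle, INFINITE);
            // The thread's exit code is LoadLibraryA's return value: the HMODULE,
            // or 0 on failure. Exit codes are 32-bit, so on a 64-bit target this
            // is only the low half of the handle -- the same limitation the
            // original had.
            loaded = GetExitCodeThread(tHandle, &moduleExitCode) && moduleExitCode != 0;
            CloseHandle(tHandle);
        }
    }
    VirtualFreeEx(pHandle, remoteName, 0, MEM_RELEASE);
    if (!loaded) {
        return false;
    }

    // FreeLibrary must receive the module handle *value*. The original passed the
    // address of a local variable in the injector, which means nothing in the
    // target's address space.
    HANDLE freeThread = CreateRemoteThread(pHandle, NULL, 0,
        (LPTHREAD_START_ROUTINE)pFreeLibrary, (LPVOID)(ULONG_PTR)moduleExitCode, 0, NULL);
    if (freeThread != NULL) {
        WaitForSingleObject(freeThread, INFINITE);
        CloseHandle(freeThread);
    }
    return true;
}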
但它也不起作用
使用 CreateProcess 时,您是在启动 svchost 的另一个实例,并且使用了默认安全描述符(引自 MSDN):"如果 lpProcessAttributes 为 NULL 或 lpSecurityDescriptor 为 NULL,则进程将获得默认的安全描述符"。不过要注意,安全描述符只决定谁能打开/访问这个进程对象,并不决定它以什么权限运行;真正起作用的是访问令牌。MSDN 同样指出,新进程在调用进程的安全上下文中运行——它继承调用者的令牌(同样的用户、组和完整性级别)。因此,从一个未提升权限的注入器启动的 svchost.exe 同样是未提升的,它并不会因为名字叫 svchost 就获得管理员权限,这也是为什么 certmgr 在其中会失败。
相反,如果您的注入器使用 OpenProcess 注入到一个已经提升权限(高完整性级别或以 SYSTEM 运行)的 svchost 实例中,在该进程内执行的 certmgr 就能够成功。但前提是注入器本身必须有权以 PROCESS_VM_WRITE、PROCESS_CREATE_THREAD 等访问权打开该进程——对于 SYSTEM 进程这通常意味着注入器自己已经以管理员身份运行并启用了 SeDebugPrivilege;完整性级别较低的进程无法打开更高完整性级别的进程。换句话说,这种做法只是把您已有的权限用在另一个进程里,并不能绕过 UAC 获得您原本没有的权限。