小白求助,关于CreateRemoteThread远程注入代码
0
悬赏园豆:200
[待解决问题]
远程注入代码,编译没有错误
但是执行的时候弹出内存不能为read的错误
错误在目标进程弹出的,错误地址是目标进程里申请好的远程线程函数
代码看了两天了还是找不到错误在哪,头很痛
求大佬帮忙看看错在哪里了,谢谢大佬了
include "pch.h" //进程通信
include <iostream>
include <stdlib.h>
include <windows.h>
include <string.h>
include <Tlhelp32.h>
typedef struct gCreateFile {
LPVOID CreateFileAPIAddr;
LPCTSTR lpFileName;
DWORD dwDesiredAccess;
DWORD dwShareMode;
LPSECURITY_ATTRIBUTES lpSecurityAttributes;
DWORD dwCreationDisposition;
DWORD dwFlagsAndAttributes;
HANDLE hTemplateFile;
}GCREATEFILE; //结构体,Create File需要的一些参数
//声明函数指针,模仿CreateFile函数
typedef HANDLE (WINAPI * PCREATEFILE)(LPCTSTR lpFileName,
DWORD dwDesiredAccess,
DWORD dwShareMode,
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
DWORD dwCreationDisposition,
DWORD dwFlagsAndAttributes,
HANDLE hTemplateFile);
DWORD __stdcall ThreadProc(LPVOID lpParameter) //线程函数,用来远程注入
{
printf("++++\n"); //表示远程线程启动
GCREATEFILE* gCreateFile = (GCREATEFILE*)lpParameter;
PCREATEFILE pCreateFile;//声明函数指针类型的变量
pCreateFile = (PCREATEFILE)gCreateFile->CreateFileAPIAddr; //为函数指针变量赋予CreateFile函数的地址
pCreateFile(gCreateFile->lpFileName, //开始执行函数
gCreateFile->dwDesiredAccess,
gCreateFile->dwShareMode,
gCreateFile->lpSecurityAttributes,
gCreateFile->dwCreationDisposition,
gCreateFile->dwFlagsAndAttributes,
gCreateFile->hTemplateFile);
printf("****\n"); //远程线程运行完成
return 0;
}
PROCESSENTRY32 p32 = { 0 };
HANDLE hProcess = NULL; //进程的句柄
using namespace std;
HANDLE handles()
{
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); //快照
p32.dwSize = sizeof(p32);
Process32First(hSnap, &p32);
do {
if (strcmp(p32.szExeFile, "TEST2.exe") == 0)
{
cout << "遍历成功" << endl;
CloseHandle(hSnap);
hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, p32.th32ProcessID);
return hProcess;
}
} while (Process32Next(hSnap, &p32));
cout << "遍历失败" << endl;
return NULL;
}
using namespace std;
void main()
{
DWORD dwFunAddr; //CreateFile函数地址
DWORD LenghOfFun = 0x78; //线程函数大小
GCREATEFILE gCreateFile; //结构体变量
HMODULE hModule;
LPVOID dwLocation_FileName; //申请的文件路径地址
LPVOID dwLocation_Fun; //申请的函数地址
LPVOID dwLocation_Struct; //申请的结构体地址
char* FileName = (char*)"E://FileTest//A.txt"; //创建文件的路径
handles(); //遍历进程
if (hProcess == NULL)
{
printf("Error hProcess %d\n",GetLastError());
return;
}
//初始化结构体
gCreateFile.dwDesiredAccess = GENERIC_READ | GENERIC_WRITE;
gCreateFile.dwShareMode = 0;
gCreateFile.lpSecurityAttributes = NULL;
gCreateFile.dwCreationDisposition = OPEN_ALWAYS;
gCreateFile.dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL;
gCreateFile.hTemplateFile = NULL;
//远程申请空间 来存储文件名,函数,结构体参数
dwLocation_FileName = VirtualAllocEx(hProcess, NULL, strlen(FileName)+1, MEM_COMMIT, PAGE_READWRITE);//文件路径
dwLocation_Fun = VirtualAllocEx(hProcess, NULL, LenghOfFun, MEM_COMMIT, PAGE_READWRITE);//函数
dwLocation_Struct = VirtualAllocEx(hProcess, NULL, sizeof(GCREATEFILE), MEM_COMMIT, PAGE_READWRITE);//结构体
if (!dwLocation_FileName || !dwLocation_Fun || !dwLocation_Struct)
{
printf("Error VirtualAllocEx %d\n", GetLastError());
return;
}
//获取CreateFile函数地址hModule = LoadLibrary("kernel32.dll");
gCreateFile.CreateFileAPIAddr = (LPVOID)GetProcAddress(hModule, "CreateFileA");
if (!gCreateFile.CreateFileAPIAddr) printf("Error GetProcAddress %d\n",GetLastError());
gCreateFile.lpFileName = (LPCTSTR)dwLocation_FileName; //初始化CreateFile文件名
//修改线程函数起始地址
dwFunAddr = (DWORD)ThreadProc; //得到函数的起始地址
if ((BYTE)dwFunAddr == 0xE9)
{
dwFunAddr = dwFunAddr + 5 + (DWORD)(dwFunAddr + 1);
}
//开始复制
//写入结构体
BOOL bRet = WriteProcessMemory( //写入数据到指定进程的内存中
hProcess, //进程句柄
dwLocation_Struct, //指定进程内存中的指定位置
&gCreateFile, //需要写入的数据 ←LPCVOID == const void*(常量void类型指针)
sizeof(GCREATEFILE), //写多少,需要写入的长度
NULL); //填NULL就好
//写入函数
BOOL bRet2 = WriteProcessMemory( //写入数据到指定进程的内存中
hProcess, //进程句柄
dwLocation_Fun, //指定进程内存中的指定位置
ThreadProc, //需要写入的数据 ←LPCVOID == const void*(常量void类型指针)
LenghOfFun, //写多少,需要写入的长度
NULL); //填NULL就好
//写入路径
BOOL bRet3 = WriteProcessMemory( //写入数据到指定进程的内存中
hProcess, //进程句柄
dwLocation_FileName, //指定进程内存中的指定位置
FileName, //需要写入的数据 ←LPCVOID == const void*(常量void类型指针)
sizeof(GCREATEFILE), //写多少,需要写入的长度
NULL); //填NULL就好
if (!bRet2)
{
printf("Error WriteProcess %d\n", GetLastError());
return;
}
if (!bRet || !bRet2 || !bRet3)
{
printf("Error WriteProcess %d\n",GetLastError());
return;
}
//开始执行
HANDLE hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)dwLocation_Fun, dwLocation_Struct, 0, NULL);
if (!hThread)
{
printf("Error CreateRemoteThread %d\n", GetLastError());
return;
}
CloseHandle(hThread);
fflush(stdin);
getchar();
return;
}
