问题描述
我正在尝试将一个 DLL 注入到一个现有进程中,使用的是 CreateRemoteThread + LoadLibrary 的方法。我知道它的原理,但不明白为什么 CreateRemoteThread 会返回 NULL(失败)……我用的是 Windows 7,这可能是原因,但我不确定。是否需要先设置特权?我的代码如下:
/* Name of the DLL handed to the injector below. Only a bare file name is
 * given, not a full path; this string is what the remote thread receives. */
#define DLL_NAME \"message.dll\"
/* Entry point: asks InjectDLL to load DLL_NAME into the process with the
 * hard-coded id 1288. The BOOL result is discarded, so failure is silent.
 * `void main()` is not a standard C signature (`int main(void)` is), and
 * no prototype for InjectDLL is visible above this call, so as printed this
 * relies on an implicit declaration. */
void main()
{
InjectDLL(1288,DLL_NAME);
}
/*
 * InjectDLL — loads the DLL named by lpszDLLPath into process dwProcessId
 * by copying the path into the target's address space and starting a
 * remote thread at kernel32's LoadLibraryA.
 *
 * dwProcessId   id of the target process.
 * lpszDLLPath   NUL-terminated DLL path (or bare file name, as main passes).
 * Returns TRUE only if the remote thread ran to completion and its exit
 * code was non-zero; any failure along the way yields FALSE with no
 * indication of which step failed (GetLastError is never consulted), which
 * is why the reported "CreateRemoteThread returns NULL" is hard to
 * diagnose from this code alone.
 *
 * Review notes on this listing as printed:
 *  - WriteProcessMemory, CreateRemoteThread and VirtualFreeEx are each
 *    called with fewer arguments than their Win32 prototypes take; dwMemSize
 *    is computed but only reaches VirtualAllocEx, and lpBaseAddr never
 *    reaches CreateRemoteThread or VirtualFreeEx. The listing therefore
 *    looks truncated (copy/extraction loss) rather than something that
 *    compiled as shown.
 *  - "PROCESS_QUERY_@R_138_4045@ION" in the OpenProcess flags is a garbled
 *    identifier, not a real access right; its prefix and suffix match
 *    PROCESS_QUERY_INFORMATION.
 *  - Assignments inside if() conditions are unparenthesized, which most
 *    compilers warn about and which obscures the NULL checks.
 *  - From a defensive standpoint, OpenProcess with VM_WRITE/CREATE_THREAD
 *    rights -> VirtualAllocEx -> WriteProcessMemory -> a remote thread
 *    starting at LoadLibraryA is the well-known injection pattern that
 *    endpoint monitoring watches for; a failing CreateRemoteThread may be
 *    a security product blocking it, not only a missing privilege.
 */
BOOL InjectDLL(DWORD dwProcessId,LPCSTR lpszDLLPath)
{
HANDLE hProcess,hThread;
LPVOID lpBaseAddr,lpFuncAddr;
DWORD dwMemSize,dwExitCode;
BOOL bSuccess = FALSE;
HMODULE hUserDLL;
/* Open the target with the rights the steps below need. If the caller is
 * not allowed to open this process (see the answer about SeDebugPrivilege),
 * this is the first call that fails. */
if((hProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_QUERY_@R_138_4045@ION|PROCESS_VM_OPERATION
|PROCESS_VM_WRITE|PROCESS_VM_READ,FALSE,dwProcessId)))
{
/* Bytes for the path including its terminator; only used for the allocation. */
dwMemSize = lstrlen(lpszDLLPath) + 1;
if(lpBaseAddr = VirtualAllocEx(hProcess,NULL,dwMemSize,MEM_COMMIT,PAGE_READWRITE))
{
/* As printed, no byte count is passed here (dwMemSize is not used). */
if(WriteProcessMemory(hProcess,lpBaseAddr,lpszDLLPath,NULL))
{
/* Resolve LoadLibraryA's address in this process. GetProcAddress takes a
 * narrow LPCSTR name, so TEXT() on it only compiles in a non-UNICODE build. */
if(hUserDLL = LoadLibrary(TEXT(\"kernel32.dll\")))
{
if(lpFuncAddr = GetProcAddress(hUserDLL,TEXT(\"LoadLibraryA\")))
{
/* As printed, the remote thread gets no parameter; lpBaseAddr is unused
 * past WriteProcessMemory. The author reports this call returns NULL. */
if(hThread = CreateRemoteThread(hProcess,lpFuncAddr,NULL))
{
WaitForSingleObject(hThread,INFINITE);
/* The remote thread's DWORD exit code is the only success signal:
 * non-zero is treated as "the DLL loaded". */
if(GetExitCodeThread(hThread,&dwExitCode)) {
bSuccess = (dwExitCode != 0) ? TRUE : FALSE;
}
CloseHandle(hThread);
}
}
FreeLibrary(hUserDLL);
}
}
/* As printed, the address to release (lpBaseAddr) is not passed. */
VirtualFreeEx(hProcess,MEM_RELEASE);
}
CloseHandle(hProcess);
}
return bSuccess;
}
解决方法
是的,在打开目标进程之前您需要先启用相应特权,代码如下:
/*
 * GimmePrivileges — enables SeDebugPrivilege (SE_DEBUG_NAME) on the calling
 * process's token; the answer's point is that this must happen before
 * OpenProcess on a foreign process. The privilege can only be enabled if
 * the account already holds it (by default, administrators), so this is
 * not a bypass, just a request to switch on a right the token already has.
 *
 * Review notes:
 *  - Declared to return int but has no return statement; using its value
 *    is undefined behavior. Returning a BOOL would match InjectDLL's style.
 *  - As printed, the OpenProcessToken condition is missing a closing ')'.
 *  - Token is never closed with CloseHandle (handle leak).
 *  - LookupPrivilegeValue and AdjustTokenPrivileges results are not checked.
 *    AdjustTokenPrivileges can return TRUE without granting anything; only
 *    GetLastError() == ERROR_NOT_ALL_ASSIGNED afterwards exposes that, so a
 *    refused privilege is indistinguishable from success here.
 *  - Enabling SeDebugPrivilege is a privileged-token change that Windows
 *    can audit; defenders should treat a non-debugger process doing this as
 *    a signal worth correlating with later OpenProcess/remote-thread
 *    activity.
 */
int GimmePrivileges(){
HANDLE Token;
TOKEN_PRIVILEGES tp;
/* Open our own token for adjustment; nothing below runs if this fails. */
if(OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token)
{
/* Translate the privilege name to its LUID (result unchecked). */
LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tp.Privileges[0].Luid);
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
/* Request the change; return value and GetLastError are ignored. */
AdjustTokenPrivileges(Token,&tp,sizeof(tp),NULL,NULL);
}
}
另一件事……这段代码很混乱!!!您需要整理一下!