问题描述
最近,我研究了dll注入技术并对其进行了测试。其中之一是通过CreateRemoteThread和NtCreateThreadEx进行的dll注入。我调查了CreateRemoteThread,并发现它在内部称为NtCreateThreadEx。问题是,CreateRemoteThread可以正常工作,但NtCreateThreadEx不能正常工作。代码如下。
struct NtCreateThreadExBuffer {
ULONG Size;
ULONG Unknown1;
ULONG Unknown2;
PULONG Unknown3;
ULONG Unknown4;
ULONG Unknown5;
ULONG Unknown6;
PULONG Unknown7;
ULONG Unknown8;
};
typedef NTSTATUS(WINAPI *LPFUN_NtCreateThreadEx) (
OUT PHANDLE hThread,IN ACCESS_MASK DesiredAccess,IN LPVOID ObjectAttributes,IN HANDLE ProcessHandle,IN LPTHREAD_START_ROUTINE lpStartAddress,IN LPVOID lpParameter,IN BOOL CreateSuspended,IN ULONG StackZeroBits,IN ULONG SizeOfStackCommit,IN ULONG SizeOfStackReserve,OUT LPVOID lpBytesBuffer
);
...
HMODULE ntdll = GetModuleHandle(L"ntdll.dll");
HMODULE kernel32 = GetModuleHandle(L"kernel32.dll");
PTHREAD_START_ROUTINE ntCreateThreadExAddr = (PTHREAD_START_ROUTINE)GetProcAddress(ntdll,"NtCreateThreadEx");
lpfnLoadLibrary = GetProcAddress(kernel32,"LoadLibraryA");
NtCreateThreadExBuffer ntbuffer;
DWORD dwTmp1 = 0;
DWORD dwTmp2 = 0;
memset(&ntbuffer,sizeof(NtCreateThreadExBuffer));
if (ntCreateThreadExAddr)
{
ntbuffer.Size = sizeof(struct NtCreateThreadExBuffer);
ntbuffer.Unknown1 = 0x10003;
ntbuffer.Unknown2 = 0x8;
ntbuffer.Unknown3 = &dwTmp2;
ntbuffer.Unknown4 = 0;
ntbuffer.Unknown5 = 0x10004;
ntbuffer.Unknown6 = 4;
ntbuffer.Unknown7 = &dwTmp1;
ntbuffer.Unknown8 = 0;
LPFUN_NtCreateThreadEx funNtCreateThreadEx = (LPFUN_NtCreateThreadEx)ntCreateThreadExAddr;
NTSTATUS status = 0;
status = funNtCreateThreadEx(
&hThread,0x1FFFFF,NULL,hCurrp,(LPTHREAD_START_ROUTINE)lpfnLoadLibrary,(LPVOID)param,FALSE,&ntbuffer
);
}
此代码的有趣之处在于错误代码为31,状态为-1073741819。如果有人知道这一点,请教我。预先感谢。
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)