dll注入怎么做

问题描述

我尝试用Go进行DLL注入,但是失败了。

我正在准备要用C ++注入的DLL文件。那是问题吗?

使用C ++编写的DLL:

image

我尝试像这样用Go注入DLL文件

image

但是当调用CreateRemoteThread()函数时,Notepad++就关闭了

image

为什么我失败了?我哪里出错了?

TestD.dll代码

#include "pch.h"    

// DllMain: loader entry point of TestD.dll. On DLL_PROCESS_ATTACH it shows a
// modal MessageBox; every other reason code is a no-op. Always returns TRUE,
// so the load is never refused by the DLL itself.
//
// NOTE(review): DllMain runs while the loader lock is held; Microsoft's DllMain
// guidance advises against calling anything outside kernel32 (MessageBox is a
// user32 call) from here. A hang or the host process closing during attach
// may stem from this, independent of the injector — worth confirming.
BOOL APIENTRY DllMain(HMODULE hModule,DWORD  ul_reason_for_call,LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        // The MB_RETRYCANCEL result is discarded; the box is purely a visible marker.
        MessageBox(NULL,L"DLL_PROCESS_ATTACH STARTED",L"DLL_PROCESS_ATTACH TITLE",MB_RETRYCANCEL);
    }
    // No break above: control falls through into the labels below. They only
    // break, so the behaviour is the same as an explicit break — add one to
    // make the intent clear and keep compilers' fallthrough warnings quiet.
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

Go InjectApp代码

// Fragment of the injector's main function: the enclosing `func main() {`
// line is not shown on the page; the closing brace at the bottom is its end.
// Flow as written: find the Notepad++ window, open its process, allocate a
// buffer there, write the DLL path into it, resolve LoadLibraryA locally and
// start a remote thread at that address with the buffer as its argument.
var dllPath = "C:\\Users\\RecaiCingoz\\go\\src\\TestD.dll"
    className := syscall.StringToUTF16Ptr("Notepad++")
    // hwnd is printed but never checked for 0 (window not found).
    hwnd := win32services.FindWindowW(className,nil)
    fmt.Println("Process HWND",hwnd)

    _,processID := win32services.GetwindowThreadProcessId(hwnd)
    // The OpenProcess error is discarded; a zero handle would be used silently below.
    hProcess,_ := win32services.OpenProcess(win32services.PROCESS_ALL_ACCESS,false,uint32(processID))

    // Allocation is sized to len(dllPath) only — no room for the terminating
    // NUL that LoadLibraryA expects (the updated version further down uses len+1).
    // The VirtualAllocEx error is also discarded.
    baseAddress,_ := win32services.VirtualAllocEx(hProcess,len(dllPath),win32services.MEM_COMMIT,win32services.PAGE_READWRITE)
    // uint32(baseAddress) truncates a 64-bit pointer when the program is built
    // for amd64 — this is the cause identified in the accepted explanation at
    // the end of the page.
    err := win32services.WriteProcessMemory(hProcess,uint32(baseAddress),[]byte(dllPath),0)
    if err != nil {
        fmt.Println(err)
    }

    // loadLib is the address of LoadLibraryA in *this* process's kernel32; the
    // code relies on kernel32 being mapped at the same base in the target.
    modLib,_ := syscall.LoadLibrary("kernel32.dll")
    loadLib,err := syscall.GetProcAddress(modLib,"LoadLibraryA")
    if err != nil {
        fmt.Println(err)
    }

    // Five arguments are passed, but the CreateRemoteThread wrapper shown
    // below declares six (stackSize is missing), so this does not compile as
    // written. err is assigned here and never checked afterwards.
    hRemoteThread,_,err := win32services.CreateRemoteThread(hProcess,nil,loadLib,baseAddress,0)
fmt.Println(hRemoteThread)

}

CreateRemoteProccess函数

// CreateRemoteThread wraps kernel32!CreateRemoteThread through
// procCreateRemoteThread (declared elsewhere in the package). It returns the
// new thread's handle, its thread id and the error value produced by Call.
//
// NOTE(review): (*syscall.Proc).Call never returns a nil error — on success
// e1 is ERROR_SUCCESS, a non-nil syscall.Errno — so a caller that tests
// `err != nil` treats every call as failed. Callers should decide on r1 (or
// on the returned handle) and only consult e1 when r1 == 0.
func CreateRemoteThread(hprocess HANDLE,sa *syscall.SecurityAttributes,stackSize uint32,startAddress uintptr,parameter uintptr,creationFlags uint32) (HANDLE,uint32,error) {
    var threadId uint32
    r1,e1 := procCreateRemoteThread.Call(
        uintptr(hprocess),uintptr(unsafe.Pointer(sa)),uintptr(stackSize),startAddress,parameter,uintptr(creationFlags),uintptr(unsafe.Pointer(&threadId)))

    if int(r1) == 0 {
        // BUG: returns two values from a three-result function, so this file
        // does not compile; a thread id (0) is missing between the handle and e1.
        return INVALID_HANDLE,e1
    }
    return HANDLE(r1),threadId,e1
}

如何在Go中进行DLL注入?谁能帮我吗?

WriteProcessMemory

编辑:已添加

代码已更新。当前代码:

应用程序(Notepad++)仍然崩溃。

package main

import (
    "github.com/JamesHovIoUs/w32"
    "syscall"
)

// main is the updated injector: it resolves DTest.dll to a full path, finds the
// Notepad++ window, opens its process, allocates and writes a buffer there,
// resolves LoadLibraryA from the local kernel32, starts a remote thread, waits
// for it and closes the handles. Every failure except CreateRemoteThread's
// panics.
//
// NOTE(review): the earlier snippet on this page loads TestD.dll; confirm
// which file name is intended.
func main() {
    // FullPath resolves relative to the current working directory; its error is
    // discarded, so a missing file is only noticed inside the target process.
    dllPath,_ := syscall.FullPath("DTest.dll")

    className,_ := syscall.UTF16PtrFromString("Notepad++")
    // hwnd is not checked for 0; with no window found processId will be 0 too.
    hwnd := w32.FindWindowW(className,nil)
    _,processId := w32.GetwindowThreadProcessId(hwnd)

    var dwMemSize int
    var hProc w32.HANDLE
    var err error
    var lpRemoteRem,lpLoadLibrary uintptr

    hProc,err = w32.OpenProcess(w32.PROCESS_ALL_ACCESS,uint32(processId))
    if err == nil {
        // +1 reserves room for the terminating NUL of the path string.
        dwMemSize = len(dllPath) + 1
        lpRemoteRem,err = w32.VirtualAllocEx(hProc,dwMemSize,w32.MEM_RESERVE|w32.MEM_COMMIT,w32.PAGE_READWRITE)
        if err == nil {
            // uint32(lpRemoteRem) truncates the 64-bit remote address when this
            // program is built for amd64 — the cause given in the accepted
            // explanation at the end of the page. Also, unlike the earlier
            // snippet, no buffer holding dllPath is passed here; the w32
            // WriteProcessMemory signature is not on the page, so verify what
            // is actually written into the allocated region.
            err = w32.WriteProcessMemory(hProc,uint32(lpRemoteRem),uint(dwMemSize))
            if err == nil {
                // LoadLibrary error discarded; a zero module handle would make
                // GetProcAddress fail and be reported as its error instead.
                modulKernel,_ := syscall.LoadLibrary("kernel32.dll")
                lpLoadLibrary,err = syscall.GetProcAddress(modulKernel,"LoadLibraryA")
                if err == nil {
                    // Same uint32 truncation as above: on amd64 the thread starts
                    // at a bogus address, which is what crashes the host process.
                    hTread,err := w32.CreateRemoteThread(hProc,uint32(lpLoadLibrary),lpRemoteRem,0)
                    if err == nil {
                        // The last argument to CreateRemoteThread is 0, so the
                        // thread is presumably not created suspended and
                        // ResumeThread is a no-op here — confirm against the wrapper.
                        w32.ResumeThread(hTread)
                        w32.WaitForSingleObject(hTread,syscall.INFINITE)
                        // Queries the *process* exit code, not the remote thread's;
                        // `:=` also declares a new err that shadows the outer one.
                        _,err := w32.GetExitCodeProcess(hProc)
                        if err == nil {
                            w32.CloseHandle(hTread)
                        } else {
                            // hTread is leaked on this path.
                            panic(err)
                        }
                    } else {
                        // Empty branch: a CreateRemoteThread failure is silently
                        // dropped, unlike every other error in this function.
                    }
                } else {
                    panic(err)
                }
            } else {
                panic(err)
            }
        } else {
            // Reached only when VirtualAllocEx failed, i.e. there is nothing to
            // free; the successful allocation is never released anywhere.
            w32.VirtualFreeEx(hProc,w32.MEM_RELEASE)
            panic(err)
        }
    } else {
        panic(err)
    }

    // Only reached on the fully successful path; every panic above skips it.
    w32.CloseHandle(hProc)

}

Error message I see when I look at the event log

解决方法

LoadLibrary的返回类型是syscall.Handle(type Handle uintptr),返回值:140715276042240。GetProcAddress的返回类型是uintptr,返回值:140715276174480。

140715276042240和140715276174480是会被截断的x64地址:x86的最大地址为0xFFFFFFFF,转换为十进制后为4294967295,这两个值都超过了它。

您使用GO(x64版本)编译程序,并用uint32将地址转换为x86地址。最后,您得到一个无效的地址。这就是Notepad++崩溃的原因。

解决方案:使用GO(x86)编译程序。