C++注入代码
C++ Injection Code
(我所指的整个代码见下文)
我正在尝试在 Visual C++ 2010 Express 中运行此代码(http://www.codeproject.com/Tips/740480/Code-Injection-A-Generic-Approach-for-bit-and-bit)以将代码注入 explorer.exe,但是当我从命令行运行它时,它输出"Error!",这意味着 thread 的值为 0。我猜测
LPVOID DataAddress = VirtualAllocEx(p, NULL, sizeof(PARAMETERS), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(p, DataAddress, &data, sizeof(PARAMETERS), NULL);
HANDLE thread = CreateRemoteThread(p, NULL, 0, (LPTHREAD_START_ROUTINE)MyFuncAddress, DataAddress, 0, NULL);
由于某种原因无法为 notepad.exe 分配空间,或者找不到 notepad.exe?
我对 C++ 知之甚少,正在努力理解这段代码。不知道是否有帮助:我已经验证了 explorer.exe 的 pid 是正确的(打印出 pid 并用 tasklist 核对)。在 Visual C++ 中,我把它作为空白项目运行,生成时没有报错。所以我的总体判断是:代码本身可以运行,但由于某种原因无法正确分配空间或启动 notepad.exe? 我熟悉 Python,通常的做法是打印一堆调试信息。我应该在这段代码中打印什么来帮助调试?
另外,在代码下方,我放置了调试信息。
/*
Application: Code injection into a running process.
Author: _RT
Dated: 07-March-2014
*/
#include <windows.h>
#include <fstream>
#include <stdlib.h>
#pragma comment(lib,"advapi32.lib")
#pragma comment(lib,"user32.lib")
// Function-pointer type with the CreateProcessA signature. myFunc (below) invokes
// CreateProcessA through a pointer of this type, taken from PARAMETERS::CreateProcessInj,
// rather than by name.
typedef BOOL (WINAPI* CreatePrcssParam)(LPCTSTR, LPTSTR, LPSECURITY_ATTRIBUTES,
LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCTSTR, LPVOID, LPVOID);
// Argument block that main copies verbatim (WriteProcessMemory) into the target
// process and passes to the remote thread as its single parameter. It must therefore
// make sense in the target's address space: the strings are inline arrays rather than
// pointers into this process, and the pointer members are either NULL or addresses
// returned by VirtualAllocEx on the target.
struct PARAMETERS{
LPVOID CreateProcessInj; // address of CreateProcessA as resolved by GetProcAddress in main
char lpApplicationName[50]; // NUL-terminated path of the program to start; strcpy_s limits it to 49 chars
char lpCommandLine[10]; // filled in main but never forwarded: myFunc passes NULL as lpCommandLine
LPSECURITY_ATTRIBUTES lpProcessAttributes; // set to NULL in main
LPSECURITY_ATTRIBUTES lpThreadAttributes; // set to NULL in main
BOOL bInheritHandles; // set to FALSE in main
DWORD dwCreationFlags; // set to NULL (0) in main
LPVOID lpEnvironment; // set to NULL in main
LPCTSTR lpCurrentDirectory; // set to NULL in main
LPVOID lpStartupInfo; // remote-process address of a STARTUPINFOA block (StrtUpInfo in main)
LPVOID lpProcessInformation; // remote-process address of a PROCESS_INFORMATION block (PrcssInfo in main)
};
int privileges(); // enables SeDebugPrivilege on the current process token; 0 = success, 1 = failure
DWORD myFunc(PARAMETERS * myparam); // payload that main copies into the target process and runs there
DWORD Useless(); //used to calculate size of myFunc(): main treats (PBYTE)Useless - (PBYTE)myFunc as myFunc's byte length
// NOTE(review): myFunc and Useless are declared here without `static` but defined below
// as `static`; toolchains may warn about or reject the conflicting linkage — confirm.
// Entry point: picks a target process by window title, copies myFunc and a PARAMETERS
// block into it, and runs myFunc there on a remote thread.
// Returns 1 if OpenProcess fails; EXIT_SUCCESS otherwise, including the path that
// prints "Error!" because CreateRemoteThread returned NULL.
int main()
{
privileges(); // return value (0 = success, 1 = failure) is ignored; a failure here only surfaces later as an OpenProcess/CreateRemoteThread error
_STARTUPINFOA si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
ZeroMemory(&pi, sizeof(pi));
DWORD pid;
// Target selection: the process that owns a top-level window titled "Start Menu"
// (the question text says the intended target is explorer.exe). FindWindow's result
// is not checked; if no such window exists the lookup fails and pid may be left
// uninitialized, so OpenProcess below would operate on garbage.
GetWindowThreadProcessId(FindWindow(NULL, "Start Menu"), &pid);
HANDLE p;
// PROCESS_ALL_ACCESS on another process needs SeDebugPrivilege or equivalent rights.
// A full-access handle to a foreign process is itself a common audit / EDR telemetry point.
p = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
if (p == NULL)
{
printf("ERROR"); // NOTE(review): printf is used but neither <cstdio> nor <stdio.h> is included; relies on transitive includes
return 1; //error
}
// NOTE(review): as shown, this literal has single backslashes; in C/C++ source they must
// be written as "\\" (here "\n" would be a newline). The surrounding page appears to have
// lost backslashes in extraction, so the original source may well have had "\\".
char * AppName = "C:\Windows\system32\notepad.exe";
char * CmdLine = "";
//STARTUPINFO and PROCESS_INFORMATION are allocated and filled inside the target, since
//CreateProcessA is called from there and needs pointers valid in that address space.
LPVOID StrtUpInfo = VirtualAllocEx(p, NULL, sizeof(si), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(p, StrtUpInfo, &si, sizeof(si), NULL);
// Allocated with sizeof(si), not sizeof(pi); the write below copies sizeof(pi) bytes.
LPVOID PrcssInfo = VirtualAllocEx(p, NULL, sizeof(si), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(p, PrcssInfo, &pi, sizeof(pi), NULL);
// None of the VirtualAllocEx / WriteProcessMemory results in this function are checked.
//=========================================================
PARAMETERS data = {0};
// CreateProcessA's address is resolved in THIS process and stored for use in the target;
// presumably this relies on kernel32.dll being mapped at the same base in both — confirm.
HMODULE Kernel32 = LoadLibrary("Kernel32.dll");
data.CreateProcessInj = GetProcAddress(Kernel32, "CreateProcessA");
strcpy_s(data.lpApplicationName,AppName);
strcpy_s(data.lpCommandLine, CmdLine);
data.lpProcessAttributes = NULL;
data.lpThreadAttributes = NULL;
data.bInheritHandles = FALSE;
data.dwCreationFlags = NULL; // NULL used as the DWORD value 0
data.lpEnvironment = NULL;
data.lpCurrentDirectory = NULL;
data.lpStartupInfo = StrtUpInfo;
data.lpProcessInformation = PrcssInfo;
// myFunc's length is taken as the distance to the next function in the source file.
// This assumes the toolchain emits the two functions contiguously, in source order, and
// that the function pointers are the real code addresses; none of that is guaranteed.
DWORD size_myFunc = (PBYTE)Useless - (PBYTE)myFunc; //this gets myFunc's size
//Copy myFunc's code into the target as an RWX region. Remote RWX allocation followed by
//WriteProcessMemory and CreateRemoteThread is the classic code-injection pattern that
//endpoint security products specifically look for.
LPVOID MyFuncAddress = VirtualAllocEx(p, NULL, size_myFunc, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(p, MyFuncAddress, (void*)myFunc, size_myFunc, NULL);
//Copy the PARAMETERS block; its remote address becomes myFunc's argument.
LPVOID DataAddress = VirtualAllocEx(p, NULL, sizeof(PARAMETERS), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(p, DataAddress, &data, sizeof(PARAMETERS), NULL);
// Returns NULL on failure (reported as "Error!" below); GetLastError() is never consulted.
HANDLE thread = CreateRemoteThread(p, NULL, 0, (LPTHREAD_START_ROUTINE)MyFuncAddress, DataAddress, 0, NULL);
if (thread != 0){
//injection completed: wait for the remote thread to finish, then release the memory
WaitForSingleObject(thread, INFINITE); //blocks until the remote thread exits; its exit code is always 0 (see myFunc)
// NOTE(review): MyFuncAddress and DataAddress live in process p, but VirtualFree acts on
// the calling process's address space, so these calls do not release the remote regions
// (VirtualFreeEx takes the process handle). StrtUpInfo / PrcssInfo are never freed.
VirtualFree(MyFuncAddress, 0, MEM_RELEASE); //free myFunc memory
VirtualFree(DataAddress, 0, MEM_RELEASE); //free data memory
CloseHandle(thread);
CloseHandle(p); //the process handle is closed only on this path; the "Error!" path below leaks it
}
else{
printf("Error!"); // the failure reason is not printed (no GetLastError())
}
return EXIT_SUCCESS; // returned even after "Error!"
}
// Payload: main copies this function's bytes into the target process and starts a
// remote thread on the copy with a PARAMETERS block as the argument. The body touches
// nothing but that argument (the CreateProcessA pointer and the values stored in it),
// which is what lets the copied bytes run in another process. The return value is
// the remote thread's exit code; main never inspects it.
static DWORD myFunc(PARAMETERS * myparam){
CreatePrcssParam CreatePrcss = (CreatePrcssParam)myparam->CreateProcessInj;
// lpCommandLine is passed as NULL, so PARAMETERS::lpCommandLine is never used here.
BOOL result = CreatePrcss((LPCTSTR)myparam->lpApplicationName, NULL,
myparam->lpProcessAttributes, myparam->lpThreadAttributes,
myparam->bInheritHandles, myparam->dwCreationFlags, myparam->lpEnvironment,
myparam->lpCurrentDirectory, myparam->lpStartupInfo, myparam->lpProcessInformation);
// `result` is discarded and 0 is always returned, so the caller cannot tell from the
// thread exit code whether CreateProcessA succeeded.
return 0;
}
// Never called. Its only role is as an address marker: main computes
// (PBYTE)Useless - (PBYTE)myFunc as the byte length of myFunc, which assumes the
// toolchain places the two functions contiguously and in source order — not guaranteed
// by the language, and layout can differ between build configurations.
static DWORD Useless(){
return 0;
}
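/*
 * Enable SeDebugPrivilege on the current process token. The caller (main) needs it
 * to open another user's or system process with PROCESS_ALL_ACCESS.
 *
 * Returns 0 on success, 1 on failure: the token could not be opened, the privilege
 * name could not be resolved, AdjustTokenPrivileges failed, or the privilege is not
 * held by the token at all (AdjustTokenPrivileges then still returns non-zero but
 * sets ERROR_NOT_ALL_ASSIGNED — e.g. when run without elevation). The original
 * reported that last case as success and leaked the token handle on every path.
 */
int privileges(){
    HANDLE Token = NULL;
    TOKEN_PRIVILEGES tp = {0};
    int rc = 1; //FAIL unless every step below succeeds

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &Token)) {
        return 1;
    }

    // Resolve the LUID for SeDebugPrivilege. Previously unchecked, which left
    // tp.Privileges[0].Luid uninitialized when the lookup failed.
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) {
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        if (AdjustTokenPrivileges(Token, FALSE, &tp, sizeof(tp), NULL, NULL) != 0
            && GetLastError() != ERROR_NOT_ALL_ASSIGNED) {
            rc = 0; //SUCCESS: the privilege is now enabled on this token
        }
    }

    CloseHandle(Token); // was leaked on every return path before
    return rc;
}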
调试信息:
'inj_01.exe': Loaded 'C:\Users\root\Documents\Visual Studio 2010\Projects\inj_01\Debug\inj_01.exe', Symbols loaded.
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\ntdll.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\kernel32.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\KernelBase.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\user32.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\gdi32.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\lpk.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\usp10.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\msvcrt.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\advapi32.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\sechost.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\rpcrt4.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\sspicli.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\cryptbase.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\msvcr100d.dll', Symbols loaded.
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\imm32.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\msctf.dll', Symbols loaded (source information stripped).
The thread 'Win32 Thread' (0x11b8) has exited with code 0 (0x0).
The program '[6244] inj_01.exe: Native' has exited with code 0 (0x0).
提前感谢任何帮助/指示
我认为你不能将代码注入 explorer.exe。
在 Windows 7 及更高版本中,不允许注入到核心 Windows 进程(如 explorer.exe)或其他用户的进程中。