当前位置: 文江博客话题详情

从内存中运行进程 C/C++

发布于 2024-09-06 08:04:38 字数 3553 浏览 1 评论 0原文

我的功能:

       /*
--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_
runPE(
dosheader ptr,
ntheader ptr,
sectionheader ptr,
ptr to exebuffer,
DWORD SizeOfImage(Alignment fixed))
_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--
*/

int runPE2(IMAGE_DOS_HEADER* pDOS,IMAGE_NT_HEADERS * pNT,IMAGE_SECTION_HEADER * pSection,char* pData,DWORD szImage)
{
    STARTUPINFO si = {0};
    PROCESS_INFORMATION pi;
    CONTEXT ctx;

    if(CreateProcess(NULL,szFileName,NULL, NULL, 0, CREATE_SUSPENDED, NULL, NULL, &si,&pi))
    {
        ctx.ContextFlags = CONTEXT_FULL;
        if(!GetThreadContext(pi.hThread,&ctx))
        {
            MessageBoxA(0,"GetThreadContext Error!","Error",0);
        }
        DWORD dwImagebase = NULL;
        DWORD dwBytesRead = NULL;
        DWORD dwByteswritten = NULL;
        DWORD dwOldProtection = NULL;

        if(!ReadProcessMemory(pi.hProcess,(LPVOID)(ctx.Ebx + 8),&dwImagebase,sizeof(DWORD),&dwBytesRead))
        {
            MessageBoxA(0,"RPM Error!","Error",0);
        }
        VirtualProtect(&pNT->OptionalHeader.ImageBase,sizeof(DWORD),PAGE_READWRITE,&dwOldProtection);
        pNT->OptionalHeader.ImageBase = dwImagebase;
        VirtualProtect(&pNT->OptionalHeader.ImageBase,sizeof(DWORD),dwOldProtection,&dwOldProtection);


        UnmapViewOfSection_ pZwUnmapViewOfSection = (UnmapViewOfSection_)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwUnmapViewOfSection");

        if(pZwUnmapViewOfSection(pi.hProcess, (LPVOID)dwImagebase) != 0)
        {
            MessageBoxA(0,"Unmaping Error!","Error",0);
        }

        void* newBase = VirtualAllocEx(pi.hProcess, (LPVOID)pNT->OptionalHeader.ImageBase,szImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        if(!newBase)
        {
            MessageBoxA(0,"Allocting Error!","Error",0);
        }

        if(!WriteProcessMemory(pi.hProcess,(LPVOID)(ctx.Ebx + 8),newBase, sizeof(DWORD), &dwByteswritten))
        {
            MessageBoxA(0,"WPM Imagebase Error!","Error",0);
        }

        if(!WriteProcessMemory(pi.hProcess,newBase,pData,pNT->OptionalHeader.SizeOfHeaders, &dwByteswritten))
        {
            MessageBoxA(0,"WPM SizeOfHeaders Error!","Error",0);
        }

        for(int i = 0; i < pNT->FileHeader.NumberOfSections; i++)
        {
            pSection = (PIMAGE_SECTION_HEADER)((char*)(pData + pDOS->e_lfanew +  sizeof(IMAGE_NT_HEADERS) + sizeof(IMAGE_SECTION_HEADER) * i));
            if(!WriteProcessMemory(pi.hProcess,(char*)(pNT->OptionalHeader.ImageBase + pSection->VirtualAddress),(char*)(pData + pSection->PointerToRawData),pSection->SizeOfRawData, &dwByteswritten))
            {
                MessageBoxA(0,"WPM in LOOP Error!","Error",0);
            }
        }

        ctx.Eax = (DWORD)newBase + pNT->OptionalHeader.AddressOfEntryPoint;        // eax holds new entry point

        if(!SetThreadContext(pi.hThread,&ctx))
        {
            MessageBoxA(0,"SetThreadContext Error!","Error",0);
        }

        if(!ResumeThread(pi.hThread))
        {
            MessageBoxA(0,"ResumeThread Error!","Error",0);
        }

        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);

        TerminateProcess(pi.hProcess,0);

        return 1;
    }
    return -1;
}

ResumeThread 后出现的错误是“应用程序无法正确启动(0xc0000005)

感谢您的阅读希望有人会提供帮助

信息: 操作系统:Win7 编译器VC++2010 目标应用;简单的“Hello World”应用程序; win32控制台

原文

My function:

       /*
--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_
runPE(
dosheader ptr,
ntheader ptr,
sectionheader ptr,
ptr to exebuffer,
DWORD SizeOfImage(Alignment fixed))
_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--_--
*/

int runPE2(IMAGE_DOS_HEADER* pDOS,IMAGE_NT_HEADERS * pNT,IMAGE_SECTION_HEADER * pSection,char* pData,DWORD szImage)
{
    STARTUPINFO si = {0};
    PROCESS_INFORMATION pi;
    CONTEXT ctx;

    if(CreateProcess(NULL,szFileName,NULL, NULL, 0, CREATE_SUSPENDED, NULL, NULL, &si,&pi))
    {
        ctx.ContextFlags = CONTEXT_FULL;
        if(!GetThreadContext(pi.hThread,&ctx))
        {
            MessageBoxA(0,"GetThreadContext Error!","Error",0);
        }
        DWORD dwImagebase = NULL;
        DWORD dwBytesRead = NULL;
        DWORD dwByteswritten = NULL;
        DWORD dwOldProtection = NULL;

        if(!ReadProcessMemory(pi.hProcess,(LPVOID)(ctx.Ebx + 8),&dwImagebase,sizeof(DWORD),&dwBytesRead))
        {
            MessageBoxA(0,"RPM Error!","Error",0);
        }
        VirtualProtect(&pNT->OptionalHeader.ImageBase,sizeof(DWORD),PAGE_READWRITE,&dwOldProtection);
        pNT->OptionalHeader.ImageBase = dwImagebase;
        VirtualProtect(&pNT->OptionalHeader.ImageBase,sizeof(DWORD),dwOldProtection,&dwOldProtection);


        UnmapViewOfSection_ pZwUnmapViewOfSection = (UnmapViewOfSection_)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwUnmapViewOfSection");

        if(pZwUnmapViewOfSection(pi.hProcess, (LPVOID)dwImagebase) != 0)
        {
            MessageBoxA(0,"Unmaping Error!","Error",0);
        }

        void* newBase = VirtualAllocEx(pi.hProcess, (LPVOID)pNT->OptionalHeader.ImageBase,szImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        if(!newBase)
        {
            MessageBoxA(0,"Allocting Error!","Error",0);
        }

        if(!WriteProcessMemory(pi.hProcess,(LPVOID)(ctx.Ebx + 8),newBase, sizeof(DWORD), &dwByteswritten))
        {
            MessageBoxA(0,"WPM Imagebase Error!","Error",0);
        }

        if(!WriteProcessMemory(pi.hProcess,newBase,pData,pNT->OptionalHeader.SizeOfHeaders, &dwByteswritten))
        {
            MessageBoxA(0,"WPM SizeOfHeaders Error!","Error",0);
        }

        for(int i = 0; i < pNT->FileHeader.NumberOfSections; i++)
        {
            pSection = (PIMAGE_SECTION_HEADER)((char*)(pData + pDOS->e_lfanew +  sizeof(IMAGE_NT_HEADERS) + sizeof(IMAGE_SECTION_HEADER) * i));
            if(!WriteProcessMemory(pi.hProcess,(char*)(pNT->OptionalHeader.ImageBase + pSection->VirtualAddress),(char*)(pData + pSection->PointerToRawData),pSection->SizeOfRawData, &dwByteswritten))
            {
                MessageBoxA(0,"WPM in LOOP Error!","Error",0);
            }
        }

        ctx.Eax = (DWORD)newBase + pNT->OptionalHeader.AddressOfEntryPoint;        // eax holds new entry point

        if(!SetThreadContext(pi.hThread,&ctx))
        {
            MessageBoxA(0,"SetThreadContext Error!","Error",0);
        }

        if(!ResumeThread(pi.hThread))
        {
            MessageBoxA(0,"ResumeThread Error!","Error",0);
        }

        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);

        TerminateProcess(pi.hProcess,0);

        return 1;
    }
    return -1;
}

The error i get after ResumeThread is "The application was unable to start correctly (0xc0000005)

Thanks for reading Hope someone will help

Information:
OS: Win7
compiler VC++ 2010
target application; Simple "Hello World" App; win32 console

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

〃安静 2024-09-13 08:04:39

检查VirtualProtect功能。看来已经失败了。调用 GetLastError()。我认为应该是值0x1e7。检查您的基地址和“.text”部分中的地址。我是通过手动处理导入表来完成此操作的。只是一个简单的 PE 解析器和 GetProcAddress 函数。之后,您需要计算进程基地址并应用存储在“.reloc”部分中的重定位。

Check the VirtualProtect function. Seems that it has been failed. An call the GetLastError(). I think that should be value 0x1e7. Check your base address and addresses in the ".text" section. I have done this by manual processing of import table. Just a simple PE parser and GetProcAddress function. After that you need to calculate your process base address and apply relocation stored in ".reloc" section.

回复 原文
~没有更多了~

关于作者

宣告ˉ结束

暂无简介

0 文章
0 评论
24 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

淡笑忘祈一世凡恋

文章 0 评论 0

我们的影子

文章 0 评论 0

素年丶

文章 0 评论 0

南笙

文章 0 评论 0

18215568913

文章 0 评论 0

qq_xk7Ean

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文