DLL injection: executing CreateRemoteThread with a parameter

Published 2024-11-19 00:53:16, 1043 characters, 1 view, 0 comments


I wrote a DLL injection program that works just fine. It loads a DLL into a remote process and calls some function. Now I want to pass an argument to that function. CreateRemoteThread has lpParameter for that, but how do I get the passed argument inside the DLL to use it in the function?

Update:
The DLL entry point is the usual one:

BOOL APIENTRY DllMain( HANDLE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)

The DLL contains only one function with the following prototype:

void TestFunction(const char* ua);

The code that calls that function is:

CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)((void*)codecaveExecAddr), (LPVOID)argumentAddress, 0, NULL);

As you can see, I try to pass the "test" string to TestFunction. But when I check the ua argument inside TestFunction, it contains some trash.

Here are the whole project files:
http://pastebin.com/gh4SnhmV
http://pastebin.com/Sq7hpSVx
http://pastebin.com/dvgXpUYz

UPDATE 2
Should TestFunction have some specific prototype, or can I use any one as long as it has only one parameter of type LPVOID? I'm confused. Can anyone give me an example of how to call an injected DLL's function with some argument?


Comments (1)

夜深人未静 2024-11-26 00:53:16


You need to allocate the data inside the other process's memory. For that, use the VirtualAllocEx function, which will return an address in the other process's memory that you then pass to CreateRemoteThread.

CreateRemoteThread works exactly the same way as CreateThread, except that it creates the thread in the remote process. One thing to keep in mind is that when you pass a pointer to an object in lpParameter, the remote thread, which is running in a different virtual address space, will try to access that address in its own address space.
