使用C#在Windows 10的记事本中注入C ++ DLL
[英]Injecting C++ DLLs into notepad on windows 10 using C#
问题描述
bool bInject(uint pToBeInjected, string sDllPath)
{
IntPtr hndProc = OpenProcess((0x2 | 0x8 | 0x10 | 0x20 | 0x400), 1, pToBeInjected);
if (hndProc == INTPTR_ZERO)
{
return false;
}
IntPtr lpLLAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
if (lpLLAddress == INTPTR_ZERO)
{
return false;
}
IntPtr lpAddress = VirtualAllocEx(hndProc, (IntPtr)null, (IntPtr)sDllPath.Length, (0x1000 | 0x2000), 0X40);
byte[] bytes = Encoding.ASCII.GetBytes(sDllPath);
WriteProcessMemory(hndProc, lpAddress, bytes, (uint)bytes.Length, 0);
// This next one is the one that doesn't seem to work.
CreateRemoteThread(hndProc, (IntPtr)null, INTPTR_ZERO, lpLLAddress, lpAddress, 0, (IntPtr)null);
CloseHandle(hndProc);
return true;
}
I am using C#(obviously) in .NET 4.6.1 compiled for x86. 
我在为x86编译的.NET 4.6.1中使用C#(显然)。 In the code above I commented the command that doesn't seem to be working. 在上面的代码中,我注释了似乎无效的命令。 The CreateRemoteThread call. CreateRemoteThread调用。 No errors are returned, the the victim process (Notepad) does not show any sign of the following DLL (I pulled from an example project because I was lazy.) being injected. 没有错误返回,受害进程(记事本)不显示任何注入了以下DLL的迹象(我是从一个示例项目中拉出的,因为我很懒。)。
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
extern "C" __declspec(dllexport)
DWORD WINAPI MessageBoxThread(LPVOID lpParam) {
MessageBox(NULL, "Hello world!", "Hello World!", NULL);
return 0;
}
extern "C" __declspec(dllexport)
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved) {
switch (ul_reason_for_call) {
case DLL_PROCESS_ATTACH:
CreateThread(NULL, NULL, MessageBoxThread, NULL, NULL, NULL);
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
Remember I am using windows 10. I thought maybe there were additional security checks to prevent me from injecting said DLL. 记住,我使用的是Windows10。我想可能还有其他安全检查,以防止我注入所说的DLL。 After this, I plan on making a bootstrap DLL to load CLR, and another C# DLL. 之后,我计划制作一个引导DLL来加载CLR和另一个C#DLL。
Thanks so much for any help you can provide! 非常感谢您提供的任何帮助!
1 个解决方案
解决方案1
1 已采纳 2017-02-26 09:28:15
You should use the preprocessor definitions as flags to your API calls, its more clear. 您应该将预处理器定义用作API调用的标志,这更加清楚。
I believe for VirtualAllocEx you attempted to pass PAGE_READWRITE as a flag, however you passed 0x40 instead, and it's defined as #define PAGE_READWRITE 0x04 . 我相信对于VirtualAllocEx您尝试将PAGE_READWRITE作为标志传递,但是您改为传递0x40 ,它的定义为#define PAGE_READWRITE 0x04 。 So either use PAGE_READWRITE directly or if you want to be "cool" use 0x04 . 因此,或者直接使用PAGE_READWRITE ,或者如果您想“酷”使用0x04 。
Also, I never used the string class, but you should do sDllPath.Length + 1 , as it might not add the null terminator to your path as well! 另外,我从未使用过字符串类,但是您应该执行sDllPath.Length + 1 ,因为它可能也不会将null终止符添加到您的路径中!
To be more precise (in future questions), you can add the error code to the question! 为了更精确(在以后的问题中),您可以将错误代码添加到问题中! You can use: 您可以使用:
CHAR Error[MAX_PATH]; // MAX_PATH is used for system paths, it's still big enough
wsprintfA(Error, "Error: %lu", GetLastError());
MessageBoxA(0, Error, 0, 0);
Right after your CreateRemoteThread to get the system error code - it can help shed some light on the errors in your application, at any time! 在您的CreateRemoteThread立即获取系统错误代码 -它可以随时帮助您了解应用程序中的错误!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.