CreateRemoteThread (thread status: unresolved)
jest0024
Quote: When I use CreateRemoteThread to run a ThreadFunc inside another process, I cannot use API functions inside the ThreadFunc. Can anyone give a demonstration? There are no Delphi examples on the net, and the C ones I port keep erroring out. Thanks in advance~ (DELPHI only)

Maybe post the code, so everyone knows what needs solving!? CreateRemoteThread creates a remote thread!? That drags another process into it, so you would have to use a DLL to inject your code into the other process, right!? Because between one program and another, the same address is not the same physical address!? The above is purely my own understanding; if it is wrong please correct me.. 3Q
nnn0918k
Please help me try this out..
As soon as ThreadFunc calls an API it errors out.

program Project1;
{$APPTYPE CONSOLE}
uses Windows, SysUtils;

type
  TFNGetLastError = function: DWORD stdcall;
  // Parameter block handed to the remote thread; holds the resolved API address
  RParams = packed record
    fnGetLastError: TFNGetLastError;
  end;
  PParams = ^RParams;

// Routine that gets copied into the target process
function ThreadFunc(Params: RParams): Cardinal stdcall;
begin
  result := Params.fnGetLastError;
end;

procedure EnableDebugPriv;
var
  hToken, dwRet: Cardinal;
  seDebugValue: Int64;
  tkp, p: TTokenPrivileges;
begin
  if not OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken) then
    WriteLn('Can''t open process token');
  if not LookupPrivilegeValue(nil, 'SeDebugPrivilege', seDebugValue) then
    WriteLn('Can''t look up privilege value');
  tkp.PrivilegeCount := 1;
  tkp.Privileges[0].Luid := seDebugValue;
  tkp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
  if not AdjustTokenPrivileges(hToken, False, tkp, SizeOf(tkp), p, dwRet) then
    WriteLn('Can''t adjust token privileges');
  CloseHandle(hToken);
  WriteLn('Enable Debug Privilege.');
end;

const
  MAXINJECTSIZE = 4096;

var
  dwProcessId, hProcess, dwRead: Cardinal;
  dwThreadId, hThread: Cardinal;
  hKernel: Cardinal;
  p: Pointer;
  c: PParams;
  lc: RParams;
begin
  EnableDebugPriv;
  // Test target is the current process itself
  dwProcessId := GetCurrentProcessId;
  WriteLn('Process Id = ' + IntToStr(dwProcessId));
  hProcess := OpenProcess(PROCESS_ALL_ACCESS, False, dwProcessId);
  WriteLn('Process Handle = ' + IntToStr(hProcess));
  // Executable page for the copied code, data page for the parameter block
  p := VirtualAllocEx(hProcess, nil, MAXINJECTSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  WriteLn('p = ' + IntToStr(Cardinal(p)));
  c := PParams(VirtualAllocEx(hProcess, nil, SizeOf(RParams), MEM_COMMIT, PAGE_READWRITE));
  WriteLn('c = ' + IntToStr(Cardinal(c)));
  WriteProcessMemory(hProcess, p, @ThreadFunc, MAXINJECTSIZE, dwRead);
  WriteLn('Write @ThreadFunc to p = ' + IntToStr(dwRead) + ' bytes');
  hKernel := LoadLibrary(kernel32);
  WriteLn('Kernel Handle = ' + IntToStr(hKernel));
  lc.fnGetLastError := GetProcAddress(hKernel, 'GetLastError');
  WriteLn('GetLastError = ' + IntToStr(Cardinal(@lc.fnGetLastError)));
  FreeLibrary(hKernel);
  WriteProcessMemory(hProcess, c, @lc, SizeOf(RParams), dwRead);
  WriteLn('Write lc to c = ' + IntToStr(dwRead) + ' bytes');
  hThread := CreateRemoteThread(hProcess, nil, 0, p, c, 0, dwThreadId);
  WriteLn('Thread Id = ' + IntToStr(dwThreadId));
  WriteLn('Thread Handle = ' + IntToStr(hThread));
  case WaitForSingleObject(hThread, 3000) of
    WAIT_TIMEOUT: WriteLn('Wait time out');
    WAIT_FAILED: WriteLn('Wait failed');
    WAIT_OBJECT_0: WriteLn('Wait OK');
  end;
  CloseHandle(hThread);
  VirtualFreeEx(hProcess, c, 0, MEM_RELEASE);
  VirtualFreeEx(hProcess, p, 0, MEM_RELEASE);
  CloseHandle(hProcess);
end.
nnn0918k
Example 1 (Delphi)
This sample shows how to use the CreateRemoteThread() function to load a DLL to another process memory.
Download: http://www.programmersheaven.com/d/click.aspx?ID=F2117

Example 2 (C)
This sample demonstrates how to get the command line another process was started with. To this end, it performs the following steps:
- opens the target process
- allocates two chunks of memory in the target process' address space; one is executable, the other one for data
- copies a function from the local address space to the first piece of memory in the target
- initializes the allocated data area in the target
- calls CreateRemoteThread() to get the copied code going
- waits on the thread handle until the newly created thread is done
- copies the (now filled-in) data area back into the local address space
Download: http://win32.mvps.org/processes/remthread/remthread.zip
jest0024
procedure ThreadFunc
  // this is the injected function... (the one stuffed into the other process)
begin
  GetDC(0);
  // calling an API..
  But have you ever considered what GetDC(0) becomes after compilation!? Call 004xxxxx
  It calls the API function address in your program's import table; inside another process that probably has no meaning at all,
  and would cause an illegal memory access!! To use it you would also have to read the actual address via GetAddress!
end;

Injecting a DLL does not mean writing the program into a DLL. Taking CreateRemoteThread as the example..
CreateRemoteThread(hPrs,nil,0,LoadLibrary,"C:\Test.dll",0,dwThread);
creates a remote thread that runs the LoadLibrary function, loading C:\Test.Dll into the other process!!
Posted by - jest0024 on 2004/05/29 09:03:51
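Seen from the monitoring side, the two shapes jest0024 describes above (a function copied into VirtualAllocEx memory, and LoadLibrary used as the thread start routine) leave distinct traces in Sysmon Event ID 8 ("CreateRemoteThread detected"). The following is an added example, not code from this thread or its posters: it parses constructed Event 8 messages and triages them by start routine; the field names are Sysmon's, while the process names, paths and addresses are made up.

```python
# Added example (not from the thread): triage Sysmon Event ID 8 records into the
# remote-thread shapes discussed above. Field names follow the Sysmon Event 8 schema;
# every sample record below is constructed.

# Exports that load code into the target when used as the thread start routine.
LOADER_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

def parse_event(text):
    """Parse a 'Key: value'-per-line Event 8 message into a dict of stripped values."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def classify(ev):
    """Verdict for one Event 8 record:
    self          - source and target are one process (the self-test in the first post)
    dll-injection - start routine is a LoadLibrary* export (the LoadLibrary + DLL path shape)
    unbacked-code - start address lies in no loaded module (a function copied into
                    VirtualAllocEx memory, the copied-ThreadFunc shape)
    cross-process - remote thread into another image, no other indicator
    """
    if ev.get("SourceProcessId") == ev.get("TargetProcessId"):
        return "self"
    if ev.get("StartFunction") in LOADER_EXPORTS:
        return "dll-injection"
    if not ev.get("StartModule"):
        return "unbacked-code"
    return "cross-process"

def triage(events):
    """Classify raw Event 8 messages in order."""
    return [classify(parse_event(e)) for e in events]

# Constructed sample records, CRLF-separated as in the Windows event message text.
SAMPLE_EVENTS = [
    "SourceProcessId: 1234\r\nSourceImage: C:\\Tools\\inject.exe\r\nTargetProcessId: 5678\r\n"
    "TargetImage: C:\\Program Files\\Internet Explorer\\iexplore.exe\r\nNewThreadId: 91\r\n"
    "StartAddress: 0x7C801D7B\r\nStartModule: C:\\Windows\\system32\\kernel32.dll\r\nStartFunction: LoadLibraryA",
    "SourceProcessId: 1234\r\nSourceImage: C:\\Tools\\inject.exe\r\nTargetProcessId: 5678\r\n"
    "TargetImage: C:\\Program Files\\Internet Explorer\\iexplore.exe\r\nNewThreadId: 92\r\n"
    "StartAddress: 0x00930000\r\nStartModule: \r\nStartFunction: ",
    "SourceProcessId: 4321\r\nSourceImage: C:\\Dev\\Project1.exe\r\nTargetProcessId: 4321\r\n"
    "TargetImage: C:\\Dev\\Project1.exe\r\nNewThreadId: 17\r\n"
    "StartAddress: 0x00850000\r\nStartModule: \r\nStartFunction: ",
    "SourceProcessId: 600\r\nSourceImage: C:\\Windows\\system32\\csrss.exe\r\nTargetProcessId: 2048\r\n"
    "TargetImage: C:\\Windows\\system32\\notepad.exe\r\nNewThreadId: 33\r\n"
    "StartAddress: 0x7C810000\r\nStartModule: C:\\Windows\\system32\\ntdll.dll\r\nStartFunction: RtlUserThreadStart",
]
```

Running `triage(SAMPLE_EVENTS)` yields `dll-injection`, `unbacked-code`, `self`, `cross-process` for the four records in order; an empty StartModule is the tell for code that lives in allocated rather than image-backed memory.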
nnn0918k
Still errors out

var
  hKernel: Cardinal;
  fnLoadLibrary: TFNLoadLibrary;
  hWindow, dwProcessId, hProcess: Cardinal;
  dwThreadId, hThread: Cardinal;
  pPara: Pointer;
  szPara: Array[0..23] of Char;
  dwRead: Cardinal;
begin
  hKernel := LoadLibrary(kernel32);
  fnLoadLibrary := GetProcAddress(hKernel, 'LoadLibrary');
  // Locate the target process through its window
  hWindow := FindWindow(nil, 'about:blank - Microsoft Internet Explorer');
  GetWindowThreadProcessId(hWindow, dwProcessId);
  hProcess := OpenProcess(PROCESS_ALL_ACCESS, False, dwProcessId);
  // Self.Caption := IntToStr(hWindow) + ',' + IntToStr(dwProcessId) + ',' + IntToStr(hProcess);
  if ((hWindow = 0) or (dwProcessId = 0) or (hProcess = 0)) then Exit;
  // DLL name handed to LoadLibrary as the thread parameter
  szPara := user32;
  pPara := VirtualAllocEx(hProcess, nil, 24, MEM_COMMIT, PAGE_READWRITE);
  WriteProcessMemory(hProcess, pPara, @szPara, 24, dwRead);
  hThread := CreateRemoteThread(hProcess, nil, 0, @fnLoadLibrary, pPara, 0, dwThreadId);
  case WaitForSingleObject(hThread, 5000) of
    WAIT_TIMEOUT: ;
    WAIT_FAILED: ;
    WAIT_OBJECT_0: ;
  end;
  CloseHandle(hThread);
  VirtualFreeEx(hProcess, pPara, 0, MEM_RELEASE);
  CloseHandle(hProcess);
  FreeLibrary(hKernel);
jest0024
Quote: Still errors out (followed by the code from the previous post)

The part marked in red may be wrong.. but this method uses CreateRemoteThread to inject a DLL, so passing User32 makes no sense!!
Posted by - jest0024 on 2004/05/29 18:02:30
jest0024
Quote: While using BeginThread just now I found ThreadFunc's prototype.. TThreadFunc = function(Parameter: Pointer): Integer; After testing, no error appears.. Adding stdcall or not should not matter, and so on and so forth....
function ThreadFunc(Params: PParams): Cardinal stdcall;
begin
  result := Params.fnGetLastError;
end;

According to the CreateRemoteThread parameter description.. the 4th parameter, i.e. the ThreadFunc function you mentioned, only accepts and returns 32-bit pointer types; the 5th parameter, i.e. ThreadFunc's argument, must be of Pointer type...