CreateRemoteThread 失败错误码 5
2016-06-08 09:55
344 查看
最近在WIN7下调试DLL注入进程的时候,32位的注入总是返回失败,错误码5。64位没问题。经过反复的检查。发现是OpenProcess打开的方式不对。添加PROCESS_ALL_ACCESS,问题解决。查了一下微软的文档,发现这个参数在XP下可能是有问题的。所以建议XP和WIN7分别处理。代码如下:
//提权 VOID EnableDebugPriv(VOID) { HANDLE hToken; TOKEN_PRIVILEGES tkp; OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken); LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid); tkp.PrivilegeCount = 1; tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES)NULL, 0); CloseHandle(hToken); } 注入DLL BOOL InjectDll(TCHAR* ptszDllFile, DWORD dwProcessId) { // 参数无效 if (NULL == ptszDllFile || 0 == ::_tcslen(ptszDllFile)) { return FALSE; } // 指定 Dll 文件不存在 /**if (-1 == _access(ptszDllFile, 0)) { return FALSE; }**/ HANDLE hProcess = NULL; HANDLE hThread = NULL; DWORD dwSize = 0; LPVOID ptszRemoteBuf = NULL; LPTHREAD_START_ROUTINE lpThreadFun = NULL; SIZE_T dwWritten; HANDLE hModuleSnap = INVALID_HANDLE_VALUE; // 获取模块快照 hModuleSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId); if (INVALID_HANDLE_VALUE == hModuleSnap) { return FALSE; } MODULEENTRY32 me32; memset(&me32, 0, sizeof(MODULEENTRY32)); me32.dwSize = sizeof(MODULEENTRY32); // 开始遍历 if (FALSE == ::Module32First(hModuleSnap, &me32)) { ::CloseHandle(hModuleSnap); return FALSE; } // 遍历查找指定模块 bool isFound = FALSE; do { isFound = (0 == ::_tcsicmp(me32.szModule, ptszDllFile) || 0 == ::_tcsicmp(me32.szExePath, ptszDllFile)); if (isFound) // 找到指定模块 { break; } } while (TRUE == ::Module32Next(hModuleSnap, &me32)); ::CloseHandle(hModuleSnap); if (TRUE == isFound) { return FALSE; } hProcess = NULL; hThread = NULL; // 获取目标进程句柄 hProcess = <span style="color:#ff0000;">::OpenProcess(PROCESS_ALL_ACCESS|PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwProcessId);</span> if (NULL == hProcess) { return FALSE; } // 在目标进程中分配内存空间 dwSize = lstrlenA(ptszDllFile) + 1; ptszRemoteBuf = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE); if (NULL == ptszRemoteBuf) { ::CloseHandle(hProcess); return FALSE; } // 在目标进程的内存空间中写入所需参数(模块名) if (FALSE == WriteProcessMemory(hProcess, ptszRemoteBuf, (LPVOID)ptszDllFile, dwSize, &dwWritten)) { ::VirtualFreeEx(hProcess, ptszRemoteBuf, dwSize, MEM_DECOMMIT); ::CloseHandle(hProcess); return FALSE; } else if (dwWritten != dwSize) { return FALSE; } // 从 Kernel32.dll 中获取 LoadLibrary 函数地址 #ifdef _UNICODE lpThreadFun = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryW"); #else HMODULE kernel = ::GetModuleHandle("Kernel32"); lpThreadFun = (PTHREAD_START_ROUTINE)::GetProcAddress(kernel, "LoadLibraryA"); #endif if (NULL == lpThreadFun) { ::VirtualFreeEx(hProcess, ptszRemoteBuf, dwSize, MEM_DECOMMIT); ::CloseHandle(hProcess); return FALSE; } // 创建远程线程调用 LoadLibrary hThread = ::CreateRemoteThread(hProcess, NULL, 0, lpThreadFun, ptszRemoteBuf, 0, NULL); if (NULL == hThread) { ::VirtualFreeEx(hProcess, ptszRemoteBuf, dwSize, MEM_DECOMMIT); ::CloseHandle(hProcess); return FALSE; } // 等待远程线程结束 ::WaitForSingleObject(hThread, INFINITE); // 清理 ::VirtualFreeEx(hProcess, ptszRemoteBuf, dwSize, MEM_DECOMMIT); ::CloseHandle(hThread); ::CloseHandle(hProcess); return TRUE; }
相关文章推荐
- 创建表时报错ORA-00922选项缺失或无效
- Java编程体验:线程的7种状态及相互转换(图)
- Java-线程
- MySQL数据库优化(三)——MySQL悲观锁&&乐观锁(并发控制)
- JSON 全解
- java http 请求
- C# winform 窗体控件随窗体大小改变
- 小马哥---高仿苹果6s 主板H339 6571刷机拆机主板图 低配机
- Spring学习之路
- 深入分析JavaWeb 45 -- Struts2封装请求参数与类型转换
- iOS之self.xxx与_xxx的区别
- 安全编码实践
- android 控件 简单的分层筛选控件
- MySql按周,按月,按日分组统计数据
- session机制
- xcode 出现 The file couldn’t be opened.
- 24点游戏
- 站立会议10(冲刺2)
- Alpha阶段项目总结
- 关于cookie和session