1
오늘, 나는 소스 주입을 설명하는 기사 (http://www.codeproject.com/KB/threads/winspy.aspx)를 읽었으며 같은 것을하기위한 프로그램을 작성하려고합니다 . 하지만 나는 winmind에 소스를 주입하고 충돌합니다. 나는 추락의 이유를 발견 할 수 없다.소스 주입 및 프로그램 충돌
가 가내 코드 :
가코드 원격 프로세스
static int WINAPI ThreadFunc (INJDATA *pData)
{
int nXferred = 0;
nXferred = pData->fnMessageBox(pData->hwnd, (LPCWSTR)pData->pbText, (LPCWSTR)pData->pbTextCap, pData->type);
pData->pbText [63 * sizeof(TCHAR)] = __TEXT('\0');
pData->pbTextCap [63 * sizeof(TCHAR)] = __TEXT('\0');
return nXferred;
}
// This function marks the memory address after ThreadFunc.
// int cbCodeSize = (PBYTE) AfterThreadFunc - (PBYTE) ThreadFunc.
static void AfterThreadFunc (void) {
}
3.Copies ThreadFunc 및 INJDATA 주입하고되는
typedef LRESULT (WINAPI *MESSAGEBOX)(HWND, LPCWSTR, LPCWSTR, UINT);
typedef struct {
HWND hwnd;
UINT type;
MESSAGEBOX fnMessageBox; // pointer to user32!SendMessage
BYTE pbText[64 * sizeof(TCHAR)]; // text param
BYTE pbTextCap[64 * sizeof(TCHAR)]; // caption param
} INJDATA, *PINJDATA;
2. 1.describe의 분사 데이터 구조체 시작 원격 ThreadFunc의 예기치
int CallMessageBox (HANDLE hProcess, HWND hWnd, LPCWSTR pbString, LPCWSTR pbStringCap)
{
HINSTANCE hUser32;
INJDATA *pDataRemote; // the address (in the remote process) where INJDATA will be copied to;
DWORD *pCodeRemote; // the address (in the remote process) where ThreadFunc will be copied to;
HANDLE hThread = NULL; // the handle to the thread executing the remote copy of ThreadFunc;
DWORD dwThreadId = 0;
int nCharsXferred = 0; // number of chars retrieved by WM_GETTEXT in the remote thread;
DWORD dwNumBytesXferred = 0; // number of bytes written/read to/from the remote process;
__try {
hUser32 = GetModuleHandle(__TEXT("user32"));
if (hUser32 == NULL)
__leave;
// Initialize INJDATA and then
// copy it to the remote process
INJDATA DataLocal = {
hWnd,
MB_OK,
(MESSAGEBOX) GetProcAddress(hUser32, "MessageBoxW")
};
if(DataLocal.fnMessageBox == NULL)
__leave;
wcscpy((LPWSTR) DataLocal.pbText, (LPCWSTR) pbString);
wcscpy((LPWSTR) DataLocal.pbTextCap, (LPCWSTR) pbStringCap);
// 1. Allocate memory in the remote process for INJDATA
// 2. Write a copy of DataLocal to the allocated memory
pDataRemote = (INJDATA*) VirtualAllocEx(hProcess, 0, sizeof(INJDATA), MEM_COMMIT, PAGE_READWRITE);
if (pDataRemote == NULL)
__leave;
WriteProcessMemory(hProcess, pDataRemote, &DataLocal, sizeof(INJDATA), &dwNumBytesXferred);
// Calculate the number of bytes that ThreadFunc occupies
const int cbCodeSize = ((LPBYTE) AfterThreadFunc - (LPBYTE) ThreadFunc);
// 1. Allocate memory in the remote process for the injected ThreadFunc
// 2. Write a copy of ThreadFunc to the allocated memory
pCodeRemote = (PDWORD) VirtualAllocEx(hProcess, 0, cbCodeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (pCodeRemote == NULL)
__leave;
WriteProcessMemory(hProcess, pCodeRemote, &ThreadFunc, cbCodeSize, &dwNumBytesXferred);
// Start execution of remote ThreadFunc
hThread = CreateRemoteThread(hProcess, NULL, 0,
(LPTHREAD_START_ROUTINE) pCodeRemote,
pDataRemote, 0 , &dwThreadId);
if (hThread == NULL)
__leave;
WaitForSingleObject(hThread, INFINITE);
}
__finally {
if (pDataRemote != 0)
VirtualFreeEx(hProcess, pDataRemote, 0, MEM_RELEASE);
if (pCodeRemote != 0)
VirtualFreeEx(hProcess, pCodeRemote, 0, MEM_RELEASE);
if (hThread != NULL) {
GetExitCodeThread(hThread, (PDWORD) &nCharsXferred);
CloseHandle(hThread);
}
}
// Return the number of chars retrieved
return nCharsXferred;
}
예, 저는 virtul 시스템과 winXP에서 이것을 시도하지만 messageBox를 닫으면 winmine이 중단됩니다. 왜 그런지 모르겠다. – wenz
내 게시물을 편집합니다. 1 ~ 2 분 안에 확인해보십시오. –
Yob, 고마워요. :) – wenz