L
landy2005t
Unregistered / Unconfirmed
GUEST, unregistred user!
远程注入CreateRemoteThread和loadlibrary,不知道哪里出错望高手帮忙看下,在线等全身家档脆求大侠,脆求~~~~~~~! ( 积分: 50 )<br />大侠们你们好。
我copy了一段远程注入代码,但好像执行不成功帮忙看下。
我的dll文件很简单只有一个showmessage显一个对话框,如果这个dll加载成功的话会显了个对话框。
远程注入代码如下。我点了注入始终有错。源代我已放网上大侠帮忙下载看一下哪里出错肯定是没有加载成功因为我用自己建一个用exe用loadlibrary('a.dll')dll就会执行的。
代码地址为:www.gameupup.com/landy/a.rar
unit Unit1;
interface
uses
Windows, Messages,tlhelp32,SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls;
type
TForm1 = class(TForm)
Button1: TButton;
Edit1: TEdit;
Label1: TLabel;
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
var
Form1: TForm1;
implementation
{$R *.dfm}
{ 列举进程 }
procedure GetMyProcessID(const AFilename: string; const PathMatch: Boolean; var ProcessID: DWORD);
var
lppe: TProcessEntry32;
SsHandle: Thandle;
FoundAProc, FoundOK: boolean;
begin
ProcessID :=0;
{ 创建系统快照 }
SsHandle := CreateToolHelp32SnapShot(TH32CS_SnapProcess, 0);
{ 取得快照中的第一个进程 }
{ 一定要设置结构的大小,否则将返回False }
lppe.dwSize := sizeof(TProcessEntry32);
FoundAProc := Process32First(Sshandle, lppe);
while FoundAProc do
begin
{ 进行匹配 }
if PathMatch then
FoundOK := AnsiStricomp(lppe.szExefile, PChar(AFilename)) = 0
else
FoundOK := AnsiStricomp(PChar(ExtractFilename(lppe.szExefile)), PChar(ExtractFilename(AFilename))) = 0;
if FoundOK then
begin
ProcessID := lppe.th32ProcessID;
break;
end;
{ 未找到,继续下一个进程 }
FoundAProc := Process32Next(SsHandle, lppe);
end;
CloseHandle(SsHandle);
end;
{ 设置权限 }
function EnabledDebugPrivilege(const Enabled : Boolean) : Boolean;
var
hTk : THandle; { 打开令牌句柄 }
rtnTemp : Dword; { 调整权限时返回的值 }
TokenPri : TOKEN_PRIVILEGES;
const
SE_DEBUG = 'SeDebugPrivilege'; { 查询值 }
begin
Result := False;
{ 获取进程令牌句柄,设置权限 }
if (OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,hTk)) then
begin
TokenPri.PrivilegeCount := 1;
{ 获取Luid值 }
LookupPrivilegeValue(nil,SE_DEBUG,TokenPri.Privileges[0].Luid);
if Enabled then
TokenPri.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
else
TokenPri.Privileges[0].Attributes := 0;
rtnTemp := 0;
{ 设置新的权限 }
AdjustTokenPrivileges(hTk,False,TokenPri,sizeof(TokenPri),nil,rtnTemp);
Result := GetLastError = ERROR_SUCCESS;
CloseHandle(hTk);
end;
end;
{ 调试函数 }
procedure OutPutText(var CH
Char);
var
FileHandle: TextFile;
Begin
AssignFile(FileHandle,'zztest.txt');
Append(FileHandle);
Writeln(FileHandle,CH);
Flush(FileHandle);
CloseFile(FileHandle);
END;
{ 注入远程进程 }
function InjectTo(const Host, Guest: string; const PID: DWORD = 0): DWORD;
var
{ 被注入的进程句柄,进程ID}
hRemoteProcess: THandle;
dwRemoteProcessId: DWORD;
{ 写入远程进程的内容大小 }
memSize: DWORD;
{ 写入到远程进程后的地址 }
pszLibFileRemote: Pointer;
iReturnCode: Boolean;
TempVar: DWORD;
{ 指向函数LoadLibraryW的地址 }
pfnStartAddr: TFNThreadStartRoutine;
{ dll全路径,需要写到远程进程的内存中去 }
pszLibAFilename: PwideChar;
begin
Result := 0;
{ 设置权限 }
EnabledDebugPrivilege(True);
{ 为注入的dll文件路径分配内存大小,由于为WideChar,故要乘2 }
Getmem(pszLibAFilename, Length(Guest) * 2 + 1);
StringToWideChar(Guest, pszLibAFilename, Length(Guest) * 2 + 1);
{ 获取进程ID }
if PID > 0 then
dwRemoteProcessID := PID
else
GetMyProcessID(Host, False, dwRemoteProcessID);
{ 取得远程进程句柄,具有写入权限}
hRemoteProcess := OpenProcess(PROCESS_CREATE_THREAD + {允许远程创建线程}
PROCESS_VM_OPERATION + {允许远程VM操作}
PROCESS_VM_WRITE, {允许远程VM写}
FALSE, dwRemoteProcessId);
{ 用函数VirtualAllocex在远程进程分配空间,并用WriteProcessMemory中写入dll路径 }
memSize := (1 + lstrlenW(pszLibAFilename)) * sizeof(WCHAR);
pszLibFileRemote := PWIDESTRING(VirtualAllocEx(hRemoteProcess, nil, memSize, MEM_COMMIT, PAGE_READWRITE));
TempVar := 0;
iReturnCode := WriteProcessMemory(hRemoteProcess, pszLibFileRemote, pszLibAFilename, memSize, TempVar);
if iReturnCode then
begin
pfnStartAddr := GetProcAddress(GetModuleHandle('Kernel32'), 'LoadLibraryW');
TempVar := 0;
{ 在远程进程中启动dll }
Result := CreateRemoteThread(hRemoteProcess, nil, 0, pfnStartAddr, pszLibFileRemote, 0, TempVar);
end;
{ 释放内存空间 }
Freemem(pszLibAFilename);
end;
procedure TForm1.Button1Click(Sender: TObject);
begin
InjectTo('qq.exe','c:/windows/desktop/a.dll');
end;
end.
我copy了一段远程注入代码,但好像执行不成功帮忙看下。
我的dll文件很简单只有一个showmessage显一个对话框,如果这个dll加载成功的话会显了个对话框。
远程注入代码如下。我点了注入始终有错。源代我已放网上大侠帮忙下载看一下哪里出错肯定是没有加载成功因为我用自己建一个用exe用loadlibrary('a.dll')dll就会执行的。
代码地址为:www.gameupup.com/landy/a.rar
unit Unit1;
interface
uses
Windows, Messages,tlhelp32,SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls;
type
TForm1 = class(TForm)
Button1: TButton;
Edit1: TEdit;
Label1: TLabel;
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
var
Form1: TForm1;
implementation
{$R *.dfm}
{ 列举进程 }
procedure GetMyProcessID(const AFilename: string; const PathMatch: Boolean; var ProcessID: DWORD);
var
lppe: TProcessEntry32;
SsHandle: Thandle;
FoundAProc, FoundOK: boolean;
begin
ProcessID :=0;
{ 创建系统快照 }
SsHandle := CreateToolHelp32SnapShot(TH32CS_SnapProcess, 0);
{ 取得快照中的第一个进程 }
{ 一定要设置结构的大小,否则将返回False }
lppe.dwSize := sizeof(TProcessEntry32);
FoundAProc := Process32First(Sshandle, lppe);
while FoundAProc do
begin
{ 进行匹配 }
if PathMatch then
FoundOK := AnsiStricomp(lppe.szExefile, PChar(AFilename)) = 0
else
FoundOK := AnsiStricomp(PChar(ExtractFilename(lppe.szExefile)), PChar(ExtractFilename(AFilename))) = 0;
if FoundOK then
begin
ProcessID := lppe.th32ProcessID;
break;
end;
{ 未找到,继续下一个进程 }
FoundAProc := Process32Next(SsHandle, lppe);
end;
CloseHandle(SsHandle);
end;
{ 设置权限 }
function EnabledDebugPrivilege(const Enabled : Boolean) : Boolean;
var
hTk : THandle; { 打开令牌句柄 }
rtnTemp : Dword; { 调整权限时返回的值 }
TokenPri : TOKEN_PRIVILEGES;
const
SE_DEBUG = 'SeDebugPrivilege'; { 查询值 }
begin
Result := False;
{ 获取进程令牌句柄,设置权限 }
if (OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,hTk)) then
begin
TokenPri.PrivilegeCount := 1;
{ 获取Luid值 }
LookupPrivilegeValue(nil,SE_DEBUG,TokenPri.Privileges[0].Luid);
if Enabled then
TokenPri.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
else
TokenPri.Privileges[0].Attributes := 0;
rtnTemp := 0;
{ 设置新的权限 }
AdjustTokenPrivileges(hTk,False,TokenPri,sizeof(TokenPri),nil,rtnTemp);
Result := GetLastError = ERROR_SUCCESS;
CloseHandle(hTk);
end;
end;
{ 调试函数 }
procedure OutPutText(var CH
Char);var
FileHandle: TextFile;
Begin
AssignFile(FileHandle,'zztest.txt');
Append(FileHandle);
Writeln(FileHandle,CH);
Flush(FileHandle);
CloseFile(FileHandle);
END;
{ 注入远程进程 }
function InjectTo(const Host, Guest: string; const PID: DWORD = 0): DWORD;
var
{ 被注入的进程句柄,进程ID}
hRemoteProcess: THandle;
dwRemoteProcessId: DWORD;
{ 写入远程进程的内容大小 }
memSize: DWORD;
{ 写入到远程进程后的地址 }
pszLibFileRemote: Pointer;
iReturnCode: Boolean;
TempVar: DWORD;
{ 指向函数LoadLibraryW的地址 }
pfnStartAddr: TFNThreadStartRoutine;
{ dll全路径,需要写到远程进程的内存中去 }
pszLibAFilename: PwideChar;
begin
Result := 0;
{ 设置权限 }
EnabledDebugPrivilege(True);
{ 为注入的dll文件路径分配内存大小,由于为WideChar,故要乘2 }
Getmem(pszLibAFilename, Length(Guest) * 2 + 1);
StringToWideChar(Guest, pszLibAFilename, Length(Guest) * 2 + 1);
{ 获取进程ID }
if PID > 0 then
dwRemoteProcessID := PID
else
GetMyProcessID(Host, False, dwRemoteProcessID);
{ 取得远程进程句柄,具有写入权限}
hRemoteProcess := OpenProcess(PROCESS_CREATE_THREAD + {允许远程创建线程}
PROCESS_VM_OPERATION + {允许远程VM操作}
PROCESS_VM_WRITE, {允许远程VM写}
FALSE, dwRemoteProcessId);
{ 用函数VirtualAllocex在远程进程分配空间,并用WriteProcessMemory中写入dll路径 }
memSize := (1 + lstrlenW(pszLibAFilename)) * sizeof(WCHAR);
pszLibFileRemote := PWIDESTRING(VirtualAllocEx(hRemoteProcess, nil, memSize, MEM_COMMIT, PAGE_READWRITE));
TempVar := 0;
iReturnCode := WriteProcessMemory(hRemoteProcess, pszLibFileRemote, pszLibAFilename, memSize, TempVar);
if iReturnCode then
begin
pfnStartAddr := GetProcAddress(GetModuleHandle('Kernel32'), 'LoadLibraryW');
TempVar := 0;
{ 在远程进程中启动dll }
Result := CreateRemoteThread(hRemoteProcess, nil, 0, pfnStartAddr, pszLibFileRemote, 0, TempVar);
end;
{ 释放内存空间 }
Freemem(pszLibAFilename);
end;
procedure TForm1.Button1Click(Sender: TObject);
begin
InjectTo('qq.exe','c:/windows/desktop/a.dll');
end;
end.