Anonymous
CreateRemoteThread не удалось 5
Anonymous » 07 дек 2024, 10:34
CreateRemoteThread завершается с ошибкой 5 при вызове «inject_param->allocate((HANDLE)-1, &memory_address, 0, &size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);» в функции "inject_begin". Если закомментировать этот вызов, CreateRemoteThread отрабатывает нормально. Платформа решения — 64-битная. Я не понимаю, почему.
#include
#include
#include
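// Returns the PID of the first running process whose image name equals `name`
// (exact, case-sensitive wide-string comparison), or 0 when no such process is
// running or the Toolhelp snapshot could not be taken.
//
// NOTE: the template argument of basic_string was stripped when this listing
// was pasted; wcscmp() on szExeFile and the L"..." literal in main() fix it as
// wchar_t, which is what is restored here.
std::uint32_t get_process_id(
__in const std::basic_string<wchar_t>& name) {
    const auto process_snapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    // CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE, not NULL.
    // Without this check the failed value is walked into Process32First and
    // then handed to CloseHandle.
    if (process_snapshot == INVALID_HANDLE_VALUE) {
        return 0;
    }

    PROCESSENTRY32 process_entry{};
    process_entry.dwSize = sizeof(process_entry);  // Toolhelp requires dwSize before the first call

    std::uint32_t pid = 0;
    if (::Process32First(process_snapshot, &process_entry)) {
        do {
            if (wcscmp(process_entry.szExeFile, name.c_str()) == 0) {
                pid = process_entry.th32ProcessID;
                break;
            }
        } while (::Process32Next(process_snapshot, &process_entry));
    }

    ::CloseHandle(process_snapshot);  // single exit so the snapshot handle cannot leak
    return pid;
}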
// Tries to enable SeDebugPrivilege on the current process token.
// Best-effort by design: the function returns void, every failure is silent,
// and the result of AdjustTokenPrivileges is not inspected, so a partial
// success (ERROR_NOT_ALL_ASSIGNED, e.g. when the token does not hold the
// privilege at all) looks the same to the caller as success.
void adjust_token_privileges() {
    HANDLE token_handle = NULL;
    const auto opened = OpenProcessToken(GetCurrentProcess(),
                                         TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                                         &token_handle);
    if (!opened) {
        return;  // nothing was acquired, nothing to close
    }

    TOKEN_PRIVILEGES privileges{};
    privileges.PrivilegeCount = 1;
    privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    const auto have_luid = LookupPrivilegeValue(NULL, SE_DEBUG_NAME,
                                                &privileges.Privileges[0].Luid);
    if (have_luid) {
        AdjustTokenPrivileges(token_handle, FALSE, &privileges, 0, NULL, NULL);
    }

    CloseHandle(token_handle);
}
// Function-pointer type with the signature of ntdll's NtAllocateVirtualMemory;
// remote_map_load_dll() fills it in at runtime via GetProcAddress.
typedef NTSTATUS(WINAPI* NTALLOCATEVIRTUALMEMORY)(IN HANDLE ProcessHandle, IN OUT PVOID* BaseAddress, IN ULONG ZeroBits, IN OUT PSIZE_T RegionSize, IN ULONG AllocationType, IN ULONG Protect);
// Parameter block that remote_map_load_dll() writes into the target process
// directly after the copied code and passes to inject_begin() as its argument.
struct InjectParam {
int age;                           // counter: the caller stores 1, the remote thread adds 1
NTALLOCATEVIRTUALMEMORY allocate;  // NtAllocateVirtualMemory address resolved from this process's ntdll.dll
};
//shell code
// Thread start routine whose raw bytes remote_map_load_dll() copies into the
// target process. Because only the bytes of this function are copied, nothing
// it references by name (imports, globals, other functions of this module)
// exists in the target; the only external entry point it uses is the pointer
// carried in `inject_param`, which is the lpParameter of CreateRemoteThread.
ULONG_PTR WINAPI inject_begin(InjectParam* inject_param) {
inject_param->age += 1;//age=2 (the caller stores 1 before copying the struct)
PVOID memory_address = NULL;  // NULL asks the kernel to pick the base address; the result is never read
SIZE_T size = 10;             // requested region size, in bytes
//comment it CreateRemoteThread is ok
// (HANDLE)-1 is the current-process pseudo-handle, so the allocation is made in
// whichever process runs this thread. The NTSTATUS returned by the call is
// discarded; the routine reports nothing about it through its return value.
inject_param->allocate((HANDLE)-1, &memory_address, 0, &size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
return 0;
}
// Never called. It follows inject_begin() in the source, apparently intended
// as an end-of-code marker, but remote_map_load_dll() does not use its
// address: it measures the code by scanning inject_begin() for 0xCCCC instead.
void inject_end() {
printf("11");
}
// Copies the machine code of inject_begin() and one InjectParam into
// target_process, starts inject_begin() there on a new thread, waits for it
// and prints its exit code.
//
// NOTE(review): none of the calls below (malloc, VirtualAllocEx,
// WriteProcessMemory, CreateRemoteThread, VirtualFreeEx) has its result
// checked, so a failure at any step shows up only in the printed values.
// The sequence "RWX VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread"
// is the canonical remote-thread code-injection pattern that endpoint
// protection products and kernel ETW threat-intelligence telemetry flag
// specifically; target_process must carry the access rights requested in main().
void remote_map_load_dll(HANDLE target_process)
{
InjectParam inject_param;
// Zero the parameter block before filling it in
RtlZeroMemory(&inject_param, sizeof(inject_param));
inject_param.age = 1;
//------------------------------- measure the code of inject_begin
// Steps forward two bytes at a time until a 0xCCCC word is found. This
// presumably relies on the compiler padding the gap after the function with
// int3 (0xCC) bytes, as MSVC does in debug builds -- TODO confirm for this
// build. If the pattern is absent the loop reads past the function; if 0xCCCC
// occurs inside the function's own bytes the copy is cut short.
WORD* shell_code_begin = (WORD*)inject_begin;
DWORD shell_code_size = 0;
while (*shell_code_begin != 0XCCCC)
{
shell_code_begin++;
shell_code_size += 2;
}
printf("shellcode length:%d\n", shell_code_size);
PVOID shell_code_buffer = malloc(shell_code_size);  // NULL is not checked before the copy below
RtlCopyMemory(shell_code_buffer, inject_begin, shell_code_size);
//-------------------------------
// Resolve NtAllocateVirtualMemory from this process's own ntdll.dll
HMODULE h_nt_dll = GetModuleHandleA("ntdll.dll");
inject_param.allocate = (NTALLOCATEVIRTUALMEMORY)GetProcAddress(h_nt_dll, "NtAllocateVirtualMemory");
printf("NtAllocateVirtualMemory address :0x%p\r\n", inject_param.allocate);
//-------------------------------
// One RWX region holding the code followed by the parameter block; a NULL
// result (e.g. insufficient access on target_process) is not checked.
PBYTE shellcode_address = (PBYTE)VirtualAllocEx(target_process, 0, shell_code_size + sizeof(inject_param), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
// printf("shellcode_address:0x%p\r\n", shellcode_address);
//-------------------------------write shell code
SIZE_T dw_writed = 0;
PBYTE shell_code_address = shellcode_address;
printf("shell_code_address:0X%p\r\n", shell_code_address);
WriteProcessMemory(target_process, shell_code_address, shell_code_buffer, shell_code_size, &dw_writed);
// %d with a SIZE_T argument is a format/argument mismatch on 64-bit builds (here and below)
printf("write ShellCodeAddress bytes:%d\r\n", dw_writed);
//------------------------------- write InjectParam
PBYTE inject_param_address = shellcode_address + shell_code_size;
printf("InjectParamAddress:0X%p\r\n", inject_param_address);
BOOL result = WriteProcessMemory(target_process, (LPVOID)inject_param_address, &inject_param, sizeof(inject_param), &dw_writed);  // `result` is never read
printf("write InjectParamAddress bytes:%d\r\n", dw_writed);
//-------------------------------
// inject_param_address becomes the InjectParam* argument of inject_begin()
HANDLE remote_thread = CreateRemoteThread(target_process, 0, 0, (LPTHREAD_START_ROUTINE)shell_code_address, inject_param_address, 0, 0);
printf("remote_thread:0x%X\n", remote_thread);  // %X with a HANDLE truncates the pointer on 64-bit; %p matches
if (remote_thread)
{
WaitForSingleObject(remote_thread, -1);  // -1 == INFINITE
//ERROR_ACCESS_DENIED=0x5
DWORD exit_code = 0;
GetExitCodeThread(remote_thread, &exit_code);
printf("error:0x%x\n", exit_code);
// Free the remote allocation
// NOTE(review): VirtualFreeEx expects MEM_DECOMMIT or MEM_RELEASE as
// dwFreeType; MEM_FREE is a region-state value, so this call is expected to
// fail and the remote region to leak. The region is also never freed when
// CreateRemoteThread returns NULL, because the call sits inside this branch.
VirtualFreeEx(target_process, shellcode_address, 0, MEM_FREE);
CloseHandle(remote_thread);
}
//free
free(shell_code_buffer);
}
// Entry point: enables SeDebugPrivilege, looks the target up by image name,
// opens it with the rights remote_map_load_dll() needs and runs the injection.
int main() {
int result = EXIT_SUCCESS;  // never modified: the process always exits with success
//
adjust_token_privileges();
//get dwmpid
// Despite the variable name, the image searched for is CalculatorApp.exe;
// get_process_id() returns 0 when no such process is running.
auto dwm_pid = get_process_id(L"CalculatorApp.exe");
// Access mask covering VirtualAllocEx / WriteProcessMemory / CreateRemoteThread
// in remote_map_load_dll(). The result is not checked: a NULL handle (process
// not found, or the open was denied) is passed straight on to the callee.
auto h_handle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, dwm_pid);
printf("dwmpid:%d\r\n", dwm_pid);
//
remote_map_load_dll(h_handle);
CloseHandle(h_handle);
system("pause");  // keeps the console window open until a key is pressed
return result;
}
Помогите мне определить, в чём может быть проблема.
Подробнее здесь:
https://stackoverflow.com/questions/79260174/createremotethread-failed-5
1733556858
Anonymous
CreateRemoteThread завершился с ошибкой 5 при вызове «inject_param->allocate((HANDLE)-1, &memory_address, 0, &size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);» в функции "inject_begin" 。прокомментируйте, что CreateRemoteThread в порядке。Платформа решения 64-битная. Я не знаю почему. [code]#include #include #include std::uint32_t get_process_id( __in const std::basic_string& name) { PROCESSENTRY32 process_entry; process_entry.dwSize = sizeof(PROCESSENTRY32); auto process_snapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL); if (Process32First(process_snapshot, &process_entry)) { do { if (!wcscmp(process_entry.szExeFile, name.data())) { CloseHandle(process_snapshot); return process_entry.th32ProcessID; } } while (Process32Next(process_snapshot, &process_entry)); } CloseHandle(process_snapshot); return 0; } void adjust_token_privileges() { HANDLE h_token = NULL; if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &h_token)) { return; } TOKEN_PRIVILEGES priv = { 0 }; priv.PrivilegeCount = 1; priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid)) { AdjustTokenPrivileges(h_token, FALSE, &priv, 0, NULL, NULL); } CloseHandle(h_token); } typedef NTSTATUS(WINAPI* NTALLOCATEVIRTUALMEMORY)(IN HANDLE ProcessHandle, IN OUT PVOID* BaseAddress, IN ULONG ZeroBits, IN OUT PSIZE_T RegionSize, IN ULONG AllocationType, IN ULONG Protect); struct InjectParam { int age; NTALLOCATEVIRTUALMEMORY allocate; }; //shell code ULONG_PTR WINAPI inject_begin(InjectParam* inject_param) { inject_param->age += 1;//age=2 PVOID memory_address = NULL; SIZE_T size = 10; //comment it CreateRemoteThread is ok inject_param->allocate((HANDLE)-1, &memory_address, 0, &size, MEM_COMMIT, PAGE_EXECUTE_READWRITE); return 0; } void inject_end() { printf("11"); } void remote_map_load_dll(HANDLE target_process) { InjectParam inject_param; //将指定内存区域的内容清零 RtlZeroMemory(&inject_param, sizeof(inject_param)); 
inject_param.age = 1; //------------------------------- WORD* shell_code_begin = (WORD*)inject_begin; DWORD shell_code_size = 0; while (*shell_code_begin != 0XCCCC) { shell_code_begin++; shell_code_size += 2; } printf("shellcode length:%d\n", shell_code_size); PVOID shell_code_buffer = malloc(shell_code_size); RtlCopyMemory(shell_code_buffer, inject_begin, shell_code_size); //------------------------------- //获取本进程的 ntdll.dll HMODULE h_nt_dll = GetModuleHandleA("ntdll.dll"); inject_param.allocate = (NTALLOCATEVIRTUALMEMORY)GetProcAddress(h_nt_dll, "NtAllocateVirtualMemory"); printf("NtAllocateVirtualMemory address :0x%p\r\n", inject_param.allocate); //------------------------------- PBYTE shellcode_address = (PBYTE)VirtualAllocEx(target_process, 0, shell_code_size + sizeof(inject_param), MEM_COMMIT, PAGE_EXECUTE_READWRITE); // printf("shellcode_address:0x%p\r\n", shellcode_address); //-------------------------------write shell code SIZE_T dw_writed = 0; PBYTE shell_code_address = shellcode_address; printf("shell_code_address:0X%p\r\n", shell_code_address); WriteProcessMemory(target_process, shell_code_address, shell_code_buffer, shell_code_size, &dw_writed); printf("write ShellCodeAddress bytes:%d\r\n", dw_writed); //------------------------------- write InjectParam PBYTE inject_param_address = shellcode_address + shell_code_size; printf("InjectParamAddress:0X%p\r\n", inject_param_address); BOOL result = WriteProcessMemory(target_process, (LPVOID)inject_param_address, &inject_param, sizeof(inject_param), &dw_writed); printf("write InjectParamAddress bytes:%d\r\n", dw_writed); //------------------------------- HANDLE remote_thread = CreateRemoteThread(target_process, 0, 0, (LPTHREAD_START_ROUTINE)shell_code_address, inject_param_address, 0, 0); printf("remote_thread:0x%X\n", remote_thread); if (remote_thread) { WaitForSingleObject(remote_thread, -1); //ERROR_ACCESS_DENIED=0x5 DWORD exit_code = 0; GetExitCodeThread(remote_thread, &exit_code); printf("error:0x%x\n", 
exit_code); //释放申请的内存 VirtualFreeEx(target_process, shellcode_address, 0, MEM_FREE); CloseHandle(remote_thread); } //free free(shell_code_buffer); } int main() { int result = EXIT_SUCCESS; // adjust_token_privileges(); //get dwmpid auto dwm_pid = get_process_id(L"CalculatorApp.exe"); auto h_handle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, dwm_pid); printf("dwmpid:%d\r\n", dwm_pid); // remote_map_load_dll(h_handle); CloseHandle(h_handle); system("pause"); return result; } [/code] Помогите мне. Помогите мне определить, в чем может быть проблема. Подробнее здесь: [url]https://stackoverflow.com/questions/79260174/createremotethread-failed-5[/url]