Создание удаленного потока

[Dizelektwo]

Здравствуйте еще раз) Вот сегодня переписал на С++ код внедрения DLL через удаленный поток с делфи(который я не знаю). Программа стартует и выходит без ошибки, однако внедрения так и не происходит. Потому как должен выскакивать мессендж. Надеюсь кто нибудь подсобит об ошибке
Интересуюсь этой темой только для общего развития, пакостить никому в дальнейшем не собираюсь.

Код:

#include "stdafx.h"
#include "process.h"
#include "windows.h"
#include "iostream"
#include "tlhelp32.h"

using namespace std;


int _tmain(int argc, _TCHAR* argv[])
{

DWORD wrb,iptheed;
TCHAR buf[]="dlltest.dll";
PWSTR pszLibFileRemote = NULL;


HMODULE hint;

if((hint= LoadLibrary("dlltest.dll"))==NULL) { MessageBox(0,"error","not function",0) ; }

PTHREAD_START_ROUTINE GetDll=(PTHREAD_START_ROUTINE) GetProcAddress(hint,"outmsg");

//адрес ф-ии из библиотеки. 


//либа toolhelp32, ищем id процесса по имени

HANDLE hprocess=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL); 
PROCESSENTRY32 stprocess;
stprocess.dwSize=sizeof(stprocess);

bool next=Process32First(hprocess,&stprocess);

while(next) {

	next=Process32Next(hprocess,&stprocess);
	if(stprocess.szExeFile=="notepad") { break; }
}


DWORD processId=stprocess.th32ProcessID;
//присваиваем хэндл процесса структуре DWORD 


HANDLE popen=OpenProcess(PROCESS_CREATE_THREAD| PROCESS_ALL_ACCESS|PROCESS_VM_WRITE,true,processId);

//открывает процесс для извлечения инфо., записи


pszLibFileRemote = (PWSTR) VirtualAllocEx(popen,NULL, 255, MEM_COMMIT,PAGE_READWRITE);

//выделяем память в процессе

if(pszLibFileRemote==NULL) { MessageBox(0,"error alloc","error",0);} 

else {

	WriteProcessMemory(popen,pszLibFileRemote,buf,strlen(buf)*2,&wrb);
	//если удается выделить память- пишем в процесс

CreateRemoteThread(popen, NULL, 0, GetDll,NULL, 0, &iptheed);

// создаем нить в процессе с адресом ф-ии из нашей dll.

}


CloseHandle(popen);
CloseHandle(hprocess);
FreeLibrary(hint);

system("pause");
	return 0;
}

[rlib]

Порверьте, что инжектируемой библиотеке действительно нет в адресс-пространстве процесса-цели (любым дебагером, например http://www.smidgeonsoft.prohosting.c...le-viewer.html). Если есть, то ищите проблему в настройке таблицы импорта.

[Dizelektwo]

Код:

int _tmain(int argc, _TCHAR* argv[]) {
DWORD wrb;
char buf[]="dlltest.dll";
PWSTR pszLibFileRemote = NULL;
char notepad[]="notepad";
int cb=strlen(buf)+1;


HMODULE hint;

if((hint= LoadLibrary(TEXT("dlltest.dll")))==NULL) { MessageBox(0,"error","not function",0) ; }

PTHREAD_START_ROUTINE GetDll=(PTHREAD_START_ROUTINE) GetProcAddress(hint,"outmsg");
if(GetDll==NULL) {MessageBox(0,"error","GetDll",0);}


HANDLE hprocess=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL); 
PROCESSENTRY32 stprocess;
stprocess.dwSize=sizeof(stprocess);

bool next=Process32First(hprocess,&stprocess);

while(next) {
	
    next=Process32Next(hprocess,&stprocess);
	
	if(!strcmp(stprocess.szExeFile,notepad)) { break; }

}

int processId=stprocess.th32ProcessID;




HANDLE popen=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION| PROCESS_ALL_ACCESS|PROCESS_VM_WRITE,false,processId);
if(popen==NULL) {MessageBox(0,"error opening","!",0);}



pszLibFileRemote = (PWSTR) VirtualAllocEx(popen,NULL, 256, MEM_COMMIT,PAGE_READWRITE);



if(pszLibFileRemote==NULL) { MessageBox(0,"error alloc","!",0);} 

else {

	WriteProcessMemory(popen,pszLibFileRemote,buf,cb,&wrb);
	
	
HANDLE cprocess=CreateRemoteThread(popen, NULL, 0, GetDll,pszLibFileRemote, 0, NULL);

if(cprocess==NULL) { MessageBox(0,"error remote thread","!",0); exit(1);}

CloseHandle(cprocess);
}



CloseHandle(popen);
FreeLibrary(hint);

system("pause");
	return 0;
}

Вверху был код с грубыми ошибками, здесь немного исправил по msdn. Библиотека не подгружается, не смотря на то, что через прямой вызов ее функции проблем не возникает. Считаю что проблема возникает именно при создании удаленного потока. Краш и возникает на том моменте. вопрос не решен. Чувствую что где-то напортачил в параметре ф-ии.

rlib

Спасибо за удобный дебаггер. На удивление такой миниатюрный.

[rlib]

Скопировано с книжки Рихтера.

Код:

Module: InjLib.cpp
Notices: Copyright (c) 2008 Jeffrey Richter & Christophe Nasarre
******************************************************************************/


#include "..\CommonFiles\CmnHdr.h"    /* See Appendix A. */
#include <windowsx.h>
#include <stdio.h>
#include <tchar.h>
#include <malloc.h>        // For alloca
#include <TlHelp32.h>
#include "Resource.h"
#include <StrSafe.h>



///////////////////////////////////////////////////////////////////////////////


#ifdef UNICODE
   #define InjectLib InjectLibW
   #define EjectLib EjectLibW
#else
   #define InjectLib InjectLibA
   #define EjectLib EjectLibA
#endif   // !UNICODE


///////////////////////////////////////////////////////////////////////////////


BOOL WINAPI InjectLibW(DWORD dwProcessId, PCWSTR pszLibFile) {

   BOOL bOk = FALSE; // Assume that the function fails
   HANDLE hProcess = NULL, hThread = NULL;
   PWSTR pszLibFileRemote = NULL;

   __try {
      // Get a handle for the target process.
      hProcess = OpenProcess(
         PROCESS_QUERY_INFORMATION |   // Required by Alpha
         PROCESS_CREATE_THREAD     |   // For CreateRemoteThread
         PROCESS_VM_OPERATION      |   // For VirtualAllocEx/VirtualFreeEx
         PROCESS_VM_WRITE,             // For WriteProcessMemory
         FALSE, dwProcessId);
      if (hProcess == NULL) __leave;

      // Calculate the number of bytes needed for the DLL's pathname
      int cch = 1 + lstrlenW(pszLibFile);
      int cb = cch * sizeof(wchar_t);

      // Allocate space in the remote process for the pathname
      pszLibFileRemote = (PWSTR)
         VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
      if (pszLibFileRemote == NULL) __leave;

      // Copy the DLL's pathname to the remote process' address space
      if (!WriteProcessMemory(hProcess, pszLibFileRemote,
         (PVOID) pszLibFile, cb, NULL)) __leave;

      // Get the real address of LoadLibraryW in Kernel32.dll
      PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
         GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
      if (pfnThreadRtn == NULL) __leave;

      // Create a remote thread that calls LoadLibraryW(DLLPathname)
      hThread = CreateRemoteThread(hProcess, NULL, 0,
         pfnThreadRtn, pszLibFileRemote, 0, NULL);
      if (hThread == NULL) __leave;

      // Wait for the remote thread to terminate
      WaitForSingleObject(hThread, INFINITE);

      bOk = TRUE; // Everything executed successfully
   }
   __finally { // Now, we can clean everything up

      // Free the remote memory that contained the DLL's pathname
      if (pszLibFileRemote != NULL)
         VirtualFreeEx(hProcess, pszLibFileRemote, 0, MEM_RELEASE);

      if (hThread != NULL)
         CloseHandle(hThread);

      if (hProcess != NULL)
         CloseHandle(hProcess);
   }

   return(bOk);
}

///////////////////////////////////////////////////////////////////////////////


BOOL WINAPI InjectLibA(DWORD dwProcessId, PCSTR pszLibFile) {

   // Allocate a (stack) buffer for the Unicode version of the pathname
   SIZE_T cchSize = lstrlenA(pszLibFile) + 1;
   PWSTR pszLibFileW = (PWSTR)
      _alloca(cchSize * sizeof(wchar_t));

   // Convert the ANSI pathname to its Unicode equivalent
   StringCchPrintfW(pszLibFileW, cchSize, L"%S", pszLibFile);

   // Call the Unicode version of the function to actually do the work.
   return(InjectLibW(dwProcessId, pszLibFileW));
}


///////////////////////////////////////////////////////////////////////////////

[rlib]

Код:

BOOL WINAPI EjectLibW(DWORD dwProcessId, PCWSTR pszLibFile) {

   BOOL bOk = FALSE; // Assume that the function fails
   HANDLE hthSnapshot = NULL;
   HANDLE hProcess = NULL, hThread = NULL;

   __try {
      // Grab a new snapshot of the process
      hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
      if (hthSnapshot == INVALID_HANDLE_VALUE) __leave;

      // Get the HMODULE of the desired library
      MODULEENTRY32W me = { sizeof(me) };
      BOOL bFound = FALSE;
      BOOL bMoreMods = Module32FirstW(hthSnapshot, &me);
      for (; bMoreMods; bMoreMods = Module32NextW(hthSnapshot, &me)) {
         bFound = (_wcsicmp(me.szModule,  pszLibFile) == 0) ||
                  (_wcsicmp(me.szExePath, pszLibFile) == 0);
         if (bFound) break;
      }
      if (!bFound) __leave;

      // Get a handle for the target process.
      hProcess = OpenProcess(
         PROCESS_QUERY_INFORMATION |
         PROCESS_CREATE_THREAD     |
         PROCESS_VM_OPERATION,  // For CreateRemoteThread
         FALSE, dwProcessId);
      if (hProcess == NULL) __leave;

      // Get the real address of FreeLibrary in Kernel32.dll
      PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
         GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "FreeLibrary");

         if (pfnThreadRtn == NULL) __leave;

         // Create a remote thread that calls FreeLibrary()
         hThread = CreateRemoteThread(hProcess, NULL, 0,
            pfnThreadRtn, me.modBaseAddr, 0, NULL);
         if (hThread == NULL) __leave;

         // Wait for the remote thread to terminate
         WaitForSingleObject(hThread, INFINITE);

         bOk = TRUE; // Everything executed successfully
      }
      __finally { // Now we can clean everything up

         if (hthSnapshot != NULL)
            CloseHandle(hthSnapshot);

         if (hThread != NULL)
            CloseHandle(hThread);

         if (hProcess != NULL)
            CloseHandle(hProcess);
      }

      return(bOk);
   }


   ///////////////////////////////////////////////////////////////////////////////


   BOOL WINAPI EjectLibA(DWORD dwProcessId, PCSTR pszLibFile) {

      // Allocate a (stack) buffer for the Unicode version of the pathname
      SIZE_T cchSize = lstrlenA(pszLibFile) + 1;
      PWSTR pszLibFileW = (PWSTR)
         _alloca(cchSize * sizeof(wchar_t));

      // Convert the ANSI pathname to its Unicode equivalent
         StringCchPrintfW(pszLibFileW, cchSize, L"%S", pszLibFile);

      // Call the Unicode version of the function to actually do the work.
      return(EjectLibW(dwProcessId, pszLibFileW));
   }


   ///////////////////////////////////////////////////////////////////////////////


   BOOL Dlg_OnInitDialog(HWND hWnd, HWND hWndFocus, LPARAM lParam) {

      chSETDLGICONS(hWnd, IDI_INJLIB);
      return(TRUE);
   }

///////////////////////////////////////////////////////////////////////////////

void Dlg_OnCommand(HWND hWnd, int id, HWND hWndCtl, UINT codeNotify) {

   switch (id) {
      case IDCANCEL:
         EndDialog(hWnd, id);
         break;

      case IDC_INJECT:
         DWORD dwProcessId = GetDlgItemInt(hWnd, IDC_PROCESSID, NULL, FALSE);
         if (dwProcessId == 0) {
            // A process ID of 0 causes everything to take place in the
            // local process; this makes things easier for debugging.
            dwProcessId = GetCurrentProcessId();
         }

         TCHAR szLibFile[MAX_PATH];
         GetModuleFileName(NULL, szLibFile, _countof(szLibFile));
         PTSTR pFilename = _tcsrchr(szLibFile, TEXT('\\')) + 1;
         _tcscpy_s(pFilename, _countof(szLibFile) - (szLibFile - szLibFile),
             TEXT("22-ImgWalk.DLL"));
         if (InjectLib(dwProcessId, szLibFile)) {
             chVERIFY(EjectLib(dwProcessId, szLibFile));
             chMB("DLL Injection/Ejection successful.");
         } else {
             chMB("DLL Injection/Ejection failed.");
         }
         break;
   }
}


///////////////////////////////////////////////////////////////////////////////


INT_PTR WINAPI Dlg_Proc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam) {

   switch (uMsg) {
      chHANDLE_DLGMSG(hWnd, WM_INITDIALOG, Dlg_OnInitDialog);
      chHANDLE_DLGMSG(hWnd, WM_COMMAND,    Dlg_OnCommand);
   }
   return(FALSE);
}


///////////////////////////////////////////////////////////////////////////////


int WINAPI _tWinMain(HINSTANCE hInstExe, HINSTANCE, PTSTR pszCmdLine, int) {

   DialogBox(hInstExe, MAKEINTRESOURCE(IDD_INJLIB), NULL, Dlg_Proc);
   return(0);
}

 //////////////////////////////// End of File //////////////////////////////////

[Dizelektwo]

Ошибок я в своем коде наделал жестоких. Это все из за недопонимания.
Теперь, вроде, все косяки исправил, проблема остается.
В упор не вижу ошибку. Архитектура ОС win7 64x может быть причиной?

Код:

#include "stdafx.h"
#include "process.h"
#include "windows.h"
#include "iostream"
#include "tlhelp32.h"

using namespace std;

int _tmain(int argc, _TCHAR* argv[])
{

DWORD ipthid,wrb;
char notepad[]="notepad.exe";
char dllPath[]="D:\\dlltest.dll";

HMODULE hint;

LPTHREAD_START_ROUTINE GetDll =(LPTHREAD_START_ROUTINE) GetProcAddress(GetModuleHandle("Kernel32.dll"),"LoadLibraryA");

if(GetDll==NULL) { MessageBox(0,"error","GetDll",0);}



HANDLE hprocess=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL); 
PROCESSENTRY32 stprocess;
stprocess.dwSize=sizeof(stprocess);

bool next=Process32First(hprocess,&stprocess);

while(next) {
	
    next=Process32Next(hprocess,&stprocess);
	if(!strcmp(stprocess.szExeFile,notepad)) { break; }

}

int processId=stprocess.th32ProcessID;



HANDLE popen=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_ALL_ACCESS|PROCESS_VM_WRITE|PROCESS_VM_OPERATION|PROCESS_QUERY_INFORMATION ,false,processId);
if(popen==NULL) {MessageBox(0,"error opening","!",0);}



LPVOID pszLibFileRemote = VirtualAllocEx(popen,0, sizeof(dllPath)+2, MEM_COMMIT,PAGE_EXECUTE_READWRITE);

if(pszLibFileRemote==NULL) { MessageBox(0,"error alloc","!",0);} 

else {

	WriteProcessMemory(popen,pszLibFileRemote,(LPVOID) dllPath, sizeof(dllPath)+2, &wrb);
	
HANDLE cprocess=CreateRemoteThread(popen, 0, 0,(LPTHREAD_START_ROUTINE) GetDll,pszLibFileRemote, 0, &ipthid);
 
if(cprocess==NULL) { MessageBox(0,"error remote thread","!",0); exit(1);} 


WaitForSingleObject(cprocess, INFINITE);
}

VirtualFreeEx(popen,NULL,sizeof(dllPath)+2,MEM_DECOMMIT);
  

CloseHandle(popen);
system("pause");
	return 0;
}

[rlib]

А где у вас ДЛЛ-ина которую вы инжектите лежит?

[Dizelektwo]

На диске D, так же есть и в папке проекта. Менял директории, ошибка одна и та же.
Именно при создании потока. Да, тут еще добавил дебаг привелегии, результат не изменился. В общем каша какая-то.

Наверно проблема с либами. Пробовал и с явной точкой входа и без явной.

Код:

dllhead.h

#include "stdafx.h"
#include "iostream"

using namespace std;

extern "C++" _declspec(dllexport) int myfunction(int, int);
extern "C++" _declspec(dllexport) int outmsg();

_ _ _ _ _ _ _ _ _ _

#include "stdafx.h"
#include "dllhead.h"

extern "C++" _declspec(dllexport) int myfunction(int one,int two) {
	int sum=one+two;
	return sum;

}

extern "C++" _declspec(dllexport) int outmsg() {

	MessageBox(0,"lib_inject OK","yes",0);

	return 0;
}

______________________________________



void OutMsg() {

	MessageBoxW(0,L"inject_ok",L"ok",0);

	
}

void OutMsg2() {

     MessageBoxW(0,L"good",L"bay my inj",0);

}

BOOL WINAPI DllMain( HMODULE hModule,DWORD dwReason,LPVOID lpReserved)
{
switch (dwReason)
{
case DLL_PROCESS_ATTACH:

	OutMsg();
	

break;

case DLL_PROCESS_DETACH:

OutMsg2();

break;
}
return TRUE;
}

[Dizelektwo]

вопрос решен. спасибо

Код:

void EnableDebugPrivilege()
{
    static char Priv[] = "SeDebugPrivilege";
    static LUID luid;
    static PHANDLE hToken;
    static TOKEN_PRIVILEGES tkp;
    static DWORD ReturnLength;
    OpenProcessToken(INVALID_HANDLE_VALUE, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,(PHANDLE)&hToken);
    if(!LookupPrivilegeValue(NULL,(char*)&Priv,&luid))
    {
        CloseHandle(hToken);
        return;
    }
    else
    tkp.PrivilegeCount = TRUE;
    tkp.Privileges->Luid.LowPart = luid.LowPart;
    tkp.Privileges->Luid.HighPart = luid.HighPart;
    tkp.Privileges->Attributes = SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges(hToken,NULL,&tkp,sizeof(tkp),&tkp,&ReturnLength);
}



int _tmain(int argc, _TCHAR* argv[])
{
	
EnableDebugPrivilege();
DWORD ipthid,wrb;
char notepad[]="firefox.exe";
char dllPath[]="D:\\d.dll";


HMODULE hint;

LPTHREAD_START_ROUTINE GetDll =(LPTHREAD_START_ROUTINE) GetProcAddress(GetModuleHandle("Kernel32.dll"),"LoadLibraryA");

if(GetDll==NULL) { MessageBox(0,"error","GetDll",0);}



HANDLE hprocess=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL); 
PROCESSENTRY32 stprocess;
stprocess.dwSize=sizeof(stprocess);

bool next=Process32First(hprocess,&stprocess);

while(next) {
	
    next=Process32Next(hprocess,&stprocess);
	if(!strcmp(stprocess.szExeFile,notepad)) { break; }

}

DWORD processId=stprocess.th32ProcessID;



HANDLE popen=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_ALL_ACCESS|PROCESS_VM_WRITE|PROCESS_VM_OPERATION ,false,processId);
if(popen==NULL) {MessageBox(0,"error opening","!",0);}



LPVOID pszLibFileRemote = VirtualAllocEx(popen,0, strlen(dllPath)+1, MEM_COMMIT,PAGE_EXECUTE_READWRITE);

if(pszLibFileRemote==NULL) { MessageBox(0,"error alloc","!",0);} 

else {

	
	WriteProcessMemory(popen,pszLibFileRemote,dllPath, strlen(dllPath), &wrb);
	
	HANDLE cprocess=CreateRemoteThread(popen, 0, 0,(LPTHREAD_START_ROUTINE) GetDll,pszLibFileRemote, 0, &ipthid);
 
if(cprocess==NULL) { MessageBox(0,"error remote thread","!",0); exit(1);} 


WaitForSingleObject(cprocess, INFINITE);
}

VirtualFreeEx(popen,NULL,strlen(dllPath)+1,MEM_DECOMMIT);
  
CloseHandle(popen);
system("pause");
	return 0;
}