[IMMER NOCH!] Problem mit CreateRemoteThread(), hilfe!
-
Hi,
ich versuche im moment ein Programm zu schreiben das einen thread in einem anderen Programm startet. Das ist erst mal mein Ansatz:
// Opens the process with id dwProcessID, copies the bytes lying between
// ThreadStart and ThreadEnd into a fresh executable region of that process
// and starts a remote thread at the copy.
// Returns false if any API call fails, true once CreateRemoteThread returned
// a handle. The thread handle returned by CreateRemoteThread is never closed
// here (handle leak), and the memory allocated in the target is never freed.
// NOTE(review): (DWORD)ThreadEnd - (DWORD)ThreadStart assumes the compiler
// placed the two functions back to back and that the copied bytes contain
// nothing that refers back into this module (relocations, helper calls,
// incremental-link thunks). Neither is guaranteed, so a fault inside the
// target at the copied address is a plausible outcome of that assumption.
// Also assumes a 32-bit build: casting pointers to DWORD truncates on x64.
bool InjectDLL( DWORD dwProcessID )
{
    HANDLE hProcess = 0;
    cout << "\n (2) Try to open process with all access ..." << endl;
    // PROCESS_ALL_ACCESS is far more than the calls below need; a
    // least-privilege request would name only the VM/thread rights used.
    hProcess = OpenProcess( PROCESS_ALL_ACCESS, 0, dwProcessID );
    if( !hProcess )
    {
        CloseHandle( hProcess ); // hProcess is NULL here; nothing to close
        return false;
    }
    cout << " Process handle was sucessfully recieved!" << endl;
    // ***** Allocate some memory in this process *****
    // Size of the "thread function" = distance between two function addresses
    // (see NOTE above; wraps to a huge value if ThreadEnd lies before ThreadStart).
    DWORD dwThreadSize = (DWORD)ThreadEnd - (DWORD)ThreadStart;
    cout << " Thread function size: " << dwThreadSize << endl;
    // Writable and executable at once (no W^X); the region is meant to hold code.
    LPVOID lpMemBase = VirtualAllocEx( hProcess, 0, dwThreadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );
    if( lpMemBase == 0 )
    {
        CloseHandle( hProcess );
        return false;
    }
    cout << " Allocated memory : " << hex << "0x" << lpMemBase << " - " << "0x" << (DWORD)lpMemBase + (DWORD)dwThreadSize << endl;
    // Raw byte copy of ThreadStart; the number of bytes written is not checked (last arg 0).
    if( ( WriteProcessMemory( hProcess, lpMemBase, (LPVOID)ThreadStart, dwThreadSize, 0 ) ) == 0 )
    {
        CloseHandle( hProcess ); // lpMemBase stays allocated in the target
        return false;
    }
    // ***** Start thread *****
    // No parameter is passed to the remote thread (lpParameter = 0); the
    // returned thread handle is discarded, so it can never be waited on or closed.
    if( ( CreateRemoteThread( hProcess, 0, 0, (LPTHREAD_START_ROUTINE)lpMemBase, 0, 0, 0 ) ) == 0 )
    {
        CloseHandle( hProcess );
        return false;
    }
    // ***** READY *****
    CloseHandle( hProcess );
    return true;
}
Was ich machen will? Ich habe eine Threadfunktion die ein paar dinge im fremden Process ausführen soll, dazu ermittle ich erst einmal die größe der funktion um mit VirtualAllocEx speicher im fremden process anzuforden und dort dann meine Threadfunktion reizu schreiben, bis hier her funktioniert auch alles. Aber ab CreateRemoteThread gibts Ärger:
Fehlermeldung:--------------------------- Victim.exe - Fehler in Anwendung --------------------------- Die Anweisung in "0x00d46c8c" verweist auf Speicher in "0x00d46c8c". Der Vorgang "read" konnte nicht auf dem Speicher durchgeführt werden. Klicken Sie auf "OK", um das Programm zu beenden. Klicken Sie auf "Abbrechen", um das Programm zu debuggen. --------------------------- OK Abbrechen ---------------------------Wo habe ich hier nen Fehler gemacht?
Gruß Tobi.
-
T0bi schrieb:
[...] die ein paar dinge im fremden Process ausführen soll [...]
Wenn Du Code in einen anderen Prozess injizierst, der die DLLs der Funktionen, die im injizierten Code aufgerufen werden, nicht geladen hat, kracht es. Da müsstest Du die Funktionsadresse absolut mitliefern (siehe dazu mal auf Codeproject.com). Besonders bei sehr systemnahen Prozessen ist das der Fall, bei Explorer.exe allerdings (z.B.) nicht. Hoffe, Du hast nix Böses vor.
-
Nein

Aber könntest du mir bitte noch mal deinen ersten Satz erläutern? Den hab ich jetzt gerade nicht gecheckt.
Gruß Tobi.
-
GetProcAddress helfen tut.
-
Kann es sein, dass es an dem WaitForSingleObject() liegt? Ich habe den letzten Teil jetzt einmal so abgeändert:
// ***** Start thread *****
// Fragment of InjectDLL's tail: start the remote thread at the copied code
// (no parameter, lpParameter = 0) and block until it exits.
HANDLE hThread = CreateRemoteThread( hProcess, 0, 0, (LPTHREAD_START_ROUTINE)lpMemBase, 0, 0, 0 );
if( !hThread )
{
    CloseHandle( hThread ); // hThread is NULL here; nothing to close
    CloseHandle( hProcess );
    return false;
}
// INFINITE: if the remote thread never returns, this process hangs with it.
WaitForSingleObject( hThread, INFINITE );
[EDIT]
Hm, klappt doch nicht ganz: Wenn ich die Threadfunktion leer lasse, klappt es; wenn ich dort aber Code ausführen will, knallt es wieder. hmmm...
Und jetzt gibts keinen krach.
-
Poste mal die Threadfunktion bzw. setze den auskommentierten Code zeilen/blockweise wieder ein.
Etwa feste Adressen dabei ?

-
Hier mal der ganze code, is ja net viel:
/*******************************************************************************
 Author  : Tobi
 Date    : 2rd March '08
 Project : Hook victim

 Remote-thread code injection: copy a local function into another process and
 run it there. The OpenProcess / VirtualAllocEx / WriteProcessMemory /
 CreateRemoteThread sequence below is the textbook injection pattern that
 process-monitoring tools look for; it needs at least the same integrity level
 as the target (or SeDebugPrivilege) to succeed.
*******************************************************************************/
//--- Includes -----------------------------------------------------------------
#include <windows.h>
#include <iostream>
using namespace std;

//--- Globals ------------------------------------------------------------------
// Signature of the hook DLL's MyMsgBox export; only referenced by the
// commented-out code in ThreadStart.
typedef int (*fpMyMsgBox)( HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType );

//--- Prototypes ---------------------------------------------------------------
DWORD WINAPI ThreadStart( LPVOID vParam );
void ThreadEnd( );
DWORD GetProcessID( const char *szWindowName );
bool InjectDLL( DWORD dwProcessID );

//--- Main ---------------------------------------------------------------------
// Looks up the process behind the window titled "Victim" and hands its PID to
// InjectDLL. Always exits with 0, so a caller cannot distinguish failure.
int main( int argc, char* argv[ ] )
{
    DWORD dwProcessID = 0;
    // ***** Set console title *****
    SetConsoleTitle( "Hook the victem o.O" );
    // ***** Get PID *****
    cout << "\n (1) Try to get PID ..." << endl;
    dwProcessID = GetProcessID( "Victim" );
    if( dwProcessID == 0 )
    {
        cout << " FAILED!" << endl;
        Sleep( 1500 );
        return 0;
    }
    cout << " PID: " << dwProcessID << endl;
    // ***** Try to open process and inject dll function *****
    if( !( InjectDLL( dwProcessID ) ) )
    {
        cout << " FAILED!" << endl;
        Sleep( 1500 );
        return 0;
    }
    getchar( );
    return 0;
}

//--- Definitions --------------------------------------------------------------
// ***** Thread *****
// The routine whose machine code is copied into the target. With both lines
// commented out it just returns 0. NOTE(review): even this empty body may be
// compiled with references into this module (incremental-link jump thunks,
// stack-check helpers) that do not exist in the target - TODO confirm against
// a disassembly of the built binary.
DWORD WINAPI ThreadStart( LPVOID vParam )
{
    // HINSTANCE hDLL = LoadLibrary( "VictimHook.dll" );
    // fpMyMsgBox fpMMB = (fpMyMsgBox)GetProcAddress( hDLL, "MyMsgBox" );
    return 0;
}

// Marker function: its address is taken as the end of ThreadStart's code.
// The toolchain does not guarantee that ThreadEnd directly follows ThreadStart,
// so the difference of the two addresses is not a reliable code size.
void ThreadEnd( )
{
}

// ***** this function receives a process id from window name *****
// Returns the PID of the process that owns the top-level window titled
// szWindowName, or 0 when FindWindow finds no such window.
DWORD GetProcessID( const char *szWindowName )
{
    DWORD dwProcessID = 0;
    HWND hWindow = 0;
    hWindow = FindWindow( 0, szWindowName );
    if( !hWindow )
    {
        return 0;
    }
    GetWindowThreadProcessId( hWindow, &dwProcessID );
    return dwProcessID;
}

// ***** This function inject my function from dll *****
// Copies ThreadStart into process dwProcessID, runs it as a remote thread and
// waits for it to finish. Returns false on any API failure. The memory
// allocated in the target is never freed. Assumes a 32-bit build: casting
// pointers to DWORD truncates on x64.
bool InjectDLL( DWORD dwProcessID )
{
    HANDLE hProcess = 0;
    cout << "\n (2) Try to open process with all access ..." << endl;
    // PROCESS_ALL_ACCESS is more than the calls below need; least privilege
    // would request only the VM and thread-creation rights actually used.
    hProcess = OpenProcess( PROCESS_ALL_ACCESS, 0, dwProcessID );
    if( !hProcess )
    {
        CloseHandle( hProcess ); // hProcess is NULL here; nothing to close
        return false;
    }
    cout << " Process handle was sucessfully recieved!" << endl;
    // ***** Allocate some memory in this process *****
    // See ThreadEnd: this "size" is only meaningful if the two functions are
    // laid out back to back; it wraps to a huge value if they are not.
    DWORD dwThreadSize = (DWORD)ThreadEnd - (DWORD)ThreadStart;
    cout << " Thread function size: " << dwThreadSize << endl;
    // Writable and executable at the same time (no W^X).
    LPVOID lpMemBase = VirtualAllocEx( hProcess, 0, dwThreadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );
    if( lpMemBase == 0 )
    {
        CloseHandle( hProcess );
        return false;
    }
    cout << " Allocated memory : " << hex << "0x" << lpMemBase << " - " << "0x" << (DWORD)lpMemBase + (DWORD)dwThreadSize << endl;
    // Raw byte copy; bytes-written count is not requested (last arg 0), so a
    // partial write goes unnoticed.
    if( ( WriteProcessMemory( hProcess, lpMemBase, (LPVOID)ThreadStart, dwThreadSize, 0 ) ) == 0 )
    {
        CloseHandle( hProcess ); // lpMemBase stays allocated in the target
        return false;
    }
    // ***** Start thread *****
    // No parameter is passed to the remote thread (lpParameter = 0).
    HANDLE hThread = CreateRemoteThread( hProcess, 0, 0, (LPTHREAD_START_ROUTINE)lpMemBase, 0, 0, 0 );
    if( !hThread )
    {
        CloseHandle( hThread ); // hThread is NULL here; nothing to close
        CloseHandle( hProcess );
        return false;
    }
    // INFINITE: a remote thread that never returns hangs this process too.
    WaitForSingleObject( hThread, INFINITE );
    // ***** READY *****
    CloseHandle( hThread );
    CloseHandle( hProcess );
    return true;
}
//--- EXIT ---------------------------------------------------------------------
Gruß Tobi.
-
Hiilfä

-
HIER das neueste Ding, geht aber immer noch nicht: ACCESS VIOLATION!
/***********************************************************************************
 Author  : Tobias Stein
 Data    : 6th March '08
 Project : WinApi hook
 Remarks : ---

 All Rights Reserved! (c)Copyright by Tobias Stein!

 Third revision: the remote thread now receives an INJECTDATA block holding
 the addresses of LoadLibraryA/GetProcAddress and a DLL name, and the injector
 enables SeDebugPrivilege first. The OpenProcess / VirtualAllocEx /
 WriteProcessMemory / CreateRemoteThread sequence is the textbook injection
 pattern that process-monitoring tools look for.
***********************************************************************************/
//--- Includes ---------------------------------------------------------------------
#include "stdafx.h"
using namespace std;

//--- Usertypes --------------------------------------------------------------------
// Pointer types for the kernel32 exports resolved in InjectDLL.
// NOTE(review): both typedefs use the compiler's default calling convention,
// while LoadLibraryA and GetProcAddress are declared WINAPI (stdcall). On 32-bit
// x86 a call through a pointer of the wrong convention leaves the stack
// unbalanced - a plausible cause of the access violation, TODO confirm.
typedef HINSTANCE (*fpLoadLibrary)( char* );
typedef FARPROC (*fpGetProcAddress)( HINSTANCE, char* );
typedef void (*fpMyFunction)( void ); // unused in this file
// Everything the remote thread needs, copied into the target process as one block.
typedef struct
{
    fpLoadLibrary LoadLib;       // address of LoadLibraryA in kernel32
    fpGetProcAddress GetProcAdd; // address of GetProcAddress in kernel32 (not used by ThreadProc)
    char szDLLName[ 128 ];       // DLL name passed to LoadLib
} INJECTDATA;

//--- Globals ----------------------------------------------------------------------
//--- Prototypes -------------------------------------------------------------------
DWORD GetPID( const char *szWindowName );
DWORD WINAPI ThreadProc( LPVOID vParam );
void ThreadEnd( );
bool InjectDLL( DWORD dwProcessID );
bool EnableDebugPrivilege( );

//--- Main -------------------------------------------------------------------------
// Looks up the process behind the window titled "WinApi Victim" and hands its
// PID to InjectDLL. Always exits with 0, so a caller cannot distinguish failure.
int main( int argc, char* argv[ ] )
{
    DWORD dwPID = 0;
    // ***** Set console name *****
    SetConsoleTitle( "WinApi Hook" );
    // ***** Get PID *****
    cout << "\n - Try to get process ID ..." << endl;
    dwPID = GetPID( "WinApi Victim" );
    if( dwPID == 0 )
    {
        cout << " FAILED!" << endl;
        Sleep( 1500 );
        return 0;
    }
    cout << " Process ID: " << dwPID << endl;
    if( !( InjectDLL( dwPID ) ) )
    {
        cout << " FAILED!" << endl;
        Sleep( 1500 );
        return 0;
    }
    getchar( );
    return 0;
}

//--- Definitions ------------------------------------------------------------------
// ***** This function get the PID from window name *****
// Returns the PID of the process owning the top-level window titled
// szWindowName, or 0 when FindWindow finds no such window.
DWORD GetPID( const char *szWindowName )
{
    HWND hWindow = 0;
    DWORD dwPID = 0;
    hWindow = FindWindow( 0, szWindowName );
    if( !hWindow )
        return 0;
    GetWindowThreadProcessId( hWindow, &dwPID );
    return dwPID;
}

// ***** Thread procedure *****
// Runs inside the target: loads the DLL named in the INJECTDATA block through
// the LoadLibraryA pointer carried in that block. The load result is ignored
// and the exit code is always 0, so the injector cannot learn whether the DLL
// was loaded. The bare DLL name is resolved on the target's DLL search path,
// not the injector's. NOTE(review): a debug build may still emit module-
// relative references (stack-check helpers, thunks) in this function - TODO
// confirm against a disassembly.
DWORD WINAPI ThreadProc( LPVOID vParam )
{
    INJECTDATA *iData = (INJECTDATA*)vParam;
    HINSTANCE hDLL = iData->LoadLib( iData->szDLLName );
    return 0;
}

// ***** End of thread function *****
// Marker function: its address is taken as the end of ThreadProc's code. The
// toolchain does not guarantee that ThreadEnd directly follows ThreadProc.
void ThreadEnd( )
{
}

// ***** DLL inject routine *****
// Copies an INJECTDATA block and ThreadProc into process dwProcessID, runs
// ThreadProc there with the block as parameter, waits for it, then releases
// both allocations. Returns false on any API failure.
// Known defects (documented, not fixed here):
//  - GetExitCodeThread is given (LPDWORD)iSuccess, i.e. the value 0 cast to a
//    pointer, instead of the address of a DWORD; the call writes through a
//    null pointer and iSuccess stays 0, so the function always returns false
//    after the remote thread has already run. ThreadProc also returns 0 on
//    purpose, so even a correct read would report "failure".
//  - Failure paths after VirtualAllocEx leave pMemData/pMemThread allocated
//    in the target.
//  - Pointers are cast to DWORD: 32-bit builds only.
bool InjectDLL( DWORD dwProcessID )
{
    DWORD rw; // bytes written by WriteProcessMemory; never compared with the requested size
    // ***** Get all access *****
    // Return value is ignored (it is always true anyway, see EnableDebugPrivilege).
    EnableDebugPrivilege( );
    // ***** Get process handle *****
    cout << "\n - Try to recieve the process handle ..." << endl;
    // PROCESS_ALL_ACCESS is more than the calls below need; least privilege
    // would request only the VM and thread-creation rights actually used.
    HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, 0, dwProcessID );
    if( !hProcess )
    {
        CloseHandle( hProcess ); // hProcess is NULL here; nothing to close
        return false;
    }
    cout << " Process handle: " << hex << hProcess << endl;
    // ***** Get Thread function size *****
    cout << "\n - Determine structur & thread function size ..." << endl;
    // Only meaningful if ThreadEnd is laid out directly after ThreadProc.
    DWORD dwThreadSize = (DWORD)ThreadEnd - (DWORD)ThreadProc;
    cout << " Inject structur size: " << dec << sizeof( INJECTDATA ) << " Bytes" << endl;
    cout << " Thread function size: " << dec << dwThreadSize << " Bytes" << endl;
    // ***** Allocate some memory for INJECTDATA *****
    cout << "\n - Try to allocate memory for INJECTDATA structur (" << sizeof( INJECTDATA ) << ") ..." << endl;
    // The data block is never executed; PAGE_READWRITE would be the
    // least-privilege protection here instead of PAGE_EXECUTE_READWRITE.
    LPVOID pMemData = VirtualAllocEx( hProcess, 0, sizeof( INJECTDATA ), MEM_COMMIT, PAGE_EXECUTE_READWRITE );
    if( pMemData == 0 )
    {
        CloseHandle( hProcess );
        return false;
    }
    cout << " Allocated memory: 0x" << hex << (DWORD)pMemData << " - 0x" << ( (DWORD)pMemData + sizeof( INJECTDATA ) ) << endl;
    // ***** Create INJECTDATA struct and write to allocated memory *****
    INJECTDATA iData;
    memset( &iData, 0, sizeof( INJECTDATA ) );
    // kernel32 is mapped at the same base in every process of a session, which
    // is what makes these local addresses usable in the target. GetProcAddress
    // results are not checked for NULL.
    iData.LoadLib = (fpLoadLibrary)GetProcAddress( GetModuleHandle( "Kernel32.dll" ), "LoadLibraryA" );
    iData.GetProcAdd = (fpGetProcAddress)GetProcAddress( GetModuleHandle( "Kernel32.dll" ), "GetProcAddress" );
    // Unbounded copy into a 128-byte buffer; fine for this literal, unsafe for any longer name.
    strcpy( iData.szDLLName, "WinApiHookDLL.dll" );
    cout << "\n - Write IINJECTDATA struct to allocated memory (" << dec << (DWORD)pMemData << ") ..." << endl;
    rw = 0;
    if( ( WriteProcessMemory( hProcess, (LPVOID)pMemData, &iData, sizeof( INJECTDATA ), &rw ) ) == 0 )
    {
        CloseHandle( hProcess ); // pMemData stays allocated in the target
        return false;
    }
    cout << " Done!" << endl;
    // ***** Allocate some memory for thread func *****
    cout << "\n - Try to allocate memory for thread function (" << dwThreadSize << ") ..." << endl;
    LPVOID pMemThread = VirtualAllocEx( hProcess, 0, dwThreadSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
    if( pMemThread == 0 )
    {
        CloseHandle( hProcess ); // pMemData stays allocated in the target
        return false;
    }
    cout << " Allocated memory: 0x" << hex << (DWORD)pMemThread << " - 0x" << ( (DWORD)pMemThread + dwThreadSize ) << endl;
    // ***** Write thread function to allocated memory *****
    cout << "\n - Write Thread function to allocated memory (" << dec << (DWORD)pMemThread << ") ..." << endl;
    rw = 0;
    if( ( WriteProcessMemory( hProcess, (LPVOID)pMemThread, ThreadProc, dwThreadSize, &rw ) ) == 0 )
    {
        CloseHandle( hProcess ); // both target allocations leak
        return false;
    }
    cout << " Done!" << endl;
    // ***** Now start remote thread *****
    cout << "\n - Start remote thread ..." << endl;
    // pMemData (target-side copy of iData) is the thread parameter.
    HANDLE hThread = CreateRemoteThread( hProcess, 0, 0, (LPTHREAD_START_ROUTINE)pMemThread, pMemData, 0, 0 );
    if( !hThread )
    {
        CloseHandle( hThread ); // hThread is NULL here; nothing to close
        CloseHandle( hProcess );
        return false;
    }
    // INFINITE: a remote thread that never returns hangs this process too.
    WaitForSingleObject( hThread, INFINITE );
    int iSuccess = 0;
    // BUG: (LPDWORD)iSuccess is a null pointer, not &iSuccess (see header note).
    GetExitCodeThread( hThread, (LPDWORD)iSuccess );
    if( iSuccess == 0 )
    {
        CloseHandle( hThread ); // target allocations are not released on this path
        CloseHandle( hProcess );
        return false;
    }
    cout << " Thread was successfully started!" << endl;
    // ***** Free allocated memory *****
    // Safe only because the thread has already been waited on above.
    cout << " - Try to free allocated memory ..." << endl;
    if( ( VirtualFreeEx( hProcess, pMemData, 0, MEM_RELEASE ) ) == 0 )
    {
        CloseHandle( hThread );
        CloseHandle( hProcess );
        return false;
    }
    if( ( VirtualFreeEx( hProcess, pMemThread, 0, MEM_RELEASE ) ) == 0 )
    {
        CloseHandle( hThread );
        CloseHandle( hProcess );
        return false;
    }
    cout << " Free memory done!" << endl;
    // ***** READY *****
    CloseHandle( hThread );
    CloseHandle( hProcess );
    return true;
}

// ***** Get more access *****
// Tries to enable SeDebugPrivilege on the current process token so that
// OpenProcess succeeds on targets the caller would otherwise be denied.
// Always returns true: no return value below is checked, so a caller cannot
// tell whether the privilege was actually enabled. Notes:
//  - hToken is left uninitialised if OpenProcessToken fails, and is then
//    passed to AdjustTokenPrivileges and CloseHandle.
//  - The privilege is spelled "seDebugPrivilege"; the SE_DEBUG_NAME constant
//    would avoid relying on the lookup's case handling (TODO confirm).
//  - AdjustTokenPrivileges reports success even when the privilege was not
//    assigned (GetLastError() == ERROR_NOT_ALL_ASSIGNED), which is the normal
//    outcome for a non-administrative token; that case is not detected here.
//  - GetCurrentProcess() returns a pseudo-handle; CloseHandle on it is a no-op.
bool EnableDebugPrivilege( )
{
    TOKEN_PRIVILEGES priv;
    HANDLE hThis, hToken;
    LUID luid;
    hThis = GetCurrentProcess();
    OpenProcessToken(hThis, TOKEN_ADJUST_PRIVILEGES, &hToken);
    LookupPrivilegeValue(0, "seDebugPrivilege", &luid);
    priv.PrivilegeCount = 1;
    priv.Privileges[0].Luid = luid;
    priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges(hToken, false, &priv, 0, 0, 0);
    CloseHandle(hToken);
    CloseHandle(hThis);
    return true;
}
//--- EXIT -------------------------------------------------------------------------