Help: remote thread creation fails in an automatic injection tool? Experts, please advise

Time:09-24

I am writing an automatic injection tool that injects a DLL into a process automatically, but while debugging, creating the remote thread fails.
I have confirmed that the DLL file is fine; I have now found that hthread=CreateRemoteThread(process, NULL, 0, funstart, paddr, 0, 0) fails.
Experts, please advise.
The code is as follows:
 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <tlhelp32.h>

// Elevate the current process token by enabling SeDebugPrivilege
BOOL opendebug(void)
{
    HANDLE htoken;        // our own process token
    BOOL fok = FALSE;     // whether enabling the privilege succeeded

    // Open the process token with the rights needed to adjust privileges
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &htoken))
    {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        // Look up the LUID of SeDebugPrivilege
        if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
        {
            printf("LookupPrivilegeValue failed: %lu\n", GetLastError());
        }
        else
        {
            tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            // AdjustTokenPrivileges returns TRUE even when the privilege is not
            // held by the token; ERROR_NOT_ALL_ASSIGNED in GetLastError reveals that
            if (!AdjustTokenPrivileges(htoken, FALSE, &tp, sizeof(tp), NULL, NULL))
            {
                printf("AdjustTokenPrivileges failed: %lu\n", GetLastError());
            }
            else if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
            {
                printf("SeDebugPrivilege is not held by this token\n");
            }
            else
            {
                fok = TRUE;
            }
        }
        CloseHandle(htoken);   // close the token
    }
    return fok;
}

// Find a process ID by executable name using a Toolhelp snapshot
DWORD findprocessid(const wchar_t *name)
{
    DWORD pid = 0;
    HANDLE hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hsnap == INVALID_HANDLE_VALUE)
    {
        printf("CreateToolhelp32Snapshot failed: %lu\n", GetLastError());
        return 0;
    }
    PROCESSENTRY32W pe32;
    pe32.dwSize = sizeof(pe32);
    if (Process32FirstW(hsnap, &pe32))
    {
        do
        {
            if (_wcsicmp(pe32.szExeFile, name) == 0)
            {
                puts("found it");
                pid = pe32.th32ProcessID;
                break;   // the original returned here without closing the snapshot
            }
        } while (Process32NextW(hsnap, &pe32));
    }
    CloseHandle(hsnap);   // close the snapshot
    return pid;
}

// DLL injection: make the target call LoadLibraryA on a path written into it
int dllinject(HANDLE process, const char *dllname, const char *funname)
{
    HANDLE hthread = NULL;
    SIZE_T dllnamelength = strlen(dllname) + 1;   // include the terminating NUL
    int result = -1;
    (void)funname;   // reserved for calling an export after loading; not used yet

    // Allocate memory for the path in the other process
    LPVOID paddr = VirtualAllocEx(process, NULL, dllnamelength, MEM_COMMIT, PAGE_READWRITE);
    if (paddr == NULL)
    {
        printf("process memory allocation failure: %lu\n", GetLastError());
        return -1;
    }

    // Write the path into the target
    if (!WriteProcessMemory(process, paddr, dllname, dllnamelength, NULL))
    {
        printf("WriteProcessMemory failed: %lu\n", GetLastError());
        VirtualFreeEx(process, paddr, 0, MEM_RELEASE);
        return -1;
    }
    printf("\nprocess memory allocation and copy succeeded\n");

    // kernel32.dll is mapped at the same base in every process of the same
    // bitness, so the LoadLibraryA address in our process is valid in the target
    HMODULE hmode = GetModuleHandleA("kernel32.dll");
    LPTHREAD_START_ROUTINE funstart =
        (LPTHREAD_START_ROUTINE)GetProcAddress(hmode, "LoadLibraryA");

    if (funstart != NULL)
    {
        // Start the remote thread: LoadLibraryA(paddr) in the target
        hthread = CreateRemoteThread(process, NULL, 0, funstart, paddr, 0, NULL);
    }

    if (hthread == NULL)
    {
        printf("\nopening remote thread failed: %lu\n", GetLastError());
    }
    else
    {
        // Wait for LoadLibraryA in the target to return
        WaitForSingleObject(hthread, INFINITE);
        printf("\nremote thread ended\n");
        CloseHandle(hthread);
        result = 0;
    }
    VirtualFreeEx(process, paddr, 0, MEM_RELEASE);
    return result;
}

// process executable name, DLL path, function name
int insertdll(const wchar_t *exename, const char *dllname, const char *funname)
{
    // Enable the debug privilege
    opendebug();
    // Look up the process ID
    DWORD processid = findprocessid(exename);

    if (processid != 0)
    {
        // Open the process with the access rights CreateRemoteThread documents as
        // required; the original asked only for CREATE_THREAD | VM_OPERATION | VM_WRITE
        HANDLE process = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                                     PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                                     FALSE, processid);
        if (process != NULL)
        {
            // Inject
            dllinject(process, dllname, funname);
            CloseHandle(process);
        }
        else
        {
            printf("OpenProcess failed: %lu\n", GetLastError());
        }
    }
    else
    {
        printf("process lookup failure\n");
    }
    return 0;
}

// main function
int main(void)
{
    // DLL path as posted; point it at the full path of your built DLL
    const char *dllname = "C:\\Users\\Administrator\\Documents\\visual studio 2015\\Projects\\injection tools to implement\\DLL DLL";
    insertdll(L"notepad.exe", dllname, "go");

    system("pause");
    return 0;
}

CodePudding user response:

Run it as an administrator.

CodePudding user response:

Teacher Zhao Si, when run as administrator, hthread=CreateRemoteThread(process, NULL, 0, funstart, paddr, 0, 0) still fails.
Could you help me take a look at where it is wrong?

CodePudding user response:

https://msdn.microsoft.com/zh-cn/library/windows/desktop/ms682437(v=vs.85).aspx

Call GetLastError to get the failure reason, then analyze it again.

CodePudding user response:

Teacher Paschen, hello. I called GetLastError and got 6, "the handle is invalid". That is to say, hthread=CreateRemoteThread(process, NULL, 0, funstart, paddr, 0, 0) is where it goes wrong, but I have carefully checked and all the parameters are fine; I don't know why the handle is invalid.

CodePudding user response:

Turn off UAC, the firewall and antivirus software.
Restart the computer and log in as the administrator user.
Run as an administrator.
Give the DLL a manifest with the tag that requires administrator rights.

CodePudding user response:

Turn off UAC, the firewall and antivirus software.
Restart the computer and log in as the administrator user.
Run as an administrator.
I have tried all of that, but I get the same error; I don't know why.

CodePudding user response:

Experts, please advise.

CodePudding user response:

Quoting the reply from zhouqunhai on floor 7:
Experts, please advise.


Uh, a 32-bit injector injects into 32-bit processes, and a 64-bit one into 64-bit processes.

The Notepad that ships with the system is 64-bit; if you want to inject into a 64-bit process from a 32-bit one, this code is not enough.

As for why not, you can search Baidu, or ask again.

CodePudding user response:

WinAPIOverride http://jacquelin.potier.free.fr/winapioverride32/

CodePudding user response:

Group Policy does not grant the permission.

CodePudding user response:
