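DWORD dwHandle = 0;
// Run GetModuleHandleA on a new thread inside the target. lpParameter must
// point at the module-name string already written into the target's
// address space (not a pointer from this process).
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
                                    (LPTHREAD_START_ROUTINE)GetModuleHandleA,
                                    lpParameter, 0, &dwTid);
if (hThread != NULL) {
    WaitForSingleObject(hThread, INFINITE);
    // The thread's exit code is GetModuleHandleA's return value (see MSDN,
    // GetExitCodeThread: https://msdn.microsoft.com/en-us/library/windows/desktop/ms683190(v=vs.85).aspx).
    // Exit codes are 32-bit DWORDs, but in a 64-bit target an HMODULE is a
    // 64-bit pointer, so the upper half (the 0x7ffc of 0x7ffc6bce0000) is
    // lost here. Use dwHandle only as a zero/non-zero success flag; obtain
    // the real base address by enumerating the target's modules instead
    // (Toolhelp32 / EnumProcessModulesEx), never by widening this value.
    GetExitCodeThread(hThread, &dwHandle);
    CloseHandle(hThread); // the original leaked the thread handle
}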
Process Hacker shows the injected DLL's base address as 0x7ffc6bce0000.
After `GetExitCodeThread(hThread, &dwHandle)` completes, dwHandle is 0x6bce0000: the upper 0x7ffc has been lost. 0x7ffc6bce0000 does not fit in a DWORD, so the high 32 bits are truncated, yet GetExitCodeThread's out-parameter is an LPDWORD. How do I get around this?
I'm on 64-bit Windows 10 with 4 GB of RAM.
2. I also tried another way to get the injected DLL's address: walking the target process's modules with MODULEENTRY32. But Module32First fails; in the debugger, MODULEENTRY32.modBaseAddr shows a "read/write string character error" while the other fields look normal. I tried CreateToolhelp32Snapshot with both TH32CS_SNAPMODULE and TH32CS_SNAPMODULE32 and get the same error. Any help is appreciated.
Reference: code fragments from the WinAPIOverride32 source (CodePudding user response):
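// Enable the named privilege (e.g. SE_DEBUG_NAME) in the current process
// token. Returns TRUE only if the privilege was actually enabled; FALSE when
// szDebugName is NULL, the lookup or token calls fail, or the token does not
// hold the privilege at all.
EXPORT BOOL EnablePrivilege(PCTSTR szDebugName) {
    HANDLE hToken = NULL;
    __try {
        if (szDebugName == NULL)
            __leave;
        TOKEN_PRIVILEGES priv = { 1, { { { 0, 0 }, SE_PRIVILEGE_ENABLED } } };
        // A failed lookup would leave the LUID as {0,0}; AdjustTokenPrivileges
        // would then "succeed" without enabling anything, so check it.
        if (!LookupPrivilegeValue(NULL, szDebugName, &priv.Privileges[0].Luid))
            __leave;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
            __leave;
        if (!AdjustTokenPrivileges(hToken, FALSE, &priv, sizeof(priv), NULL, NULL))
            __leave;
        // AdjustTokenPrivileges returns TRUE even when the token does not hold
        // the privilege; the only indication is ERROR_NOT_ALL_ASSIGNED. Without
        // this check a non-admin caller is told the privilege was enabled.
        if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
            __leave;
        return TRUE;
    } __finally {
        if (hToken != NULL)
            CloseHandle(hToken);
    }
    return FALSE;
}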
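// Return the PID of the first running process whose image file name matches
// szProcessName (case-insensitively, as Windows file names are), or 0 if no
// match is found, szProcessName is NULL, or the snapshot fails.
// NOTE(review): matching by image name only is not a trust decision - any
// process can be named "target.exe". Verify the full path (and, if it matters,
// the image signature) before acting on the returned PID.
EXPORT DWORD GetProcessIdByName(PCTSTR szProcessName) {
    HANDLE hSnapshot = INVALID_HANDLE_VALUE;
    __try {
        if (szProcessName == NULL)
            __leave;
        // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE,
        // not NULL; the original NULL test let a failed snapshot through to
        // Process32First and then CloseHandle'd INVALID_HANDLE_VALUE.
        hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hSnapshot == INVALID_HANDLE_VALUE)
            __leave;
        PROCESSENTRY32 ps = { sizeof(ps) }; // dwSize must be set before Process32First
        if (Process32First(hSnapshot, &ps)) {
            do {
                if (lstrcmpi(ps.szExeFile, szProcessName) == 0)
                    return ps.th32ProcessID;
            } while (Process32Next(hSnapshot, &ps));
        }
    } __finally {
        if (hSnapshot != INVALID_HANDLE_VALUE)
            CloseHandle(hSnapshot);
    }
    return 0;
}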
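// Find a module in process dwPID by module name or full path (compared
// case-insensitively) and return its base address as seen in THAT process.
// Returns NULL when szDllName is NULL, the snapshot fails, or nothing matches.
// The returned HMODULE is an address in the target's address space; it is
// not a module handle the caller can pass to GetProcAddress locally.
// NOTE(review): a 32-bit caller cannot enumerate the modules of a 64-bit
// target (the snapshot fails); run the injector at the target's bitness.
EXPORT HMODULE GetModuleHandleByName(DWORD dwPID, PCTSTR szDllName) {
    HANDLE hSnapshot = INVALID_HANDLE_VALUE;
    __try {
        if (szDllName == NULL)
            __leave;
        // TH32CS_SNAPMODULE can fail transiently with ERROR_BAD_LENGTH while
        // the target is still mapping modules; the documented remedy is to
        // retry. TH32CS_SNAPMODULE32 also lists the 32-bit modules of a WOW64
        // target when called from a 64-bit process.
        for (int attempt = 0; attempt < 5; ++attempt) {
            hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, dwPID);
            if (hSnapshot != INVALID_HANDLE_VALUE || GetLastError() != ERROR_BAD_LENGTH)
                break;
            Sleep(10);
        }
        // Failure is INVALID_HANDLE_VALUE, not NULL (the original checked NULL).
        if (hSnapshot == INVALID_HANDLE_VALUE)
            __leave;
        MODULEENTRY32 md = { sizeof(md) }; // dwSize must be set before Module32First
        if (Module32First(hSnapshot, &md)) {
            do {
                if (lstrcmpi(md.szModule, szDllName) == 0 ||
                    lstrcmpi(md.szExePath, szDllName) == 0)
                    return md.hModule;
            } while (Module32Next(hSnapshot, &md));
        }
    } __finally {
        if (hSnapshot != INVALID_HANDLE_VALUE)
            CloseHandle(hSnapshot);
    }
    return NULL;
}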
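// Load szDllName into process dwPID by writing the path into the target and
// running LoadLibrary on a remote thread. Returns TRUE only if LoadLibrary
// in the target returned a non-NULL module; FALSE on any failure.
//
// Security notes:
//  - Pass an absolute path. A bare file name is resolved by the TARGET's DLL
//    search order, which an attacker controlling a directory on that path
//    can hijack.
//  - This assumes the target has the same bitness as the injector: kernel32
//    is mapped at the same base in all processes of one bitness, so the
//    local LoadLibrary address is valid there. It is not valid across
//    bitness (32-bit injector into 64-bit target, or vice versa).
EXPORT BOOL LoadRemoteDll(DWORD dwPID, PCTSTR szDllName) {
    HANDLE hProcess = NULL;
    PVOID szRemoteDllName = NULL;
    HANDLE hThread = NULL;
    BOOL bLoaded = FALSE;
    __try {
        if (szDllName == NULL)
            __leave;
        // Least privilege: request only what VirtualAllocEx, WriteProcessMemory
        // and CreateRemoteThread need, rather than PROCESS_ALL_ACCESS.
        const DWORD dwAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                               PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
        if ((hProcess = OpenProcess(dwAccess, FALSE, dwPID)) == NULL)
            __leave;
        // Byte count of the path including its terminator, in the target's
        // character width (TCHAR).
        const SIZE_T cb = (lstrlen(szDllName) + 1) * sizeof(TCHAR);
        if ((szRemoteDllName = VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE)) == NULL)
            __leave;
        if (!WriteProcessMemory(hProcess, szRemoteDllName, szDllName, cb, NULL))
            __leave;
        // Pick the LoadLibrary variant matching the string we wrote.
#ifdef UNICODE
        const char *pszLoadLibrary = "LoadLibraryW";
#else
        const char *pszLoadLibrary = "LoadLibraryA";
#endif
        const PTHREAD_START_ROUTINE pfnLoadLibrary = (PTHREAD_START_ROUTINE)
            GetProcAddress(GetModuleHandle(TEXT("Kernel32")), pszLoadLibrary);
        if (pfnLoadLibrary == NULL)
            __leave;
        // The original compared with "=NULL" (an assignment); this is "==".
        if ((hThread = CreateRemoteThread(hProcess, NULL, 0, pfnLoadLibrary, szRemoteDllName, 0, NULL)) == NULL)
            __leave;
        if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0)
            __leave;
        // The thread's exit code is LoadLibrary's return value truncated to
        // 32 bits (exit codes are DWORDs), so on a 64-bit target it is only
        // safe to test it for zero. Zero means the DLL did not load; the
        // original returned TRUE regardless.
        DWORD dwExit = 0;
        if (!GetExitCodeThread(hThread, &dwExit) || dwExit == 0)
            __leave;
        bLoaded = TRUE;
    } __finally {
        if (hThread != NULL)
            CloseHandle(hThread);
        // Safe to release: the remote thread has finished with the string
        // by the time we get here (or was never started).
        if (szRemoteDllName != NULL)
            VirtualFreeEx(hProcess, szRemoteDllName, 0, MEM_RELEASE);
        if (hProcess != NULL)
            CloseHandle(hProcess);
    }
    return bLoaded;
}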
EXPORT BOOL FreeRemoteDll (DWORD dwPID, PCTSTR szDllName) {
HANDLE hProcess=NULL;
HANDLE hThread=NULL;
__try {
If (szDllName==NULL)
__leave;
If ((hProcess=OpenProcess (PROCESS_ALL_ACCESS, FALSE, dwPID))==NULL)
__leave;
Const PTHREAD_START_ROUTINE pfnFreeLibrary=PTHREAD_START_ROUTINE (GetProcAddress call (GetModuleHandle (TEXT (" Kernel32 ")), "FreeLibrary"));
If (pfnFreeLibrary==NULL)
__leave;
If ((hThread=CreateRemoteThread (hProcess, NULL, 0, pfnFreeLibrary, GetModuleHandleByName (dwPID, szDllName), 0, NULL))=NULL)
__leave;
The WaitForSingleObject (hThread, INFINITE);
Return TRUE;
} __finally {
If (hThread!=NULL)
The CloseHandle (hThread);
If (hProcess!=NULL)
The CloseHandle (hProcess);