Asked by use*_*124 · score 1 · tags: delphi, dll, dll-injection
I have a simple DLL that I inject into Notepad purely for testing purposes. My injector code is this:
program Injector; // program heading added; the post omitted it

uses
  Windows;

var
  BytesWritten: cardinal;
  PID, Process, Thread, ThreadId, hKernel: dword;
  pLoadLibrary, Paramaters: pointer;
  DLL: AnsiString;
begin
  DLL := 'C:\test.dll'; // Must be full path name.
  PID := 3160;          // process id of the target notepad.exe
  Process := OpenProcess(PROCESS_ALL_ACCESS, False, PID);
  // As posted: only Length(DLL) bytes are allocated and written, so the
  // string in the target has no terminating NUL (see the answer below).
  Paramaters := VirtualAllocEx(Process, nil, Length(DLL), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  WriteProcessMemory(Process, Paramaters, PAnsiChar(DLL), Length(DLL), BytesWritten);
  // kernel32.dll is mapped at the same base in every 32-bit process of the
  // session, so the local address of LoadLibraryA is valid in the target.
  hKernel := GetModuleHandle('KERNEL32.DLL');
  pLoadLibrary := GetProcAddress(hKernel, 'LoadLibraryA');
  // Run LoadLibraryA(Paramaters) on a new thread inside the target process.
  Thread := CreateRemoteThread(Process, nil, 0, pLoadLibrary, Paramaters, 0, ThreadId);
  WaitForSingleObject(Thread, INFINITE);
  VirtualFreeEx(Process, Paramaters, 0, MEM_RELEASE);
  CloseHandle(Thread);
  CloseHandle(Process);
end.
My DLL code is simple:
library Test; // library heading added; the post omitted it

uses
  SysUtils,
  Classes,
  Windows;

{$R *.res}

// As posted: the stdcall here is the defect the accepted answer identifies
// (TDLLProc uses the default register calling convention).
procedure EntryPoint(Reason: dword); stdcall;
begin
  if Reason = DLL_PROCESS_ATTACH then
  begin
    MessageBox(0, 'DLL Injected', 'DLL Injected', 0);
  end;
end;

begin
  DLLProc := @EntryPoint; // @ yields an untyped pointer, so no type check
  EntryPoint(DLL_PROCESS_ATTACH);
end.
When I inject the DLL into the Notepad process I get the MessageBox saying DLL Injected, but a few seconds later it crashes with: Exception EAccessViolation in module test.dll at 00FFE102. Access violation at address 00FFF102. Write of address 00FFF102. I am using Delphi 2010, Windows 7 x64, administrator rights, no UAC, and both Notepad and the DLL are 32-bit...
Your EntryPoint function is declared incorrectly. It should not use stdcall. The correct declaration is:

procedure EntryPoint(Reason: Integer);

Check the RTL source for the declaration of TDLLProc, or refer to the documentation, to confirm that this is accurate.

If only you had not used the @ operator when assigning to DLLProc, the compiler would have been able to tell you this.

As Sertac says, you should also include a null terminator in the file name that you write to the target process.
Views: 1706