如果你看看一个简单的DLL注入的以下工作代码:DLL注入用CreateRemoteThread
//Open the target process with read , write and execute priviledges
Process = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_QUERY_INFORMATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_VM_OPERATION, FALSE, ID);
//Get the address of LoadLibraryA
LoadLibrary = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
// Allocate space in the process for our DLL
Memory = (LPVOID)VirtualAllocEx(Process, NULL, strlen(dll)+1, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
// Write the string name of our DLL in the memory allocated
WriteProcessMemory(Process, (LPVOID)Memory, dll, strlen(dll)+1, NULL);
// Load our DLL
CreateRemoteThread(Process, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibrary, (LPVOID)Memory, NULL, NULL);
//Let the program regain control of itself
CloseHandle(Process);
的事情让我困惑的是,GetProcAddress
回报的LoadLibraryA
温控功能地址当前进程,如何你可以通过它作为参数CreateRemoteThread
和期望目标进程来运行它吗?
由于CreateRemoteThread将'LoadLibrary'作为参数并对其进行调用。由于它也需要'Memory'作为参数,这是它传递给'LoadLibrary'的参数。 – Brandon
这仍然无法解释为什么你需要当前进程**的'LoadLibrary'函数地址。 'Memory'是dll名称的地址,为什么不只是将'LoadLibrary'作为一个字符串传递,如果你只是想调用它? –
因为在其他过程中的偏移量将完全相同。如果其他进程是x32并且进程是x32,则与kernel32的偏移量相同。如果您的进程是x64,而另一个进程是x64,则偏移量也是相同的。如果另一个进程是x32,而你的进程是x64,反之亦然,则偏移量将会不同,并且注入将失败。我相信User32.dll也始终加载在相同的偏移量。与Kernel32.dll类似 – Brandon