Running code inside an injected DLL's DllMain causes the injection to time out

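So I am trying to inject a DLL into a process. So far I have managed to inject the DLL into the process, but I can't add any code to run inside the injected DLL's DllMain. When DllMain looks like the code below, it seems to work: the target application runs and Process Explorer shows that the DLL has been loaded.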

BOOL WINAPI DllMain(HANDLE hDllHandle, DWORD dwReason, LPVOID lpreserved)
{
    switch (dwReason)
    {
        case DLL_PROCESS_ATTACH:
            break;
        case DLL_PROCESS_DETACH:
            break;
    };

    return TRUE;
}

However, when I add any code under DLL_PROCESS_ATTACH, it causes the injection to time out. This is what I have been trying to load:

extern "C" {
    BOOL WINAPI DllMain(HANDLE hDllHandle, DWORD dwReason, LPVOID lpreserved)
    {
        switch (dwReason)
        {
            case DLL_PROCESS_ATTACH:
                MessageBox(0, "Hello, world!", "Hello!", 0);
                break;
            case DLL_PROCESS_DETACH:
                break;
         };

         return TRUE;
    }
}

Here is how I inject the DLL:

bool InjectDLL(PROCESS_INFORMATION* pInfo, const char* dllPath) {
    bool result = false;
    HANDLE nmsProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pInfo->dwProcessId);
    if (nmsProcess) {
        LPVOID baseAddress = VirtualAllocEx(nmsProcess, NULL, strlen(dllPath) + 1, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        if (baseAddress) {
            LPVOID loadLibraryAddress = (LPVOID)GetProcAddress(LoadLibraryA("kernel32.dll"), "LoadLibraryA");
            WriteProcessMemory(nmsProcess, baseAddress, dllPath, strlen(dllPath) + 1, NULL);
            HANDLE thread = CreateRemoteThread(nmsProcess, NULL, 0, (LPTHREAD_START_ROUTINE)loadLibraryAddress, baseAddress, 0, 0);
            if (thread != NULL) {
                switch (WaitForSingleObject(thread, 5000)) {
                    case WAIT_OBJECT_0:
                        cout << "Injected" << endl;
                        result = TRUE;
                        break;
                    case WAIT_ABANDONED:
                        cout << "Abandoned" << endl;
                        break;
                    case WAIT_TIMEOUT:
                        cout << "Timed out" << endl;
                        break;
                    case WAIT_FAILED:
                        cout << "Failed"<< endl;
                        break;
                }
                CloseHandle(thread); // only close a handle that was actually created
            }
            else {
                cout << "Error: \n" << GetLastError() << endl;
            }
        }
        else {
            cout << "Error: \n" << GetLastError() << endl;
        }
        VirtualFreeEx(nmsProcess, baseAddress, 0, MEM_RELEASE);
        CloseHandle(nmsProcess);
    }
    return result;
}

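I am fairly new to DLL injection, so I may have made a mistake somewhere in the injection; any help would be appreciated.

Edit:

I also tried calling MessageBox from another function, but the result was the same: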

extern "C" {
    void Init(void) {
        MessageBox(0, "Hello, world!", "Hello!", 0);
    }

    BOOL WINAPI DllMain(HANDLE hDllHandle, DWORD dwReason, LPVOID lpreserved)
    {
        switch (dwReason)
        {
        case DLL_PROCESS_ATTACH:
            Init();
            break;
        case DLL_PROCESS_DETACH:
            break;
        };

        return TRUE;
    }
}

It turned out that the solution (thanks to Hans Passant and Christian.K) was to call the function in a new thread, like this:

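extern "C" {
    // Thread procedure: must match LPTHREAD_START_ROUTINE (DWORD WINAPI f(LPVOID)).
    DWORD WINAPI Init(LPVOID) {
        MessageBox(0, "Hello, world!", "Hello!", 0);
        return 0;
    }

    BOOL WINAPI DllMain(HANDLE hDllHandle, DWORD dwReason, LPVOID lpreserved)
    {
        switch (dwReason)
        {
        case DLL_PROCESS_ATTACH:
        {
            // DllMain runs under the loader lock, so blocking work is moved to a
            // new thread and DllMain returns immediately.
            HANDLE hThread = CreateThread(NULL, 0, Init, NULL, 0, NULL);
            if (hThread)
                CloseHandle(hThread); // the thread keeps running; only the handle is released
            break;
        }
        case DLL_PROCESS_DETACH:
            break;
        };

        return TRUE;
    }
}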