使用 C 崩溃记事本进行 DLL 注入

DLL injection using C crash notepad

我使用 C 和 DLL 创建了一个 DLL 注入程序。当我尝试 运行 程序时,目标进程崩溃(我尝试了记事本和 cmd)。我正在将注入器和 DLL 编译为 64 位。使用 Visual Studio.

编译的程序和 DLL

经过一些检查,如果我删除 CreateRemoteThread 程序将不会崩溃,并且注入 DLL(当然不执行 DLL)。

我尝试使用 RUNDLL32.exe 来检查 DLL 是否有问题并且我已经能够看到消息框。

喷油器:

#include <Windows.h>
#include <stdio.h>

int main() {
    // The DLL path we want to inject and the target process id.
    LPCSTR dllpath = "C:\Users\....\hello-world.dll";
    int processID = 2980;

    printf("#### Starting ####\n");

    // Open target process handle    
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processID);
    if (hProcess == NULL) {

        //close handles
        CloseHandle(hProcess);

        printf("[!] Unable to find the target process id: %d\n" , processID);
        return 1;
    }
    printf("[+] Open target process handle\n");

    // Getting targt memory address for the dll path
    LPVOID dllpathMemoryAddr = VirtualAllocEx(hProcess, NULL, strlen(dllpath) + 1, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (dllpathMemoryAddr == NULL) {

        //close handles
        CloseHandle(hProcess);

        printf("[!] Unable to get memory address of target process for the dllpath");
        return 1;
    }
    printf("[+] Allocate the memory address to store the dllpath\n");

    // Writing the dll path to the target memory address
    BOOL succeedWrite = WriteProcessMemory(hProcess, dllpathMemoryAddr, dllpath, strlen(dllpath) + 1, NULL);
    if (!succeedWrite) {

        //close handles
        CloseHandle(hProcess);

        printf("[!] Unable to write to the memory address of target process the dllpath\n");
        return 1;
    }
    printf("[+] Writed the dllpath to memory\n");

    // Getting LoadLibreryA address
    FARPROC loadLibAddr = 
        (GetModuleHandle(TEXT("kernel32.dll")), "LoadLibraryA");
    if (loadLibAddr == NULL) {
        // free the memory 
        VirtualFreeEx(hProcess, dllpathMemoryAddr, 0, MEM_RELEASE);

        //close handles
        CloseHandle(hProcess);

        printf("[!] Unable to get the memory address of LoadLibraryA function\n");
        return 1;
    }
    printf("[+] Allocate the memory address to LoadLibraryA function\n");

    // Create remote thread on the remote process to load the dll
    HANDLE rThread = CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)loadLibAddr, dllpathMemoryAddr, 0, NULL);
    if (rThread == NULL) {
        // free the memory 
        VirtualFreeEx(hProcess, dllpathMemoryAddr, 0, MEM_RELEASE);

        //close handles
        CloseHandle(hProcess);

        printf("[!] Unable to create thread to execute the LoadLibraryA function\n the error: %u\n", GetLastError());
        return 1;
    }
    printf("[+] Created remote thread to execute the dll\n");
    // Waiting to opertion to complete
    WaitForSingleObject(rThread, INFINITE);

    // free the memory 
    VirtualFreeEx(hProcess, dllpathMemoryAddr, 0, MEM_RELEASE);

    //close handles
    CloseHandle(hProcess);
    CloseHandle(rThread);

    printf("#### DLL INJECTED ####\n");


    return TRUE;
}

DLL

#define WIN32_LEAN_AND_MEAN
#include <stdio.h>
#include <windows.h>

extern "C" __declspec(dllexport)
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved) {
  switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
      MessageBox(NULL, "Hello world!", "Hello World!", NULL);
      break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
      break;
  }
  return TRUE;
}

输出:

#### Starting ####
[+] Open target process handle
[+] Allocate the memory address to store the dllpath
[+] Writed the dllpath to memory
[+] Allocate the memory address to LoadLibraryA function
[+] Created remote thread to execute the dll
#### DLL INJECTED ####

如果我正确理解了 OP 的评论,主要问题是 OP 最初使用了以下行(在编辑问题之前):

BOOL succeedWrite = WriteProcessMemory(hProcess, dllpathMemoryAddr, dllpath, strlen(dllpath), NULL);

通过写入 strlen(dllpath) 而不是 strlen(dllpath) + 1 字节,OP 没有将字符串的终止空字符写入远程进程。因此,当该非终止字符串作为函数参数传递给 LoadLibraryA.

时,远程进程可能会崩溃

正如评论部分所指出的,代码还存在一些其他问题,但这些问题不太可能是崩溃的原因。