C ++注入代码

问题描述

(完整代码请参阅下文)

我正在尝试在Visual C++ 2010 Express中运行此代码(http://www.codeproject.com/Tips/740480/Code-Injection-A-Generic-Approach-for-bit-and-bit)以将代码注入explorer.exe,但是当我从命令行运行它时,它输出“Error!”,这意味着CreateRemoteThread返回了0。我猜测

    // Excerpt from main() below: the remote data buffer is allocated and
    // written, then a thread is started in the target at the copied code.
    // The WriteProcessMemory result is not checked here.
    LPVOID DataAddress = VirtualAllocEx(p, NULL, sizeof(PARAMETERS), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(p, DataAddress, &data, sizeof(PARAMETERS), NULL);

HANDLE thread = CreateRemoteThread(p, NULL, 0, (LPTHREAD_START_ROUTINE)MyFuncAddress, DataAddress, 0, NULL);

由于某种原因无法为notepad.exe分配空间或找不到记事本?

我对C ++知之甚少,我试图理解这一点。我已经验证了是否可以返回正确的pid for Explorer(如果有帮助的话)(打印pid并通过任务列表进行了验证)。在Visual C ++中,我将其作为空白项目运行,并且在构建它时,它的构建没有错误。因此,我的一般思考过程是:代码有效,但是由于某种原因它不能正确分配空间或执行记事本?我熟悉Python,通常要做的是打印出许多调试步骤。我应该在这段代码中打印什么以帮助调试?

而且,在代码下面,我已经放置了调试信息。

/*
    Application:    Code injection into a running process.
    Author:            _RT
    Dated:            07-March-2014
*/

#include <windows.h>
#include <fstream>
#include <stdlib.h>

#pragma comment(lib,"advapi32.lib")
#pragma comment(lib,"user32.lib")

// Signature of kernel32!CreateProcessA, so the address obtained with
// GetProcAddress in main() can be called through a plain function pointer.
typedef BOOL (WINAPI* CreatePrcssParam)(LPCTSTR, LPTSTR, LPSECURITY_ATTRIBUTES, 
    LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCTSTR, LPVOID, LPVOID);

// Everything myFunc() needs, packed into one structure that main() copies
// into the target process, so myFunc() only has to dereference its single
// argument.
struct PARAMETERS{
    LPVOID CreateProcessInj;       // address of CreateProcessA, resolved in main()
    char lpApplicationName[50];    // inline copy of the path (a pointer into this process would be meaningless remotely)
    char lpCommandLine[10];        // filled by main(), but myFunc() passes NULL instead of it
    LPSECURITY_ATTRIBUTES lpProcessAttributes;
    LPSECURITY_ATTRIBUTES lpThreadAttributes;
    BOOL bInheritHandles;
    DWORD dwCreationFlags;
    LPVOID lpEnvironment;
    LPCTSTR lpCurrentDirectory;
    LPVOID lpStartupInfo;          // STARTUPINFO copy that main() placed in the target process
    LPVOID lpProcessInformation;   // PROCESS_INFORMATION buffer that main() placed in the target process
};

int privileges();                    // enables SE_DEBUG_NAME on this process's token; 0 on success, 1 on failure
DWORD myFunc(PARAMETERS * myparam);  // the routine whose machine code is copied into the target (defined static below)
DWORD Useless();    //used to calculate size of myFunc()

int main()
{
    // Enable SeDebugPrivilege first. The return value is not checked, so a
    // failure here only shows up later, when OpenProcess fails.
    privileges();

    _STARTUPINFOA si;
    PROCESS_INFORMATION pi;

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));

    // Locate the target by window title (per the question text this resolves
    // to explorer.exe). Neither call is checked: if FindWindow returns NULL,
    // pid may be left uninitialized and OpenProcess is called with garbage.
    DWORD pid;
    GetWindowThreadProcessId(FindWindow(NULL, "Start Menu"), &pid);

    HANDLE p;
    p = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
    if (p == NULL)
    {
        printf("ERROR");
        return 1; //error
    }

    char * AppName = "C:\\Windows\\system32\\notepad.exe";
    char * CmdLine = "";

  //Writing the structure vital for CreateProcess function
    // Both structures are copied into the target, because the CreateProcessA
    // call made by myFunc() needs pointers valid in *that* address space.
    LPVOID StrtUpInfo = VirtualAllocEx(p, NULL, sizeof(si), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(p, StrtUpInfo, &si, sizeof(si), NULL);

    // NOTE: the allocation is sized with sizeof(si) while the write uses
    // sizeof(pi); the two should use the same size expression.
    LPVOID PrcssInfo = VirtualAllocEx(p, NULL, sizeof(si), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(p, PrcssInfo, &pi, sizeof(pi), NULL);
  //=========================================================

    PARAMETERS data = {0};
    // NOTE(review): the address resolved here is used as-is inside the target,
    // i.e. the code assumes kernel32.dll is mapped at the same base in both
    // processes; nothing verifies that. GetProcAddress may also return NULL.
    HMODULE Kernel32 = LoadLibrary("Kernel32.dll");
    data.CreateProcessInj = GetProcAddress(Kernel32, "CreateProcessA");
    strcpy_s(data.lpApplicationName,AppName);   // C++ template overload deduces the array size
    strcpy_s(data.lpCommandLine, CmdLine);
    data.lpProcessAttributes = NULL;
    data.lpThreadAttributes = NULL;
    data.bInheritHandles = FALSE;
    data.dwCreationFlags = NULL;   // NULL used as 0 for a DWORD: no creation flags
    data.lpEnvironment = NULL;
    data.lpCurrentDirectory = NULL;
    data.lpStartupInfo = StrtUpInfo;          // remote copies made above
    data.lpProcessInformation = PrcssInfo;

    // Assumes Useless() is laid out directly after myFunc() in the image, so
    // the address difference is myFunc's code length. That is a compiler/
    // linker layout assumption, not something the language guarantees.
    DWORD size_myFunc = (PBYTE)Useless - (PBYTE)myFunc;  //this gets myFunc's size

    //Writing the code part of myFunc -- Instructions to be executed
    // Writable+executable remote allocation, code write, then a remote thread:
    // this exact API sequence is what process-injection detections key on.
    // None of the VirtualAllocEx/WriteProcessMemory results are checked.
    LPVOID MyFuncAddress = VirtualAllocEx(p, NULL, size_myFunc, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(p, MyFuncAddress, (void*)myFunc, size_myFunc, NULL);

    //Writing the data part of myFunc -- Parameters of the functios
    LPVOID DataAddress = VirtualAllocEx(p, NULL, sizeof(PARAMETERS), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(p, DataAddress, &data, sizeof(PARAMETERS), NULL);

    HANDLE thread = CreateRemoteThread(p, NULL, 0, (LPTHREAD_START_ROUTINE)MyFuncAddress, DataAddress, 0, NULL);
    if (thread != 0){
        //injection completed, not we can wait for it to end and free the memory
        WaitForSingleObject(thread, INFINITE);   //this waits until thread thread has finished
        // NOTE: MyFuncAddress and DataAddress belong to the target process,
        // but VirtualFree acts on the calling process, so these calls do not
        // release the remote pages (VirtualFreeEx with handle p would).
        // StrtUpInfo and PrcssInfo are never freed at all.
        VirtualFree(MyFuncAddress, 0, MEM_RELEASE); //free myFunc memory
        VirtualFree(DataAddress, 0, MEM_RELEASE); //free data memory
        CloseHandle(thread);
        CloseHandle(p);  //don't wait for the thread to finish, just close the handle to the process
    }
    else{
        // CreateRemoteThread returned NULL; the process handle p is not
        // closed on this path, and the exit code is still EXIT_SUCCESS.
        printf("Error!");
    }
    return EXIT_SUCCESS;
}

// Runs inside the target process: main() copies this function's machine code
// byte for byte and starts a remote thread on the copy. It therefore only
// touches memory reachable through myparam; anything else (string literals,
// globals, direct calls into this executable) would be an address that does
// not exist in the target.
// Declared non-static in the prototype above but defined static here.
static DWORD myFunc(PARAMETERS * myparam){

    // CreateProcessA, reached through the pointer main() resolved.
    CreatePrcssParam CreatePrcss = (CreatePrcssParam)myparam->CreateProcessInj;
    // lpCommandLine is passed as NULL; myparam->lpCommandLine is never read.
    BOOL result = CreatePrcss((LPCTSTR)myparam->lpApplicationName, NULL, 
    myparam->lpProcessAttributes, myparam->lpThreadAttributes, 
    myparam->bInheritHandles, myparam->dwCreationFlags, myparam->lpEnvironment, 
    myparam->lpCurrentDirectory, myparam->lpStartupInfo, myparam->lpProcessInformation);
    // result is discarded and the thread exit code is always 0, so main()
    // cannot tell whether CreateProcessA succeeded.
    return 0;
}

// Deliberately empty and never called. Its only role is to follow myFunc()
// in the image so that (PBYTE)Useless - (PBYTE)myFunc in main() approximates
// myFunc's code size.
static DWORD Useless(){
    return 0;
}

//this function is needed to get some extra privileges so your code will be able to work without conflicts with the system
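int privileges(){
    // Enable SE_DEBUG_NAME on the current process token.
    // Returns 0 on success, 1 when the token cannot be opened or
    // AdjustTokenPrivileges reports failure. The token handle is closed on
    // every path (the original leaked it).
    HANDLE Token = NULL;
    TOKEN_PRIVILEGES tp;
    ZeroMemory(&tp, sizeof(tp));   // start from a defined state, not stack garbage

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &Token))
    {
        return 1; //FAIL: no token handle
    }

    int rc = 1; //FAIL unless AdjustTokenPrivileges says otherwise
    // LookupPrivilegeValue's result is still unchecked, as in the original.
    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (AdjustTokenPrivileges(Token, FALSE, &tp, sizeof(tp), NULL, NULL) != 0){
        rc = 0; //SUCCESS
    }

    CloseHandle(Token);
    return rc;
}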

调试信息:

'inj_01.exe': Loaded 'C:\Users\root\Documents\Visual Studio 2010\Projects\inj_01\Debug\inj_01.exe', Symbols loaded.
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\ntdll.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\kernel32.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\KernelBase.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\user32.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\gdi32.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\lpk.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\usp10.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\msvcrt.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\advapi32.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\sechost.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\rpcrt4.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\sspicli.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\cryptbase.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\msvcr100d.dll', Symbols loaded.
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\imm32.dll', Symbols loaded (source information stripped).
'inj_01.exe': Loaded 'C:\Windows\SysWOW64\msctf.dll', Symbols loaded (source information stripped).
The thread 'Win32 Thread' (0x11b8) has exited with code 0 (0x0).
The program '[6244] inj_01.exe: Native' has exited with code 0 (0x0).

感谢您提供任何帮助/指针


我认为您不能将代码注入explorer.exe

在Windows 7及更高版本中,不允许注入诸如explorer.exe之类的核心Windows进程或其他用户的进程。
