我正在尝试将dll注入explorer.exe(显示消息框的简单64位dll)
但是QueueUserApc返回零(这意味着错误),当我执行GetLastError时,它返回6
我认为问题出在第81行调用QueueUserApc的地方。
请帮助我，我已经尝试解决这个问题两天了。
#include <windows.h>
#include <stdio.h>
#include <WinUser.h>
#include <TlHelp32.h>
#include <vector>
using std::vector;
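BOOL EnableDebugPriv() {
    // Enables SE_DEBUG_NAME on the current process token.
    //
    // Returns TRUE only when the privilege was actually enabled, FALSE on any
    // failure. The original returned GetLastError() from the first two failure
    // paths; that is a non-zero value, so a caller testing the BOOL saw "success".
    // It also leaked hToken when AdjustTokenPrivileges failed.
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return FALSE;
    }

    LUID luid;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {
        CloseHandle(hToken);
        return FALSE;
    }

    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    BOOL ok = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
    // AdjustTokenPrivileges reports TRUE even when the privilege is not held by
    // the token; the outcome is in the last-error value, which must be read
    // before any other API call (CloseHandle below may overwrite it).
    if (ok && GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        ok = FALSE;
    }

    CloseHandle(hToken);
    return ok;
}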
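DWORD getPidByName(LPCSTR name, vector<DWORD> &tids) {
    // Finds the first process whose executable name equals `name` (case-sensitive,
    // because strcmp is used) and appends the IDs of that process's threads to `tids`.
    //
    // Returns the process ID, or 0 when no such process exists or the snapshot
    // could not be taken. `tids` is appended to, never cleared, so repeated calls
    // accumulate duplicate thread IDs.
    DWORD pid = 0;

    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        // The original walked the snapshot without checking this and passed an
        // invalid handle to Process32First.
        return 0;
    }

    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(pe);

    // Process32First is checked here; the original entered the do/while loop
    // with whatever happened to be in `pe` when the call failed.
    for (BOOL more = Process32First(hSnapshot, &pe); more; more = Process32Next(hSnapshot, &pe)) {
        if (strcmp(name, pe.szExeFile) != 0) {
            continue;
        }
        pid = pe.th32ProcessID;

        // The snapshot was taken with TH32CS_SNAPALL, so it already holds the
        // thread list; filter it by owner process.
        THREADENTRY32 te;
        te.dwSize = sizeof(te);
        if (Thread32First(hSnapshot, &te)) {
            do {
                if (te.th32OwnerProcessID == pid) {
                    tids.push_back(te.th32ThreadID);
                }
            } while (Thread32Next(hSnapshot, &te));
        }
        break;  // first name match wins, as in the original
    }

    CloseHandle(hSnapshot);
    return pid;
}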
BOOL injectDll(LPCSTR path, DWORD pid, vector<DWORD> &tids) {
// Copies `path` into process `pid` and queues LoadLibraryA as a user-mode APC on
// every thread ID in `tids`.
// Returns FALSE only for the early failures below; TRUE otherwise. TRUE does not
// mean any APC was queued — per-thread failures are printed and then ignored.
HANDLE hProcess, hThread = INVALID_HANDLE_VALUE;
LPVOID pRemoteBuf;
// Byte count of the path plus terminator; only correct for a narrow-character build.
DWORD dwBufSize = lstrlen(path) + 1;
LPTHREAD_START_ROUTINE pThreadProc;
if (!(hProcess = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, pid))) {
return FALSE;
}
if (!(pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE))) {
// NOTE(review): hProcess is not closed on this or the next early return (handle leak).
return FALSE;
}
// Return value is not checked: a failed write leaves pRemoteBuf without the path.
WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)path, dwBufSize, NULL);
// Resolves LoadLibraryA from kernel32.dll as mapped in the calling process.
pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
if (pThreadProc == NULL) {
return FALSE;
}
// %d with a size_t argument is undefined behaviour; %zu is the matching specifier.
printf("tids size: %d\n", tids.size());
// Signed/unsigned comparison (int vs size_t).
for (int i = 0; i < tids.size(); i++) {
hThread = OpenThread(THREAD_SET_CONTEXT, FALSE, tids[i]);
if (hThread != NULL) {
// NOTE(review): hThread is never closed (one handle leaked per iteration).
DWORD result = QueueUserAPC((PAPCFUNC)pThreadProc, hThread, (ULONG_PTR)pRemoteBuf);
if (result != 0) {
// Non-zero means the APC was queued, not that the DLL was loaded.
printf("[*] Injection Succeed!");
}
else if (result == 0) {
printf("0 RESULT\n");
printf("result val: %d\n", result);
printf("GetLastError: %d\n", GetLastError());
}
// Unreachable: the two branches above already cover every value of `result`.
else if(hThread != INVALID_HANDLE_VALUE) {
printf("INVALID_HANDLE_VALUE");
}
}
}
CloseHandle(hProcess);
return TRUE;
}
int main() {
// Enables SeDebugPrivilege (return value ignored), looks up explorer.exe, and
// calls injectDll with the collected thread IDs.
vector<DWORD> tids;
EnableDebugPriv();
// getPidByName is called twice — once here and once as the argument below — and
// it only appends to `tids`, so every thread ID ends up in the vector twice.
printf("%d", getPidByName("explorer.exe", tids));
if (injectDll("C:\\Dll1.dll", getPidByName("explorer.exe", tids), tids)) {
printf("[*] Finally Succeed!\n");
}
else {
printf("ERROR");
}
}
```
我正在尝试将dll注入explorer.exe(显示messagebox的简单64位dll),但是QueueUserApc返回零(这意味着错误),并且当我执行GetLastError时,它返回6。我认为哪里出了问题……
但是QueueUserApc返回零(这意味着错误),当我执行GetLastError时,它返回