我正在尝试在 C 中的 32 位进程中实现基本进程挖空。
#include <Windows.h>
#include <stdio.h>
#include <winternl.h>
int main(int argc, char* argv[])
{
STARTUPINFOW si = { 0 };
PROCESS_INFORMATION pi = { 0 };
// Create the process to be hollowed
BOOL processCreationSuccess =
CreateProcessW
(
L"C:\\Windows\\system32\\notepad.exe",
NULL,
NULL,
NULL,
FALSE,
CREATE_SUSPENDED,
NULL,
NULL,
&si,
&pi
);
if (!processCreationSuccess)
{
printf("Process creation failed with error: %d\n", GetLastError());
return 1;
}
printf("Process created at suspended state successfully\n");
PROCESS_BASIC_INFORMATION pbi;
UINT retLen = 0;
NTSTATUS pebGotten =
NtQueryInformationProcess
(
pi.hProcess,
ProcessBasicInformation,
&pbi,
sizeof(pbi),
retLen
);
if (pebGotten != 0)
{
printf("Problem with getting PEB structure (NtQueryInformationProcess, %d", GetLastError());
return 1;
}
printf("PEB is at address %p\n", pbi.PebBaseAddress);
BYTE imageBase[0x8];
UINT bytesRead = 0;
BOOL readSuccess = ReadProcessMemory
(
pi.hProcess,
pbi.PebBaseAddress + 0x10,
&imageBase,
0x8,
&bytesRead
);
if (!readSuccess)
{
printf("Problem with getting PEB address, %d", GetLastError());
return 1;
}
printf("Image base address: %p\n", imageBase);
PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)imageBase;
if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
printf("Invalid DOS signature\n");
return 1;
}
PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((DWORD_PTR)dosHeader + dosHeader->e_lfanew);
if (ntHeaders->Signature != IMAGE_NT_SIGNATURE) {
printf("Invalid NT signature\n");
return 1;
}
PIMAGE_OPTIONAL_HEADER optionalHeader = &ntHeaders->OptionalHeader;
if (optionalHeader->Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC) {
printf("Invalid optional header magic\n");
return 1;
}
DWORD entryPoint = optionalHeader->AddressOfEntryPoint;
printf("Entry point: %p", entryPoint);
return 0;
}
在这里,我以挂起模式创建进程,并使用NtQueryInformationProcess 获取指向进程PEB 的指针。然后,我转到 peb 的基地址 + 0x10(我也尝试了 0x8,因为我在 32 位上。 但是每次,我的程序都会打印我设置的“无效 DOS 签名”消息。这意味着图像库是错误的。我还尝试使用 IDA 对其进行调试,发现 pebBaseAddress 指向某个奇怪的地方......
我真的不知道该怎么办,我正在努力寻找问题。
有人可以帮我吗?