我在使用 CreateRemoteThread() 时遇到问题。过去 3 天我一直在试图弄清楚原因,但仍然毫无头绪。
当我调用 CreateRemoteThread() 时,它返回 NULL;随后调用 GetLastError() 得到错误码 6(意思是“无效句柄”)。我试图把自己的 dll 注入到 notepad.exe 进程中,但出现了这个错误,注入没有发生。我使用以下调用获取进程句柄:HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,processID);
然后我尝试了 HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,GetCurrentProcessId()); 代码完全相同,只是 dll 被注入到当前正在运行的进程自身中,而这种情况是有效的。我猜测这是权限问题,但我已经关闭了包括 Windows Defender 在内的所有杀毒软件。我真的很想知道是什么阻止了我的注入,因为其他人似乎都能用类似的代码完成注入。我使用的是 Windows 11 64 位系统。下面是注入代码和 dll 代码。注意:
1:.dll 和 .exe 是 x64 位
2:我以管理员身份运行它
注入.cpp
#include <windows.h>
#include <iostream>
// Proof-of-concept injector: opens a process by PID, copies a DLL path into
// it, and starts a remote thread at LoadLibraryA so the target loads the DLL.
// This is the textbook CreateRemoteThread/LoadLibrary sequence; the
// cross-process VirtualAllocEx + WriteProcessMemory + CreateRemoteThread
// trio is exactly what process-injection detections key on, so expect
// EDR/ETW thread-creation telemetry to flag a run of this program.
// Returns 0 on success, 1 on any failure (reason printed to stdout).
int main()
{
// Path to the target process. Informational only: the process is opened
// by PID below and this string is never used.
const char* targetProcess = "C:\\Windows\\System32\\notepad.exe";
// Path to the DLL to inject. It is copied verbatim (ANSI, NUL-terminated)
// into the target and handed to LoadLibraryA there, so it is resolved by
// the target process, not by this one.
const char* dllPath = "C:\\Users\\fagner\\Desktop\\windowsM\\dll\\dlli2.dll";
// Open the target process with full access. The PID is hard-coded here;
// OpenProcess returns NULL if the PID does not exist or access is denied.
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE,1034);// if I replace process ID with GetCurrentProcessId() it works **1034 is an example id
if (hProcess == NULL)
{
std::cout << "Failed to open the target process." << std::endl;
return 1;
}
// NOTE: this prints the HANDLE value (a pointer-sized kernel object index),
// not the process id, despite the "id:" label.
std::cout<<"id: "<<hProcess<<std::endl;
// Allocate memory for the DLL path in the target process (read/write is
// enough: the buffer only ever holds the path string)
LPVOID dllPathAddress = VirtualAllocEx(hProcess, NULL, strlen(dllPath) + 1, MEM_COMMIT, PAGE_READWRITE);
if (dllPathAddress == NULL)
{
std::cout << "Failed to allocate memory in the target process." << std::endl;
CloseHandle(hProcess);
return 1;
}
// Write the DLL path (including the terminating NUL) into the target process
if (!WriteProcessMemory(hProcess, dllPathAddress, dllPath, strlen(dllPath) + 1, NULL))
{
std::cout << "Failed to write DLL path into the target process." << std::endl;
VirtualFreeEx(hProcess, dllPathAddress, 0, MEM_RELEASE);
CloseHandle(hProcess);
return 1;
}
// Get the address of the LoadLibraryA function. The lookup is done in
// *this* process and the resulting address is used in the target, so it
// assumes kernel32.dll is mapped at the same base in both — TODO confirm
// for the target in question.
HMODULE hKernel32 = GetModuleHandle(TEXT("kernel32.dll"));
if (hKernel32 == NULL)
{
std::cout << "Failed to get the handle of kernel32.dll." << std::endl;
VirtualFreeEx(hProcess, dllPathAddress, 0, MEM_RELEASE);
CloseHandle(hProcess);
return 1;
}
// LoadLibraryA takes one pointer argument and returns an HMODULE, which is
// why it can be passed where a thread start routine is expected.
LPTHREAD_START_ROUTINE loadLibraryAddr = (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryA");
if (loadLibraryAddr == NULL)
{
std::cout << "Failed to get the address of LoadLibraryA." << std::endl;
VirtualFreeEx(hProcess, dllPathAddress, 0, MEM_RELEASE);
CloseHandle(hProcess);
return 1;
}
// Create a remote thread in the target process whose entry point is
// LoadLibraryA and whose single argument is the remote copy of the path
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, loadLibraryAddr, dllPathAddress, 0, NULL);
// when I use another process such as notepad createRemoteThread returns NULL
if (hThread == NULL)
{
// when I target any other process GetLastError() returns 6, which is
// ERROR_INVALID_HANDLE ("invalid handle", not "invalid error")
std::cout << "Failed to create a remote thread in the target process. code: "<<GetLastError() << std::endl;
VirtualFreeEx(hProcess, dllPathAddress, 0, MEM_RELEASE);
CloseHandle(hProcess);
return 1;
}
// NOTE(review): GetLastError() after a *successful* call is not meaningful;
// the value printed here is stale/undefined and should not be read as a
// result of CreateRemoteThread.
std::cout<< "last error: " << GetLastError()<<std::endl;
// "Successfully" here only means the thread was created; whether the
// target's LoadLibraryA actually loaded the DLL is not checked (the
// thread's exit code, which is LoadLibraryA's return value, is never read).
std::cout << "DLL injected successfully!" << std::endl;
// Wait for the remote thread (i.e. LoadLibraryA in the target) to finish
// before releasing the buffer it reads from
WaitForSingleObject(hThread, INFINITE);
// Clean up resources: remote buffer first, then both handles
VirtualFreeEx(hProcess, dllPathAddress, 0, MEM_RELEASE);
CloseHandle(hThread);
CloseHandle(hProcess);
return 0;
}
dlli.dll
#include <Windows.h>
#include <fstream>
// Test payload: on process attach, drops a marker file so the injecting side
// can confirm that the DLL actually ran inside the target. The other reason
// codes (thread attach/detach, process detach) do nothing. Always returns
// TRUE, so the load never fails from this side.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
// Create a file called "injected.txt" in the host process's current
// directory. The path is relative, so where the file lands depends on the
// working directory of whichever process loaded this DLL.
// NOTE(review): DllMain runs under the loader lock; Microsoft's DllMain
// guidance discourages file I/O and other non-trivial work here. Fine for
// a demo, a deadlock risk otherwise.
// Declaring `file` directly under a case label is legal here only because
// no later label jumps past the initialisation; brace the case body if
// more cases are ever added.
std::ofstream file("injected.txt");
if (file.is_open())
{
file << "DLL Injected Successfully!" << std::endl;
file.close();
}
break;
}
// TRUE keeps the DLL loaded; returning FALSE on DLL_PROCESS_ATTACH would
// make the LoadLibrary call in the host fail.
return TRUE;
}