viktoor81
23.05.2010, 13:34
при внедрении выдает ошибку и отправляет отчет в Microsoft. Проверьте, пожалуйста, код.
внедряемая библиотека
//---------------------------------------------------------------------------
#include <windows.h>
#include <tlhelp32.h>
#include "waasm_dll.h"
//---------------------------------------------------------------------------
// Opcode patch that SetHook writes over the first bytes of a hooked function:
// a 32-bit immediate PUSH (0x68) of the replacement routine's address followed
// by RET (0xC3), which transfers control to the pushed address.
// The field values are assigned in SetHook; the struct itself carries no packing
// directive on this page, so sizeof(fr_jmp) is whatever the compiler's default
// alignment yields for BYTE/PVOID/BYTE.
struct fr_jmp
{
BYTE PuhsOp;    // PUSH imm32 opcode (0x68); field name is the author's spelling
PVOID PushArg;  // address pushed: the replacement routine
BYTE RetOp;     // RET opcode (0xC3)
};
// Copy of the leading bytes (DWORD + WORD) of the hooked function, read by
// SetHook before the function is overwritten. On this page the copy is only
// ever written (OldCrp in SetHook); no code shown here reads it back.
struct OldCode
{
DWORD One;  // first four original bytes
WORD two;   // next two original bytes
};
DWORD AdrCreateProcessA; // address of kernel32!CreateProcessA, resolved in SetHook
OldCode OldCrp;          // original leading bytes of CreateProcessA, saved by SetHook
fr_jmp JmpCrProcA;       // PUSH/RET patch written over CreateProcessA by SetHook
DWORD written;           // byte count reported by WriteProcessMemory in SetHook
HANDLE CurrProc;         // file-scope handle; SetHook declares a local of the same name,
                         // so this one is never assigned by the code on this page
//---------------------------------------------------------------------------
// Replacement routine. Note the spelling: this prototype starts with a capital
// "I", whereas SetHook takes the address of intercept_MessageBoxA (lower-case
// "i"); C++ identifiers are case-sensitive, so these are two distinct names.
// No definition of either appears on this page.
BOOL WINAPI Intercept_MessageBoxA(HWND, char *, char *, UINT);
void StopThreads(void); // suspend all other threads of this process
void RunThreads(void);  // resume them again
void SetHook(void);     // patch CreateProcessA in place
#pragma argsused
// DLL entry point (Borland C++ Builder name for DllMain).
// On DLL_PROCESS_ATTACH: suspends every other thread of the host process,
// patches CreateProcessA, then resumes the threads. All of that work — Toolhelp
// snapshots, OpenThread, GetProcAddress — happens inside the loader-lock
// context a DLL entry point runs in, which the DllMain documentation warns
// against. Other reason codes do nothing.
// hinst, lpReserved: unused. Returns 1 (success) for every reason code.
int WINAPI DllEntryPoint(HINSTANCE hinst, unsigned long reason, void* lpReserved)
{
if (reason == DLL_PROCESS_ATTACH)
{
// suspend the other threads
StopThreads();
// install the hook
SetHook();
// resume the threads
RunThreads();
}
return 1;
}
//---------------------------------------------------------------------------
// Suspends every thread of the current process except the calling one, by
// walking a system-wide Toolhelp thread snapshot and filtering on the owner
// process id. Threads created after the snapshot is taken are not seen.
// OpenThread failures (NULL handle) are skipped silently and the SuspendThread
// result is ignored. No value is returned and nothing records which threads
// were actually suspended.
void StopThreads()
{
DWORD CurrTh, CurrPr;   // calling thread id, own process id
HANDLE h,ThrHandle ;    // snapshot handle, per-thread handle
THREADENTRY32 Thread;
CurrTh = GetCurrentThreadId();
CurrPr = GetCurrentProcessId();
h = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); // snapshot covers all threads system-wide
if ( h != INVALID_HANDLE_VALUE)
{
Thread.dwSize = sizeof(Thread); // must be set before Thread32First
for (bool loop = Thread32First(h, &Thread); loop; loop = Thread32Next(h, &Thread))
{
// only threads of this process, never the caller itself
if ((Thread.th32ThreadID != CurrTh) && (Thread.th32OwnerProcessID == CurrPr))
{
ThrHandle = OpenThread(THREAD_SUSPEND_RESUME, false, Thread.th32ThreadID);
if ( ThrHandle>0 ) // OpenThread returns NULL on failure
{
SuspendThread(ThrHandle); // return value (previous suspend count) ignored
CloseHandle(ThrHandle);
}
}
}
CloseHandle(h);
}
}
//---------------------------------------------------------------------------
// Resumes every thread of the current process except the calling one — the
// mirror image of StopThreads, differing only in the ResumeThread call.
// ResumeThread is issued to every such thread regardless of whether StopThreads
// touched it, because nothing records which threads were suspended. Results of
// OpenThread (NULL on failure) and ResumeThread are not checked.
void RunThreads()
{
DWORD CurrTh, CurrPr;   // calling thread id, own process id
HANDLE h,ThrHandle ;    // snapshot handle, per-thread handle
THREADENTRY32 Thread;
CurrTh = GetCurrentThreadId();
CurrPr = GetCurrentProcessId();
h = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); // fresh snapshot, independent of StopThreads'
if ( h != INVALID_HANDLE_VALUE)
{
Thread.dwSize = sizeof(Thread); // must be set before Thread32First
for (bool loop = Thread32First(h, &Thread); loop; loop = Thread32Next(h, &Thread))
{
// only threads of this process, never the caller itself
if ((Thread.th32ThreadID != CurrTh) && (Thread.th32OwnerProcessID == CurrPr))
{
ThrHandle = OpenThread(THREAD_SUSPEND_RESUME, false, Thread.th32ThreadID);
if ( ThrHandle>0 ) // OpenThread returns NULL on failure
{
ResumeThread(ThrHandle); // return value ignored
CloseHandle(ThrHandle);
}
}
}
CloseHandle(h);
}
}
//---------------------------------------------------------------------------
// Installs an inline hook on kernel32!CreateProcessA inside the current
// process: copies the function's leading bytes into OldCrp, then overwrites
// them with the PUSH/RET patch in JmpCrProcA so calls are redirected to
// intercept_MessageBoxA.
// Nothing is checked: GetProcAddress may return NULL and the result is still
// used as the patch address; ReadProcessMemory/WriteProcessMemory results are
// dropped. HKernel32 and HUser32 are declared but never used. The local
// CurrProc shadows the file-scope variable of the same name. OldCrp is saved
// here but no code on this page restores it.
// Defender's note: modified code bytes at an exported kernel32 entry are what
// in-memory integrity checks of system DLLs (and many EDR hook scanners) report.
void SetHook()
{
DWORD HKernel32, HUser32, bw; // HKernel32, HUser32 unused; bw receives bytes read
HANDLE CurrProc = GetCurrentProcess(); // pseudo-handle; no CloseHandle required
// resolve the address of CreateProcessA
AdrCreateProcessA = (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"), "CreateProcessA");
// fill the PUSH imm32 / RET patch with the replacement routine's address
JmpCrProcA.PuhsOp = 0x68;
JmpCrProcA.PushArg = (DWORD)&intercept_MessageBoxA;
JmpCrProcA.RetOp = 0xC3;
// save the original start of the function
ReadProcessMemory(CurrProc, (void*)AdrCreateProcessA, (void*)&OldCrp, sizeof(OldCode),&bw);
// write the new start of CreateProcessA
WriteProcessMemory(CurrProc, (void*)AdrCreateProcessA, (void*)&JmpCrProcA, sizeof(fr_jmp), &written);
}
//----------------------------------------------------------------------------
код внедрения
//---------------------------------------------------------------------------
#include <windows.h>
#include <tlhelp32.h>
#pragma hdrstop
// Image of the code stub that InjectDll writes into the target process. It is
// a PUSH imm32 / CALL [mem] pair invoking LoadLibraryA on LibraryName, then a
// PUSH 0 / CALL [mem] pair invoking ExitThread, followed by the two absolute
// addresses the CALLs read through and the library name itself.
// InjectDll fills PushArgument, CallAddr and CallExitThreadAddr with hard-coded
// offsets from the remote allocation base (0x1E, 0x16, 0x1A), so the stub only
// works if those offsets match where the fields actually sit in memory.
struct Inject
{
BYTE PushCommand;         // 0x68: PUSH imm32
DWORD PushArgument;       // remote address of LibraryName
WORD CallCommand;         // 0x15FF: bytes FF 15, CALL dword ptr [imm32]
DWORD CallAddr;           // remote address of AddrLoadLibrary
BYTE PushExitThread;      // 0x68: PUSH imm32
DWORD ExitThreadArg;      // 0: exit code passed to ExitThread
WORD CallExitThread;      // 0x15FF: CALL dword ptr [imm32]
DWORD CallExitThreadAddr; // remote address of AddrExitThread
DWORD AddrLoadLibrary;    // kernel32!LoadLibraryA as resolved in the injecting process
DWORD AddrExitThread;     // kernel32!ExitThread as resolved in the injecting process
char LibraryName[MAX_PATH]; // DLL path, copied in with strcpy
} cmds ; // single file-scope instance, filled by InjectDll
//---------------------------------------------------------------------------
#pragma argsused // Borland: silence unused-argument warnings for the next function (WinMain)
BOOL InjectDll(HANDLE,CHAR *);  // load the named DLL into the given process; FALSE on failure
DWORD GetProcessID(char*);      // pid of the first process with that exe name, 0 if none
// Program entry. Looks up the pid of notepad.exe, opens it with
// PROCESS_ALL_ACCESS and asks InjectDll to load "wasm_dll.dll" into it.
// If no such process exists GetProcessID returns 0, OpenProcess presumably
// fails and the NULL handle is passed straight into InjectDll; the process
// handle is never closed on either path. The message box appears only on
// failure and its text does not describe the error. No return type is written
// before WINAPI (implicit int, accepted by older Borland compilers).
// Note the DLL source above includes "waasm_dll.h" while the name loaded here
// is "wasm_dll.dll"; whether both refer to the same module cannot be told from
// this page. hInstance, hPrevInstance, lpCmdLine, nCmdShow: unused.
WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
if (!InjectDll(OpenProcess(PROCESS_ALL_ACCESS,false,
GetProcessID("notepad.exe") ),"wasm_dll.dll"))
{
MessageBox(0,"Hello ne explorer","title",0);
}
return 0;
}
//---------------------------------------------------------------------------
// Writes the Inject stub into the target process and starts it on a remote
// thread, so that the target itself executes LoadLibraryA(ModulePath) and then
// ExitThread(0).
// Process: handle to the target (WinMain opens it with PROCESS_ALL_ACCESS).
// ModulePath: DLL path; copied with strcpy into a MAX_PATH buffer, so a longer
// string overflows cmds.LibraryName.
// Returns FALSE when VirtualAllocEx or CreateRemoteThread fails, TRUE
// otherwise. The WriteProcessMemory result is not checked; hKernel32 is unused.
// The LoadLibraryA/ExitThread addresses are resolved in this process and reused
// in the target, which relies on kernel32 sitting at the same base there.
// Defender's note: VirtualAllocEx(PAGE_EXECUTE_READWRITE) + WriteProcessMemory
// + CreateRemoteThread into a foreign process is the textbook remote-thread
// injection chain that endpoint monitoring and sysmon-style telemetry flag.
BOOL InjectDll(HANDLE Process,CHAR * ModulePath)
{
BYTE *Memory;        // remote allocation base
DWORD Code;          // same base as an integer, for offset arithmetic
DWORD BytesWritten;
DWORD ThreadId;
HANDLE hThread;
DWORD hKernel32;     // unused (see commented-out line below)
Memory = (BYTE*)VirtualAllocEx(Process, NULL, sizeof(cmds),
MEM_COMMIT, PAGE_EXECUTE_READWRITE); // writable + executable page in the target
if (Memory == NULL) return FALSE;
Code = (DWORD)Memory;
// fill in the stub; the three addresses are fixed offsets from the allocation base
cmds.PushCommand = 0x68;
cmds.PushArgument = Code + 0x1E;   // intended: LibraryName
cmds.CallCommand = 0x15FF;
cmds.CallAddr = Code + 0x16;       // intended: AddrLoadLibrary
cmds.PushExitThread = 0x68;
cmds.ExitThreadArg = 0;
cmds.CallExitThread = 0x15FF;
cmds.CallExitThreadAddr = Code + 0x1A; // intended: AddrExitThread
// hKernel32 = (DWORD)GetModuleHandle("kernel32.dll");
cmds.AddrLoadLibrary = (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
cmds.AddrExitThread = (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"), "ExitThread");
strcpy(cmds.LibraryName, ModulePath); // unbounded copy into char[MAX_PATH]
// write the machine code to the reserved address
WriteProcessMemory(Process, Memory, &cmds, sizeof(cmds), &BytesWritten);
// execute the machine code
hThread = CreateRemoteThread(Process, NULL, 0,
(unsigned long (__stdcall *)(void *))Memory, 0, 0, &ThreadId);
if (hThread == 0) return FALSE; // NULL on failure
CloseHandle(hThread); // the thread keeps running; only our handle is released
return TRUE;
}
//--------------------------------------------------------------------------
// Returns the process id of the first running process whose executable name
// equals lpNameProcess case-insensitively (lstrcmpi), or 0 when nothing
// matches or the Toolhelp process snapshot cannot be taken. The snapshot
// handle is closed on every path.
// lpNameProcess: executable file name, e.g. "notepad.exe" as passed by WinMain.
DWORD GetProcessID(char* lpNameProcess) // takes the name of the target process
{
HANDLE snap;
PROCESSENTRY32 pentry32;
snap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0 ); // all processes
if(snap==INVALID_HANDLE_VALUE) return 0;
pentry32.dwSize=sizeof(PROCESSENTRY32); // must be set before Process32First
if(!Process32First(snap,&pentry32)) {CloseHandle(snap);return 0;}
do
{
if(!lstrcmpi(lpNameProcess,&pentry32.szExeFile[0])) // 0 means equal
{
CloseHandle(snap);
return pentry32.th32ProcessID; // first match wins
}
}while(Process32Next(snap,&pentry32));
CloseHandle(snap);
return 0;
}
внедряемая библиотека
//---------------------------------------------------------------------------
#include <windows.h>
#include <tlhelp32.h>
#include "waasm_dll.h"
//---------------------------------------------------------------------------
// Opcode patch that SetHook writes over the first bytes of a hooked function:
// a 32-bit immediate PUSH (0x68) of the replacement routine's address followed
// by RET (0xC3), which transfers control to the pushed address.
// The field values are assigned in SetHook; the struct itself carries no packing
// directive on this page, so sizeof(fr_jmp) is whatever the compiler's default
// alignment yields for BYTE/PVOID/BYTE.
struct fr_jmp
{
BYTE PuhsOp;    // PUSH imm32 opcode (0x68); field name is the author's spelling
PVOID PushArg;  // address pushed: the replacement routine
BYTE RetOp;     // RET opcode (0xC3)
};
// Copy of the leading bytes (DWORD + WORD) of the hooked function, read by
// SetHook before the function is overwritten. On this page the copy is only
// ever written (OldCrp in SetHook); no code shown here reads it back.
struct OldCode
{
DWORD One;  // first four original bytes
WORD two;   // next two original bytes
};
DWORD AdrCreateProcessA; // address of kernel32!CreateProcessA, resolved in SetHook
OldCode OldCrp;          // original leading bytes of CreateProcessA, saved by SetHook
fr_jmp JmpCrProcA;       // PUSH/RET patch written over CreateProcessA by SetHook
DWORD written;           // byte count reported by WriteProcessMemory in SetHook
HANDLE CurrProc;         // file-scope handle; SetHook declares a local of the same name,
                         // so this one is never assigned by the code on this page
//---------------------------------------------------------------------------
// Replacement routine. Note the spelling: this prototype starts with a capital
// "I", whereas SetHook takes the address of intercept_MessageBoxA (lower-case
// "i"); C++ identifiers are case-sensitive, so these are two distinct names.
// No definition of either appears on this page.
BOOL WINAPI Intercept_MessageBoxA(HWND, char *, char *, UINT);
void StopThreads(void); // suspend all other threads of this process
void RunThreads(void);  // resume them again
void SetHook(void);     // patch CreateProcessA in place
#pragma argsused
// DLL entry point (Borland C++ Builder name for DllMain).
// On DLL_PROCESS_ATTACH: suspends every other thread of the host process,
// patches CreateProcessA, then resumes the threads. All of that work — Toolhelp
// snapshots, OpenThread, GetProcAddress — happens inside the loader-lock
// context a DLL entry point runs in, which the DllMain documentation warns
// against. Other reason codes do nothing.
// hinst, lpReserved: unused. Returns 1 (success) for every reason code.
int WINAPI DllEntryPoint(HINSTANCE hinst, unsigned long reason, void* lpReserved)
{
if (reason == DLL_PROCESS_ATTACH)
{
// suspend the other threads
StopThreads();
// install the hook
SetHook();
// resume the threads
RunThreads();
}
return 1;
}
//---------------------------------------------------------------------------
// Suspends every thread of the current process except the calling one, by
// walking a system-wide Toolhelp thread snapshot and filtering on the owner
// process id. Threads created after the snapshot is taken are not seen.
// OpenThread failures (NULL handle) are skipped silently and the SuspendThread
// result is ignored. No value is returned and nothing records which threads
// were actually suspended.
void StopThreads()
{
DWORD CurrTh, CurrPr;   // calling thread id, own process id
HANDLE h,ThrHandle ;    // snapshot handle, per-thread handle
THREADENTRY32 Thread;
CurrTh = GetCurrentThreadId();
CurrPr = GetCurrentProcessId();
h = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); // snapshot covers all threads system-wide
if ( h != INVALID_HANDLE_VALUE)
{
Thread.dwSize = sizeof(Thread); // must be set before Thread32First
for (bool loop = Thread32First(h, &Thread); loop; loop = Thread32Next(h, &Thread))
{
// only threads of this process, never the caller itself
if ((Thread.th32ThreadID != CurrTh) && (Thread.th32OwnerProcessID == CurrPr))
{
ThrHandle = OpenThread(THREAD_SUSPEND_RESUME, false, Thread.th32ThreadID);
if ( ThrHandle>0 ) // OpenThread returns NULL on failure
{
SuspendThread(ThrHandle); // return value (previous suspend count) ignored
CloseHandle(ThrHandle);
}
}
}
CloseHandle(h);
}
}
//---------------------------------------------------------------------------
// Resumes every thread of the current process except the calling one — the
// mirror image of StopThreads, differing only in the ResumeThread call.
// ResumeThread is issued to every such thread regardless of whether StopThreads
// touched it, because nothing records which threads were suspended. Results of
// OpenThread (NULL on failure) and ResumeThread are not checked.
void RunThreads()
{
DWORD CurrTh, CurrPr;   // calling thread id, own process id
HANDLE h,ThrHandle ;    // snapshot handle, per-thread handle
THREADENTRY32 Thread;
CurrTh = GetCurrentThreadId();
CurrPr = GetCurrentProcessId();
h = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); // fresh snapshot, independent of StopThreads'
if ( h != INVALID_HANDLE_VALUE)
{
Thread.dwSize = sizeof(Thread); // must be set before Thread32First
for (bool loop = Thread32First(h, &Thread); loop; loop = Thread32Next(h, &Thread))
{
// only threads of this process, never the caller itself
if ((Thread.th32ThreadID != CurrTh) && (Thread.th32OwnerProcessID == CurrPr))
{
ThrHandle = OpenThread(THREAD_SUSPEND_RESUME, false, Thread.th32ThreadID);
if ( ThrHandle>0 ) // OpenThread returns NULL on failure
{
ResumeThread(ThrHandle); // return value ignored
CloseHandle(ThrHandle);
}
}
}
CloseHandle(h);
}
}
//---------------------------------------------------------------------------
// Installs an inline hook on kernel32!CreateProcessA inside the current
// process: copies the function's leading bytes into OldCrp, then overwrites
// them with the PUSH/RET patch in JmpCrProcA so calls are redirected to
// intercept_MessageBoxA.
// Nothing is checked: GetProcAddress may return NULL and the result is still
// used as the patch address; ReadProcessMemory/WriteProcessMemory results are
// dropped. HKernel32 and HUser32 are declared but never used. The local
// CurrProc shadows the file-scope variable of the same name. OldCrp is saved
// here but no code on this page restores it.
// Defender's note: modified code bytes at an exported kernel32 entry are what
// in-memory integrity checks of system DLLs (and many EDR hook scanners) report.
void SetHook()
{
DWORD HKernel32, HUser32, bw; // HKernel32, HUser32 unused; bw receives bytes read
HANDLE CurrProc = GetCurrentProcess(); // pseudo-handle; no CloseHandle required
// resolve the address of CreateProcessA
AdrCreateProcessA = (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"), "CreateProcessA");
// fill the PUSH imm32 / RET patch with the replacement routine's address
JmpCrProcA.PuhsOp = 0x68;
JmpCrProcA.PushArg = (DWORD)&intercept_MessageBoxA;
JmpCrProcA.RetOp = 0xC3;
// save the original start of the function
ReadProcessMemory(CurrProc, (void*)AdrCreateProcessA, (void*)&OldCrp, sizeof(OldCode),&bw);
// write the new start of CreateProcessA
WriteProcessMemory(CurrProc, (void*)AdrCreateProcessA, (void*)&JmpCrProcA, sizeof(fr_jmp), &written);
}
//----------------------------------------------------------------------------
код внедрения
//---------------------------------------------------------------------------
#include <windows.h>
#include <tlhelp32.h>
#pragma hdrstop
// Image of the code stub that InjectDll writes into the target process. It is
// a PUSH imm32 / CALL [mem] pair invoking LoadLibraryA on LibraryName, then a
// PUSH 0 / CALL [mem] pair invoking ExitThread, followed by the two absolute
// addresses the CALLs read through and the library name itself.
// InjectDll fills PushArgument, CallAddr and CallExitThreadAddr with hard-coded
// offsets from the remote allocation base (0x1E, 0x16, 0x1A), so the stub only
// works if those offsets match where the fields actually sit in memory.
struct Inject
{
BYTE PushCommand;         // 0x68: PUSH imm32
DWORD PushArgument;       // remote address of LibraryName
WORD CallCommand;         // 0x15FF: bytes FF 15, CALL dword ptr [imm32]
DWORD CallAddr;           // remote address of AddrLoadLibrary
BYTE PushExitThread;      // 0x68: PUSH imm32
DWORD ExitThreadArg;      // 0: exit code passed to ExitThread
WORD CallExitThread;      // 0x15FF: CALL dword ptr [imm32]
DWORD CallExitThreadAddr; // remote address of AddrExitThread
DWORD AddrLoadLibrary;    // kernel32!LoadLibraryA as resolved in the injecting process
DWORD AddrExitThread;     // kernel32!ExitThread as resolved in the injecting process
char LibraryName[MAX_PATH]; // DLL path, copied in with strcpy
} cmds ; // single file-scope instance, filled by InjectDll
//---------------------------------------------------------------------------
#pragma argsused // Borland: silence unused-argument warnings for the next function (WinMain)
BOOL InjectDll(HANDLE,CHAR *);  // load the named DLL into the given process; FALSE on failure
DWORD GetProcessID(char*);      // pid of the first process with that exe name, 0 if none
// Program entry. Looks up the pid of notepad.exe, opens it with
// PROCESS_ALL_ACCESS and asks InjectDll to load "wasm_dll.dll" into it.
// If no such process exists GetProcessID returns 0, OpenProcess presumably
// fails and the NULL handle is passed straight into InjectDll; the process
// handle is never closed on either path. The message box appears only on
// failure and its text does not describe the error. No return type is written
// before WINAPI (implicit int, accepted by older Borland compilers).
// Note the DLL source above includes "waasm_dll.h" while the name loaded here
// is "wasm_dll.dll"; whether both refer to the same module cannot be told from
// this page. hInstance, hPrevInstance, lpCmdLine, nCmdShow: unused.
WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
if (!InjectDll(OpenProcess(PROCESS_ALL_ACCESS,false,
GetProcessID("notepad.exe") ),"wasm_dll.dll"))
{
MessageBox(0,"Hello ne explorer","title",0);
}
return 0;
}
//---------------------------------------------------------------------------
// Writes the Inject stub into the target process and starts it on a remote
// thread, so that the target itself executes LoadLibraryA(ModulePath) and then
// ExitThread(0).
// Process: handle to the target (WinMain opens it with PROCESS_ALL_ACCESS).
// ModulePath: DLL path; copied with strcpy into a MAX_PATH buffer, so a longer
// string overflows cmds.LibraryName.
// Returns FALSE when VirtualAllocEx or CreateRemoteThread fails, TRUE
// otherwise. The WriteProcessMemory result is not checked; hKernel32 is unused.
// The LoadLibraryA/ExitThread addresses are resolved in this process and reused
// in the target, which relies on kernel32 sitting at the same base there.
// Defender's note: VirtualAllocEx(PAGE_EXECUTE_READWRITE) + WriteProcessMemory
// + CreateRemoteThread into a foreign process is the textbook remote-thread
// injection chain that endpoint monitoring and sysmon-style telemetry flag.
BOOL InjectDll(HANDLE Process,CHAR * ModulePath)
{
BYTE *Memory;        // remote allocation base
DWORD Code;          // same base as an integer, for offset arithmetic
DWORD BytesWritten;
DWORD ThreadId;
HANDLE hThread;
DWORD hKernel32;     // unused (see commented-out line below)
Memory = (BYTE*)VirtualAllocEx(Process, NULL, sizeof(cmds),
MEM_COMMIT, PAGE_EXECUTE_READWRITE); // writable + executable page in the target
if (Memory == NULL) return FALSE;
Code = (DWORD)Memory;
// fill in the stub; the three addresses are fixed offsets from the allocation base
cmds.PushCommand = 0x68;
cmds.PushArgument = Code + 0x1E;   // intended: LibraryName
cmds.CallCommand = 0x15FF;
cmds.CallAddr = Code + 0x16;       // intended: AddrLoadLibrary
cmds.PushExitThread = 0x68;
cmds.ExitThreadArg = 0;
cmds.CallExitThread = 0x15FF;
cmds.CallExitThreadAddr = Code + 0x1A; // intended: AddrExitThread
// hKernel32 = (DWORD)GetModuleHandle("kernel32.dll");
cmds.AddrLoadLibrary = (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
cmds.AddrExitThread = (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"), "ExitThread");
strcpy(cmds.LibraryName, ModulePath); // unbounded copy into char[MAX_PATH]
// write the machine code to the reserved address
WriteProcessMemory(Process, Memory, &cmds, sizeof(cmds), &BytesWritten);
// execute the machine code
hThread = CreateRemoteThread(Process, NULL, 0,
(unsigned long (__stdcall *)(void *))Memory, 0, 0, &ThreadId);
if (hThread == 0) return FALSE; // NULL on failure
CloseHandle(hThread); // the thread keeps running; only our handle is released
return TRUE;
}
//--------------------------------------------------------------------------
// Returns the process id of the first running process whose executable name
// equals lpNameProcess case-insensitively (lstrcmpi), or 0 when nothing
// matches or the Toolhelp process snapshot cannot be taken. The snapshot
// handle is closed on every path.
// lpNameProcess: executable file name, e.g. "notepad.exe" as passed by WinMain.
DWORD GetProcessID(char* lpNameProcess) // takes the name of the target process
{
HANDLE snap;
PROCESSENTRY32 pentry32;
snap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0 ); // all processes
if(snap==INVALID_HANDLE_VALUE) return 0;
pentry32.dwSize=sizeof(PROCESSENTRY32); // must be set before Process32First
if(!Process32First(snap,&pentry32)) {CloseHandle(snap);return 0;}
do
{
if(!lstrcmpi(lpNameProcess,&pentry32.szExeFile[0])) // 0 means equal
{
CloseHandle(snap);
return pentry32.th32ProcessID; // first match wins
}
}while(Process32Next(snap,&pentry32));
CloseHandle(snap);
return 0;
}