本文介绍了dll进样器32位和x64 dll文件在notepad.exe x64中不起作用的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我有一个用Visual Basic 6编译的DLL注入器,我试图在x64 notepad.exe上注入我的DLL(x64),但没有任何作用。
我在网上搜索过这个并看到了这个:
[重要提示:32-BIT / 64位]
这是一个可移植性表:
- 32位程序在32位目标中注入32位dll
- 32位程序在64位目标中注入64位dll
- 64位程序在32位目标中注入32位dll
- 64位程序在64位目标中注入64位dll
如果这是真的,那么我的注入器应该正常工作。
有人可以帮帮我吗?
使用的代码:
Module1.bas
Option Explicit
Private Const INFINITE As Long =& HFFFF
Private Const TOKEN_ADJUST_PRIVILEGES As Long =& H20
Private Const TOKEN_QUERY As Long =& H8
Private Const SE_PRIVILEGE_ENABLED As Long =& H2
Private Const ANYSIZE_ARRAY As Long = 1
Private Const SE_DEBUG_NAME As String =" SeDebugPrivilege"
Private Const PAGE_READWRITE作为Long =& H4
Private Const MEM_RELEASE As Long =& H8000
Private Const MEM_COMMIT As Long =& H1000
Private Const STANDARD_RIGHTS_REQUIRED As Long =& HF0000
Private Const SYNCHRONIZE As Long =& H100000
Private Const PROCESS_VM_OPERATION As Long =(& H8)
Private Const PROCESS_VM_WRITE As Long =(& H20)
Private Const TH32CS_SNAPPROCESS As Long = 2&
私有Const PROCESS_ALL_ACCESS为Long = _
(STANDARD_RIGHTS_REQUIRED或SYNCHRONIZE或PROCESS_VM_WRITE或PROCESS_VM_OPERATION或& HFFF)
私有类型PROCESSENTRY32
dwSize As Long
cntUsage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32ModuleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
dwFlags As Long
szexeFile As String * 260
结束类型
私有类型Luid
lowpart As Long
highpart As Long
结束类型
私有类型LUID_AND_ATTRIBUTES
pLuid为Luid
属性为长
结束类型
私有类型TOKEN_PRIVILEGES
PrivilegeCount As Long
特权(ANYSIZE_ARRAY)为LUID_AND_ATTRIBUTES
结束类型
私有声明函数OpenProcess Lib" kernel32" (ByVal dwDesiredAccess As Long,ByVal bInheritHandle As Long,ByVal dwProcessId As Long)Long
Private Declare Function GetProcAddress Lib" kernel32" (ByVal hModule As Long,ByVal lpProcName As String)As long
Private Declare Function GetModuleHandle Lib" kernel32"别名"GetModuleHandleA" (ByVal lpModuleName As String)As Long
Private Declare Function VirtualAllocEx Lib" kernel32" (ByVal hProcess As Long,ByVal lpAddress As Long,ByVal flAllocationType As Long,ByVal flProtect As Long)As long
Private Declare Function WriteProcessMemory Lib" kernel32" (ByVal hProcess As Long,lpBaseAddress As Any,lpBuffer As Any,ByVal nSize As Long,lpNumberOfBytesWritten As Long)As long
Private Declare Function CloseHandle Lib" kernel32" (ByVal hObject As Long)As Long
Private Declare Function CreateRemoteThread Lib" kernel32" (ByVal hProcess As Long,lpThreadAttributes As Long,lpStartSize As Long,lpParameter As Long,ByVal dwCreationFlags As Long,lpThreadId As Long)As long
Private Declare Function VirtualFreeEx Lib" kernel32.dll" (ByVal hProcess As Long,ByRef lpAddress as Any,ByRef dwSize As Long,ByVal dwFreeType As Long)As Long
Private Declare Function WaitForSingleObject Lib" kernel32" (ByVal hHandle As Long,ByVal dwMilliseconds As Long)As Long
Private Declare Function OpenProcessToken Lib" advapi32" (ByVal ProcessHandle As Long,ByVal DesiredAccess As Long,TokenHandle As Long)Long
Private Declare Function LookupPrivilegeValue Lib" advapi32"别名"LookupPrivilegeValueA" (ByVal lpSystemName As String,ByVal lpName As String,lpLuid As Luid)As Long
Private Declare Function AdjustTokenPrivileges Lib" advapi32" (ByVal TokenHandle As Long,ByVal DisableAllPrivileges As Long,NewState As TOKEN_PRIVILEGES,ByVal BufferLength As Long,PreviousState As Any,ReturnLength As Long)As Long
Private Declare Function GetCurrentProcess Lib" kernel32" ()As Long
Private Declare Function CreateToolhelp32Snapshot Lib" kernel32.dll" (ByVal lFlags As Long,lProcessID As Long)As Long
Private Declare Function ProcessFirst Lib" kernel32.dll"别名"Process32First" (ByVal hSnapshot As Long,uProcess As PROCESSENTRY32)Long
Private Declare Function ProcessNext Lib" kernel32.dll"别名"Process32Next" (ByVal hSnapshot As Long,uProcess As PROCESSENTRY32)As long
公共函数InjectByPID(ByVal sDllPath As String,ByVal lProcessID As Long)As Boolean
Dim lProc As Long
Dim lLibAdd As Long
Dim lMem As Long
Dim lRet As Long
Dim lThread As Long
On Local Error GoTo InjectByPID_Error
'//调整令牌权限以打开系统进程
调用AdjustPrivileges(GetCurrentProcess)
'//使用所有访问权限打开进程
lProc = OpenProcess(PROCESS_ALL_ACCESS,False,lProcessID )
如果lProc = 0则GoTo InjectByPID_Error
'//获取LoadLibrary的地址
lLibAdd = GetProcAddress(GetModuleHandle(" kernel32.dll")," LoadLibraryA" )
如果lLibAdd = 0则GoTo InjectByPID_Error
'//分配内存以保存进程内存中Dll文件的路径
lMem = VirtualAllocEx(lProc,0,Len) (S DllPath),MEM_COMMIT,PAGE_READWRITE)
如果lMem = 0则GoTo InjectByPID_Error
'//在刚刚创建的位置写入Dll文件的路径
调用WriteProcessMemory(lProc, ByVal lMem,ByVal sDllPath,Len(sDllPath),lRet)
如果lRet = 0则GoTo InjectByPID_Error
'//创建一个从LoadLibrary函数开始的远程线程和_
传递的是内存指针
lThread = CreateRemoteThread(lProc,ByVal 0,0,ByVal lLibAdd,ByVal lMem,0,0&)
如果lThread = 0则GoTo InjectByPID_Error
'//等待线程完成
调用WaitForSingleObject(lThread,INFINITE)
'//释放在另一个进程上创建的内存
调用VirtualFreeEx(lProc, lMem,Len(sDllPath),MEM_RELEASE)
'//释放其他进程的句柄
调用CloseHandle(lProc)
InjectByPID = True
On Error GoTo 0
退出函数
InjectByPID_Error:
'//释放在另一个进程上创建的内存
调用VirtualFreeEx(lProc,lMem,Len(sDllPath),MEM_RELEASE)
'/ /释放其他进程的句柄
调用CloseHandle(lProc)
结束函数
公共函数AdjustPrivileges(ByVal lProcessID As Long)As Boolean
Dim lToken As Long
Dim tTOKEN_PRIVILEGES As TOKEN_PRIVILEGES
On Local Error GoTo AdjustPrivileges_Error
如果不是OpenProcessToken(lProcessID,TOKEN_ADJUST_PRIVILEGES或TOKEN_QUERY,lToken)= 0那么
使用tTOKEN_PRIVILEGES
如果LookupPrivilegeValue(vbNullString,SE_DEBUG_NAME,.Privileges(0).pLuid)= 0则
退出函数
结束如果
.PrivilegeCount = 1
.Privileges(0 ).Attributes = SE_PRIVILEGE_ENABLED
以
结束如果不是AdjustTokenPrivileges(lToken,0,tTOKEN_PRIVI) LEGES,Len(tTOKEN_PRIVILEGES),0&,0&)= 0然后
AdjustPrivileges = True
结束如果
结束如果
On Error GoTo 0
退出函数
AdjustPrivileges_Error:
结束函数
'获取PID
公共函数whereISmyFUFUprocess(ByVal ProcessName As String)As Long
Dim procSnapshot As Long
Dim uProcess As PROCESSENTRY32
Dim success As Long
Dim ProcessId As Long
Dim ProcessId_found As Boolean
ProcessId_found = False
procSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0&)
如果procSnapshot = -1则退出函数
uProcess.dwSize = Len(uProcess)
success = ProcessFirst(procSnapshot,uProcess)
如果success = 1那么
Do
如果LCase(VBA.Left $(uProcess.szexeFile,InStr(1,uProcess) .szexeFile,Chr(0)) - 1))= LCase(ProcessName)然后
Pr ocessId = uProcess.th32ProcessID
Debug.Print"使用PID找到的第一个进程:" &安培; ProcessId
如果ProcessId_found = True则
Debug.Print"使用PID找到第二个进程:" &安培; ProcessId
whereISmyFUFUprocess = ProcessId
退出Do
结束如果
ProcessId_found = True
结束如果
循环当ProcessNext(procSnapshot,uProcess)
结束如果
如果whereISmyFUFUprocess = 0那么
whereISmyFUFUprocess = ProcessId
结束如果
调用CloseHandle(procSnapshot)
结束功能
Form 1
Private Declare Sub Sleep Lib" kernel32.dll" (ByVal dwMilliseconds As Long)
Private Sub Command1_Click()
Dim PID As Long
'//运行记事本
Shell" notepad.exe",vbNormalFocus
睡眠1000
PID = whereISmyFUFUprocess(" notepad.exe")
Sleep 1000
InjectByPID" Project1.dll",PID
End Sub
解决方案
I have a DLL injector compiled with Visual Basic 6 and I'm trying to inject my DLL (x64) on x64 notepad.exe, but nothing works.
I had searched on web about this and saw this:
[IMPORTANT: 32-BIT / 64-BIT]
This is a portability table:
- 32bit program inject 32bit dll in a 32bit target
- 32bit program inject 64bit dll in a 64bit target
- 64bit program inject 32bit dll in a 32bit target
- 64bit program inject 64bit dll in a 64bit target
If this is true, so my injector should is working.
Can someone help me please?
Code used:
Module1.bas
Option Explicit
Private Const INFINITE As Long = &HFFFF
Private Const TOKEN_ADJUST_PRIVILEGES As Long = &H20
Private Const TOKEN_QUERY As Long = &H8
Private Const SE_PRIVILEGE_ENABLED As Long = &H2
Private Const ANYSIZE_ARRAY As Long = 1
Private Const SE_DEBUG_NAME As String = "SeDebugPrivilege"
Private Const PAGE_READWRITE As Long = &H4
Private Const MEM_RELEASE As Long = &H8000
Private Const MEM_COMMIT As Long = &H1000
Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Private Const SYNCHRONIZE As Long = &H100000
Private Const PROCESS_VM_OPERATION As Long = (&H8)
Private Const PROCESS_VM_WRITE As Long = (&H20)
Private Const TH32CS_SNAPPROCESS As Long = 2&
Private Const PROCESS_ALL_ACCESS As Long = _
(STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or PROCESS_VM_WRITE Or PROCESS_VM_OPERATION Or &HFFF)
Private Type PROCESSENTRY32
dwSize As Long
cntUsage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32ModuleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
dwFlags As Long
szexeFile As String * 260
End Type
Private Type Luid
lowpart As Long
highpart As Long
End Type
Private Type LUID_AND_ATTRIBUTES
pLuid As Luid
Attributes As Long
End Type
Private Type TOKEN_PRIVILEGES
PrivilegeCount As Long
Privileges(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
End Type
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Long, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32.dll" (ByVal hProcess As Long, ByRef lpAddress As Any, ByRef dwSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function OpenProcessToken Lib "advapi32" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function LookupPrivilegeValue Lib "advapi32" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, lpLuid As Luid) As Long
Private Declare Function AdjustTokenPrivileges Lib "advapi32" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As Any, ReturnLength As Long) As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32.dll" (ByVal lFlags As Long, lProcessID As Long) As Long
Private Declare Function ProcessFirst Lib "kernel32.dll" Alias "Process32First" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
Private Declare Function ProcessNext Lib "kernel32.dll" Alias "Process32Next" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
Public Function InjectByPID(ByVal sDllPath As String, ByVal lProcessID As Long) As Boolean
Dim lProc As Long
Dim lLibAdd As Long
Dim lMem As Long
Dim lRet As Long
Dim lThread As Long
On Local Error GoTo InjectByPID_Error
'//Adjust token privileges to open system processes
Call AdjustPrivileges(GetCurrentProcess)
'// Open the process with all access
lProc = OpenProcess(PROCESS_ALL_ACCESS, False, lProcessID)
If lProc = 0 Then GoTo InjectByPID_Error
'// Get the address of LoadLibrary
lLibAdd = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA")
If lLibAdd = 0 Then GoTo InjectByPID_Error
'// Allocate memory to hold the path to the Dll File in the process's memory
lMem = VirtualAllocEx(lProc, 0, Len(sDllPath), MEM_COMMIT, PAGE_READWRITE)
If lMem = 0 Then GoTo InjectByPID_Error
'// Write the path to the Dll File in the location just created
Call WriteProcessMemory(lProc, ByVal lMem, ByVal sDllPath, Len(sDllPath), lRet)
If lRet = 0 Then GoTo InjectByPID_Error
'// Create a remote thread that starts begins at the LoadLibrary function and _
is passed are memory pointer
lThread = CreateRemoteThread(lProc, ByVal 0, 0, ByVal lLibAdd, ByVal lMem, 0, 0&)
If lThread = 0 Then GoTo InjectByPID_Error
'// Wait for the thread to finish
Call WaitForSingleObject(lThread, INFINITE)
'// Free the memory created on the other process
Call VirtualFreeEx(lProc, lMem, Len(sDllPath), MEM_RELEASE)
'//Release the handle to the other process
Call CloseHandle(lProc)
InjectByPID = True
On Error GoTo 0
Exit Function
InjectByPID_Error:
'// Free the memory created on the other process
Call VirtualFreeEx(lProc, lMem, Len(sDllPath), MEM_RELEASE)
'//Release the handle to the other process
Call CloseHandle(lProc)
End Function
Public Function AdjustPrivileges(ByVal lProcessID As Long) As Boolean
Dim lToken As Long
Dim tTOKEN_PRIVILEGES As TOKEN_PRIVILEGES
On Local Error GoTo AdjustPrivileges_Error
If Not OpenProcessToken(lProcessID, TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, lToken) = 0 Then
With tTOKEN_PRIVILEGES
If LookupPrivilegeValue(vbNullString, SE_DEBUG_NAME, .Privileges(0).pLuid) = 0 Then
Exit Function
End If
.PrivilegeCount = 1
.Privileges(0).Attributes = SE_PRIVILEGE_ENABLED
End With
If Not AdjustTokenPrivileges(lToken, 0, tTOKEN_PRIVILEGES, Len(tTOKEN_PRIVILEGES), 0&, 0&) = 0 Then
AdjustPrivileges = True
End If
End If
On Error GoTo 0
Exit Function
AdjustPrivileges_Error:
End Function
'Get PID
Public Function whereISmyFUFUprocess(ByVal ProcessName As String) As Long
Dim procSnapshot As Long
Dim uProcess As PROCESSENTRY32
Dim success As Long
Dim ProcessId As Long
Dim ProcessId_found As Boolean
ProcessId_found = False
procSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&)
If procSnapshot = -1 Then Exit Function
uProcess.dwSize = Len(uProcess)
success = ProcessFirst(procSnapshot, uProcess)
If success = 1 Then
Do
If LCase(VBA.Left$(uProcess.szexeFile, InStr(1, uProcess.szexeFile, Chr(0)) - 1)) = LCase(ProcessName) Then
ProcessId = uProcess.th32ProcessID
Debug.Print "First process found with PID: " & ProcessId
If ProcessId_found = True Then
Debug.Print "Second process found with PID: " & ProcessId
whereISmyFUFUprocess = ProcessId
Exit Do
End If
ProcessId_found = True
End If
Loop While ProcessNext(procSnapshot, uProcess)
End If
If whereISmyFUFUprocess = 0 Then
whereISmyFUFUprocess = ProcessId
End If
Call CloseHandle(procSnapshot)
End FunctionForm 1
Private Declare Sub Sleep Lib "kernel32.dll" (ByVal dwMilliseconds As Long)
Private Sub Command1_Click()
Dim PID As Long
' // Run Notepad
Shell "notepad.exe", vbNormalFocus
Sleep 1000
PID = whereISmyFUFUprocess("notepad.exe")
Sleep 1000
InjectByPID "Project1.dll", PID
End Sub 解决方案
这篇关于dll进样器32位和x64 dll文件在notepad.exe x64中不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!