• Process Memory


    BOOL WINAPI InjectLibW(DWORD dwProcessId, PCWSTR pszLibFile) {
    
       BOOL bOk = FALSE; // Assume that the function fails
       HANDLE hProcess = NULL, hThread = NULL;
       PWSTR pszLibFileRemote = NULL;
    
       __try {
          // Get a handle for the target process.
          hProcess = OpenProcess(
             PROCESS_QUERY_INFORMATION |   // Required by Alpha
             PROCESS_CREATE_THREAD     |   // For CreateRemoteThread
             PROCESS_VM_OPERATION      |   // For VirtualAllocEx/VirtualFreeEx
             PROCESS_VM_WRITE,             // For WriteProcessMemory
             FALSE, dwProcessId);
          if (hProcess == NULL) __leave;
    
          // Calculate the number of bytes needed for the DLL's pathname
          int cch = 1 + lstrlenW(pszLibFile);
          int cb  = cch * sizeof(wchar_t);
    
          // Allocate space in the remote process for the pathname
          pszLibFileRemote = (PWSTR) 
             VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
          if (pszLibFileRemote == NULL) __leave;
    
          // Copy the DLL's pathname to the remote process' address space
          if (!WriteProcessMemory(hProcess, pszLibFileRemote, 
             (PVOID) pszLibFile, cb, NULL)) __leave;
    
          // Get the real address of LoadLibraryW in Kernel32.dll
          PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
             GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
          if (pfnThreadRtn == NULL) __leave;
    
          // Create a remote thread that calls LoadLibraryW(DLLPathname)
          hThread = CreateRemoteThread(hProcess, NULL, 0, 
             pfnThreadRtn, pszLibFileRemote, 0, NULL);
    
          DWORD dwErr = GetLastError();
    
    
          if (hThread == NULL) __leave;
    
    
          // Wait for the remote thread to terminate
          WaitForSingleObject(hThread, INFINITE);
    
          bOk = TRUE; // Everything executed successfully
       }
       __finally { // Now, we can clean everything up
    
          // Free the remote memory that contained the DLL's pathname
          if (pszLibFileRemote != NULL) 
             VirtualFreeEx(hProcess, pszLibFileRemote, 0, MEM_RELEASE);
    
          if (hThread  != NULL) 
             CloseHandle(hThread);
    
          if (hProcess != NULL) 
             CloseHandle(hProcess);
       }
    
       return(bOk);
    }
    
    _FX void * SbieDll_InjectLow_getPage(HANDLE hProcess, void *remote_addr)
    {
    	SIZE_T mySize;
    	ULONG_PTR tempAddr;
    	void * myTable = 0;
    	UCHAR *func;
    	ULONG myProtect;
    	short myBuffer[1024];
    	SIZE_T readSize;
    	BOOL myVM;
    	HANDLE myKernel32;
    	HANDLE myNtDll;
    	//HANDLE myTestDll;
    	func = (UCHAR *)((ULONG_PTR)m_LdrInitializeThunk);
    	myKernel32 = GetModuleHandleA("kernel32.dll");
    	myNtDll = GetModuleHandleA("ntdll.dll");
    	//  myTestDll = 0; 
    
    	/*
    	if(myTestDll) {
    		//for testing remove this code!
    		sprintf(buffer,"Dll Collision Test: address %p\n",myTestDll);
    		OutputDebugStringA(buffer);
    		myTable = VirtualAllocEx(hProcess,myTestDll,0x100, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
    	}
    	else {
    	*/
    	tempAddr = ((ULONG_PTR)myNtDll < (ULONG_PTR)myKernel32 ? (ULONG_PTR)myNtDll : (ULONG_PTR)myKernel32) - 0x10000;
    	myTable = VirtualAllocEx(hProcess, (void *)tempAddr, 0x100, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    	//  }
    	/*
    	else {
    		//use hack if all else fails
    		//OutputDebugStringA("Unable to allocate page!\n");
    		max_attempts = 0;
    	}
    	*/
    
    	if (myTable) {
    		mySize = 0;
    		if (SbieDll_Has32BitJumpHorizon(myTable, func)) {
    			WriteProcessMemory(hProcess, myTable, &remote_addr, 8, &mySize);
    			/*
    			sprintf(buffer,"myPage = %p, kernel32 = %p, ntdll = %p\n",myTable,myKernel32,myNtDll);
    			OutputDebugStringA(buffer);
    			*/
    			if (mySize == 8) {
    				return myTable;
    			}
    		}
    	}
    	/*
    	sprintf(buffer,"Failed to find table for target address %p, func = %p\n",myTable,func);
    	OutputDebugStringA(buffer);
    	*/
    
    	readSize = 1;
    	tempAddr = (ULONG_PTR)func - 8;
    	ReadProcessMemory(hProcess, (void *)((ULONG_PTR)tempAddr), &myBuffer, 8, &readSize);
    
    	// if hot patch area
    	if (*((ULONG_PTR *)&myBuffer) == 0x9090909090909090 || *((ULONG_PTR *)&myBuffer) == 0xcccccccccccccccc) {
    		//OutputDebugStringA("Using hotpatch area\n");
    		myTable = (void *)tempAddr;
    	}
    	else { //not hot patch area: This is a hack
    		//patch area in .rdata section of ntdll
    		ReadProcessMemory(hProcess, (void *)((ULONG_PTR)tempAddr + 0x100000), myBuffer, sizeof(myBuffer), &readSize);
    		if (readSize != sizeof(myBuffer)) {
    			//OutputDebugStringA("Error reading Memory\n");
    			return NULL;
    		}
    		for (int i = 0; i < sizeof(myBuffer) && !myTable; i++) {
    			if (*((ULONG_PTR*)&myBuffer[i]) == 0x9090909090909090 ||
    				*((ULONG_PTR*)&myBuffer[i]) == 0xcccccccccccccccc) {
    				myTable = (void *)((ULONG_PTR)tempAddr + i);
    				/*
    				sprintf(buffer,"HACK: table found at %p, index %x\n",myTable, i);
    				OutputDebugStringA(buffer);
    				*/
    			}
    		}
    		if (!myTable) {
    			//OutputDebugStringA("Table not found\n");
    			return NULL;
    		}
    
    	} //end else not hotpatch area
    
    	myVM = VirtualProtectEx(hProcess, myTable, sizeof(void *), PAGE_READWRITE, &myProtect);
    	if (myVM) {
    		SIZE_T len2 = 0;
    		myVM = WriteProcessMemory(hProcess, myTable, &remote_addr, 8, &len2);
    		if (myVM && 8 == len2) {
    			myVM = VirtualProtectEx(hProcess, myTable, 8, myProtect, &myProtect);
    			if (myVM) {
    				return myTable;
    			}
    		}
    	}
    
    	return NULL;
    }
    

      

      ptrVTable->offset = VirtualAlloc((void *)tempAddr, VTABLE_SIZE, MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN, PAGE_READWRITE);

                         myTable = VirtualAllocEx(hProcess, (void *)tempAddr, 0x100, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    NTSTATUS status = NtAllocateVirtualMemory(hProcess, &remote_addr, i, &region_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

           WriteProcessMemory(hProcess, myTable, &remote_addr, 8, &mySize);

           ReadProcessMemory(hProcess, (void *)((ULONG_PTR)tempAddr), &myBuffer, 8, &readSize);

    m_LdrInitializeThunk = (ULONG_PTR) GetProcAddress(Dll_Ntdll, "LdrInitializeThunk");

    VirtualFree(inject, 0, MEM_RELEASE);

                                         VirtualProtect(RegionBase, RegionSize, PAGE_EXECUTE_READWRITE, &prot)

    myVM = VirtualProtectEx(hProcess, myTable, sizeof(void *), PAGE_READWRITE, &myProtect);

  • 相关阅读:
    安防视频监控直播的画面都是如何采集的?
    为什么说线上教育是未来的趋势?
    音视频流媒体服务器发展到现在有哪些难题?应该怎么解决?
    为什么流媒体服务器做安防视频直播或者娱乐直播服务?
    视频流媒体服务器如何将视频直播转推到其他平台?
    线上教育课堂如何解决H5视频点播转码出现的黑屏问题?
    海康摄像头以GB28181国标协议接入国标流媒体服务器流断码问题的解决办法
    国标GB28181协议流媒体视频平台EasyGBS如何将内网的摄像机视频推送到公网?
    网页全终端视频流媒体播放器EasyPlayer之使用 nginx 和 rtmp 插件搭建视频直播和点播服务器
    安防音视频流媒体服务器EasyDSS之编解码的基本原理及压缩编码的方法介绍
  • 原文地址:https://www.cnblogs.com/chunyou128/p/15992639.html
Copyright © 2020-2023  润新知