VB6 DLL injector: 32-bit and x64 DLL files don't work in notepad.exe x64

I have a DLL injector compiled with Visual Basic 6 and I am trying to inject my DLL (x64) into x64 notepad.exe, but nothing happens. I searched online and found this: [Important: 32-bit / 64-bit]. Here is a portability table:

- A 32-bit program injects a 32-bit DLL into a 32-bit target
- A 32-bit program injects a 64-bit DLL into a 64-bit target
- A 64-bit program injects a 32-bit DLL into a 32-bit target
- A 64-bit program injects a 64-bit DLL into a 64-bit target

If this is true, then my injector should work. Can anyone help me?

Code used: Module1.bas and Form1 (listed at the end).
Check whether you are actually getting the process ID. If I remember correctly (I have tried this before), you cannot get a list of 64-bit processes from a 32-bit process using the API alone; so the VB6 application can only see 32-bit processes. You would need (another) 64-bit helper to provide you with the list of 64-bit and 32-bit process IDs, and then you can use those IDs.

Edit #1: The documentation mentions:

"If the specified process is a 64-bit process and the caller is a 32-bit process, this function fails and the last error code is ERROR_PARTIAL_COPY (299)."

Correction: not relevant, because you do not specify a process to include in the snapshot when calling it (i.e. the second parameter is null).

While debugging, you can still check whether the injection part of the program works by getting the PID of the 64-bit notepad process and entering it manually, directly into InjectByPID().

Edit #2: You might be able to get a process list that includes 64-bit processes via WMI. See [link].

Correction: both 64-bit and 32-bit processes are listed. I was probably confused. OK.

This may not be a complete/direct answer, since it only gives you a direction in which to solve the problem; also, I am not proficient in amd64 assembly code, so I cannot help you with that part.

According to [link], for CreateRemoteThread() to work on a 64-bit process, it needs to be called from another 64-bit process (note: this answer is based on that assumption; I have not tested it).

Knowing this, you have three (3) options:

Option 1: An x64 agent that only calls CreateRemoteThread(). Everything else is done in VB6, including the injection of the bootstrap code.
- Requirements: an x64 executable built with the language and tools of your choice (the agent) and some hand-written amd64 machine code (the bootstrap code)
- Difficulty: challenging (unless writing and debugging hand-written amd64 assembly is one of your favourite pastimes)
- Advantages: relatively speaking, none
- Disadvantages: a two-part injector, plus you need to write some amd64 machine code to inject the DLL. Unnecessarily complex
- Pseudocode / program flow:
  (1) The x86 injector gets the process ID and then a handle to the target (x64) process;
  (2) The x86 injector allocates a memory block in the target (x64) process, large enough to hold the path of the DLL to inject plus the amd64 bootstrap code responsible for loading that DLL into the remote process;
  (3) The x86 injector writes the DLL path and the bootstrap code into the allocated memory;
  (4) The x86 injector executes the x64 agent and passes it the duplicated process handle and a pointer to the allocated memory (offset to the bootstrap code's entry point if the bootstrap code does not start at the beginning of the allocated block);
  (5) The x64 agent calls CreateRemoteThread() with the process handle and the entry-point address of the bootstrap code;
  (6) The bootstrap code gets the module address of "kernel32.dll" and the proc. address of LoadLibraryW(), and loads the DLL from the supplied path; the remote thread continues from there;
  (7) Meanwhile, the x64 agent returns the result of CreateRemoteThread() to the x86 injector.

Option 2: An x64 agent that calls LoadLibraryW() remotely, loading the DLL into the target process. The simplest approach is to let the x86 injector find the process ID of the target process and, when the target is a 64-bit process, pass the process ID and the path of the DLL to inject to the x64 agent so that it performs the injection.
- Requirements: an x64 executable built with the language and tools of your choice (the agent)
- Difficulty: easy; only requires knowing another language that builds for the x64 platform
- Advantages: no need to deal with amd64 machine code any more
- Disadvantages: still a two-part injector
- Pseudocode / program flow:
  (1) The x86 injector gets the ID of the target (x64) process;
  (2) The x86 injector executes the x64 agent and passes it the target process ID and the path of the DLL to inject;
  (3) The x64 agent allocates memory inside the target process, writes the DLL path, then resolves LoadLibraryW() and calls it via CreateRemoteThread(), passing the address of the DLL path we wrote into the remote process; the remote thread continues from there;
  (4) After CreateRemoteTh…
Module1.bas:

```vb
Option Explicit

Private Const INFINITE As Long = &HFFFF
Private Const TOKEN_ADJUST_PRIVILEGES As Long = &H20
Private Const TOKEN_QUERY As Long = &H8
Private Const SE_PRIVILEGE_ENABLED As Long = &H2
Private Const ANYSIZE_ARRAY As Long = 1
Private Const SE_DEBUG_NAME As String = "SeDebugPrivilege"
Private Const PAGE_READWRITE As Long = &H4
Private Const MEM_RELEASE As Long = &H8000
Private Const MEM_COMMIT As Long = &H1000
Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Private Const SYNCHRONIZE As Long = &H100000
Private Const PROCESS_VM_OPERATION As Long = (&H8)
Private Const PROCESS_VM_WRITE As Long = (&H20)
Private Const TH32CS_SNAPPROCESS As Long = 2&
Private Const PROCESS_ALL_ACCESS As Long = _
    (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or PROCESS_VM_WRITE Or PROCESS_VM_OPERATION Or &HFFF)

Private Type PROCESSENTRY32
    dwSize As Long
    cntUsage As Long
    th32ProcessID As Long
    th32DefaultHeapID As Long
    th32ModuleID As Long
    cntThreads As Long
    th32ParentProcessID As Long
    pcPriClassBase As Long
    dwFlags As Long
    szexeFile As String * 260
End Type

Private Type Luid
    lowpart As Long
    highpart As Long
End Type

Private Type LUID_AND_ATTRIBUTES
    pLuid As Luid
    Attributes As Long
End Type

Private Type TOKEN_PRIVILEGES
    PrivilegeCount As Long
    Privileges(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
End Type

Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Long, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32.dll" (ByVal hProcess As Long, ByRef lpAddress As Any, ByRef dwSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function OpenProcessToken Lib "advapi32" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function LookupPrivilegeValue Lib "advapi32" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, lpLuid As Luid) As Long
Private Declare Function AdjustTokenPrivileges Lib "advapi32" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As Any, ReturnLength As Long) As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32.dll" (ByVal lFlags As Long, lProcessID As Long) As Long
Private Declare Function ProcessFirst Lib "kernel32.dll" Alias "Process32First" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
Private Declare Function ProcessNext Lib "kernel32.dll" Alias "Process32Next" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long

Public Function InjectByPID(ByVal sDllPath As String, ByVal lProcessID As Long) As Boolean
    Dim lProc As Long
    Dim lLibAdd As Long
    Dim lMem As Long
    Dim lRet As Long
    Dim lThread As Long

    On Local Error GoTo InjectByPID_Error

    '// Adjust token privileges to open system processes
    Call AdjustPrivileges(GetCurrentProcess)

    '// Open the process with all access
    lProc = OpenProcess(PROCESS_ALL_ACCESS, False, lProcessID)
    If lProc = 0 Then GoTo InjectByPID_Error

    '// Get the address of LoadLibrary
    lLibAdd = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA")
    If lLibAdd = 0 Then GoTo InjectByPID_Error

    '// Allocate memory to hold the path to the Dll File in the process's memory
    lMem = VirtualAllocEx(lProc, 0, Len(sDllPath), MEM_COMMIT, PAGE_READWRITE)
    If lMem = 0 Then GoTo InjectByPID_Error

    '// Write the path to the Dll File in the location just created
    Call WriteProcessMemory(lProc, ByVal lMem, ByVal sDllPath, Len(sDllPath), lRet)
    If lRet = 0 Then GoTo InjectByPID_Error

    '// Create a remote thread that begins at the LoadLibrary function and
    '// is passed our memory pointer
    lThread = CreateRemoteThread(lProc, ByVal 0, 0, ByVal lLibAdd, ByVal lMem, 0, 0&)
    If lThread = 0 Then GoTo InjectByPID_Error

    '// Wait for the thread to finish
    Call WaitForSingleObject(lThread, INFINITE)

    '// Free the memory created on the other process
    Call VirtualFreeEx(lProc, lMem, Len(sDllPath), MEM_RELEASE)

    '// Release the handle to the other process
    Call CloseHandle(lProc)

    InjectByPID = True

    On Error GoTo 0
    Exit Function

InjectByPID_Error:
    '// Free the memory created on the other process
    Call VirtualFreeEx(lProc, lMem, Len(sDllPath), MEM_RELEASE)
    '// Release the handle to the other process
    Call CloseHandle(lProc)
End Function

Public Function AdjustPrivileges(ByVal lProcessID As Long) As Boolean
    Dim lToken As Long
    Dim tTOKEN_PRIVILEGES As TOKEN_PRIVILEGES

    On Local Error GoTo AdjustPrivileges_Error

    If Not OpenProcessToken(lProcessID, TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, lToken) = 0 Then
        With tTOKEN_PRIVILEGES
            If LookupPrivilegeValue(vbNullString, SE_DEBUG_NAME, .Privileges(0).pLuid) = 0 Then
                Exit Function
            End If
            .PrivilegeCount = 1
            .Privileges(0).Attributes = SE_PRIVILEGE_ENABLED
        End With

        If Not AdjustTokenPrivileges(lToken, 0, tTOKEN_PRIVILEGES, Len(tTOKEN_PRIVILEGES), 0&, 0&) = 0 Then
            AdjustPrivileges = True
        End If
    End If

    On Error GoTo 0
    Exit Function

AdjustPrivileges_Error:
End Function

'Get PID
Public Function whereISmyFUFUprocess(ByVal ProcessName As String) As Long
    Dim procSnapshot As Long
    Dim uProcess As PROCESSENTRY32
    Dim success As Long
    Dim ProcessId As Long
    Dim ProcessId_found As Boolean

    ProcessId_found = False
    procSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&)
    If procSnapshot = -1 Then Exit Function

    uProcess.dwSize = Len(uProcess)
    success = ProcessFirst(procSnapshot, uProcess)

    If success = 1 Then
        Do
            If LCase(VBA.Left$(uProcess.szexeFile, InStr(1, uProcess.szexeFile, Chr(0)) - 1)) = LCase(ProcessName) Then
                ProcessId = uProcess.th32ProcessID
                Debug.Print "First process found with PID: " & ProcessId
                If ProcessId_found = True Then
                    Debug.Print "Second process found with PID: " & ProcessId
                    whereISmyFUFUprocess = ProcessId
                    Exit Do
                End If
                ProcessId_found = True
            End If
        Loop While ProcessNext(procSnapshot, uProcess)
    End If

    If whereISmyFUFUprocess = 0 Then
        whereISmyFUFUprocess = ProcessId
    End If

    Call CloseHandle(procSnapshot)
End Function
```

Form1:

```vb
Private Declare Sub Sleep Lib "kernel32.dll" (ByVal dwMilliseconds As Long)

Private Sub Command1_Click()
    Dim PID As Long

    ' // Run Notepad
    Shell "notepad.exe", vbNormalFocus
    Sleep 1000

    PID = whereISmyFUFUprocess("notepad.exe")
    Sleep 1000

    InjectByPID "Project1.dll", PID
End Sub
```