WIN7 64下CreateRemoteThread失败了。。。
在XP下正常工作,但是在WIN7 64位下就不行了
每次调用函数后都对返回码和GetLastError检查了
唯独在 CreateRemoteThread 的时候返回 NULL,并且 GetLastError 返回 5(拒绝访问)。
我已经加了提升权限的代码了
--------------
#include <iostream>
#include <windows.h>
#include <Winbase.h>   // NOTE(review): already pulled in by <windows.h>; redundant.
using namespace std;

BOOL KSN_DLLINJ_CRT_inject(int pid, char *dllPath);
void EnableDebugPrivilege(HANDLE processHandle);

// Scratch pointer used by PrintError.
// NOTE(review): the 255-byte malloc block is never written through this
// pointer -- PrintError passes &lpBuffer with FORMAT_MESSAGE_ALLOCATE_BUFFER,
// so FormatMessage replaces the pointer with its own LocalAlloc'd buffer.
// The malloc block therefore leaks on the first error, and every message
// buffer leaks as well (nothing calls LocalFree). A function-local
// `LPSTR msg = NULL` released with LocalFree is the usual shape.
char *lpBuffer = (char*) malloc(255);

/**
 * Print the calling thread's last-error code and its system message text,
 * tagged with the name of the API call the caller just made.
 *
 * @param code  Caller-supplied label for the call being reported.
 *
 * Prints nothing when GetLastError() is ERROR_SUCCESS.
 * NOTE(review): Win32 calls that succeed generally do not reset the
 * last-error value, so calling this after a call that succeeded (as the
 * injector does after OpenProcess / VirtualAllocEx / WriteProcessMemory /
 * CreateRemoteThread) can report a stale error from an earlier call. Test
 * the call's own return value first and read GetLastError() only on failure.
 */
void PrintError(char* code)
{
    long err = GetLastError();
    if (err != ERROR_SUCCESS)
    {
        // FORMAT_MESSAGE_ALLOCATE_BUFFER: the system allocates the message
        // buffer and stores its address through the (LPTSTR*) argument; the
        // caller is expected to free it with LocalFree, which never happens.
        // NOTE(review): the cast also hides a type mismatch if the project is
        // built with UNICODE defined (LPTSTR would then be wchar_t*).
        FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM, NULL, err, LANG_NEUTRAL, (LPTSTR) &lpBuffer, 0, NULL );
        // Drops the last two characters (presumably the trailing "\r\n" of a
        // system message -- confirm). NOTE(review): this writes before the
        // buffer if the message is shorter than two characters, and if
        // FormatMessage failed it runs strlen over the uninitialized malloc
        // block instead.
        *(lpBuffer + strlen(lpBuffer) - 2) = '\0';
        cout<<"Error("<<err<<":"<<lpBuffer<<") at "<<code<<endl;
    }
}

/**
 * Entry point: read a target PID from stdin, inject a hard-coded DLL path,
 * then pause.
 *
 * NOTE(review): the parameter names are swapped relative to the usual
 * (argc, argv) convention; neither is used. `cin>>pid` is not checked, so a
 * non-numeric input leaves pid at 0 (C++11) or unset (older standards). The
 * BOOL returned by KSN_DLLINJ_CRT_inject is ignored, so the success message
 * is printed even when injection failed. Assigning a string literal to a
 * non-const `char*` is a deprecated conversion.
 */
int main(int args, char** argc)
{
    int pid;
    char *dllPath;
    cout<<"PID:";
    cin>>pid;
    // Hard-coded for testing; the interactive read below is disabled.
    dllPath = "E:/workspace/DotNet/TestDLL/Release/TestDll.dll";
    cout<<"DLL:"<<dllPath<<endl;
    //cin>>dllPath;
    KSN_DLLINJ_CRT_inject(pid, dllPath);
    cout<<"DLL注入成功。"<<endl;
    system("PAUSE");
}

/**
 * Inject a DLL into another process by the remote-thread method: open the
 * target, commit a page in it, write the DLL path there, then create a
 * remote thread whose start routine is LoadLibraryA and whose argument is
 * that path.
 *
 * @param pid      Target process id.
 * @param dllPath  NUL-terminated ANSI path of the DLL to load in the target.
 * @return TRUE once CreateRemoteThread has been called, FALSE on an earlier
 *         failure. NOTE(review): the CreateRemoteThread result is never
 *         tested, so TRUE does not mean a thread was actually created.
 *
 * Defensive note: this cross-process sequence (OpenProcess with broad
 * rights -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
 * targeting LoadLibrary) is the textbook process-injection pattern that
 * endpoint monitoring typically alerts on.
 *
 * Resource handling (NOTE(review)):
 *  - hProcess is not checked for NULL after OpenProcess; a NULL handle is
 *    passed on to VirtualAllocEx and later to CloseHandle.
 *  - On the success path neither hProcess nor hThread is closed, the remote
 *    allocation is never freed, and the thread is never waited on.
 *  - dwID is printed even when CreateRemoteThread returned NULL, in which
 *    case it was never written (uninitialized read).
 */
BOOL KSN_DLLINJ_CRT_inject(int pid, char *dllPath)
{
    HANDLE hProcess;
    // Try to enable SeDebugPrivilege in our own token (see EnableDebugPrivilege).
    EnableDebugPrivilege(GetCurrentProcess());
    // Open the target process.
    // NOTE(review): PROCESS_ALL_ACCESS already contains the three rights
    // OR'd in before it; the calls below use only those three, so the request
    // is broader than the work requires.
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_ALL_ACCESS, FALSE, pid);
    PrintError("OpenProcess");
    // Commit room in the target for the path, including the terminating NUL.
    DWORD dllLength = lstrlenA(dllPath) + 1;
    DWORD writeLength;
    LPVOID dllPathSpace = VirtualAllocEx(hProcess, NULL, dllLength, MEM_COMMIT, PAGE_READWRITE);
    PrintError("VirtualAllocEx");
    if (NULL == dllPathSpace)
    {
        CloseHandle(hProcess);
        return FALSE;
    }
    if (WriteProcessMemory(hProcess, dllPathSpace, (LPVOID) dllPath, dllLength, &writeLength))
    {
        PrintError("WriteProcessMemory");
        // Bytes requested differ from bytes written: treat as a data error,
        // decommit the target's page and fail.
        if (dllLength != writeLength)
        {
            VirtualFreeEx(hProcess, dllPathSpace, writeLength, MEM_DECOMMIT);
            PrintError("VirtualFreeEx");
            CloseHandle(hProcess);
            // NOTE(review): GetLastError() is read after VirtualFreeEx and
            // CloseHandle, so the code printed does not describe the short write.
            cout<<"内存写入错误,数据校验失败(Length:"<<dllLength<<",Write:"<<writeLength<<"),错误代码是"<<GetLastError()<<"。"<<endl;
            return FALSE;
        }
    }
    else
    {
        PrintError("WriteProcessMemory");
        CloseHandle(hProcess);
        return FALSE;
    }
    // Create a thread in the target that runs LoadLibraryA(dllPathSpace).
    DWORD dwID;
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) LoadLibraryA, dllPathSpace, 0, &dwID);
    PrintError("CreateRemoteThread");
    // NOTE(review): dwID is only written when the call succeeds; test
    // hThread != NULL before using either, and CloseHandle(hThread) afterwards.
    cout<<dwID<<endl;
    // Alternative previously tried, left disabled:
    //WIN7 HANDLE hThread = CreateRemoteThreadEx(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) LoadLibraryA, dllPathSpace, 0, &dwID);
    //cout<<"ThreadHandle:"<<hThread<<", ErrorNo:"<<GetLastError()<<endl;
    return TRUE;
}

/**
 * Enable SeDebugPrivilege (SE_DEBUG_NAME) in the token of the given process.
 *
 * @param processHandle  Process whose token is adjusted; the caller passes
 *                       GetCurrentProcess().
 *
 * Failures are printed via PrintError and otherwise ignored; the caller has
 * no way to learn whether the privilege is actually enabled.
 * NOTE(review): AdjustTokenPrivileges returns nonzero even when the
 * privilege could not be enabled because it is not present in the token;
 * that case is signalled only by GetLastError() == ERROR_NOT_ALL_ASSIGNED,
 * which is not checked here. Also, hToken is closed only on the failure
 * paths and leaks on success.
 */
void EnableDebugPrivilege(HANDLE processHandle)
{
    HANDLE hToken;
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tkp;
    // TOKEN_ADJUST_PRIVILEGES is what the adjustment needs; TOKEN_QUERY is
    // requested alongside it.
    if (!OpenProcessToken(processHandle, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        PrintError("OpenProcessToken");
        return;
    }
    // Resolve the privilege name to this machine's LUID.
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
    {
        PrintError("LookupPrivilegeValue");
        CloseHandle(hToken);
        return;
    }
    // Exactly one privilege, requested enabled.
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = sedebugnameValue;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL))
    {
        PrintError("AdjustTokenPrivileges");
        CloseHandle(hToken);
    }
}