（转载）CreateRemoteThread （代码注入）

来源：互联网发布：俄罗斯新纳粹知乎编辑：程序博客网时间：2024/05/23 21:15

转载自：http://win32.mvps.org/processes/remthread.html

CreateRemoteThread

Update 12-Dec-00: Keith Brown drew my attention to some weirdbehaviour. If incremental linking is on, and if a wstrstream is used to converta string to a numeric PID, then the remote thread will crash the target process,and I have not the faintest idea why. (OK, so I have an idea, but it's allspeculation.) In consequence, I removed all references to the standard C++library.

Update 21-Nov-99: Tomas Restrepo found a bug, and one of anunbelievably horrible kind, too -- I used VirtualFree() instead of VirtualFreeEx(),meaning that I not only leaked memory in the target process, but also freedsomething I never allocated in the remthread process. The bug has been fixed,and I owe Tomas a big thank-you.

This sample demonstrates how to get the command line another process wasstarted with. To this end, it performs the following steps:

opens the target process

allocates two chunks of memory in the target process' address space; one is executable, the other one for data

copies a function from the local address space to the first piece of memory in the target

initializes the allocated data area in the target

calls CreateRemoteThread() to get the copied code going

waits on the thread handle until the newly created thread is done

copies the (now filled-in) data area back into the local address space

There are other methods, too, for code injection, most notably hooks. ICK!Not only does a hook not hook all processes, it usually includes a ton of bloat.I know people who write global hooks in VB and drag megabytes and megabytes ofdead fish into every process their hook touches.

A few caveats apply:

The code you copy into the target should not call any functionsbesides those in kernel32.dll; only kernel32.dll is guaranteed to be present(and at the same load address) in both the local and the target processes. Ifyou need more or other library routines, pass the addresses of LoadLibrary() andGetProcAddress(), both of which are in kernel32.dll, to the injected code, andlet it go and get the rest itself.

Do not call subroutines. If you must, then copy each routine individually,and supply a table to the new addresses of the copied routines in your dataarea. Why? Because the linker is free to reorder functions; if you definefunctions in the order first(), second(), ..., last(), after_last() and copy thecode between &first and &after_last, you may find that the linker hasmoved second() elsewhere, and you are missing it. You can, however,supply the linker with a text file listing the ordering of the functions; doingthat will allow you to copy a block of memory from first() toafter_last().

Tread lightly. Loading DLLs always may have unexpected side effects; try tostick with Windows-supplied DLLs, and the fewer the better.

Don't bother the target process. Interference is not only impolite, it isdownright risky, as the target, in all likelihood, is unaware of your intrusion.

If you produce a debug build, remember to remove the /GZ switch from theproject options!（ If you forget, the compiler generates calls to a routine thatchecks the stack for munging -- calls to a routine that is not there.

remthread.dsw, 4 KB: workspace file,not that you need it ...
remthread.dsp, 1 KB: project file.

remthread.cpp,6 KB: the meat of this sample. The rest is salad.
stdafx.cpp, 1 KB; stdafx.h,1 KB: these two generate the precompiled header.

remthread.zip,61 KB: all of the above, plus a ready-to-run executable.