2012-11-10 46 views
1

Today I read an article (http://www.codeproject.com/KB/threads/winspy.aspx) describing code injection, and I tried to write a program that does the same thing. But when I injected code into winmine, it crashed, and I can't find the cause of the crash.
Code injection and program crash

My code:

1. The data structure that gets injected

#include <windows.h>
#include <tchar.h>
#include <string.h>

// Signature of user32!MessageBoxW, the function the remote thread will call.
typedef int (WINAPI *MESSAGEBOX)(HWND, LPCWSTR, LPCWSTR, UINT);

// Build with UNICODE defined so that TCHAR is WCHAR and each buffer holds
// 64 wide characters (the strings are copied into it with wide-char calls).
typedef struct {
    HWND hwnd;
    UINT type;
    MESSAGEBOX fnMessageBox;            // pointer to user32!MessageBoxW
    BYTE pbText[64 * sizeof(TCHAR)];    // text param
    BYTE pbTextCap[64 * sizeof(TCHAR)]; // caption param
} INJDATA, *PINJDATA;

2. The code that gets injected

static int WINAPI ThreadFunc (INJDATA *pData)
{
    int nXferred = 0;

    // Everything used here has to come through pData: only the bytes of this
    // function are copied to the other process, so it must not touch globals,
    // imports or string literals of the injecting program.
    nXferred = pData->fnMessageBox(pData->hwnd, (LPCWSTR)pData->pbText, (LPCWSTR)pData->pbTextCap, pData->type);
    pData->pbText [63 * sizeof(TCHAR)] = __TEXT('\0');
    pData->pbTextCap [63 * sizeof(TCHAR)] = __TEXT('\0');

    return nXferred;
}


// This function marks the memory address after ThreadFunc.
// int cbCodeSize = (PBYTE) AfterThreadFunc - (PBYTE) ThreadFunc.
// This is only meaningful when the compiler lays the two functions out
// contiguously (release build, no incremental linking or debug thunks).
static void AfterThreadFunc (void) {
}

3. Copies ThreadFunc and INJDATA into the remote process and starts executing the remote ThreadFunc

int CallMessageBox (HANDLE hProcess, HWND hWnd, LPCWSTR pbString, LPCWSTR pbStringCap)
{
    HINSTANCE hUser32;
    INJDATA  *pDataRemote = NULL; // the address (in the remote process) where INJDATA will be copied to;
    LPVOID    pCodeRemote = NULL; // the address (in the remote process) where ThreadFunc will be copied to;
    HANDLE    hThread = NULL;     // the handle to the thread executing the remote copy of ThreadFunc;
    DWORD     dwThreadId = 0;

    DWORD     nCharsXferred = 0;    // exit code of the remote thread = return value of MessageBoxW;
    SIZE_T    dwNumBytesXferred = 0; // number of bytes written to the remote process;

    __try {
        hUser32 = GetModuleHandle(__TEXT("user32"));
        if (hUser32 == NULL)
            __leave;

        // Initialize INJDATA and then
        // copy it to the remote process
        INJDATA DataLocal = {
            hWnd,
            MB_OK,
            (MESSAGEBOX) GetProcAddress(hUser32, "MessageBoxW")
        };

        if (DataLocal.fnMessageBox == NULL)
            __leave;

        // Bounded copies: the buffers are 64 wide chars, keep the last one for the terminator
        wcsncpy((LPWSTR) DataLocal.pbText, pbString, sizeof(DataLocal.pbText) / sizeof(WCHAR) - 1);
        wcsncpy((LPWSTR) DataLocal.pbTextCap, pbStringCap, sizeof(DataLocal.pbTextCap) / sizeof(WCHAR) - 1);
        ((LPWSTR) DataLocal.pbText)[sizeof(DataLocal.pbText) / sizeof(WCHAR) - 1] = L'\0';
        ((LPWSTR) DataLocal.pbTextCap)[sizeof(DataLocal.pbTextCap) / sizeof(WCHAR) - 1] = L'\0';

        // 1. Allocate memory in the remote process for INJDATA
        // 2. Write a copy of DataLocal to the allocated memory
        pDataRemote = (INJDATA*) VirtualAllocEx(hProcess, 0, sizeof(INJDATA), MEM_COMMIT, PAGE_READWRITE);
        if (pDataRemote == NULL)
            __leave;
        if (!WriteProcessMemory(hProcess, pDataRemote, &DataLocal, sizeof(INJDATA), &dwNumBytesXferred))
            __leave;


        // Calculate the number of bytes that ThreadFunc occupies
        const int cbCodeSize = (int)((LPBYTE) AfterThreadFunc - (LPBYTE) ThreadFunc);
        if (cbCodeSize <= 0)
            __leave;

        // 1. Allocate memory in the remote process for the injected ThreadFunc
        // 2. Write a copy of ThreadFunc to the allocated memory
        pCodeRemote = VirtualAllocEx(hProcess, 0, cbCodeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        if (pCodeRemote == NULL)
            __leave;
        if (!WriteProcessMemory(hProcess, pCodeRemote, (LPCVOID) ThreadFunc, cbCodeSize, &dwNumBytesXferred))
            __leave;


        // Start execution of remote ThreadFunc
        hThread = CreateRemoteThread(hProcess, NULL, 0,
                                     (LPTHREAD_START_ROUTINE) pCodeRemote,
                                     pDataRemote, 0, &dwThreadId);
        if (hThread == NULL)
            __leave;

        WaitForSingleObject(hThread, INFINITE);

    }
    __finally {
        // The pointers were initialized to NULL above, so these checks are
        // valid even when __leave was taken before the allocations.
        if (pDataRemote != NULL)
            VirtualFreeEx(hProcess, pDataRemote, 0, MEM_RELEASE);

        if (pCodeRemote != NULL)
            VirtualFreeEx(hProcess, pCodeRemote, 0, MEM_RELEASE);

        if (hThread != NULL) {
            GetExitCodeThread(hThread, &nCharsXferred);
            CloseHandle(hThread);
        }
    }

    // Return the exit code of the remote thread
    return (int) nCharsXferred;
}
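From the defender's side, the sequence in CallMessageBox leaves a distinctive trace: a thread is created in a foreign process whose start address lies in a VirtualAllocEx'd buffer rather than in any loaded module. The following is an added detection example, not code from the question or from the CodeProject article it cites. The log lines are constructed here and only mimic the fields Sysmon records for its CreateRemoteThread event (Event ID 8): SourceImage, TargetImage, StartAddress, StartModule, StartFunction; the paths and addresses are illustrative.

```python
"""Flag remote threads that start in memory not backed by any loaded module.

Added detection example; the sample events below are constructed and modelled
on the field names of Sysmon's CreateRemoteThread event (Event ID 8). A thread
whose StartModule is empty began in memory that belongs to no image, which is
what CallMessageBox above produces: ThreadFunc is copied into a VirtualAllocEx'd
buffer and CreateRemoteThread is pointed at that buffer.
"""
import re
from typing import Dict, List

# Constructed sample events; paths and addresses are illustrative only.
SAMPLE_LOG = (
    "EventID=8 SourceImage=C:\\Tools\\injector.exe "
    "TargetImage=C:\\Windows\\System32\\winmine.exe "
    "StartAddress=0x00390000 StartModule= StartFunction=\n"
    "EventID=8 SourceImage=C:\\Windows\\System32\\services.exe "
    "TargetImage=C:\\Windows\\System32\\svchost.exe "
    "StartAddress=0x7C810000 StartModule=C:\\Windows\\System32\\kernel32.dll "
    "StartFunction=LoadLibraryW\n"
    "EventID=8 SourceImage=C:\\Program Files\\App\\app.exe "
    "TargetImage=C:\\Program Files\\App\\app.exe "
    "StartAddress=0x00401000 StartModule=C:\\Program Files\\App\\app.exe "
    "StartFunction=\n"
)

# key=value pairs; a value runs until the next " key=" or the end of the line,
# so values containing spaces ("Program Files") and empty values both parse.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|\s*$)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict (empty string for empty values)."""
    return {k: v for k, v in _FIELD_RE.findall(line)}


def is_suspicious(event: Dict[str, str]) -> bool:
    """True when a cross-process thread starts outside every loaded module."""
    if event.get("EventID") != "8":
        return False
    cross_process = (event.get("SourceImage", "").lower()
                     != event.get("TargetImage", "").lower())
    unbacked_start = event.get("StartModule", "") == ""
    return cross_process and unbacked_start


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed events from log_text that is_suspicious() flags."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if is_suspicious(event):
            findings.append(event)
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"remote thread from {hit['SourceImage']} into {hit['TargetImage']} "
              f"at {hit['StartAddress']} (no backing module)")
```

Only the first sample line is reported: the second has a start address inside kernel32.dll and the third is a thread a process creates in itself. A module-backed start address says nothing about whether the thread is benign; the heuristic is deliberately narrow and targets the "code copied into freshly allocated memory" pattern shown in the question.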

Answer

3

Unfortunately, that description is outdated. Recent versions of Windows have a protection called ASLR (Address Space Layout Randomization). It protects them from basic code injection and makes sure every process has its own address space. Not all processes have ASLR enabled, but in most cases the old technique does not work.

EDIT: Does the injected code get executed, and then you crash? If so, it may be because the EIP register keeps increasing but there are no more instructions to execute in the injected shellcode. You set the instruction pointer to the allocated memory and execute the code, but after that there simply are no more valid instructions to execute. To prevent this I would allocate more memory and write a simple shellcode that loops forever and keeps EIP from executing some random stuff in memory.

+0

Yes, I tried this on my virtual machine with WinXP, but winmine crashes when I close the messageBox. I don't know why. – wenz

+0

I will edit my post. Please check it in a minute or two :) –

+0

Yob, thanks :) – wenz