2012-10-01 50 views
3

Delphi XE3 DLL injection: injecting a 64-bit DLL into a 64-bit process doesn't work

I'm using this code to inject my 64-bit DLL into a 64-bit process on Windows 7 64-bit. CreateRemoteThread returns 200, but the DLL still isn't injected. I tested my DLL with another source and it works fine; Process Explorer shows that my code doesn't work. What's wrong with this code? I'm using Delphi XE3 and I have compiled the code for the 64-bit target platform.

function InjectDLL(dwPID: DWORD; DLLPath: pwidechar): integer;
var
  dwThreadID: Cardinal;
  hProc, hThread, hKernel: NativeUInt;
  BytesWritten: NativeUInt;
  pRemoteBuffer, pLoadLibrary: Pointer;
begin
  try
    hProc := OpenProcess(PROCESS_ALL_ACCESS, False, dwPID);
    if hProc = 0 then
    begin
      Result := 0;
      Exit;
    end;
    pRemoteBuffer := VirtualAllocEx(hProc, nil, Length(DLLPath) + 1, MEM_COMMIT,
      PAGE_READWRITE);
    if pRemoteBuffer = nil then
    begin
      Result := 0;
      Exit;
    end;
    if WriteProcessMemory(hProc, Pointer(pRemoteBuffer), lpvoid(DLLPath),
      Length(DLLPath) + 1, BytesWritten) = False then
    begin
      Result := 0;
      Exit;
    end;
    hKernel := GetModuleHandle(pwidechar('kernel32.dll'));
    pLoadLibrary := (GetProcAddress(hKernel, pansichar('LoadLibraryA')));
    hThread := CreateRemoteThread(hProc, Pointer(nil), 0, Pointer(pLoadLibrary),
      Pointer(pRemoteBuffer), 0, dwThreadID);

    WaitForSingleObject(hThread, INFINITE);
    VirtualFreeEx(hProc, Pointer(pRemoteBuffer), Length(DLLPath) + 1,
      MEM_RELEASE);
    CloseHandle(hThread);
    CloseHandle(hProc);
    // ShowMessage(IntToStr(hThread)+' '+ inttostr(dwThreadID));
    Result := 1;
  except
    on d: exception do
    begin
    end;
  end;
end;
+0

@hvd I can't see any code there that could raise an exception. These are just a bunch of WinAPI calls, which don't raise. –

+0

@DavidHeffernan Are you sure? I wouldn't be surprised by an 'EAccessViolation' exception. – hvd

+0

@hvd Which API call do you expect to raise the AV, and where? –

Answer

4

You are calling LoadLibraryA, but passing it UTF-16 encoded data. Switch to LoadLibraryW, or convert the module name to ANSI.

I would do the former. In addition to switching to LoadLibraryW, you also need to copy the whole buffer. Do that by replacing both instances of Length(DLLPath) + 1 with SizeOf(Char)*(Length(DLLPath) + 1).

Some more comments:

  • Using PROCESS_ALL_ACCESS is excessive. You only need PROCESS_CREATE_THREAD or PROCESS_QUERY_INFORMATION or PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_VM_READ.
  • The PAnsiChar cast in GetProcAddress(hKernel, pansichar('LoadLibraryA')) looks wrong, because 'LoadLibraryA' is UTF-16 encoded. Just use GetProcAddress(hKernel, 'LoadLibraryA'). Or 'LoadLibraryW' if you go down that route.
  • Using NativeUInt for handles is wrong. It doesn't matter much, but you should use THandle.
  • When using MEM_RELEASE you must pass 0 for the size parameter.

Putting that together, the code should look like this:

function InjectDLL(dwPID: DWORD; DLLPath: PWideChar): integer;
var
  dwThreadID: Cardinal;
  hProc, hThread, hKernel: THandle;
  BytesToWrite, BytesWritten: SIZE_T;
  pRemoteBuffer, pLoadLibrary: Pointer;
begin
  hProc := OpenProcess(PROCESS_CREATE_THREAD or PROCESS_QUERY_INFORMATION or PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_VM_READ, False, dwPID);
  if hProc = 0 then
    exit(0);
  try
    BytesToWrite := SizeOf(WideChar)*(Length(DLLPath) + 1);
    pRemoteBuffer := VirtualAllocEx(hProc, nil, BytesToWrite, MEM_COMMIT, PAGE_READWRITE);
    if pRemoteBuffer = nil then
      exit(0);
    try
      if not WriteProcessMemory(hProc, pRemoteBuffer, DLLPath, BytesToWrite, BytesWritten) then
        exit(0);
      hKernel := GetModuleHandle('kernel32.dll');
      pLoadLibrary := GetProcAddress(hKernel, 'LoadLibraryW');
      hThread := CreateRemoteThread(hProc, nil, 0, pLoadLibrary, pRemoteBuffer, 0, dwThreadID);
      try
        WaitForSingleObject(hThread, INFINITE);
      finally
        CloseHandle(hThread);
      end;
    finally
      VirtualFreeEx(hProc, pRemoteBuffer, 0, MEM_RELEASE);
    end;
  finally
    CloseHandle(hProc);
  end;
  exit(1);
end;

Personally, I would probably pass a string rather than a PWideChar, but perhaps you have some other motive for doing that.

+0

Thanks for your time David, but it's still the same result. I know what I should do; I think the problem is caused by the Delphi XE compiler. Any ideas? – user1711256

+0

Still the same result? You haven't even told us what the result is. –

+0

Anyway, I tested this code. The injection works fine. –