c++ - 使用 CreateRemoteThread 将变量传递给函数
问题描述
HANDLE CreateRemoteThread(
HANDLE hProcess,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
SIZE_T dwStackSize,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
DWORD dwCreationFlags,
LPDWORD lpThreadId
);
lp参数
指向要传递给线程函数的变量的指针。
int x = 0;
LPCWSTR foo = L"Hello World";
CreateRemoteThread(hProcess, 0, 0, pFunction, &x, 0, 0);
假设我需要将多个变量(例如xand foo)传递给需要两个参数的函数example:
LPCWSTR Test(int x, LPCWSTR foo)
{
//....
}
会怎么样?
解决方案
顾名思义,CreateRemoteThread()在外部进程中创建一个新线程。因此,lpStartAddress参数必须指向目标进程中函数的内存地址,并且lpParameter参数必须指向目标进程中存在的内存地址(除非它是指针转换的整数)。您不能将指针传递给正在调用的进程中本地存在的内存CreateRemoteThread()。您可以使用VirtualAllocEx()在另一个进程中分配内存,例如:
DWORD WINAPI MyThreadProc(LPVOID lpParameter)
{
INT *x = (INT*) lpParameter;
// use *x as needed...
VirtualFree(x, 0, MEM_RELEASE);
return 0;
}
...
LPTHREAD_START_ROUTINE pFunction = ...; // point to MyThreadProc() in hProcess
INT x = 0;
LPVOID param = VirtualAllocEx(hProcess, NULL, sizeof(x), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (!param) ...
SIZE_T numWritten;
if (!WriteProcessMemory(hProcess, param, &x, sizeof(x), &numWritten)) ...
if (!CreateRemoteThread(hProcess, 0, 0, pFunction, param, 0, 0)) ...
或者,您可以改用指针转换的整数,在这种情况下,您不需要分配任何东西:
DWORD WINAPI MyThreadProc(LPVOID lpParameter)
{
INT x = INT(reinterpret_cast<INT_PTR>(lpParameter));
// use x as needed...
return 0;
}
...
LPTHREAD_START_ROUTINE pFunction = ...; // point to MyThreadProc() in hProcess
int x = 0;
LPVOID param = reinterpret_cast<LPVOID>(INT_PTR(x));
if (!CreateRemoteThread(hProcess, 0, 0, pFunction, param, 0, 0)) ...
如果您需要将多个值传递给函数,则必须struct在目标进程中分配 a 来保存它们,例如:
#pragma pack(push, 1)
struct MyThreadData
{
INT x;
LPCWSTR foo; // points to fooData...
//WCHAR fooData[]...
};
#pragma pack(pop)
...
DWORD WINAPI MyThreadProc(LPVOID lpParameter)
{
MyThreadData *params = static_cast<MyThreadData*>(lpParameter);
// use params->x and params->foo as needed...
VirtualFree(params, 0, MEM_RELEASE);
return 0;
}
...
LPTHREAD_START_ROUTINE pFunction = ...; // point to MyThreadProc() in hProcess
INT x = 0;
LPCWSTR foo = L"Hello World";
int foo_numBytes = (lstrlenW(foo) + 1) * sizeof(WCHAR);
MyThreadData *params = static_cast<MyThreadData*>(VirtualAllocEx(hProcess, NULL, sizeof(MyThreadData) + fooNumBytes, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE));
if (!params) ...
SIZE_T numWritten;
if (!WriteProcessMemory(hProcess, &(params->x), &x, sizeof(x), &numWritten)) ...
LPWSTR foo_data = reinterpret_cast<LPWSTR>(params + 1);
if (!WriteProcessMemory(hProcess, &(params->foo), &foo_data, sizeof(foo_data), &numWritten)) ...
if (!WriteProcessMemory(hProcess, fooDataPtr, foo, foo_numBytes, &numWritten)) ...
CreateRemoteThread(hProcess, 0, 0, pFunction, params, 0, 0);
推荐阅读
- java - IBM MQ 会话断开连接
- oracle-sqldeveloper - 如何确定表的空逻辑数据块
- r - rockchalk 包中的警告信息
- javascript - 在将部署的合约地址传递给另一个合约构造函数时卡住了
- swift - 如何解决 SpriteKit SKTexture 的 CGImage “上下文泄漏”?
- javascript - 如何检查消息的作者是否是 Discord 机器人?
- sql - Hive SQL 交叉连接问题的条件
- python - python pandas如果连续出现n次精确id如何更改值
- java - 从 jar 文件中读取 .cer 文件失败
- django - 在 Django settings.py for Django-debug-toolbar 的 docker 中获取 NGINX ip 地址