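// Educational example of the "function form" of code injection: a function from
// this program is copied byte-for-byte into another process and executed there
// with CreateRemoteThread. The target is located by its window class ("SciCalc",
// the classic Windows calculator).
//
// Defensive note: the sequence OpenProcess -> VirtualAllocEx(PAGE_EXECUTE_READWRITE)
// -> WriteProcessMemory -> CreateRemoteThread is the textbook cross-process
// injection pattern; EDR products and Sysmon (Event ID 8, CreateRemoteThread)
// alert on exactly this call chain.
#include <stdio.h>
#include <windows.h>
#include <process.h>

// Thread entry that runs inside the remote process.
// Only the raw bytes between MyFunc and AfterMyFunc are copied, so the body must
// stay self-contained: no calls into this module, no CRT, no string literals or
// globals (those would be addresses valid only in this process).
// pData points at the DWORD that main() wrote into the target; returning it as
// the thread exit code lets the injector observe that the code actually ran.
static DWORD WINAPI MyFunc(LPVOID pData) {
    return *(DWORD*)pData;
}

// Marker used only to measure MyFunc: cbCodeSize = AfterMyFunc - MyFunc.
// This assumes the toolchain emits the two functions adjacently and in declaration
// order, which is NOT guaranteed (optimisation, function reordering and incremental
// linking thunks all break it). The code cannot verify that assumption; a wrong
// size either copies garbage or truncates the function.
static void AfterMyFunc(void) {}

// RAII owner for a kernel HANDLE: closes it when the scope ends, on every path.
struct HandleGuard {
    HANDLE h;
    explicit HandleGuard(HANDLE handle) : h(handle) {}
    ~HandleGuard() { if (h) ::CloseHandle(h); }
    HandleGuard(const HandleGuard&) = delete;
    HandleGuard& operator=(const HandleGuard&) = delete;
};

// RAII owner for a region obtained with VirtualAllocEx in another process.
struct RemoteMemGuard {
    HANDLE hProcess;
    LPVOID p;
    RemoteMemGuard(HANDLE process, LPVOID ptr) : hProcess(process), p(ptr) {}
    // MEM_RELEASE requires dwSize == 0; passing the allocation size (as the
    // original did) fails with ERROR_INVALID_PARAMETER and leaks the region in
    // the target process.
    ~RemoteMemGuard() { if (p) ::VirtualFreeEx(hProcess, p, 0, MEM_RELEASE); }
    RemoteMemGuard(const RemoteMemGuard&) = delete;
    RemoteMemGuard& operator=(const RemoteMemGuard&) = delete;
};

// Returns 0 when the remote thread ran and reported its exit code, 1 on any
// failure (each step is checked; earlier versions dereferenced NULL handles).
int main() {
    HWND hStart = ::FindWindow(TEXT("SciCalc"), NULL);
    if (!hStart) {
        printf("target window not found (error %lu)\n", ::GetLastError());
        return 1;
    }

    DWORD PID = 0;
    DWORD TID = ::GetWindowThreadProcessId(hStart, &PID);
    if (!TID) {
        printf("GetWindowThreadProcessId failed (error %lu)\n", ::GetLastError());
        return 1;
    }

    // PROCESS_ALL_ACCESS is broader than the operations below require.
    // OpenProcess fails for processes at a higher integrity level or owned by
    // another user, so the NULL check is essential.
    HandleGuard process(::OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID));
    if (!process.h) {
        printf("OpenProcess failed (error %lu)\n", ::GetLastError());
        return 1;
    }
    HANDLE hProcess = process.h;

    // Argument for the remote thread. MyFunc returns it as the exit code, so
    // reading 1000 back confirms the copied code executed (test value).
    DWORD data = 1000;
    RemoteMemGuard dataRemote(hProcess,
        ::VirtualAllocEx(hProcess, NULL, sizeof(data), MEM_COMMIT, PAGE_READWRITE));
    if (!dataRemote.p ||
        !::WriteProcessMemory(hProcess, dataRemote.p, &data, sizeof(data), NULL)) {
        printf("copying data to target failed (error %lu)\n", ::GetLastError());
        return 1;
    }

    // SIZE_T rather than DWORD: a pointer difference is truncated on 64-bit builds.
    SIZE_T cbCodeSize = (SIZE_T)((LPBYTE)AfterMyFunc - (LPBYTE)MyFunc);
    RemoteMemGuard codeRemote(hProcess,
        ::VirtualAllocEx(hProcess, NULL, cbCodeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE));
    if (!codeRemote.p ||
        !::WriteProcessMemory(hProcess, codeRemote.p, (LPCVOID)MyFunc, cbCodeSize, NULL)) {
        printf("copying code to target failed (error %lu)\n", ::GetLastError());
        return 1;
    }

    HandleGuard thread(::CreateRemoteThread(hProcess, NULL, 0,
        (LPTHREAD_START_ROUTINE)codeRemote.p, dataRemote.p, 0, NULL));
    if (!thread.h) {
        printf("CreateRemoteThread failed (error %lu)\n", ::GetLastError());
        return 1;
    }

    // The remote code and data must stay mapped until the thread has finished;
    // the guards are destroyed only after this wait, in reverse declaration order.
    ::WaitForSingleObject(thread.h, INFINITE);
    DWORD exitCode = 0;
    ::GetExitCodeThread(thread.h, &exitCode);
    printf("run and return %lu\n", exitCode);  // %lu: DWORD is unsigned long
    return 0;
}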