c# - 使用c#将c++ dll注入(inject)exe

Question

为什么我的 C# 代码没有将 dll 注入(inject)到 exe 中，但程序显示消息框“Injected!” ？ 它自己的 .dll 是用 c++ 编码的，而 exe 是用 C++ 编码的 我正在尝试注入(inject)我的 C# 代码，它怎么不起作用？ 这是我的注入(inject)器方法

[DllImport("kernel32")]
public static extern IntPtr CreateRemoteThread(
  IntPtr hProcess,
  IntPtr lpThreadAttributes,
  uint dwStackSize,
  UIntPtr lpStartAddress, // raw Pointer into remote process
  IntPtr lpParameter,
  uint dwCreationFlags,
  out IntPtr lpThreadId
);

[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(
    UInt32 dwDesiredAccess,
    Int32 bInheritHandle,
    Int32 dwProcessId
    );

[DllImport("kernel32.dll")]
public static extern Int32 CloseHandle(
IntPtr hObject
);

[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern bool VirtualFreeEx(
    IntPtr hProcess,
    IntPtr lpAddress,
    UIntPtr dwSize,
    uint dwFreeType
    );

[DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true)]
public static extern UIntPtr GetProcAddress(
    IntPtr hModule,
    string procName
    );

[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocEx(
    IntPtr hProcess,
    IntPtr lpAddress,
    uint dwSize,
    uint flAllocationType,
    uint flProtect
    );

[DllImport("kernel32.dll")]
static extern bool WriteProcessMemory(
    IntPtr hProcess,
    IntPtr lpBaseAddress,
    string lpBuffer,
    UIntPtr nSize,
    out IntPtr lpNumberOfBytesWritten
);

[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public static extern IntPtr GetModuleHandle(
    string lpModuleName
    );

[DllImport("kernel32", SetLastError = true, ExactSpelling = true)]
internal static extern Int32 WaitForSingleObject(
    IntPtr handle,
    Int32 milliseconds
    );

public Int32 GetProcessId(String proc)
{
    Process[] ProcList;
    ProcList = Process.GetProcessesByName(proc);
    return ProcList[0].Id;
}

public void InjectDLL(IntPtr hProcess, String strDLLName)
{
    IntPtr bytesout;

    // Length of string containing the DLL file name +1 byte padding
    Int32 LenWrite = strDLLName.Length + 1;
    // Allocate memory within the virtual address space of the target process
    IntPtr AllocMem = (IntPtr)VirtualAllocEx(hProcess, (IntPtr)null, (uint)LenWrite, 0x1000, 0x40); //allocation pour WriteProcessMemory

    // Write DLL file name to allocated memory in target process
    WriteProcessMemory(hProcess, AllocMem, strDLLName, (UIntPtr)LenWrite, out bytesout);
    // Function pointer "Injector"
    UIntPtr Injector = (UIntPtr)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");

    if (Injector == null)
    {
        MessageBox.Show(" Injector Error! \n ");
        // return failed
        return;
    }

    // Create thread in target process, and store handle in hThread
    IntPtr hThread = (IntPtr)CreateRemoteThread(hProcess, (IntPtr)null, 0, Injector, AllocMem, 0, out bytesout);
    // Make sure thread handle is valid
    if (hThread == null)
    {
        //incorrect thread handle ... return failed
        MessageBox.Show(" hThread [ 1 ] Error! \n ");
        return;
    }
    // Time-out is 10 seconds...
    int Result = WaitForSingleObject(hThread, 10 * 1000);
    // Check whether thread timed out...
    if (Result == 0x00000080L || Result == 0x00000102L || Result == 0xFFFFFFFF)
    {
        /* Thread timed out... */
        MessageBox.Show(" hThread [ 2 ] Error! \n ");
        // Make sure thread handle is valid before closing... prevents crashes.
        if (hThread != null)
        {
            //Close thread in target process
            CloseHandle(hThread);
        }
        return;
    }
    // Sleep thread for 1 second
    Thread.Sleep(1000);
    // Clear up allocated space ( Allocmem )
    VirtualFreeEx(hProcess, AllocMem, (UIntPtr)0, 0x8000);
    // Make sure thread handle is valid before closing... prevents crashes.
    if (hThread != null)
    {
        //Close thread in target process
        CloseHandle(hThread);
    }
    // return succeeded
    return;
}

然后我尝试运行一些程序并用我的 dll 注入(inject)它

private void metroButton2_Click(object sender, EventArgs e)
{
    String strDLLName = @"spd.dll";
    String strProcessName = "app";
    System.Diagnostics.Process.Start("app.exe", "!#@$$$!");                                   
    Int32 ProcID = GetProcessId(strProcessName);
    if (ProcID >= 0)
    {
        IntPtr hProcess = (IntPtr)OpenProcess(0x1F0FFF, 1, ProcID);
        if (hProcess == null)
        {
            MessageBox.Show("OpenProcess() Failed!");
            return;
        }
        else
        {
            InjectDLL(hProcess, strDLLName);
            MessageBox.Show("Injected!");  
        }

    }

}

它向我显示输出:“已注入(inject)!”但是在 .exe 上没有注入(inject) .dll 我应该怎么办 ？在注入(inject)之前/运行 .exe 之后提供更多 Thread.Sleep？ 任何帮助将不胜感激!

Answer 1

请注意 C++ 的NULL(0) 与 C# 的null 不同.您正在寻找的等效项是 IntPtr.Zero。

---

以GetProcAddress函数为例:

Return value

If the function succeeds, the return value is the address of the exported function or variable.

If the function fails, the return value is NULL. To get extended error information, call GetLastError.

Source: https://msdn.microsoft.com/en-us/library/windows/desktop/ms683212(v=vs.85).aspx

这里的 NULL 是一个 c++ 宏，定义为:

#define NULL 0

---

null 不等于 IntPtr.Zero，但 (IntPtr)null 等于 IntPtr.Zero >.