[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
uint dwSize, AllocationType flAllocationType, MemoryProtection flProtect);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);
[Flags]
public enum AllocationType
{
Commit = 0x1000,
Reserve = 0x2000,
Decommit = 0x4000,
Release = 0x8000,
Reset = 0x80000,
Physical = 0x400000,
TopDown = 0x100000,
WriteWatch = 0x200000,
LargePages = 0x20000000
}
[Flags]
public enum MemoryProtection
{
Execute = 0x10,
ExecuteRead = 0x20,
ExecuteReadWrite = 0x40,
ExecuteWriteCopy = 0x80,
NoAccess = 0x01,
ReadOnly = 0x02,
ReadWrite = 0x04,
WriteCopy = 0x08,
GuardModifierflag = 0x100,
NoCacheModifierflag = 0x200,
WriteCombineModifierflag = 0x400
}
[StructLayout(LayoutKind.Sequential, Pack=1]
public struct RemoteThreadParams
{
[MarshalAs(UnmanagedType.U1)]
public byte Param1;
[MarshalAs(UnmanagedType.I4)]
public int Param2;
...
}
[DllImport("kernel32")]
public static extern IntPtr CreateRemoteThread(
IntPtr hProcess,
IntPtr lpThreadAttributes,
uint dwStackSize,
IntPtr lpStartAddress,
IntPtr lpParameter,
uint dwCreationFlags,
out uint lpThreadId
);
RemoteThreadParams params = new RemoteThreadParams();
parms.Param1 = 10;
parms.Param2 = 200;
// Allocate some native heap memory in your process big enough to store the
// parameter data
IntPtr iptrtoparams = Marshal.AllocHGlobal(Marshal.SizeOf(RemoteThreadParams));
// Copies the data in your structure into the native heap memory just allocated
Marshal.StructureToPtr(params, iptrtoparams, false);
// Use to get a handle to the process you intend to create a thread in.
OpenProcess(...,...,...);
// Use to alloc "committed" memory that is addressable by other process
IntPtr iptrremoteallocatedmemory = VirtualAllocEx()...
// Copy from your process memory to the memory the remoteprocess will be accessing
WriteProcessMemory(...,iptrremoteallocatedmemory,iptrtoparams,...,...);
Marshal.FreeHGlobal(iptrtoparams); // safe to free, as you have done the copy
CreateRemoteThread(...,...,...,...,iptrremoteallocatedmemory,...,...);
// Free the memory that was allocated for the other process...but be
// careful of its lifetime.
//
// Only free when the thread will no longer be accessing the allocated native
// memory i.e. when it's finished.
VirtualFreeEx(...,...,...,...);
在你的 C/C++ 代码中有:
#pragma pack(push,1)
struct tagRemoteThreadParams
{
BYTE Param1;
int Param2;
} RemoteThreadParams, *PRemoteThreadParams;
#pragma pack(pop)
投下LPVOID由线程函数接收到PRemoteThreadParams (i.e. *RemoteThreadParams).
如果您希望将一些“字符串”作为参数之一,那么您将需要做更多的工作来整理它们。如需更多帮助,请参阅:
- http://www.developerfusion.com/article/84519/mastering-structs-in-c/ http://www.developerfusion.com/article/84519/mastering-structs-in-c/
其他一些参考:
- Dll注入。带参数执行CreateRemoteThread https://stackoverflow.com/questions/6582096/dll-injection-execute-createremotethread-with-parameter
- http://social.msdn.microsoft.com/Forums/vstudio/en-US/e044a6ff-c463-4b9b-8c82-f791c35dbaa1/virtualallocexwriteprocessmemory-and-writing-c-char-arrays?forum=csharpgeneral http://social.msdn.microsoft.com/Forums/vstudio/en-US/e044a6ff-c463-4b9b-8c82-f791c35dbaa1/virtualallocexwriteprocessmemory-and-writing-c-char-arrays?forum=csharpgeneral
