滴水2.28 --挂起方式创建线程
1.线程继承2
当填写 CreateProcess 的第三、第四个参数（进程和线程的安全属性）时，可以把所创建进程的进程句柄和线程句柄同时设置为可继承，交给第三个线程来进行控制。
{功能实现}
进程1
// ZZZZ.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <stdio.h>
#include <windows.h>
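// Starts the target (C:\PCHunter32.exe) with inheritable process/thread
// handles, then starts a helper (C:/fa.exe) that inherits those two handles
// and receives their numeric values on its command line.
//
// No return value; failures are reported on stdout. Every handle this
// process receives from CreateProcess is closed before returning.
VOID TestCreateProcessByCmdline()
{
    char szBuffer[256] = {0};
    // "%x %x" of two 32-bit values plus a space and the terminator needs up
    // to 18 bytes; the former 8-byte buffer overflowed for any real handle.
    char szHandle[32] = {0};

    // bInheritHandle = TRUE on both attributes is what makes the target's
    // process and thread handles inheritable by a later child.
    // NOTE(review): inheritable handles are copied into *every* child started
    // with bInheritHandles = TRUE, not only fa.exe; PROC_THREAD_ATTRIBUTE_HANDLE_LIST
    // can restrict the set per child if that matters.
    SECURITY_ATTRIBUTES ie_sa_p;
    ie_sa_p.nLength = sizeof(ie_sa_p);
    ie_sa_p.lpSecurityDescriptor = NULL;
    ie_sa_p.bInheritHandle = TRUE;
    SECURITY_ATTRIBUTES ie_sa_t;
    ie_sa_t.nLength = sizeof(ie_sa_t);
    ie_sa_t.lpSecurityDescriptor = NULL;
    ie_sa_t.bInheritHandle = TRUE;

    // Create the target process; its two handles are the inheritable objects.
    STARTUPINFO ie_si = {0};
    PROCESS_INFORMATION ie_pi = {0};
    ie_si.cb = sizeof(ie_si);
    TCHAR szCmdline[] = TEXT("C:\\PCHunter32.exe");
    if (!CreateProcess(
            szCmdline,
            NULL,
            &ie_sa_p,
            &ie_sa_t,
            TRUE,
            CREATE_NEW_CONSOLE,
            NULL,
            NULL, &ie_si, &ie_pi))
    {
        // Without this check the uninitialised ie_pi would be formatted below.
        printf("CreateProcess(target) failed: %lu\n", GetLastError());
        return;
    }

    // Build the helper's command line: "C:/fa.exe <hProcess hex> <hThread hex>".
    // Handle values are 32-bit significant on Windows, so the cast is lossless
    // and matches the "%x" the helper parses.
    sprintf(szHandle, "%x %x",
            (unsigned int)(ULONG_PTR)ie_pi.hProcess,
            (unsigned int)(ULONG_PTR)ie_pi.hThread);
    sprintf(szBuffer, "C:/fa.exe %s", szHandle);

    // Start the helper with bInheritHandles = TRUE so it receives copies of
    // the two inheritable handles whose values it was just given.
    STARTUPINFO si = {0};
    PROCESS_INFORMATION pi = {0};
    si.cb = sizeof(si);
    BOOL res = CreateProcess(
        NULL,
        szBuffer,
        NULL,
        NULL,
        TRUE,
        CREATE_NEW_CONSOLE,
        NULL,
        NULL, &si, &pi);
    if (!res)
    {
        printf("CreateProcess(helper) failed: %lu\n", GetLastError());
    }
    else
    {
        // This process never uses the helper's own handles; release them.
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }

    // The helper holds its own inherited copies (duplicated at CreateProcess
    // time), so this process can drop its references to the target now.
    CloseHandle(ie_pi.hThread);
    CloseHandle(ie_pi.hProcess);
}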
// Entry point: launch the target and helper processes, then block on stdin
// so this console (and the process owning the handles) stays alive while
// the helper runs. Command-line arguments are not used.
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    TestCreateProcessByCmdline();

    printf("Hello World!\n");
    getchar();   // keep the window open until the user presses Enter

    return 0;
}
进程2
// fa.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <stdio.h>
#include <windows.h>
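// Helper process: argv[1] and argv[2] are the hex values of an inherited
// process handle and thread handle (written by the parent as "%x %x").
// Suspends and resumes the thread, then terminates the process and waits
// for it to exit. Returns 1 on bad arguments, 0 otherwise.
int main(int argc, char* argv[])
{
    // The original dereferenced argv[1]/argv[2] unconditionally and copied
    // 8 bytes from each, over-reading arguments shorter than 8 characters.
    if (argc < 3)
    {
        printf("usage: %s <process-handle-hex> <thread-handle-hex>\n", argv[0]);
        return 1;
    }

    unsigned int uProcessHandle = 0;
    unsigned int uThreadHandle = 0;
    // sscanf on the argument itself needs no fixed-size copy; "%x" matches
    // the parent's formatting and the unsigned int type exactly.
    if (sscanf(argv[1], "%x", &uProcessHandle) != 1 ||
        sscanf(argv[2], "%x", &uThreadHandle) != 1)
    {
        printf("invalid handle value on the command line\n");
        return 1;
    }
    // Handle values are 32-bit significant on Windows; widen via ULONG_PTR
    // rather than casting an integer straight to a pointer.
    HANDLE hProcess = (HANDLE)(ULONG_PTR)uProcessHandle;
    HANDLE hThread = (HANDLE)(ULONG_PTR)uThreadHandle;

    printf("获取IE进程、主线程句柄\n");
    Sleep(2000);

    // Suspend the target's main thread. (DWORD)-1 means the inherited handle
    // is not a valid thread handle or lacks THREAD_SUSPEND_RESUME.
    printf("挂起主线程\n");
    if (::SuspendThread(hThread) == (DWORD)-1)
    {
        printf("SuspendThread failed: %lu\n", GetLastError());
    }
    Sleep(5000);

    // Resume it.
    if (::ResumeThread(hThread) == (DWORD)-1)
    {
        printf("ResumeThread failed: %lu\n", GetLastError());
    }
    printf("恢复主线程\n");
    Sleep(5000);

    // Terminate the target process. Only wait when termination was actually
    // requested: the former unconditional INFINITE wait hung forever if
    // TerminateProcess had failed.
    if (!::TerminateProcess(hProcess, 1))
    {
        printf("TerminateProcess failed: %lu\n", GetLastError());
    }
    else
    {
        ::WaitForSingleObject(hProcess, INFINITE);
    }
    printf("ID进程已经关闭.....\n");
    printf("Hello World!\n");

    // Release the inherited handles; they are this process's own references.
    ::CloseHandle(hThread);
    ::CloseHandle(hProcess);
    return 0;
}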
4.参数介绍
倒数第三个参数（lpCurrentDirectory）为空时，新开辟的进程只能获取到父进程的路径；这样修改后才能成功找到程序路径。
倒数第五个参数（dwCreationFlags）决定程序运行的状态，传入 CREATE_SUSPENDED 可以使程序挂起。
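// Start the target suspended (CREATE_SUSPENDED): the process and its initial
// thread exist, but no user-mode code runs until ResumeThread is called.
// bInheritHandles is FALSE here: this variant passes nothing to the child.
// szBuffer, ie_si and ie_pi are defined by the surrounding code.
BOOL bCreated = CreateProcess(
    NULL,
    szBuffer,
    NULL,
    NULL,
    FALSE,
    CREATE_SUSPENDED,
    NULL,
    NULL,
    &ie_si,
    &ie_pi
    );
if (!bCreated)
{
    // ie_pi is undefined on failure; resuming from it was the original's bug.
    printf("CreateProcess failed: %lu\n", GetLastError());
}
else
{
    // Resume execution once any work on the suspended process is finished.
    if (ResumeThread(ie_pi.hThread) == (DWORD)-1)
    {
        printf("ResumeThread failed: %lu\n", GetLastError());
    }
}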
挂起线程后：
处于挂起状态时只分配了内存空间，还没有填充内容；可以在挂起状态下对程序进行修改，后续再恢复。
下面演示如何获取入口点和 ImageBase。
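// Read the suspended initial thread's registers before it has run any user
// code. x86 only: the Eax/Ebx fields exist solely in the 32-bit CONTEXT.
// ie_pi and szBuffer are defined by the surrounding code.
// NOTE(review): create-suspended followed by GetThreadContext and
// ReadProcessMemory on the new process is a sequence endpoint monitoring
// commonly records as process tampering; expect it to be logged.
CONTEXT contx;
memset(&contx, 0, sizeof(contx));
contx.ContextFlags = CONTEXT_FULL;
if (!GetThreadContext(ie_pi.hThread, &contx))
{
    // Without this check Eax/Ebx below would be garbage.
    printf("GetThreadContext failed: %lu\n", GetLastError());
}
else
{
    // Entry point: the author relies on Windows leaving it in Eax for the
    // initial thread of a suspended process (undocumented convention — confirm).
    DWORD dwEntryPoint = contx.Eax;
    // Ebx+8 is the location the author reads the image base from; the 4
    // bytes copied into szBuffer below are the value, baseAddress is only
    // its address inside the target. The cast binds before the +8, so this
    // is a byte offset.
    char* baseAddress = (CHAR *)contx.Ebx + 8;
    memset(szBuffer, 0, 256);
    SIZE_T cbRead = 0;
    if (!ReadProcessMemory(ie_pi.hProcess, baseAddress, szBuffer, 4, &cbRead) || cbRead != 4)
    {
        printf("ReadProcessMemory failed: %lu\n", GetLastError());
    }
}
// Resume execution.
ResumeThread(ie_pi.hThread);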
本文来自博客园,作者:逆向狗,转载请注明原文链接:https://www.cnblogs.com/Agtw/p/17165608.html