C++: Injecting 32 bit targets from 64 bit process
I have written a DLL-Injector in C++ recently, for which the requirements were the following
- The INJECTING PROCESS (let\'s call it the \'Injec
-
This answer addresses an earlier version of the question, it is mostly irrelevant to the case of a 64-bit injector.
Are you saying that approach works? Because according to the documentation, you can't get information about 64-bit processes from WOW64:
If the function is called by a 32-bit application running under WOW64, the dwFilterFlag option is ignored and the function provides the same results as the EnumProcessModules function.
(
EnumProcessModulesexplains the restriction further)If this function is called from a 32-bit application running on WOW64, it can only enumerate the modules of a 32-bit process. If the process is a 64-bit process, this function fails and the last error code is ERROR_PARTIAL_COPY (299).
But you really do need to find the base address where
kernel32.dllloaded, because of ASLR.讨论(0) -
I think you could use the debug symbols API to save yourself parsing the PE header and export table. This route should yield the required information for the 32-bit injector; 64-bit target case as well, although I still don't see how you're going to pass a 64-bit address to
CreateRemoteThread.- EnumerateLoadedModules64
- SymFromName
- ImageRvaToVa
Normally these debug symbol functions require a .pdb or .sym file to operate, however I'm pretty sure they also get information from a DLL export table (just going from experience of what a debugger shows for files where I don't have symbols present).
讨论(0) -
I stumbled upon this thread looking for a solution for the same problem.
So far I'm inclined to use another simpler solution. To obtain a 32-bit kernel proc address, the 64-bit process can just execute a 32-bit program that will look up the proc addresses for us:
#include <Windows.h> int main(int argc, const char**) { if(argc > 1) return (int) LoadLibraryA; else return (int) GetProcAddress; }讨论(0)
加载中...
- 热议问题