Process execution from memory
Question
I successfully compiled the source code found here: http://pastebin.com/1hPDib5w. Obviously I am trying to execute a process from memory, given their full paths.
In the main function I called the DoStuff function this way... DoStuff("C:\\Windows\\System32\\notepad.exe", "C:\\Windows\\System32\\calc.exe");
Now the program runs and opens a blank command prompt (not to mention because of the cin.get()), but neither Notepad nor Calculator opens. I checked in Task Manager whether either of these two processes is running or not, but no, they are not running. The only thing that I notice is that the output window in my MS VS 2010 Express displays these messages....
'RunFromMem.exe': Loaded 'C:\Windows\SysWOW64\ntdll.dll', Cannot find or open the PDB file
'RunFromMem.exe': Loaded 'C:\Windows\SysWOW64\kernel32.dll', Cannot find or open the PDB file
'RunFromMem.exe': Loaded 'C:\Windows\SysWOW64\KernelBase.dll', Cannot find or open the PDB file
'RunFromMem.exe': Loaded 'C:\Windows\SysWOW64\msvcp100.dll', Cannot find or open the PDB file
'RunFromMem.exe': Loaded 'C:\Windows\SysWOW64\msvcr100.dll', Cannot find or open the PDB file
'RunFromMem.exe': Loaded 'C:\Windows\SysWOW64\apphelp.dll', Cannot find or open the PDB file
'RunFromMem.exe': Loaded 'ImageAtBase0xf60000', Loading disabled by Include/Exclude setting.
'RunFromMem.exe': Unloaded 'ImageAtBase0xf60000'
I looked into these messages; people are suggesting that the symbol tables are not getting loaded properly.
What should I do to solve the problem? If there is any other, better source code available, then please suggest it.
Thanks in advance.
Answer
Ah, I see you are interested in the field of writing viruses and exploits...
It seems you can download those symbols here (but I have never used them myself):
http://msdn.microsoft.com/en-us/windows/hardware/gg463028
The problem is probably in the code itself and not in those system DLLs. Check the same code here and read the comment at the bottom.
http://leetmatrix.blogspot.nl/2013/05/execute-executable-inside-another.html
Good luck!