GetModuleHandle(), for a DLL in another process
Problem description
The title explains this all really, I have a process tapping into another process. I need to be able to GetModuleHandle, on this program for a certain DLL which isn't Windows standard, and I don't have the source code to the main program.
I need to use it to call an exported function with GetProcAddress and in the end use it in CreateRemoteThread to remotely start a task on that program.
Is there any way I can get a ModuleHandle from another program, instead of the local program it is creating the remote thread with?
Thanks.
I see three possible solutions to this. As far as I know, there is no Windows API that allows you to get a function address for a module in another process.
Solution 1:
The easiest solution, IMO, is to inject a DLL into the target process and retrieve all the needed information from within the target process itself. There are many different ways to get your DLL into the target process, my favorite is Reflective DLL Injection.
Solution 2:
Solution 2 uses EnumProcessModules (Usage) to fetch HMODULE references from another process. You cannot use these in calls to GetProcAddress directly. The way around this is to load the DLL into your process using LoadLibraryEx("MODULE_NAME", NULL, DONT_RESOLVE_DLL_REFERENCES). This, on successful module load, will provide you with an HMODULE instance that you can pass to GetProcAddress.
The address returned from GetProcAddress is only valid for your address space, but luckily it is also relative to the module base. By subtracting your HMODULE reference from the address and then adding it to the HMODULE reference in the target process, you will get the address of the function in the target process.
Ex: targetProc = myProc - myModule + targetModule;
where myProc is a char * and myModule and targetModule are HMODULE.
Solution 3:
Solution 3 is the hardest IMO to implement. This solution requires you to read the target's process memory to locate the required modules, and then parse the modules to find the function addresses.
Resources for this solution can be found here and here.
I haven't personally tested either solution 2 or 3, but in theory they should work. I have used solution 1 personally, and would recommend that as the way to achieve this. The other two solutions require a lot of boilerplate code to emulate existing Windows API methods.
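Solution 2 worked through as an added C example; this is not code from the question or from the answer above. It finds the module's base in the target with EnumProcessModules, loads exactly the same file locally with LoadLibraryEx and DONT_RESOLVE_DLL_REFERENCES, and applies targetProc = myProc - myModule + targetModule. The helper names remote_address, find_remote_module and resolve_remote_export are this example's own. It also adds one check the answer does not mention: if GetProcAddress returns an address outside the locally mapped image (a forwarded export, whose code lives in a different DLL), the subtraction would produce garbage, so the arithmetic refuses it. The Win32 calls are guarded by _WIN32 so that the offset arithmetic itself builds on any platform.

```c
/* Added example for Solution 2; not code from the original answer.
 * Helper names (remote_address, find_remote_module, resolve_remote_export)
 * are this example's own.
 * Build on Windows with:  cl example.c psapi.lib   or   gcc example.c -lpsapi */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>
#endif

/* The answer's formula, targetProc = myProc - myModule + targetModule, with a
 * bounds check. An export's offset (RVA) from the module base is fixed in the
 * file, so it is identical in every process that maps the image, whatever base
 * the loader chose. Returns 0 when local_proc is not inside
 * [local_base, local_base + local_size): that is what a forwarded export looks
 * like, because GetProcAddress then returns an address in another DLL. */
uintptr_t remote_address(uintptr_t local_proc, uintptr_t local_base,
                         uintptr_t local_size, uintptr_t remote_base)
{
    if (local_proc < local_base || local_proc - local_base >= local_size)
        return 0;
    return remote_base + (local_proc - local_base);
}

#ifdef _WIN32
/* Locate module_name in the target process. Returns its base there and copies
 * the on-disk path, so the caller can map exactly the same file (same version,
 * same export layout) rather than whatever the search path would find. */
static HMODULE find_remote_module(HANDLE process, const char *module_name,
                                  char *path_out, DWORD path_cch)
{
    HMODULE mods[1024];
    DWORD needed = 0;
    path_out[0] = '\0';
    if (!EnumProcessModules(process, mods, sizeof mods, &needed))
        return NULL;
    DWORD count = needed / sizeof(HMODULE);
    if (count > sizeof mods / sizeof mods[0])
        count = sizeof mods / sizeof mods[0];   /* buffer too small: inspect what fits */
    for (DWORD i = 0; i < count; i++) {
        char name[MAX_PATH];
        if (GetModuleBaseNameA(process, mods[i], name, sizeof name) &&
            _stricmp(name, module_name) == 0) {
            GetModuleFileNameExA(process, mods[i], path_out, path_cch);
            return mods[i];
        }
    }
    return NULL;
}

/* Address of func_name (exported by module_name) as the process pid sees it, or 0. */
uintptr_t resolve_remote_export(DWORD pid, const char *module_name, const char *func_name)
{
    HANDLE process = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!process) return 0;
    char path[MAX_PATH];
    HMODULE remote_base = find_remote_module(process, module_name, path, MAX_PATH);
    CloseHandle(process);
    if (!remote_base) return 0;           /* target does not have that DLL loaded */

    /* Map the same file here without running DllMain or loading its imports. */
    HMODULE local_base = LoadLibraryExA(path[0] ? path : module_name, NULL,
                                        DONT_RESOLVE_DLL_REFERENCES);
    if (!local_base) return 0;            /* e.g. 32/64-bit mismatch (ERROR_BAD_EXE_FORMAT) */

    /* SizeOfImage from the PE header bounds the check in remote_address(). */
    IMAGE_DOS_HEADER *dos = (IMAGE_DOS_HEADER *)local_base;
    IMAGE_NT_HEADERS *nt = (IMAGE_NT_HEADERS *)((BYTE *)local_base + dos->e_lfanew);
    uintptr_t size = nt->OptionalHeader.SizeOfImage;

    FARPROC local_proc = GetProcAddress(local_base, func_name);
    uintptr_t result = local_proc
        ? remote_address((uintptr_t)local_proc, (uintptr_t)local_base, size,
                         (uintptr_t)remote_base)
        : 0;
    FreeLibrary(local_base);
    return result;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <pid> <module.dll> <ExportName>\n", argv[0]);
        return 2;
    }
    uintptr_t addr = resolve_remote_export((DWORD)strtoul(argv[1], NULL, 10), argv[2], argv[3]);
    if (!addr) { fprintf(stderr, "not resolved\n"); return 1; }
    printf("%s!%s in pid %s is at %p\n", argv[2], argv[3], argv[1], (void *)addr);
    return 0;
}
#endif
```

Two caveats follow from the code. The resolver and the target must have the same bitness: a 64-bit process cannot map a 32-bit DLL as an image with LoadLibraryEx, and a WoW64 target's modules are only enumerated by a 32-bit caller. And the bounds check is what keeps the formula honest; without it, a forwarded export (say, one that resolves into a different system DLL) yields an address that points nowhere useful in the target.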