文档建议反馈控制台
首页
学习
活动
专区
圈层
工具
MCP广场
文章/答案/技术大牛
发布
社区首页 >问答首页 >使用CreateProcess运行资源

使用CreateProcess运行资源
EN

Stack Overflow用户
提问于 2014-03-25 20:13:40
回答 1查看 613关注 0票数 0

我有一个PE exe作为另一个exe的资源。如果我提取资源并将其写入文件,它运行得很好。如果我尝试用CreateProcess运行,我得到一个错误(不能运行应用程序)

这是我创建过程的代码:

代码语言:javascript
复制
void BBStub::RunFromMemory(unsigned char* pImage, char* pPath)
{

  DWORD dwWritten = 0;
  DWORD dwHeader = 0;
  DWORD dwImageSize = 0;
  DWORD dwSectionCount = 0;
  DWORD dwSectionSize = 0;
  DWORD firstSection = 0;
  DWORD previousProtection = 0;
  DWORD jmpSize = 0;

  IMAGE_NT_HEADERS INH;
  IMAGE_DOS_HEADER IDH;
  IMAGE_SECTION_HEADER Sections[1000];

  PROCESS_INFORMATION peProcessInformation;
  STARTUPINFO peStartUpInformation;
  CONTEXT pContext;
  SECURITY_ATTRIBUTES secAttrib;

  char* pMemory;
  char* pFile;
  memcpy(&IDH, pImage, sizeof(IDH));
  memcpy(&INH, (void*)((DWORD)pImage + IDH.e_lfanew), sizeof(INH));

  dwImageSize = INH.OptionalHeader.SizeOfImage;
  pMemory = (char*)malloc(dwImageSize);
  memset(pMemory, 0, dwImageSize);
  pFile = pMemory;

  dwHeader = INH.OptionalHeader.SizeOfHeaders;
  firstSection = (DWORD)(((DWORD)pImage + IDH.e_lfanew) + sizeof(IMAGE_NT_HEADERS));
  memcpy(Sections, (char*)(firstSection), sizeof(IMAGE_SECTION_HEADER)*INH.FileHeader.NumberOfSections);

  memcpy(pFile, pImage, dwHeader);

  if ((INH.OptionalHeader.SizeOfHeaders % INH.OptionalHeader.SectionAlignment) == 0)
  {
      jmpSize = INH.OptionalHeader.SizeOfHeaders;
  }
  else
  {
      jmpSize = INH.OptionalHeader.SizeOfHeaders / INH.OptionalHeader.SectionAlignment;
      jmpSize += 1;
      jmpSize *= INH.OptionalHeader.SectionAlignment;
  }

  pFile = (char*)((DWORD)pFile + jmpSize);

  for (dwSectionCount = 0; dwSectionCount < INH.FileHeader.NumberOfSections; dwSectionCount++)
  {
      jmpSize = 0;
      dwSectionSize = Sections[dwSectionCount].SizeOfRawData;
      memcpy(pFile, (char*)(pImage + Sections[dwSectionCount].PointerToRawData), dwSectionSize);

      if ((Sections[dwSectionCount].Misc.VirtualSize % INH.OptionalHeader.SectionAlignment) == 0)
      {
          jmpSize = Sections[dwSectionCount].Misc.VirtualSize;
      }
      else
      {
          jmpSize = Sections[dwSectionCount].Misc.VirtualSize / INH.OptionalHeader.SectionAlignment;
          jmpSize += 1;
          jmpSize *= INH.OptionalHeader.SectionAlignment;
      }
      pFile = (char*)((DWORD)pFile + jmpSize);
  }


  memset(&peStartUpInformation, 0, sizeof(STARTUPINFO));
  memset(&peProcessInformation, 0, sizeof(PROCESS_INFORMATION));
  memset(&pContext, 0, sizeof(CONTEXT));

  peStartUpInformation.cb = sizeof(peStartUpInformation);

  cout << peStartUpInformation.cb << endl;
  //      if (CreateProcess(NULL, pPath, &secAttrib, NULL, false, CREATE_SUSPENDED, NULL, NULL, &peStartUpInformation, &peProcessInformation))
  try
  {

      if (CreateProcess(NULL, pPath, NULL, NULL, false, CREATE_SUSPENDED, NULL, NULL, &peStartUpInformation, &peProcessInformation))
      {
          pContext.ContextFlags = CONTEXT_FULL;
          GetThreadContext(peProcessInformation.hThread, &pContext);
          VirtualProtectEx(peProcessInformation.hProcess, (void*)((DWORD)INH.OptionalHeader.ImageBase), dwImageSize, PAGE_EXECUTE_READWRITE, &previousProtection);
          WriteProcessMemory(peProcessInformation.hProcess, (void*)((DWORD)INH.OptionalHeader.ImageBase), pMemory, dwImageSize, &dwWritten);
          WriteProcessMemory(peProcessInformation.hProcess, (void*)((DWORD)pContext.Ebx + 8), &INH.OptionalHeader.ImageBase, 4, &dwWritten);
          pContext.Eax = INH.OptionalHeader.ImageBase + INH.OptionalHeader.AddressOfEntryPoint;
          SetThreadContext(peProcessInformation.hThread, &pContext);
          ResumeThread(peProcessInformation.hThread);
      }
      else {
          DWORD dw = GetLastError();
          cout << "Error" << endl;
          cout << dw << endl;
      }
  }
  catch (exception e)
  {
      cout << e.what();
  }
  free(pMemory);
}

有什么想法吗?

c++
winapi
createprocess
EN

回答 1

Stack Overflow用户

发布于 2020-04-22 04:54:22

这被称为RunPE,您启动一个挂起的进程,然后将可执行文件映射到它的内存中,将弹性it设置为入口点,然后恢复该进程。

做这件事的最好的代码来自hasherezade,可以在她的github上找到。

票数 0
EN
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:

https://stackoverflow.com/questions/22634262

复制
相关文章

相似问题

领券

腾讯云开发者

扫码关注腾讯云开发者

扫码关注腾讯云开发者

领取腾讯云代金券

热门产品

热门推荐

更多推荐

Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有 

深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 粤公网安备44030502008569号

腾讯云计算(北京)有限责任公司 京ICP证150476号 |  京ICP备11018762号

问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档