loadlibraryw(loadlibraryW函数)
请懂电脑的人看下我的SER扫描报告[CODE]
RVA 错误: LoadLibraryA (危险等级: 高, 被下面模块所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys)
RVA 错误: LoadLibraryExA (危险等级: 高, 被下面模块所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys)
RVA 错误: LoadLibraryExW (危险等级: 高, 被下面模块所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys)
RVA 错误: LoadLibraryW (危险等级: 高, 被下面模块所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys)
RVA 错误: GetProcAddress (危险等级: 高, 被下面模块所HOOK: \??\C:\WINDOWS\system32\drivers\klif.sys)
这一段是卡巴造成的,没有问题;需要完整的SRENG日志。
使用LoadLibrary总是提示找不到指定的模块
将所需要的dll模块放到一个自定义目录中,使用全路径测试一下看看结果。
可能是权限的问题。
LoadLibrary一个DLL时,系统做了哪些事
上源代码
主要功能:启动NotePad,在NotePad进程里创建RemoteThread加载我们自己的DLL,DLL加载时创建一个托盘,SubClass NotePad的主窗口,在标题栏上画一个Button。
HMODULE
LoadLibraryW(
    LPCWSTR lpwLibFileName
    )
//
// Unicode LoadLibrary. Forwards to LoadLibraryExW with no file handle and a
// zero flag word, so neither the data-file nor the altered-search-path
// behaviour of the extended routine is selected.
//
{
    HMODULE hLoaded;

    hLoaded = LoadLibraryExW( lpwLibFileName, NULL, 0 );
    return hLoaded;
}
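HMODULE
LoadLibraryExW(
    LPCWSTR lpwLibFileName,
    HANDLE hFile,
    DWORD dwFlags
    )
/*++

Routine Description:

    Extended Unicode library load. The requested name is normalised
    (trailing spaces trimmed, Win95 compatibility), optionally redirected to
    a copy in the application's own directory when gDoDllRedirection is set,
    and then handed to the loader together with a search path computed by
    BaseComputeProcessDllPath. With LOAD_LIBRARY_AS_DATAFILE the image is
    only mapped (BasepLoadLibraryAsDataFile) unless the loader already
    holds a module of that name, in which case LdrLoadDll is used instead.

    The operators lost in the posted copy (&, &&, ->, >>) are restored here;
    the control flow is otherwise the original.

Arguments:

    lpwLibFileName - Name or path of the module to load.

    hFile - Not read by this routine.

    dwFlags - DONT_RESOLVE_DLL_REFERENCES, LOAD_LIBRARY_AS_DATAFILE and
        LOAD_WITH_ALTERED_SEARCH_PATH are examined here.

Return Value:

    Module handle, or NULL with the last error set from the failing
    NTSTATUS.

--*/
{
    LPWSTR TrimmedDllName;
    LPWSTR AllocatedPath;
    NTSTATUS Status;
    HMODULE hModule;
    UNICODE_STRING DllName_U, AppPathDllName_U;
    UNICODE_STRING AllocatedPath_U;
    ULONG DllCharacteristics;
    extern PLDR_DATA_TABLE_ENTRY BasepExeLdrEntry;

    TrimmedDllName = NULL;
    hModule = NULL;
    //
    // Only ComputeRedirectedDllName fills this in; the cleanup at bail:
    // must not free an uninitialised pointer when that call was skipped
    // (redirection on, but empty name).
    //
    AppPathDllName_U.Buffer = NULL;

    DllCharacteristics = 0;
    if (dwFlags & DONT_RESOLVE_DLL_REFERENCES) {
        DllCharacteristics |= IMAGE_FILE_EXECUTABLE_IMAGE;
    }

    RtlInitUnicodeString(&DllName_U, lpwLibFileName);

    //
    // Quick check to see if dll being loaded is the main exe. For some reason
    // hook stuff tends to do this and this is worst path through the loader
    //
    if ( !(dwFlags & LOAD_LIBRARY_AS_DATAFILE) &&
         BasepExeLdrEntry &&
         (DllName_U.Length == BasepExeLdrEntry->FullDllName.Length) ) {
        if ( RtlEqualUnicodeString(&DllName_U, &BasepExeLdrEntry->FullDllName, TRUE) ) {
            return (HMODULE)BasepExeLdrEntry->DllBase;
        }
    }

    //
    // check to see if there are trailing spaces in the dll name (Win95 compat).
    // Length counts bytes, so the last WCHAR sits at index (Length-1)>>1.
    //
    if ( DllName_U.Length && DllName_U.Buffer[(DllName_U.Length-1)>>1] == (WCHAR)' ') {
        TrimmedDllName = RtlAllocateHeap(RtlProcessHeap(), MAKE_TAG( TMP_TAG ), DllName_U.MaximumLength);
        if ( !TrimmedDllName ) {
            BaseSetLastNTError(STATUS_NO_MEMORY);
            return NULL;
        }
        // Work on a private copy; the caller's buffer is never modified.
        RtlCopyMemory(TrimmedDllName, DllName_U.Buffer, DllName_U.MaximumLength);
        DllName_U.Buffer = TrimmedDllName;
        while (DllName_U.Length && DllName_U.Buffer[(DllName_U.Length-1)>>1] == (WCHAR)' ') {
            DllName_U.Buffer[(DllName_U.Length-1)>>1] = UNICODE_NULL;
            DllName_U.Length -= sizeof(WCHAR);
            DllName_U.MaximumLength -= sizeof(WCHAR);
        }
    }

    //
    // If DLL redirection is on for this application, we check to see if the DLL requested
    // (without path qualification) exists in the app. (EXE) folder. If so, we load that.
    // Else we fall back to regular search logic.
    //
    if (gDoDllRedirection && DllName_U.Length) {
        Status = ComputeRedirectedDllName(&DllName_U, &AppPathDllName_U);
        if (!NT_SUCCESS(Status)) {
            if ( TrimmedDllName ) {
                RtlFreeHeap(RtlProcessHeap(), 0, TrimmedDllName);
            }
            BaseSetLastNTError(Status);
            return NULL;
        }
        if (RtlDoesFileExists_U(AppPathDllName_U.Buffer)) {
            DllName_U.Buffer = AppPathDllName_U.Buffer;
            DllName_U.MaximumLength = AppPathDllName_U.MaximumLength;
            DllName_U.Length = AppPathDllName_U.Length;
        }
    }

    //
    // Determine the path that the program was created from. With
    // LOAD_WITH_ALTERED_SEARCH_PATH the requested name itself is handed to
    // BaseComputeProcessDllPath instead of NULL.
    //
    AllocatedPath = BaseComputeProcessDllPath(
                        (dwFlags & LOAD_WITH_ALTERED_SEARCH_PATH) ? DllName_U.Buffer : NULL,
                        GetEnvironmentStringsW()
                        );
    if ( !AllocatedPath ) {
        Status = STATUS_NO_MEMORY;
        if ( TrimmedDllName ) {
            RtlFreeHeap(RtlProcessHeap(), 0, TrimmedDllName);
        }
        goto bail;
    }
    RtlInitUnicodeString(&AllocatedPath_U, AllocatedPath);

    try {
        if (dwFlags & LOAD_LIBRARY_AS_DATAFILE) {
#ifdef WX86
            // LdrGetDllHandle clears UseKnownWx86Dll, but the value is
            // needed again by LdrLoadDll.
            BOOLEAN Wx86KnownDll = NtCurrentTeb()->Wx86Thread.UseKnownWx86Dll;
#endif
            //
            // A module the loader already holds goes through LdrLoadDll
            // again rather than being mapped a second time as data.
            //
            Status = LdrGetDllHandle(
                        AllocatedPath_U.Buffer,
                        NULL,
                        &DllName_U,
                        (PVOID *)&hModule
                        );
            if (NT_SUCCESS( Status )) {
#ifdef WX86
                NtCurrentTeb()->Wx86Thread.UseKnownWx86Dll = Wx86KnownDll;
#endif
                goto alreadyLoaded;
            }
            Status = BasepLoadLibraryAsDataFile( AllocatedPath_U.Buffer,
                                                 &DllName_U,
                                                 (PVOID *)&hModule
                                                 );
        }
        else {
alreadyLoaded:
            Status = LdrLoadDll(
                        AllocatedPath_U.Buffer,
                        &DllCharacteristics,
                        &DllName_U,
                        (PVOID *)&hModule
                        );
        }
        if ( TrimmedDllName ) {
            RtlFreeHeap(RtlProcessHeap(), 0, TrimmedDllName);
            TrimmedDllName = NULL;
        }
        RtlFreeHeap(RtlProcessHeap(), 0, AllocatedPath);
    }
    except (EXCEPTION_EXECUTE_HANDLER) {
        Status = GetExceptionCode();
        if ( TrimmedDllName ) {
            RtlFreeHeap(RtlProcessHeap(), 0, TrimmedDllName);
        }
        RtlFreeHeap(RtlProcessHeap(), 0, AllocatedPath);
    }

bail:
    if (gDoDllRedirection && AppPathDllName_U.Buffer) {
        // Set only when ComputeRedirectedDllName ran and succeeded above.
        RtlFreeHeap(RtlProcessHeap(), 0, AppPathDllName_U.Buffer);
    }
    if (!NT_SUCCESS(Status)) {
        BaseSetLastNTError(Status);
        return NULL;
    }
    return hModule;
}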
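NTSTATUS
BasepLoadLibraryAsDataFile(
    IN PWSTR DllPath OPTIONAL,
    IN PUNICODE_STRING DllName,
    OUT PVOID *DllHandle
    )
/*++

Routine Description:

    Maps a DLL as a read-only data file (LOAD_LIBRARY_AS_DATAFILE). The file
    is located with SearchPathW, opened for GENERIC_READ and mapped with
    PAGE_READONLY / FILE_MAP_READ. Nothing here goes through the loader, so
    no entry point of the mapped image runs on this path; only the PE
    header is validated.

    The "->" and "&" operators lost in the posted copy are restored here.

Arguments:

    DllPath - Search path handed to SearchPathW; may be NULL.

    DllName - Name of the DLL. SearchPathW appends ".DLL" when the name
        carries no extension.

    DllHandle - Receives the view base with bit 0 set, or NULL on failure.

Return Value:

    STATUS_SUCCESS, STATUS_INVALID_IMAGE_FORMAT when the mapped file has no
    NT header, or the thread's LastStatusValue left by the failing Win32
    call.

--*/
{
    WCHAR FullPath[ MAX_PATH ];
    PWSTR FilePart;
    HANDLE FileHandle;
    HANDLE MappingHandle;
    LPVOID DllBase;
    PIMAGE_NT_HEADERS NtHeaders;
    PTEB Teb;

    Teb = NtCurrentTeb();
    *DllHandle = NULL;

    if (!SearchPathW( DllPath,
                      DllName->Buffer,
                      L".DLL",
                      MAX_PATH,
                      FullPath,
                      &FilePart
                      )
       ) {
        return Teb->LastStatusValue;
    }

    FileHandle = CreateFileW( FullPath,
                              GENERIC_READ,
                              FILE_SHARE_READ | FILE_SHARE_DELETE,
                              NULL,
                              OPEN_EXISTING,
                              0,
                              NULL
                              );
    if (FileHandle == INVALID_HANDLE_VALUE) {
        return Teb->LastStatusValue;
    }

    MappingHandle = CreateFileMappingW( FileHandle,
                                        NULL,
                                        PAGE_READONLY,
                                        0,
                                        0,
                                        NULL
                                        );
    // The mapping object keeps the file open; the file handle is not needed
    // any more, and is closed whether or not the mapping succeeded.
    CloseHandle( FileHandle );
    if (MappingHandle == NULL) {
        return Teb->LastStatusValue;
    }

    DllBase = MapViewOfFileEx( MappingHandle,
                               FILE_MAP_READ,
                               0,
                               0,
                               0,
                               NULL
                               );
    // Likewise the view outlives the mapping handle.
    CloseHandle( MappingHandle );
    if (DllBase == NULL) {
        return Teb->LastStatusValue;
    }

    // Refuse to hand out anything that does not carry an NT header.
    NtHeaders = RtlImageNtHeader( DllBase );
    if (NtHeaders == NULL) {
        UnmapViewOfFile( DllBase );
        return STATUS_INVALID_IMAGE_FORMAT;
    }

    // Bit 0 of the returned base marks this as a data mapping rather than a
    // loader-owned module (the tag LoadLibraryExW passes back as the HMODULE).
    *DllHandle = (HANDLE)((ULONG_PTR)DllBase | 0x00000001);
    LdrLoadAlternateResourceModule(*DllHandle, FullPath);
    return STATUS_SUCCESS;
}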
NTSTATUS
LdrLoadDll (
    IN PWSTR DllPath OPTIONAL,
    IN PULONG DllCharacteristics OPTIONAL,
    IN PUNICODE_STRING DllName,
    OUT PVOID *DllHandle
    )
//
// Public loader entry point. Every argument is forwarded unchanged to
// LdrpLoadDll, with the trailing flag fixed at TRUE.
//
{
    NTSTATUS Status;

    Status = LdrpLoadDll( DllPath,
                          DllCharacteristics,
                          DllName,
                          DllHandle,
                          TRUE );
    return Status;
}
C# 无法动态加载C语言的dll
那个应该是给你调用 .NET 程序集 DLL 用的,不是给你调用这种非托管 DLL 用的吧?
如果不确定非托管DLL是否可以用这种方式加载,
那么用DllImport从kernel32.dll引入LoadLibraryW和GetProcAddress
用这两个API去获取函数指针
举个例子
using System;
using System.Runtime.InteropServices;
using System.Text;
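class Program
{
    // Unicode LoadLibrary: CharSet.Unicode makes the string marshal as LPCWSTR,
    // matching the "W" entry point named here.
    [DllImport("kernel32.dll", CallingConvention = CallingConvention.StdCall, EntryPoint = "LoadLibraryW", CharSet = CharSet.Unicode, SetLastError = true)]
    extern static IntPtr LoadLibrary(string file);

    // GetProcAddress expects an ANSI, NUL-terminated name. A byte[] produced by
    // Encoding.GetBytes carries no terminator, so the native side would read past
    // the end of the array; marshalling the name as LPStr appends the terminator.
    [DllImport("kernel32.dll", CallingConvention = CallingConvention.StdCall, EntryPoint = "GetProcAddress", SetLastError = true)]
    extern static IntPtr GetProcAddress(IntPtr hMod, [MarshalAs(UnmanagedType.LPStr)] string pName);

    // Shape of kernel32!Sleep: void WINAPI Sleep(DWORD dwMilliseconds).
    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    delegate void DeleSleep(UInt32 time);

    static void Main(string[] args)
    {
        IntPtr hk32 = LoadLibrary("kernel32.dll");
        if (hk32 == IntPtr.Zero)
        {
            throw new InvalidOperationException("LoadLibrary failed, Win32 error " + Marshal.GetLastWin32Error());
        }

        IntPtr pSleep = GetProcAddress(hk32, "Sleep");
        if (pSleep == IntPtr.Zero)
        {
            throw new InvalidOperationException("GetProcAddress failed, Win32 error " + Marshal.GetLastWin32Error());
        }

        // Wrap the raw function pointer in a delegate whose calling convention
        // matches the export; a mismatch would unbalance the stack on return.
        DeleSleep sleep = (DeleSleep)Marshal.GetDelegateForFunctionPointer(pSleep, typeof(DeleSleep));
        sleep(3000);
    }
}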
LoadLibrary 问题 VC++
::WriteProcessMemory(hHandle,lpDate,(LPTHREAD_START_ROUTINE)str,strlen(str)+4,NULL);
改成:
::WriteProcessMemory(hHandle,lpDate,str,strlen(str)+4,NULL);
一个问题:为什么是 strlen(str)+4 ? 不是 strlen(str)+1 ?
另一个问题:0x7C80AEEB 是 LoadLibraryA 的地址还是 LoadLibraryW 的地址?因为传递的参数是 str,所以必须使用相应的 LoadLibraryA 函数。
另外:VOID Load(LPVOID) 和 LPTHREAD_START_ROUTINE 定义的函数是不匹配的,你的远程进程执行 Load 返回时不会挂掉吗?
LPTHREAD_START_ROUTINE 要求返回一个 DWORD,而你的函数没有返回值,因此调用堆栈会相差四个字节;而且 LPTHREAD_START_ROUTINE 要求函数是 __stdcall,你的 Load 未声明调用约定,在 VS 环境下默认用 __cdecl 编译,这样也会使函数执行返回时调用堆栈产生不平衡。
Load 函数应该这样声明: DWORD WINAPI Load(LPVOID)
Load 函数中只是简单调用了 LoadLibrary 函数,楼主既然已经知道 LoadLibrary 的地址了,那么 CreateRemoteThread 可以直接让线程执行 LoadLibrary 了:
::CreateRemoteThread(hHandle,NULL,0,(LPTHREAD_START_ROUTINE)0x5F42FEF5,lpDate,0,lj);