使用CreateRemoteThread将变量传递给函数

Question

HANDLE CreateRemoteThread(
  HANDLE                 hProcess,
  LPSECURITY_ATTRIBUTES  lpThreadAttributes,
  SIZE_T                 dwStackSize,
  LPTHREAD_START_ROUTINE lpStartAddress,
  LPVOID                 lpParameter,
  DWORD                  dwCreationFlags,
  LPDWORD                lpThreadId
);

lpParameter

指向要传递给线程函数的变量的指针。

int x = 0;
LPCWSTR foo = L"Hello World";

CreateRemoteThread(hProcess, 0, 0, pFunction, &x, 0, 0);

假设我需要将多个变量(如x和foo )传递给需要两个参数( example )的函数

LPCWSTR Test(int x, LPCWSTR foo) 
{
  //....
}

会是什么样子？

Answer 1

顾名思义，CreateRemoteThread()在外部进程中创建了一个新线程。因此，lpStartAddress参数必须指向目标进程中函数的内存地址，而lpParameter参数必须指向目标进程中存在的内存地址(除非它是一个指针转换的整数)。您不能传递一个指向在调用CreateRemoteThread()的进程中本地存在的内存的指针。您可以使用VirtualAllocEx()在另一个进程中分配内存，例如：

DWORD WINAPI MyThreadProc(LPVOID lpParameter)
{
    INT *x = (INT*) lpParameter;
    // use *x as needed...
    VirtualFree(x, 0, MEM_RELEASE);
    return 0;
}

...

LPTHREAD_START_ROUTINE pFunction = ...; // point to MyThreadProc() in hProcess

INT x = 0;

LPVOID param = VirtualAllocEx(hProcess, NULL, sizeof(x), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (!param) ...

SIZE_T numWritten;
if (!WriteProcessMemory(hProcess, param, &x, sizeof(x), &numWritten)) ...

if (!CreateRemoteThread(hProcess, 0, 0, pFunction, param, 0, 0)) ...

或者，您可以使用指针转换的整数，在这种情况下，您不需要分配任何内容：

DWORD WINAPI MyThreadProc(LPVOID lpParameter)
{
    INT x = INT(reinterpret_cast<INT_PTR>(lpParameter));
    // use x as needed...
    return 0;
}

...

LPTHREAD_START_ROUTINE pFunction = ...; // point to MyThreadProc() in hProcess

int x = 0;
LPVOID param = reinterpret_cast<LPVOID>(INT_PTR(x));

if (!CreateRemoteThread(hProcess, 0, 0, pFunction, param, 0, 0)) ...

如果需要向函数传递多个值，则必须在目标进程中分配一个struct来保存它们，例如：

#pragma pack(push, 1)
struct MyThreadData
{
    INT x;
    LPCWSTR foo; // points to fooData...
    //WCHAR fooData[]...
}; 
#pragma pack(pop)

...

DWORD WINAPI MyThreadProc(LPVOID lpParameter)
{
    MyThreadData *params = static_cast<MyThreadData*>(lpParameter);
    // use params->x and params->foo as needed...
    VirtualFree(params, 0, MEM_RELEASE);
    return 0;
}

...

LPTHREAD_START_ROUTINE pFunction = ...; // point to MyThreadProc() in hProcess

INT x = 0;
LPCWSTR foo = L"Hello World";
int foo_numBytes = (lstrlenW(foo) + 1) * sizeof(WCHAR);

MyThreadData *params = static_cast<MyThreadData*>(VirtualAllocEx(hProcess, NULL, sizeof(MyThreadData) + fooNumBytes, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE));
if (!params) ...

SIZE_T numWritten;
if (!WriteProcessMemory(hProcess, &(params->x), &x, sizeof(x), &numWritten)) ...

LPWSTR foo_data = reinterpret_cast<LPWSTR>(params + 1);
if (!WriteProcessMemory(hProcess, &(params->foo), &foo_data, sizeof(foo_data), &numWritten)) ...

if (!WriteProcessMemory(hProcess, fooDataPtr, foo, foo_numBytes, &numWritten)) ...

CreateRemoteThread(hProcess, 0, 0, pFunction, params, 0, 0);