freedom_wings4
2016-09-05 12:01 阅读 1.5k

win32API GetProcAddress() 返回了null,但是找不到问题所在?

我的代码如下

 #include<stdio.h>
    #include<stdlib.h>
    #include<string.h>
    #include<windows.h>
    #include<TlHelp32.h>


    /*
     * Parameter block handed to create(): two function addresses plus five
     * fixed-size text slots of 60 wchar_t each.
     */
    typedef struct 
    {
    // As filled by main(): [0] = address of LoadLibraryW, [1] = address of GetProcAddress.
    FARPROC farproc[2];
    // As filled by main(): [0] = file path, [1] = text for the file, [2] = "kernel32.dll",
    // [3] = "CreateFileW", [4] = "WriteFile".
    // NOTE(review): every slot is wchar_t, but create() passes slots 3 and 4 to
    // GetProcAddress through an LPCSTR cast; that API reads ANSI bytes, not wide characters.
    wchar_t wRemoteBuffer[5][60];
    }THREAD_PARAM;


    // Pointer type used to call the library loader stored in farproc[0].
    // NOTE(review): main() stores the address of LoadLibraryW there, which takes a wide string;
    // the LPCSTR parameter declared here is why create() casts its wchar_t buffer.
    typedef HMODULE (WINAPI *PFNLIBRARY)(LPCSTR lpLibraryName);

    // Pointer type used to call GetProcAddress stored in farproc[1]. lpProcName is an ANSI
    // (char) string; there is no wide-character form of this parameter in the typedef.
    typedef FARPROC (WINAPI *PFNGETADDRESS)(HMODULE hModule,LPCSTR lpProcName);

    // Pointer type for the wide-character CreateFile entry point (lpFileName is LPCWSTR).
    typedef HANDLE  (WINAPI *PFNCREATEFILE)(LPCWSTR lpFileName,DWORD dwDesiredAccess,DWORD dwSharedMode,LPSECURITY_ATTRIBUTES lpSecurityAttributes,DWORD dwCreationFlags,DWORD dwFlagsAndAttributes,HANDLE hTemplateFile);

    // Pointer type for WriteFile.
    typedef BOOL (WINAPI *PFNWRITEFILE)(HANDLE hFile,LPVOID lpBuffer,DWORD nNumberOfBytesToWrite,LPDWORD lpNumberOfBytesWrite,LPOVERLAPPED lpOverlapped);


    /*
     * Loads the library named in slot 2, looks up the functions named in slots 3 and 4 through
     * the pointers in ta.farproc, and opens the file named in slot 0 with the first of them.
     * Two statements of the body are missing from this listing (the author posted them as an
     * image), so what is done with lpBuffer and hFile is not visible here.
     *
     * ta is received by value; nothing is returned.
     */
    void WINAPI create(THREAD_PARAM ta)                  
    {
    // farproc[0] is called with slot 2 as the library name. main() stores LoadLibraryW there,
    // so the wide text in slot 2 is what that function reads despite the LPCSTR cast.
    HMODULE hModule=((PFNLIBRARY)ta.farproc[0])((LPCSTR)ta.wRemoteBuffer[2]);

    // NOTE(review): GetProcAddress reads lpProcName as an ANSI string. If slot 3 holds wide
    // text (second byte of each character is 0 for ASCII letters), the name it sees ends after
    // the first character, the lookup fails and NULL is returned. The cast hides the mismatch
    // from the compiler; the result is not checked before use.
    PFNCREATEFILE pfnCreateFile=(PFNCREATEFILE)((PFNGETADDRESS)ta.farproc[1])(hModule,(LPCSTR)ta.wRemoteBuffer[3]);       



    // Same lookup for slot 4; the same ANSI-versus-wide caveat applies.
    PFNWRITEFILE pfnWriteFile=(PFNWRITEFILE)((PFNGETADDRESS)ta.farproc[1])(hModule,(LPCSTR)ta.wRemoteBuffer[4]);

    // Slot 0 is used as a wide string, matching the LPCWSTR parameter of PFNCREATEFILE.
    LPCWSTR lpFileName=ta.wRemoteBuffer[0];

    // NOTE(review): pfnCreateFile is called without a NULL check, so a failed lookup above
    // becomes a call through a null pointer. The sixth argument (dwFlagsAndAttributes, a DWORD
    // in PFNCREATEFILE) is passed as NULL.
    HANDLE hFile=pfnCreateFile(lpFileName,GENERIC_READ|GENERIC_WRITE,0,NULL,OPEN_ALWAYS,NULL,NULL);


    // Slot 1 is the text kept for the missing statements below.
    LPCWSTR lpBuffer=ta.wRemoteBuffer[1];


    // There are two lines of code here, but they turned red in the question editor, so they were posted as a screenshot; the code below the image continues directly after those two lines.

图片说明

 }

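    /*
     * Fills a THREAD_PARAM and calls create() with it in this process.
     *
     * create() passes slots 3 and 4 of wRemoteBuffer to GetProcAddress through an LPCSTR cast,
     * and GetProcAddress reads its name argument as an ANSI string. The original stored those
     * two names with wcscpy_s as wide text, so the lookup saw only the first character and
     * returned NULL. The names are now written into the same slots as char strings; slots 0-2
     * stay wide because create() uses them as wide strings.
     *
     * Returns 0 on success and EXIT_FAILURE when kernel32.dll or one of the two function
     * addresses cannot be resolved.
     */
    int main()
    {
        THREAD_PARAM ta = {0};
        const size_t slot_chars = sizeof ta.wRemoteBuffer[0] / sizeof ta.wRemoteBuffer[0][0];
        const size_t slot_bytes = sizeof ta.wRemoteBuffer[0];

        /* Call the W entry point explicitly so the wide literal is correct in any build mode. */
        HMODULE hMod = GetModuleHandleW(L"kernel32.dll");
        if (hMod == NULL) {
            fprintf(stderr, "GetModuleHandleW failed: %lu\n", (unsigned long)GetLastError());
            return EXIT_FAILURE;
        }

        ta.farproc[0] = GetProcAddress(hMod, "LoadLibraryW");
        ta.farproc[1] = GetProcAddress(hMod, "GetProcAddress");
        if (ta.farproc[0] == NULL || ta.farproc[1] == NULL) {
            fprintf(stderr, "GetProcAddress failed: %lu\n", (unsigned long)GetLastError());
            return EXIT_FAILURE;
        }

        /* Wide slots: file path, text for the file, library name passed to LoadLibraryW. */
        wcscpy_s(ta.wRemoteBuffer[0], slot_chars, L"C:\\CodeInjectTest.txt");
        wcscpy_s(ta.wRemoteBuffer[1], slot_chars, L"if you see this file,then the CodeInjectTest has succeeded\n");
        wcscpy_s(ta.wRemoteBuffer[2], slot_chars, L"kernel32.dll");

        /* ANSI slots: export names exactly as GetProcAddress expects them. */
        strcpy_s((char *)ta.wRemoteBuffer[3], slot_bytes, "CreateFileW");
        strcpy_s((char *)ta.wRemoteBuffer[4], slot_bytes, "WriteFile");

        create(ta);

        system("PAUSE");
        return 0;
    }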

在create()函数的这行代码中

  PFNCREATEFILE pfnCreateFile=(PFNCREATEFILE)((PFNGETADDRESS)ta.farproc[1])(hModule,(LPCSTR)ta.wRemoteBuffer[3]); 

这里返回了 NULL。在 OllyDbg 中查看,这句中的 ta.farproc[1] 就是 GetProcAddress 的入口地址,传入的参数也和预想中的相符;但是执行完这条 call 指令返回之后,EAX 的值为 0x0,也就是说返回值为 NULL。不知哪里出错了,求大神指点。


1条回答 默认 最新

  • 已采纳
    coding_hello 野男孩 2016-09-06 12:59

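    GetProcAddress 的第二个参数 lpProcName 接受的是 const char*(ANSI 字符串),不是 wchar_t*。代码里用 wcscpy_s 把 L"CreateFileW" 以宽字符存入 wRemoteBuffer[3],再强制转换成 LPCSTR 传入;宽字符 'C' 在内存中是 0x43 0x00,所以 GetProcAddress 读到的函数名只有 "C",在 kernel32.dll 的导出表里找不到,于是返回 NULL。把函数名以窄字符串(如 "CreateFileW")保存后再传入即可;WriteFile 那一行存在同样的问题。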

