/// <summary>
/// Resolves an exported function of a system module and runs it on a new thread inside
/// another process, passing <paramref name="param"/> (copied into that process) as the
/// thread argument.
/// </summary>
/// <remarks>
/// The export address is resolved with <c>GetModuleHandle</c>/<c>GetProcAddress</c> in the
/// <em>calling</em> process and reused for the target. The original comment relies on system
/// module addresses being identical across processes on one machine; that only holds when the
/// target has the same module mapped at the same base (same bitness, same boot session) —
/// NOTE(review): nothing here checks that, confirm for the intended targets.
/// </remarks>
/// <param name="processId">Id of the target process.</param>
/// <param name="moduleName">Name of the system module (DLL) that exports the function.</param>
/// <param name="functionName">Name of the exported function.</param>
/// <param name="param">Bytes copied into the target process; their remote address becomes the thread parameter.</param>
/// <returns><c>true</c> if the remote thread was created; <c>false</c> if the process could not be opened, the export was not found, or the copy failed.</returns>
public static bool ExcuteRemoteSystemFunction(int processId, string moduleName, string functionName, byte[] param)
{
    var hndProc = OpenProcessWithRemoteExcute(processId);
    if (hndProc == IntPtr.Zero)
    {
        return(false);
    }
    try
    {
        // Look up the export in the current process; the author assumes system-module addresses
        // are the same for every process on this machine (see remarks above).
        var lpFuncAddress = ProcessAPI.GetProcAddress(ProcessAPI.GetModuleHandle(moduleName), functionName);
        if (lpFuncAddress == IntPtr.Zero)
        {
            return(false);
        }
        // CopyToRemoteMemory is defined elsewhere in this file; assumed to return IntPtr.Zero on failure.
        var lpAddress = CopyToRemoteMemory(hndProc, param);
        if (lpAddress == IntPtr.Zero)
        {
            return(false);
        }
        return(ExcuteRemoteFunction(hndProc, lpFuncAddress, lpAddress));
    }
    finally
    {
        // The process handle is always released; the remote thread handle created by the
        // callee is not returned here, so it cannot be closed by this method.
        ProcessAPI.CloseHandle(hndProc);
    }
}
/// <summary>
/// Opens a process, allocates executable memory inside it, writes <paramref name="param"/>
/// there, and starts a remote thread at <paramref name="lpFuncAddress"/> with the buffer
/// address as the thread argument.
/// </summary>
/// <remarks>
/// This is the OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread sequence
/// that host-based monitoring treats as cross-process thread injection.
/// NOTE(review): resource handling is incomplete — the process handle is not closed on the
/// success path, the thread handle returned by CreateRemoteThread is discarded without being
/// closed, and a null <paramref name="param"/> throws after the handle is opened.
/// </remarks>
/// <param name="processId">Id of the target process.</param>
/// <param name="lpFuncAddress">Address, valid in the target process, where the new thread starts.</param>
/// <param name="param">Bytes written into the target process and passed to the thread by address.</param>
/// <returns><c>true</c> if the remote thread was created; <c>false</c> if opening, allocating, writing or thread creation failed.</returns>
public static bool ExcuteRemoteFunction(int processId, IntPtr lpFuncAddress, byte[] param)
{
    // Access rights needed for allocate + write + thread creation; the second argument mirrors
    // Win32 OpenProcess's inherit-handle flag.
    var hndProc = ProcessAPI.OpenProcess(
        ProcessAPI.ProcessAccessFlags.CreateThread
        | ProcessAPI.ProcessAccessFlags.VirtualMemoryOperation
        | ProcessAPI.ProcessAccessFlags.VirtualMemoryRead
        | ProcessAPI.ProcessAccessFlags.VirtualMemoryWrite
        | ProcessAPI.ProcessAccessFlags.QueryInformation
        , true, processId);
    if (hndProc == IntPtr.Zero)
    {
        return(false);
    }
    // Win32 constants: 0x1000 | 0x2000 = MEM_COMMIT | MEM_RESERVE; 0x40 = PAGE_EXECUTE_READWRITE.
    // NOTE(review): param.Length is read without a null check, so hndProc leaks if param is null.
    var lpAddress = MemoryAPI.VirtualAllocEx(hndProc, (IntPtr)null, (IntPtr)param.Length, (0x1000 | 0x2000), 0X40);
    if (lpAddress == IntPtr.Zero)
    {
        ProcessAPI.CloseHandle(hndProc);
        return(false);
    }
    // The wrapper reports failure as 0 (Win32 BOOL semantics); the allocation is not freed on this path.
    if (MemoryAPI.WriteProcessMemory(hndProc, lpAddress, param, (uint)param.Length, 0) == 0)
    {
        ProcessAPI.CloseHandle(hndProc);
        return(false);
    }
    // NOTE(review): the returned thread handle is compared and dropped, never closed.
    if (ProcessAPI.CreateRemoteThread(hndProc, (IntPtr)null, IntPtr.Zero, lpFuncAddress, lpAddress, 0, (IntPtr)null) == IntPtr.Zero)
    {
        ProcessAPI.CloseHandle(hndProc);
        return(false);
    }
    // NOTE(review): hndProc is not closed on success.
    return(true);
}
/// <summary>
/// Opens the process <paramref name="processId"/> with the access rights the remote-execution
/// helpers need: thread creation, virtual-memory operation/read/write, and query information.
/// </summary>
/// <param name="processId">Id of the target process.</param>
/// <returns>
/// The process handle, or <see cref="IntPtr.Zero"/> if OpenProcess failed. The caller owns the
/// handle and is responsible for passing it to <c>ProcessAPI.CloseHandle</c>.
/// </returns>
public static IntPtr OpenProcessWithRemoteExcute(int processId)
{
    // Second argument mirrors Win32 OpenProcess's inherit-handle flag (true here).
    return(ProcessAPI.OpenProcess(
        ProcessAPI.ProcessAccessFlags.CreateThread
        | ProcessAPI.ProcessAccessFlags.VirtualMemoryOperation
        | ProcessAPI.ProcessAccessFlags.VirtualMemoryRead
        | ProcessAPI.ProcessAccessFlags.VirtualMemoryWrite
        | ProcessAPI.ProcessAccessFlags.QueryInformation
        , true, processId));
}
/// <summary>
/// Starts a thread in an already-opened process at <paramref name="lpFuncAddress"/>, passing
/// <paramref name="lpParamAddress"/> as the thread argument.
/// </summary>
/// <remarks>
/// NOTE(review): the thread handle returned by CreateRemoteThread is only compared against
/// zero and then dropped, so it is never closed. <paramref name="lpParamAddress"/> is not
/// validated; a zero value is passed through unchanged.
/// </remarks>
/// <param name="hndProc">Handle to the target process; must already carry thread-creation rights.</param>
/// <param name="lpFuncAddress">Address, valid in the target process, where the thread starts.</param>
/// <param name="lpParamAddress">Address in the target process handed to the thread as its parameter.</param>
/// <returns><c>true</c> if CreateRemoteThread returned a non-zero handle; <c>false</c> if either input handle/address is zero or thread creation failed.</returns>
public static bool ExcuteRemoteFunction(IntPtr hndProc, IntPtr lpFuncAddress, IntPtr lpParamAddress)
{
    if (hndProc == IntPtr.Zero)
    {
        return(false);
    }
    if (lpFuncAddress == IntPtr.Zero)
    {
        return(false);
    }
    // Null security attributes, default stack size, no creation flags, thread id not requested.
    return(ProcessAPI.CreateRemoteThread(hndProc, (IntPtr)null, IntPtr.Zero, lpFuncAddress, lpParamAddress, 0, (IntPtr)null) != IntPtr.Zero);
}
/// <summary>
/// Opens a process, lets the caller prepare the thread parameter through
/// <paramref name="GetParamAddress"/>, and starts a thread at <paramref name="lpFuncAddress"/>.
/// </summary>
/// <remarks>
/// NOTE(review): <paramref name="GetParamAddress"/> is invoked without a null check, and the
/// finally block calls CloseHandle even when OpenProcess returned zero. Whatever the delegate
/// allocates in the target process is not released by this method.
/// </remarks>
/// <param name="processId">Id of the target process (the original comment called this a thread id; it is passed to OpenProcess).</param>
/// <param name="lpFuncAddress">Address, valid in the target process, where the thread starts.</param>
/// <param name="GetParamAddress">Callback that receives the open process handle and returns the remote address to pass as the thread parameter.</param>
/// <returns><c>true</c> if the remote thread was created; <c>false</c> if the process could not be opened, the function address is zero, or thread creation failed.</returns>
public static bool ExcuteRemoteFunction(int processId, IntPtr lpFuncAddress, Func <IntPtr, IntPtr> GetParamAddress)
{
    IntPtr hndProc = OpenProcessWithRemoteExcute(processId);
    try
    {
        if (hndProc == IntPtr.Zero)
        {
            return(false);
        }
        if (lpFuncAddress == IntPtr.Zero)
        {
            return(false);
        }
        // The delegate runs while the handle is open so it can write into the target process.
        return(ExcuteRemoteFunction(hndProc, lpFuncAddress, GetParamAddress(hndProc)));
    }
    finally
    {
        // Always releases the process handle (also reached when hndProc is zero).
        ProcessAPI.CloseHandle(hndProc);
    }
}
/// <summary>
/// Opens a process, copies <paramref name="param"/> into it, and starts a thread at
/// <paramref name="lpFuncAddress"/> with the remote copy's address as the thread argument.
/// </summary>
/// <remarks>
/// NOTE(review): <paramref name="lpFuncAddress"/> is not checked here; the three-argument
/// overload rejects a zero address, so the copy happens before that rejection. The remote
/// allocation made by <c>CopyToRemoteMemory</c> is not released by this method.
/// </remarks>
/// <param name="processId">Id of the target process.</param>
/// <param name="lpFuncAddress">Address, valid in the target process, where the thread starts.</param>
/// <param name="param">Bytes copied into the target process and passed to the thread by address.</param>
/// <returns><c>true</c> if the remote thread was created; <c>false</c> if the process could not be opened, the copy failed, or thread creation failed.</returns>
public static bool ExcuteRemoteFunction(int processId, IntPtr lpFuncAddress, byte[] param)
{
    IntPtr hndProc = OpenProcessWithRemoteExcute(processId);
    try
    {
        if (hndProc == IntPtr.Zero)
        {
            return(false);
        }
        // CopyToRemoteMemory is defined elsewhere in this file; assumed to return IntPtr.Zero on failure.
        var lpAddress = CopyToRemoteMemory(hndProc, param);
        if (lpAddress == IntPtr.Zero)
        {
            return(false);
        }
        return(ExcuteRemoteFunction(hndProc, lpFuncAddress, lpAddress));
    }
    finally
    {
        // Always releases the process handle (also reached when hndProc is zero).
        ProcessAPI.CloseHandle(hndProc);
    }
}
/// <summary>
/// Resolves an exported function of a system module in the calling process and delegates to
/// <c>ExcuteRemoteFunction(int, IntPtr, byte[])</c> to run it inside another process.
/// </summary>
/// <remarks>
/// The handle opened here is not used between OpenProcess and CloseHandle, so it serves only as
/// an early open-access check — presumably; the delegate overload opens the process again.
/// The export address comes from <c>GetModuleHandle</c>/<c>GetProcAddress</c> in the calling
/// process and is assumed to be valid in the target (see the in-line comment); that assumption
/// depends on the target mapping the same module at the same base.
/// </remarks>
/// <param name="processId">Id of the target process.</param>
/// <param name="moduleName">Name of the system module (DLL) that exports the function.</param>
/// <param name="functionName">Name of the exported function.</param>
/// <param name="param">Bytes copied into the target process and passed to the thread by address.</param>
/// <returns><c>true</c> if the delegate overload reports success; <c>false</c> if the process could not be opened or the export was not found.</returns>
public static bool ExcuteRemoteSystemFunction(int processId, string moduleName, string functionName, byte[] param)
{
    // Same access rights as OpenProcessWithRemoteExcute; second argument is the inherit-handle flag.
    var hndProc = ProcessAPI.OpenProcess(
        ProcessAPI.ProcessAccessFlags.CreateThread
        | ProcessAPI.ProcessAccessFlags.VirtualMemoryOperation
        | ProcessAPI.ProcessAccessFlags.VirtualMemoryRead
        | ProcessAPI.ProcessAccessFlags.VirtualMemoryWrite
        | ProcessAPI.ProcessAccessFlags.QueryInformation
        , true, processId);
    if (hndProc == IntPtr.Zero)
    {
        return(false);
    }
    // Look up the export in the current process; the author assumes system-module addresses
    // are the same for every process on this machine.
    var lpFuncAddress = ProcessAPI.GetProcAddress(ProcessAPI.GetModuleHandle(moduleName), functionName);
    // Closed before delegating; the callee reopens the process by id.
    ProcessAPI.CloseHandle(hndProc);
    if (lpFuncAddress == IntPtr.Zero)
    {
        return(false);
    }
    return(ExcuteRemoteFunction(processId, lpFuncAddress, param));
}