<火山程序 类型 = "通常" 版本 = 1 />
包 火山.程序
类 启动类 <公开 基础类 = 程序类 @视窗.外部头文件 = "TlHelp32.h">
{
方法 启动方法 <公开 类型 = 整数>
{
注入DLL到进程 ("2021小可爱.exe", "Lism.dll")
返回 (1)
}
方法 注入DLL到进程 <公开 静态 类型 = 逻辑型 @禁止流程检查 = 真>
参数 目标进程名 <类型 = 文本型>
参数 DLL路径 <类型 = 文本型>
{
@ // Loads the DLL named by DLL路径 into the first running process whose image
@ // name matches 目标进程名 (remote thread on LoadLibraryW), then runs the
@ // DLL's exported function "jss" inside that process. Returns TRUE only when
@ // every step succeeded; any failure returns FALSE after releasing what was
@ // acquired so far. The caller 启动方法 above passes hard-coded names.
@ //
@ // NOTE(review): OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
@ // CreateRemoteThread is the textbook remote-thread injection sequence and
@ // is precisely what endpoint protection products monitor and typically
@ // block; from the target's point of view this is foreign code running with
@ // the target's full privileges.
@ // 1. Get the target process PID by walking a process snapshot
@ DWORD dwPID = 0;
@ HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
@ if (hSnap != INVALID_HANDLE_VALUE) {
@ PROCESSENTRY32W pe = { sizeof(PROCESSENTRY32W) };
@ if (Process32FirstW(hSnap, &pe)) {
@ do {
@ // Case-insensitive image-name match; the first hit wins, so several
@ // processes sharing the same name are not distinguished.
@ // .GetText() presumably yields a wide-character pointer (it is fed to
@ // _wcsicmp/wcslen) — confirm against the 文本型 API.
@ if (_wcsicmp(pe.szExeFile, @<目标进程名>.GetText()) == 0) {
@ dwPID = pe.th32ProcessID;
@ break;
@ }
@ } while (Process32NextW(hSnap, &pe));
@ }
@ CloseHandle(hSnap);
@ }
@ // No matching process (or the snapshot failed): nothing else to release.
@ if (dwPID == 0) return FALSE;
@ // 2. Open the target process
@ // PROCESS_ALL_ACCESS is the broadest right; OpenProcess fails when the
@ // caller is not permitted to access the target at that level.
@ HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
@ if (hProcess == NULL) return FALSE;
@ // 3. Allocate memory + write the DLL path
@ // Size covers the terminating NUL; the buffer is freed on every later
@ // failure path and again at step 9.
@ size_t dllPathSize = (wcslen(@<DLL路径>.GetText()) + 1) * sizeof(WCHAR);
@ LPVOID pRemoteMem = VirtualAllocEx(hProcess, NULL, dllPathSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
@ if (pRemoteMem == NULL) { CloseHandle(hProcess); return FALSE; }
@ // NOTE(review): the return value is not checked, so a failed or partial
@ // write goes unnoticed until the remote LoadLibraryW reads the buffer.
@ WriteProcessMemory(hProcess, pRemoteMem, @<DLL路径>.GetText(), dllPathSize, NULL);
@ // 4. Get the address of LoadLibraryW
@ // Relies on kernel32.dll being mapped at the same address in both
@ // processes. pLoadLibrary is not NULL-checked before the cast below.
@ HMODULE hKernel32 = GetModuleHandleW(L"kernel32.dll");
@ FARPROC pLoadLibrary = GetProcAddress(hKernel32, "LoadLibraryW");
@ // ===== Key fix: declare all local variables inside this block =====
@ // 5. Create a remote thread to load Lism.dll and wait for it to finish
@ // INFINITE wait: if the remote LoadLibraryW never returns, this call hangs.
@ HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pLoadLibrary, pRemoteMem, 0, NULL);
@ if (hRemoteThread == NULL) { VirtualFreeEx(hProcess, pRemoteMem, 0, MEM_RELEASE); CloseHandle(hProcess); return FALSE; }
@ WaitForSingleObject(hRemoteThread, INFINITE);
@ // 6. Get the module handle of Lism.dll inside the target process
@ // The thread's exit code is LoadLibraryW's return value.
@ // NOTE(review): GetExitCodeThread yields a 32-bit DWORD, so this is only a
@ // complete module handle where the remote image base fits in 32 bits; on a
@ // 64-bit target the high half is lost — confirm the intended architecture.
@ DWORD dwExitCode = 0;
@ GetExitCodeThread(hRemoteThread, &dwExitCode);
@ CloseHandle(hRemoteThread);
@ HMODULE hLismDllRemote = (HMODULE)dwExitCode;
@ if (hLismDllRemote == NULL) { VirtualFreeEx(hProcess, pRemoteMem, 0, MEM_RELEASE); CloseHandle(hProcess); return FALSE; }
@ // 7. Load Lism.dll locally and compute the RVA of the jss function
@ // NOTE(review): the local load uses the literal L"Lism.dll", not DLL路径,
@ // so the RVA is only valid if both resolve to the same file and the same
@ // bitness as the image loaded remotely — verify. Loading it here also runs
@ // the DLL's entry point inside this process.
@ HMODULE hLocalLism = LoadLibraryW(L"Lism.dll");
@ if (hLocalLism == NULL) { VirtualFreeEx(hProcess, pRemoteMem, 0, MEM_RELEASE); CloseHandle(hProcess); return FALSE; }
@ FARPROC pJssLocal = GetProcAddress(hLocalLism, "jss");
@ if (pJssLocal == NULL) { FreeLibrary(hLocalLism); VirtualFreeEx(hProcess, pRemoteMem, 0, MEM_RELEASE); CloseHandle(hProcess); return FALSE; }
@ // RVA = local export address - local base; rebased onto the remote module.
@ UINT_PTR rva = (UINT_PTR)pJssLocal - (UINT_PTR)hLocalLism;
@ UINT_PTR pJssRemote = (UINT_PTR)hLismDllRemote + rva;
@ FreeLibrary(hLocalLism);
@ // 8. Create a remote thread to call jss (no parameters, returns an integer)
@ // The export is invoked with a NULL argument as a thread start routine and
@ // its return value is discarded; the wait is again unbounded.
@ HANDLE hCallThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pJssRemote, NULL, 0, NULL);
@ if (hCallThread == NULL) { VirtualFreeEx(hProcess, pRemoteMem, 0, MEM_RELEASE); CloseHandle(hProcess); return FALSE; }
@ WaitForSingleObject(hCallThread, INFINITE);
@ CloseHandle(hCallThread);
@ // 9. Cleanup
@ // Releases the path buffer and the process handle only; the DLL itself
@ // stays loaded in the target process.
@ VirtualFreeEx(hProcess, pRemoteMem, 0, MEM_RELEASE);
@ CloseHandle(hProcess);
@ return TRUE;
}
}