我想把Python代码注入到一个进程中，当它注入时，它似乎会使我的进程崩溃。我没有在我自己的程序中得到任何错误，但目标进程停止工作。被调用的非托管api没有给我任何错误，并且似乎已经正确地执行了它们的执行。在[DllImport("kernel32")]

public static extern IntPtr CreateRemoteThread(IntPtr hProcess,IntPtr lpThreadAttributes,uint dwStackSize, IntPtr lpStartAddress,IntPtr lpParameter,uint dwCreationFlags, out uint lpThreadId);

[Flags]

enum ProcessAccessFlags : uint

{

All = 0x001F0FFF,

Terminate = 0x00000001,

CreateThread = 0x00000002,

VMOperation = 0x00000008,

VMRead = 0x00000010,

VMWrite = 0x00000020,

DupHandle = 0x00000040,

SetInformation = 0x00000200,

QueryInformation = 0x00000400,

Synchronize = 0x00100000

}

[DllImport("kernel32.dll")]

static extern IntPtr OpenProcess(ProcessAccessFlags dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId);

[Flags]

public enum AllocationType

{

Commit = 0x1000,

Reserve = 0x2000,

Decommit = 0x4000,

Release = 0x8000,

Reset = 0x80000,

Physical = 0x400000,

TopDown = 0x100000,

WriteWatch = 0x200000,

LargePages = 0x20000000,

VIRTUAL_MEM = (0x1000 | 0x2000)

}

[Flags]

public enum MemoryProtection

{

Execute = 0x10,

ExecuteRead = 0x20,

ExecuteReadWrite = 0x40,

ExecuteWriteCopy = 0x80,

NoAccess = 0x01,

ReadOnly = 0x02,

ReadWrite = 0x04,

WriteCopy = 0x08,

GuardModifierflag = 0x100,

NoCacheModifierflag = 0x200,

WriteCombineModifierflag = 0x400,

PAGE_EXECUTE_READWRITE = 0x00000040

}

[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]

static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, AllocationType flAllocationType, MemoryProtection flProtect);

[DllImport("kernel32.dll", SetLastError = true)]

static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);

[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]

static extern bool VirtualFreeEx(IntPtr hProcess, IntPtr lpAddress, UIntPtr dwSize, uint dwFreeType);

[DllImport("kernel32", SetLastError = true, ExactSpelling = true)]

internal static extern Int32 WaitForSingleObject( IntPtr handle,Int32 milliseconds);

[DllImport("kernel32.dll")]

public static extern Int32 CloseHandle(IntPtr hObject);

private void InjectCode(string shellcode = "print('Hello, World!')")

{

foreach (Process proc in Process.GetProcesses())

{

if (proc.ProcessName == "Toontown")

{

int shellcode_length = shellcode.Length;

IntPtr h_process = OpenProcess(ProcessAccessFlags.All, false, (int)proc.Id);

IntPtr shellcode_address = (IntPtr)VirtualAllocEx(h_process, (IntPtr)0, (uint)shellcode_length, AllocationType.VIRTUAL_MEM, MemoryProtection.PAGE_EXECUTE_READWRITE);

byte[] bytes = new byte[shellcode.Length * sizeof(char)];

Buffer.BlockCopy(shellcode.ToCharArray(), 0, bytes, 0, bytes.Length);

UIntPtr bytesout;

uint t_id;

bool Written = WriteProcessMemory(h_process, shellcode_address, bytes, (uint)shellcode_length, out bytesout);

IntPtr hThread = (IntPtr)CreateRemoteThread(h_process, (IntPtr)null, 0, (IntPtr)shellcode_length, (IntPtr)shellcode_address, 0, out t_id);

int Result = WaitForSingleObject(hThread, 10 * 1000);

if (Result == 0x00000080L || Result == 0x00000102L || Result == 0xFFFFFFFF)

{

if (hThread != null)

{

CloseHandle(hThread);

}

}

Thread.Sleep(1000);

VirtualFreeEx(h_process, shellcode_address, (UIntPtr)0, 0x8000);

if (hThread != null)

{

CloseHandle(hThread);

}

}

}

}

如您所见，我已经将非托管API的返回值保存到变量中，这些变量用于查看它是否正常工作，它似乎运行良好，但它会导致目标进程崩溃，日志中没有记录任何与之相关的错误。

托管程序能否注入非托管进程？我投错变量类型了吗？外壳代码是否被错误地转换成字节数组？请告诉我，谢谢。在

编辑：它在CreateRemoteThread崩溃