How DLL Injection Works
Introduction
I recently investigated a problem in which the interaction of two threads in Winlogon caused a bug check. One thread was the Winlogon thread initializing GDI. The interesting part of this scenario is how the other thread ended up in this process.
What is the thread doing?
Here is the user-mode half of the thread's stack. The thread is trying to load a DLL:
ChildEBP RetAddr  Args to Child
0058eaec 773901ad 773901d9 0058eafc 00240022 ntdll!KiFastSystemCallRet
0058eb0c 775d96f3 775d1808 00000000 77e6f032 USER32!NtUserRegisterWindowMessage+0xc
0058ed24 775e4755 00000000 00000001 7c837512 comctl32!InitGlobalMetrics+0x44
0058ed3c 775e426a 00000031 0058ed68 7763490c comctl32!_ProcessAttach+0x98
0058ed48 7763490c 775d0000 00000001 00000000 comctl32!DllMain+0x21
0058ed68 7c81a352 775d0000 00000001 00000000 comctl32!_DllMainCRTStartup+0x52
0058ed88 7c833465 776348ba 775d0000 00000001 ntdll!LdrpCallInitRoutine+0x14
0058ee90 7c834311 00000000 00000000 7c8e2e58 ntdll!LdrpRunInitializeRoutines+0x367
0058f124 7c834065 00000000 00080e98 0058f3ec ntdll!LdrpLoadDll+0x3cd
0058f3a0 77e41bf3 00080e98 0058f3ec 0058f3cc ntdll!LdrLoadDll+0x198
0058f408 77e5c70b 7c8e2e58 00000000 00000000 kernel32!LoadLibraryExW+0x1b2
0058f41c 7c92a6a1 7c8e2e58 00000000 7c8e2e58 kernel32!LoadLibraryW+0x11
0058f454 7c92a65f 7c8e2e58 7c8d0000 7c9297b6 SHELL32!SHFusionLoadLibrary+0x2a
0058f460 7c9297b6 00000020 00000008 0058f6a8 SHELL32!DelayLoadCC+0x15
0058f694 7c929728 0058f6a8 0000007c 00000001 SHELL32!SHFusionInitializeIDCC+0x92
0058f8b4 7c92966f 7c8d0000 0000007c 00000001 SHELL32!SHFusionInitializeFromModuleID+0x3a
0058f8c8 7c92962c 7c8d0000 00000001 0058f8f8 SHELL32!_ProcessAttach+0x34
0058f8d8 7c92bb63 7c8d0000 00000001 00000000 SHELL32!DllMain+0x27
0058f8f8 7c81a352 7c8d0000 00000001 00000000 SHELL32!_DllMainCRTStartup+0x52
0058f918 7c833465 7c92bb1b 7c8d0000 00000001 ntdll!LdrpCallInitRoutine+0x14
0058fa20 7c834311 00000000 00000000 00000004 ntdll!LdrpRunInitializeRoutines+0x367
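Reading a stack like the one above by hand is error-prone, especially when the listing has been mangled by copy and paste. The following Python script is an added example, not code from the original post: it parses a 32-bit WinDbg "k" listing into frames, checks that the ChildEBP values are consistent, and reports every place where a LoadLibrary call made inside one module's DllMain ends up running another module's DllMain. Run against the page's own stack, it shows that the thread is inside SHELL32's DllMain, which called LoadLibraryW and is now running comctl32's DllMain. The frame-format regex and the name-based DllMain/LoadLibrary matching are assumptions about how the symbols are rendered.

```python
import re
from dataclasses import dataclass

# The WinDbg "k" output from the page, used here as sample input.
PAGE_STACK = """\
ChildEBP RetAddr  Args to Child
0058eaec 773901ad 773901d9 0058eafc 00240022 ntdll!KiFastSystemCallRet
0058eb0c 775d96f3 775d1808 00000000 77e6f032 USER32!NtUserRegisterWindowMessage+0xc
0058ed24 775e4755 00000000 00000001 7c837512 comctl32!InitGlobalMetrics+0x44
0058ed3c 775e426a 00000031 0058ed68 7763490c comctl32!_ProcessAttach+0x98
0058ed48 7763490c 775d0000 00000001 00000000 comctl32!DllMain+0x21
0058ed68 7c81a352 775d0000 00000001 00000000 comctl32!_DllMainCRTStartup+0x52
0058ed88 7c833465 776348ba 775d0000 00000001 ntdll!LdrpCallInitRoutine+0x14
0058ee90 7c834311 00000000 00000000 7c8e2e58 ntdll!LdrpRunInitializeRoutines+0x367
0058f124 7c834065 00000000 00080e98 0058f3ec ntdll!LdrpLoadDll+0x3cd
0058f3a0 77e41bf3 00080e98 0058f3ec 0058f3cc ntdll!LdrLoadDll+0x198
0058f408 77e5c70b 7c8e2e58 00000000 00000000 kernel32!LoadLibraryExW+0x1b2
0058f41c 7c92a6a1 7c8e2e58 00000000 7c8e2e58 kernel32!LoadLibraryW+0x11
0058f454 7c92a65f 7c8e2e58 7c8d0000 7c9297b6 SHELL32!SHFusionLoadLibrary+0x2a
0058f460 7c9297b6 00000020 00000008 0058f6a8 SHELL32!DelayLoadCC+0x15
0058f694 7c929728 0058f6a8 0000007c 00000001 SHELL32!SHFusionInitializeIDCC+0x92
0058f8b4 7c92966f 7c8d0000 0000007c 00000001 SHELL32!SHFusionInitializeFromModuleID+0x3a
0058f8c8 7c92962c 7c8d0000 00000001 0058f8f8 SHELL32!_ProcessAttach+0x34
0058f8d8 7c92bb63 7c8d0000 00000001 00000000 SHELL32!DllMain+0x27
0058f8f8 7c81a352 7c8d0000 00000001 00000000 SHELL32!_DllMainCRTStartup+0x52
0058f918 7c833465 7c92bb1b 7c8d0000 00000001 ntdll!LdrpCallInitRoutine+0x14
0058fa20 7c834311 00000000 00000000 00000004 ntdll!LdrpRunInitializeRoutines+0x367
"""

# Assumed frame layout: ChildEBP RetAddr Arg1 Arg2 Arg3 module!function[+0xoff]
FRAME_RE = re.compile(
    r"^(?P<ebp>[0-9a-f]{8})\s+(?P<ret>[0-9a-f]{8})\s+"
    r"(?P<args>(?:[0-9a-f]{8}\s+){2}[0-9a-f]{8})\s+(?P<sym>\S+)$"
)


@dataclass
class Frame:
    child_ebp: int
    ret_addr: int
    args: tuple
    module: str
    function: str
    offset: int


def parse_symbol(sym):
    """Split 'module!function+0xoff' (offset optional) into its parts."""
    module, _, rest = sym.partition("!")
    function, _, off = rest.partition("+")
    return module, function, int(off, 16) if off else 0


def parse_stack(text):
    """Parse a 32-bit 'k' listing, innermost frame first; header lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        module, function, offset = parse_symbol(m["sym"])
        frames.append(Frame(
            int(m["ebp"], 16), int(m["ret"], 16),
            tuple(int(a, 16) for a in m["args"].split()),
            module, function, offset))
    return frames


def stack_is_consistent(frames):
    """Each frame's ChildEBP lies above its callee's, so the values must
    strictly increase from the innermost frame outward; a garbled or
    mis-parsed listing breaks this ordering."""
    ebps = [f.child_ebp for f in frames]
    return all(a < b for a, b in zip(ebps, ebps[1:]))


def nested_dll_loads(frames):
    """Return (initializing_module, loaded_module) pairs: a LoadLibrary call
    made while initializing_module's DllMain is on the stack that ended up
    running loaded_module's DllMain (a load taken under the loader lock)."""
    chain = []
    in_dllmain_of = None
    load_pending = False
    for f in reversed(frames):  # walk from the outermost frame inward
        if f.function == "DllMain":
            if load_pending and in_dllmain_of is not None:
                chain.append((in_dllmain_of, f.module))
            in_dllmain_of = f.module
            load_pending = False
        elif f.function.startswith("LoadLibrary") and in_dllmain_of is not None:
            load_pending = True
    return chain


if __name__ == "__main__":
    frames = parse_stack(PAGE_STACK)
    print(f"{len(frames)} frames, consistent={stack_is_consistent(frames)}")
    print("innermost:", f"{frames[0].module}!{frames[0].function}")
    for outer, inner in nested_dll_loads(frames):
        print(f"{outer}!DllMain -> LoadLibrary -> {inner}!DllMain")
```

The nested-load report is what you want first when triaging a hang or bug check in a system process: it tells you which DLL's initialization is in progress and which further load it triggered, before you start asking how that DLL came to be loaded in the process at all.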