//权限调整
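// Enable or disable a single named privilege on the current process token.
//
// lpszPrivilege     privilege name, e.g. SE_DEBUG_NAME
// bEnablePrivilege  TRUE sets SE_PRIVILEGE_ENABLED on it, FALSE clears the attribute
//
// Returns TRUE when the privilege was adjusted; FALSE when opening the token, looking up
// the LUID or adjusting fails, and also when AdjustTokenPrivileges succeeds but reports
// ERROR_NOT_ALL_ASSIGNED (the token does not hold the privilege, so nothing changed).
// Each failure is reported through AfxMessageBox before returning.
//
// The token handle is now closed on every path; previously it was closed only on
// success and leaked on the three failure returns made after OpenProcessToken had
// succeeded. A successful enable applies to the process token and stays in effect
// until a matching SetPrivilege(name, FALSE) call.
BOOL SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        CString err;
        err.Format(L"打开进程令牌 error: %u\n", GetLastError());
        AfxMessageBox(err);
        return FALSE;
    }

    // From here on every exit goes through the single CloseHandle at the bottom.
    BOOL bResult = FALSE;
    LUID luid;
    if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
    {
        CString err;
        err.Format(L"查找特权值 error: %u\n", GetLastError());
        AfxMessageBox(err);
    }
    else
    {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

        // A FALSE return means the call itself failed. A TRUE return with
        // ERROR_NOT_ALL_ASSIGNED means the token does not hold the privilege at all,
        // so the requested adjustment did not take effect; treat that as failure too.
        if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL))
        {
            CString err;
            err.Format(L"调整令牌特权: %u\n", GetLastError());
            AfxMessageBox(err);
        }
        else if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        {
            CString err;
            err.Format(L"令牌没有指定特权. \n");
            AfxMessageBox(err);
        }
        else
        {
            bResult = TRUE;
        }
    }

    // Close the token handle (previously skipped on the failure paths above).
    CloseHandle(hToken);
    return bResult;
}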
// Button handler: reads a target PID from the edit control and loads Hooker.dll (located
// next to this executable) into that process through a remote thread.
//
// Sequence as implemented below: enable SE_DEBUG_NAME on this process' token, open the
// target with PROCESS_ALL_ACCESS, allocate and write the DLL path into it, resolve
// LoadLibraryW and ntdll!NtCreateThreadEx, start the remote thread and wait for it. Each
// of these is a cross-process operation visible to OS auditing; the notes below concern
// what the handler leaves behind when one of the steps fails.
//
// Review notes (code unchanged):
//  * Every early return made after OpenProcess succeeds leaks m_hProcess (and, once the
//    remote thread exists, m_hThread), and leaves SE_DEBUG_NAME enabled on this process'
//    token, because SetPrivilege(SE_DEBUG_NAME, FALSE) is only reached at the very end.
//  * The four WaitForSingleObject checks each return, so the cleanup block after them
//    (VirtualFreeEx, the two CloseHandle calls and the privilege disable) is never
//    reached; see the note at those lines.
//  * A failed VirtualAllocEx is reported but does not return, so WriteProcessMemory is
//    then attempted with pRemoteBuf == NULL and fails with its own message.
//  * m_hProcess / m_hThread are locals despite the m_ prefix.
void CMFCAppDlg::OnBnClickedOk()
{
    CString str; // target process PID, as typed into the edit control
    UpdateData(TRUE);
    m_cEdit.GetWindowText(str);
    if (str.IsEmpty()) {
        MessageBox(_T("请选择进程!"), _T("错误!"));
        return;
    }
    // Only emptiness is checked; the text goes to _wtoi below with no numeric validation.

    CString szDllPath; // path of the DLL to load: <directory of this exe>\Hooker.dll
    GetModuleFileName(NULL, szDllPath.GetBufferSetLength(MAX_PATH + 1), MAX_PATH);
    szDllPath.ReleaseBuffer();
    int nPos;
    nPos = szDllPath.ReverseFind('\\');   // -1 if no backslash; not checked before Left()
    szDllPath = szDllPath.Left(nPos);
    szDllPath += "\\Hooker.dll";

    HANDLE m_hProcess = NULL;   // target process handle (local, despite the prefix)
    HANDLE m_hThread = NULL;    // remote thread handle (local, despite the prefix)
    FARPROC pFunc = NULL;       // ntdll!NtCreateThreadEx
    FARPROC pThreadProc = NULL; // kernel32!LoadLibraryW, used as the remote thread start
    LPVOID pRemoteBuf = NULL;   // buffer in the target that receives the DLL path
    // Byte size of the path including its terminator, in TCHARs.
    DWORD dwBufSize = (DWORD)(_tcslen(szDllPath) + 1) * sizeof(TCHAR);
    DWORD dwWritten = 0;

    // Everything below runs only if SE_DEBUG_NAME could be enabled; SetPrivilege has
    // already shown a message box if it could not.
    if (SetPrivilege(SE_DEBUG_NAME, TRUE))
    {
        // _wtoi yields 0 for non-numeric text, in which case OpenProcess fails here.
        m_hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, _wtoi(str));
        if (!m_hProcess) {
            CString err;
            err.Format(L"获取目标进程句柄失败!!! [%d]\n", GetLastError());
            AfxMessageBox(err);
            return;
        }
        pRemoteBuf = VirtualAllocEx(m_hProcess, NULL, dwBufSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        if (pRemoteBuf == NULL)
        {
            // NOTE(review): no return here, so the write below proceeds with a NULL buffer.
            CString err;
            err.Format(L"申请分配内存空间失败!!! [%d]\n", GetLastError());
            AfxMessageBox(err);
        }
        BOOL bw = WriteProcessMemory(m_hProcess, pRemoteBuf, (LPVOID)(&szDllPath), dwBufSize, &dwWritten);
        if (!bw || dwWritten != dwBufSize)
        {
            // Returns with m_hProcess open and SE_DEBUG_NAME still enabled.
            CString err;
            err.Format(L"写入分配的内存失败!!! [%d]\n", GetLastError());
            AfxMessageBox(err);
            return;
        }
        HINSTANCE hInst = GetModuleHandle(L"kernel32.dll");
        if (hInst == NULL)
        {
            CString err;
            err.Format(L" 获取kernel32失败!! [%d]\n", GetLastError());
            AfxMessageBox(err);
            return;
        }
        // Earlier variant, kept disabled by the author:
        //m_hThread = MyNtCreateThreadEx(m_hProcess, hInst, pRemoteBuf);
        pThreadProc = GetProcAddress(hInst, "LoadLibraryW");
        if (pThreadProc == NULL)
        {
            CString err;
            err.Format(L"打开LoadLibraryW失败!! [%d]\n", GetLastError());
            AfxMessageBox(err);
            return;
        }
        HINSTANCE hInsts = GetModuleHandle(L"ntdll.dll");
        if (hInsts == NULL)
        {
            CString err;
            err.Format(L"获得ntdll失败!! [%d]\n", GetLastError());
            AfxMessageBox(err);
            return;
        }
        pFunc = GetProcAddress(hInsts,"NtCreateThreadEx");
        if(pFunc == NULL)
        {
            CString err;
            err.Format(L"打开NtCreateThreadEx失败!! [%d]\n", GetLastError());
            AfxMessageBox(err);
            return;
        }
        // PFNTCREATETHREADEX is declared elsewhere in the file; 0x1FFFFF is the access
        // mask literal passed through unchanged. The NTSTATUS it returns is discarded and
        // only the output handle is checked below.
        ((PFNTCREATETHREADEX)pFunc)(&m_hThread,
            0x1FFFFF,
            NULL,
            m_hProcess,
            (LPTHREAD_START_ROUTINE)pThreadProc,
            pRemoteBuf,
            FALSE,
            NULL,
            NULL,
            NULL,
            NULL);
        if (m_hThread == NULL)
        {
            CString err;
            err.Format(L"创建远程线程失败!! [%d]\n", GetLastError());
            AfxMessageBox(err);
            return;
        }
        //WaitForSingleObject(m_hThread, INFINITE);
        // NOTE(review): the wait is issued up to four times and every outcome returns, so
        // the cleanup after this chain is unreachable. With INFINITE, WAIT_TIMEOUT cannot
        // occur, and WAIT_OBJECT_0 (thread finished) is the normal result, yet it also
        // returns early. GetLastError() is meaningless for the non-failure cases.
        if (WAIT_FAILED == WaitForSingleObject(m_hThread, INFINITE))
        {
            CString err;
            err.Format(L"等待线程结束调用失败!!! [%d]\n", GetLastError());
            AfxMessageBox(err);
            return;
        }
        if (WAIT_TIMEOUT == WaitForSingleObject(m_hThread, INFINITE))
        {
            CString err;
            err.Format(L"等待线程结束超时! [%d]\n", GetLastError());
            AfxMessageBox(err);
            return;
        }
        if (WAIT_OBJECT_0 == WaitForSingleObject(m_hThread, INFINITE))
        {
            CString err;
            err.Format(L"等待线程对象的状态被置为信号状态! [%d]\n", GetLastError());
            AfxMessageBox(err);
            return;
        }
        if (WAIT_ABANDONED == WaitForSingleObject(m_hThread, INFINITE))
        {
            CString err;
            err.Format(L"指定对象是互斥对象,在线程被终止前,线程没有释放互斥对象! [%d]\n", GetLastError());
            AfxMessageBox(err);
            return;
        }
        // Cleanup: release the remote buffer, close both handles, and drop SE_DEBUG_NAME
        // again. Not reached in practice (see the note above the wait chain).
        VirtualFreeEx(m_hProcess, pRemoteBuf, dwBufSize, MEM_DECOMMIT);
        CloseHandle(m_hThread);
        CloseHandle(m_hProcess);
        SetPrivilege(SE_DEBUG_NAME, FALSE);
    }
    // Default OK handling (which would end the dialog) is deliberately not invoked.
    //CDialogEx::OnOK();
}