15,471
社区成员
发帖
与我相关
我的任务
分享64位的hook CreateProcessInternal,帮我改一下成为32能用的,谢谢!!
#include "stdafx.h"
#include <stdio.h>
#include <tchar.h>
#include <windows.h>
#include <shlwapi.h>
#include "ntdll.h"
#pragma comment(lib, "shlwapi.lib")
#pragma comment(lib, "ntdll.lib")
#define CODE_LEN 12
TCHAR ModuleFile[256];
DWORD dwOldProtect;
BYTE OldCode[CODE_LEN] = {0x90};
typedef HANDLE (WINAPI *__CreateProcessInternal)(HANDLE hToken,LPCTSTR lpApplicationName,LPTSTR lpCommandLine,LPSECURITY_ATTRIBUTES lpProcessAttributes,LPSECURITY_ATTRIBUTES lpThreadAttributes,BOOL bInheritHandles,DWORD dwCreationFlags,LPVOID lpEnvironment,LPCTSTR lpCurrentDirectory,LPSTARTUPINFOA lpStartupInfo,LPPROCESS_INFORMATION lpProcessInformation,PHANDLE hNewToken);
__CreateProcessInternal pfnCreateProcess = 0;
HANDLE WINAPI FakeCreateProcessInternal(HANDLE hToken,LPCTSTR lpApplicationName,LPTSTR lpCommandLine,LPSECURITY_ATTRIBUTES lpProcessAttributes,LPSECURITY_ATTRIBUTES lpThreadAttributes,BOOL bInheritHandles,DWORD dwCreationFlags,LPVOID lpEnvironment,LPCTSTR lpCurrentDirectory,LPSTARTUPINFOA lpStartupInfo,LPPROCESS_INFORMATION lpProcessInformation,PHANDLE hNewToken)
{
MessageBox(NULL, lpCommandLine, lpApplicationName, MB_ICONASTERISK);
return pfnCreateProcess(hToken, lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation, hNewToken);
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL, // handle to DLL module
DWORD fdwReason, // reason for calling function
LPVOID lpReserved ) // reserved
{
switch( fdwReason )
{
case DLL_PROCESS_ATTACH:
::DisableThreadLibraryCalls(hinstDLL);
GetModuleFileName(NULL, ModuleFile, _countof(ModuleFile));
if (StrRStrI(ModuleFile, 0, TEXT("explorer.exe")))
{
pfnCreateProcess = (__CreateProcessInternal)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), "CreateProcessInternalW");
::VirtualProtect(pfnCreateProcess, CODE_LEN, PAGE_EXECUTE_READWRITE, &dwOldProtect);
memcpy(OldCode, pfnCreateProcess, CODE_LEN);
memset(pfnCreateProcess, 0x90, CODE_LEN);
/*
mov rax, FakeCreateProcessInternal
jmp rax
*/
*(LPWORD)pfnCreateProcess = 0xb848;
*(INT64*)((INT64)pfnCreateProcess+2) = (INT64)FakeCreateProcessInternal;
*(LPWORD)((INT64)pfnCreateProcess+10) = 0xe0ff;
::VirtualProtect(pfnCreateProcess, CODE_LEN, dwOldProtect, NULL);
pfnCreateProcess = (__CreateProcessInternal)VirtualAlloc(NULL, CODE_LEN+12, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(pfnCreateProcess, OldCode, CODE_LEN);
/*
mov rbx, CreateProcessInternalW + CODE_LEN
jmp rbx
*/
*(LPWORD)((INT64)pfnCreateProcess+CODE_LEN) = 0xb848;
*(INT64*)((INT64)pfnCreateProcess+CODE_LEN+2) = (INT64)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), "CreateProcessInternalW")+CODE_LEN;
*(LPWORD)((INT64)pfnCreateProcess+CODE_LEN+10) = 0xe0ff;
}
else if (StrRStrI(ModuleFile, 0, TEXT("Rundll32.exe")))
{
DWORD dwProcessId = 0;
HANDLE hProcess = 0;
HWND hwndDeskTop;
hwndDeskTop = FindWindow(TEXT("ProgMan"), NULL);
GetModuleFileName(hinstDLL, ModuleFile, _countof(ModuleFile));
GetWindowThreadProcessId(hwndDeskTop, &dwProcessId);
BOOLEAN bEnable;
::RtlAdjustPrivilege(0x13, 1, 0, &bEnable);
if (dwProcessId)
{
hProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, NULL, dwProcessId);
}
LPVOID Param = VirtualAllocEx(hProcess, NULL, 256, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess, Param, (LPVOID)ModuleFile, 256, NULL);
HANDLE hThread = CreateRemoteThread(hProcess,
NULL,
NULL,
(LPTHREAD_START_ROUTINE)LoadLibraryW,
Param,
NULL,
NULL);
if (hThread)
{
WaitForSingleObject(hThread, INFINITE);
}
VirtualFreeEx(hProcess, Param , 0, MEM_RELEASE);
CloseHandle(hThread);
CloseHandle(hProcess);
}
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
int _stdcall Setup(void)
{
return 1;
}
#include <stdio.h>
#include <tchar.h>
#include <windows.h>
#include <shlwapi.h>
#include "ntdll.h"
#pragma comment(lib, "shlwapi.lib")
#pragma comment(lib, "ntdll.lib")
#define CODE_LEN 12
TCHAR ModuleFile[256];
DWORD dwOldProtect;
BYTE OldCode[CODE_LEN] = {0x90};
typedef HANDLE (WINAPI *__CreateProcessInternal)(HANDLE hToken,LPCTSTR lpApplicationName,LPTSTR lpCommandLine,LPSECURITY_ATTRIBUTES lpProcessAttributes,LPSECURITY_ATTRIBUTES lpThreadAttributes,BOOL bInheritHandles,DWORD dwCreationFlags,LPVOID lpEnvironment,LPCTSTR lpCurrentDirectory,LPSTARTUPINFOA lpStartupInfo,LPPROCESS_INFORMATION lpProcessInformation,PHANDLE hNewToken);
__CreateProcessInternal pfnCreateProcess = 0;
HANDLE WINAPI FakeCreateProcessInternal(HANDLE hToken,LPCTSTR lpApplicationName,LPTSTR lpCommandLine,LPSECURITY_ATTRIBUTES lpProcessAttributes,LPSECURITY_ATTRIBUTES lpThreadAttributes,BOOL bInheritHandles,DWORD dwCreationFlags,LPVOID lpEnvironment,LPCTSTR lpCurrentDirectory,LPSTARTUPINFOA lpStartupInfo,LPPROCESS_INFORMATION lpProcessInformation,PHANDLE hNewToken)
{
MessageBox(NULL, lpCommandLine, lpApplicationName, MB_ICONASTERISK);
return pfnCreateProcess(hToken, lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation, hNewToken);
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL, // handle to DLL module
DWORD fdwReason, // reason for calling function
LPVOID lpReserved ) // reserved
{
switch( fdwReason )
{
case DLL_PROCESS_ATTACH:
::DisableThreadLibraryCalls(hinstDLL);
GetModuleFileName(NULL, ModuleFile, _countof(ModuleFile));
if (StrRStrI(ModuleFile, 0, TEXT("explorer.exe")))
{
pfnCreateProcess = (__CreateProcessInternal)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), "CreateProcessInternalW");
::VirtualProtect(pfnCreateProcess, CODE_LEN, PAGE_EXECUTE_READWRITE, &dwOldProtect);
memcpy(OldCode, pfnCreateProcess, CODE_LEN);
memset(pfnCreateProcess, 0x90, CODE_LEN);
/*
mov rax, FakeCreateProcessInternal
jmp rax
*/
*(LPWORD)pfnCreateProcess = 0xb848;
*(INT64*)((INT64)pfnCreateProcess+2) = (INT64)FakeCreateProcessInternal;
*(LPWORD)((INT64)pfnCreateProcess+10) = 0xe0ff;
::VirtualProtect(pfnCreateProcess, CODE_LEN, dwOldProtect, NULL);
pfnCreateProcess = (__CreateProcessInternal)VirtualAlloc(NULL, CODE_LEN+12, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(pfnCreateProcess, OldCode, CODE_LEN);
/*
mov rbx, CreateProcessInternalW + CODE_LEN
jmp rbx
*/
*(LPWORD)((INT64)pfnCreateProcess+CODE_LEN) = 0xb848;
*(INT64*)((INT64)pfnCreateProcess+CODE_LEN+2) = (INT64)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), "CreateProcessInternalW")+CODE_LEN;
*(LPWORD)((INT64)pfnCreateProcess+CODE_LEN+10) = 0xe0ff;
}
else if (StrRStrI(ModuleFile, 0, TEXT("Rundll32.exe")))
{
DWORD dwProcessId = 0;
HANDLE hProcess = 0;
HWND hwndDeskTop;
hwndDeskTop = FindWindow(TEXT("ProgMan"), NULL);
GetModuleFileName(hinstDLL, ModuleFile, _countof(ModuleFile));
GetWindowThreadProcessId(hwndDeskTop, &dwProcessId);
BOOLEAN bEnable;
::RtlAdjustPrivilege(0x13, 1, 0, &bEnable);
if (dwProcessId)
{
hProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, NULL, dwProcessId);
}
LPVOID Param = VirtualAllocEx(hProcess, NULL, 256, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess, Param, (LPVOID)ModuleFile, 256, NULL);
HANDLE hThread = CreateRemoteThread(hProcess,
NULL,
NULL,
(LPTHREAD_START_ROUTINE)LoadLibraryW,
Param,
NULL,
NULL);
if (hThread)
{
WaitForSingleObject(hThread, INFINITE);
}
VirtualFreeEx(hProcess, Param , 0, MEM_RELEASE);
CloseHandle(hThread);
CloseHandle(hProcess);
}
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
int _stdcall Setup(void)
{
return 1;
}
...全文
请发表友善的回复…
发表回复
wzswgbx 2015-10-29
- 打赏
- 举报
32位的偏移量可以查,但是jump是留几个byte?留多了回不回出事
赵4老师 2015-10-29
- 打赏
- 举报
WinAPIOverridehttp://jacquelin.potier.free.fr/winapioverride32/
oyljerry 2015-10-29
- 打赏
- 举报
主要是各种偏移量,然后就是先用编译器32bit编译,然后还要研究一下
