2,643
社区成员
发帖
与我相关
我的任务
分享how to manually launch a process from the file on disk ( it uses only native API not CreateProcess)
如何人工启动一个进程?
不使用 CreateProcess WinExec ShellExecute之类的
这篇文章看到过 找不到了
哪位知道 ?
不使用 CreateProcess WinExec ShellExecute之类的
这篇文章看到过 找不到了
哪位知道 ?
...全文
请发表友善的回复…
发表回复
billy145533 2005-10-29
- 打赏
- 举报
为什么要这样做??hook??
masterz 2005-10-29
- 打赏
- 举报
There is also a sample in Windows 2000 Native API (source code)\ntdll\ex06_1.cpp
#include "ntdll.h"
#include <stdio.h>
namespace NT {
extern "C" {
NTSTATUS
NTAPI
CsrClientCallServer(
IN PVOID Message,
IN PVOID,
IN ULONG Opcode,
IN ULONG Size
);
}
}
VOID InheritAll()
{
ULONG n = 0x1000;
PULONG p = new ULONG[n];
while (NT::ZwQuerySystemInformation(NT::SystemHandleInformation, p, n * sizeof *p, 0)
== STATUS_INFO_LENGTH_MISMATCH)
delete [] p, p = new ULONG[n *= 2];
NT::PSYSTEM_HANDLE_INFORMATION h = NT::PSYSTEM_HANDLE_INFORMATION(p + 1);
ULONG pid = GetCurrentProcessId();
for (ULONG i = 0; i < *p; i++)
if (h[i].ProcessId == pid)
SetHandleInformation(HANDLE(h[i].Handle), HANDLE_FLAG_INHERIT, HANDLE_FLAG_INHERIT);
delete [] p;
}
VOID InformCsrss(HANDLE hProcess, HANDLE hThread, ULONG pid, ULONG tid)
{
struct CSRSS_MESSAGE {
ULONG Unknown1;
ULONG Opcode;
ULONG Status;
ULONG Unknown2;
};
struct {
NT::PORT_MESSAGE PortMessage;
CSRSS_MESSAGE CsrssMessage;
PROCESS_INFORMATION ProcessInformation;
NT::CLIENT_ID Debugger;
ULONG CreationFlags;
ULONG VdmInfo[2];
} csrmsg = {{0}, {0}, {hProcess, hThread, pid, tid}, {0}, 0, {0}};
NT::CsrClientCallServer(&csrmsg, 0, 0x10000, 0x24);
}
__declspec(naked) int child()
{
typedef BOOL (WINAPI *CsrpConnectToServer)(PWSTR);
// CsrpConnectToServer(0x77F68CC0)(L"\\Windows");
// CsrpConnectToServer(0x77F8F65D)(L"\\Windows");
CsrpConnectToServer(0x77F922F5)(L"\\Windows");
__asm mov eax, 0
__asm mov esp, ebp
__asm pop ebp
__asm ret
}
#pragma optimize("y", off) // disable frame pointer omission
int fork()
{
HANDLE hProcess, hThread;
InheritAll();
NT::OBJECT_ATTRIBUTES oa = {sizeof oa};
NT::ZwCreateProcess(&hProcess, PROCESS_ALL_ACCESS, &oa, NtCurrentProcess(), TRUE, 0, 0, 0);
NT::CONTEXT context = {CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS | CONTEXT_FLOATING_POINT};
NT::ZwGetContextThread(NtCurrentThread(), &context);
context.Eip = ULONG(child);
MEMORY_BASIC_INFORMATION mbi;
NT::ZwQueryVirtualMemory(NtCurrentProcess(), PVOID(context.Esp),
NT::MemoryBasicInformation, &mbi, sizeof mbi, 0);
NT::USER_STACK stack = {0, 0, PCHAR(mbi.BaseAddress) + mbi.RegionSize,
mbi.BaseAddress, mbi.AllocationBase};
NT::CLIENT_ID cid;
NT::ZwCreateThread(&hThread, THREAD_ALL_ACCESS, &oa,
hProcess, &cid, &context, &stack, TRUE);
NT::THREAD_BASIC_INFORMATION tbi;
NT::ZwQueryInformationThread(NtCurrentThread(), NT::ThreadBasicInformation,
&tbi, sizeof tbi, 0);
NT::PNT_TIB tib = tbi.TebBaseAddress;
NT::ZwQueryInformationThread(hThread, NT::ThreadBasicInformation, &tbi, sizeof tbi, 0);
NT::ZwWriteVirtualMemory(hProcess, tbi.TebBaseAddress,
&tib->ExceptionList, sizeof tib->ExceptionList, 0);
InformCsrss(hProcess, hThread, ULONG(cid.UniqueProcess), ULONG(cid.UniqueThread));
NT::ZwResumeThread(hThread, 0);
NT::ZwClose(hThread);
NT::ZwClose(hProcess);
return int(cid.UniqueProcess);
}
#pragma optimize("", on)
int main()
{
int n = fork();
Sleep(n * 10);
Beep(100, 100);
printf("%d\n", n);
return 0;
}
#include "ntdll.h"
#include <stdio.h>
namespace NT {
extern "C" {
NTSTATUS
NTAPI
CsrClientCallServer(
IN PVOID Message,
IN PVOID,
IN ULONG Opcode,
IN ULONG Size
);
}
}
VOID InheritAll()
{
ULONG n = 0x1000;
PULONG p = new ULONG[n];
while (NT::ZwQuerySystemInformation(NT::SystemHandleInformation, p, n * sizeof *p, 0)
== STATUS_INFO_LENGTH_MISMATCH)
delete [] p, p = new ULONG[n *= 2];
NT::PSYSTEM_HANDLE_INFORMATION h = NT::PSYSTEM_HANDLE_INFORMATION(p + 1);
ULONG pid = GetCurrentProcessId();
for (ULONG i = 0; i < *p; i++)
if (h[i].ProcessId == pid)
SetHandleInformation(HANDLE(h[i].Handle), HANDLE_FLAG_INHERIT, HANDLE_FLAG_INHERIT);
delete [] p;
}
VOID InformCsrss(HANDLE hProcess, HANDLE hThread, ULONG pid, ULONG tid)
{
struct CSRSS_MESSAGE {
ULONG Unknown1;
ULONG Opcode;
ULONG Status;
ULONG Unknown2;
};
struct {
NT::PORT_MESSAGE PortMessage;
CSRSS_MESSAGE CsrssMessage;
PROCESS_INFORMATION ProcessInformation;
NT::CLIENT_ID Debugger;
ULONG CreationFlags;
ULONG VdmInfo[2];
} csrmsg = {{0}, {0}, {hProcess, hThread, pid, tid}, {0}, 0, {0}};
NT::CsrClientCallServer(&csrmsg, 0, 0x10000, 0x24);
}
__declspec(naked) int child()
{
typedef BOOL (WINAPI *CsrpConnectToServer)(PWSTR);
// CsrpConnectToServer(0x77F68CC0)(L"\\Windows");
// CsrpConnectToServer(0x77F8F65D)(L"\\Windows");
CsrpConnectToServer(0x77F922F5)(L"\\Windows");
__asm mov eax, 0
__asm mov esp, ebp
__asm pop ebp
__asm ret
}
#pragma optimize("y", off) // disable frame pointer omission
int fork()
{
HANDLE hProcess, hThread;
InheritAll();
NT::OBJECT_ATTRIBUTES oa = {sizeof oa};
NT::ZwCreateProcess(&hProcess, PROCESS_ALL_ACCESS, &oa, NtCurrentProcess(), TRUE, 0, 0, 0);
NT::CONTEXT context = {CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS | CONTEXT_FLOATING_POINT};
NT::ZwGetContextThread(NtCurrentThread(), &context);
context.Eip = ULONG(child);
MEMORY_BASIC_INFORMATION mbi;
NT::ZwQueryVirtualMemory(NtCurrentProcess(), PVOID(context.Esp),
NT::MemoryBasicInformation, &mbi, sizeof mbi, 0);
NT::USER_STACK stack = {0, 0, PCHAR(mbi.BaseAddress) + mbi.RegionSize,
mbi.BaseAddress, mbi.AllocationBase};
NT::CLIENT_ID cid;
NT::ZwCreateThread(&hThread, THREAD_ALL_ACCESS, &oa,
hProcess, &cid, &context, &stack, TRUE);
NT::THREAD_BASIC_INFORMATION tbi;
NT::ZwQueryInformationThread(NtCurrentThread(), NT::ThreadBasicInformation,
&tbi, sizeof tbi, 0);
NT::PNT_TIB tib = tbi.TebBaseAddress;
NT::ZwQueryInformationThread(hThread, NT::ThreadBasicInformation, &tbi, sizeof tbi, 0);
NT::ZwWriteVirtualMemory(hProcess, tbi.TebBaseAddress,
&tib->ExceptionList, sizeof tib->ExceptionList, 0);
InformCsrss(hProcess, hThread, ULONG(cid.UniqueProcess), ULONG(cid.UniqueThread));
NT::ZwResumeThread(hThread, 0);
NT::ZwClose(hThread);
NT::ZwClose(hProcess);
return int(cid.UniqueProcess);
}
#pragma optimize("", on)
int main()
{
int n = fork();
Sleep(n * 10);
Beep(100, 100);
printf("%d\n", n);
return 0;
}
masterz 2005-10-29
- 打赏
- 举报
ZwCreateSection/ZwCreateProcess/ZwCreateThread
http://www.phrack.org/phrack/62/p62-0x06_Kernel_Mode_Backdoors_for_Windows_NT.txt
http://www.phrack.org/phrack/62/p62-0x06_Kernel_Mode_Backdoors_for_Windows_NT.txt
summer54 2005-10-29
- 打赏
- 举报
mark
DrSmart 2005-10-29
- 打赏
- 举报
你也可以参考一下pjf的原理,具体的还是我上面说的那样了
Kudeet 2005-10-28
- 打赏
- 举报
NtCreateProcess .....
Kudeet 2005-10-28
- 打赏
- 举报
http://www.codeproject.com/system/soviet_protector.asp
saliors 2005-10-28
- 打赏
- 举报
楼主的问题都比较奇怪,帮顶一下吧
teli_eurydice 2005-10-28
- 打赏
- 举报
帮你up
CodeProject-Jerry 2005-10-28
- 打赏
- 举报
ZwCreateProcess ??
怎么用的
怎么用的
tfp 2005-10-27
- 打赏
- 举报
??!
DrSmart 2005-10-27
- 打赏
- 举报
可以啊,以下是ZwCreateProcess的结构体
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN HANDLE InheritFromProcessHandle,
IN BOOLEAN InheritHandles,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL
);
这是一个未公开的api,ddk中没有,不过自己可以用softice跟踪,调用安全问题自己解决了(未公开啊)
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN HANDLE InheritFromProcessHandle,
IN BOOLEAN InheritHandles,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL
);
这是一个未公开的api,ddk中没有,不过自己可以用softice跟踪,调用安全问题自己解决了(未公开啊)
laofang 2005-10-27
- 打赏
- 举报
“人工启动一个进程”,那还不简单,鼠标双击嘛,哈哈:)
欣赏你的名字,帮你UP
欣赏你的名字,帮你UP
The requested URL was not found on the server. If you entered the URL manually please check your spe vncserver Can't find file /root/.vnc/192.168.1.3:1.pid You'll have to kill the Xvnc process manually