资源简介
X64 inline hook：在 explorer.exe 进程内挂钩 CreateProcessInternalW，监视进程创建。
VC2008 + Win7 x64 测试通过。
代码片段和文件信息
#include
#include
#include
#include
#include
// StrRStrI (used in DllMain to match the host process name) lives in shlwapi.
#pragma comment(lib “shlwapi.lib“)
// Number of bytes overwritten at the start of the target export: a 10-byte
// `mov rax, imm64` (opcode written at offset 0, address at offset 2) followed by
// a 2-byte `jmp rax` at offset 10. Any integrity check that compares the first
// bytes of kernel32 exports against the on-disk image will see exactly this stub.
#define CODE_LEN 12
// Full path of the module hosting this DLL, filled by GetModuleFileName in
// DllMain and matched against the process names the hook is meant for.
TCHAR ModuleFile[256];
// Page protection saved by the first VirtualProtect so it can be restored
// after the stub is written.
DWORD dwOldProtect;
// Copy of the displaced original bytes (memcpy'd before the patch). Aggregate
// initialization sets only the first byte to 0x90; the remaining bytes start as 0.
BYTE OldCode[CODE_LEN] = {0x90};
// Signature assumed for kernel32!CreateProcessInternalW.
// NOTE(review): parameter separators appear to have been lost when this listing
// was extracted; the original source presumably has commas between parameters.
// NOTE(review): the target is the "W" export, but the typedef uses TCHAR-dependent
// LPCTSTR/LPTSTR and an ANSI LPSTARTUPINFOA, and declares a HANDLE return where the
// public CreateProcess family returns BOOL — confirm against the real signature.
typedef HANDLE (WINAPI *__CreateProcessInternal)(HANDLE hTokenLPCTSTR lpApplicationNameLPTSTR lpCommandLineLPSECURITY_ATTRIBUTES lpProcessAttributesLPSECURITY_ATTRIBUTES lpThreadAttributesBOOL bInheritHandlesDWORD dwCreationFlagsLPVOID lpEnvironmentLPCTSTR lpCurrentDirectoryLPSTARTUPINFOA lpStartupInfoLPPROCESS_INFORMATION lpProcessInformationPHANDLE hNewToken);
// First holds the address of the real export (while it is being patched); after
// the patch DllMain repoints it at a VirtualAlloc'd trampoline that runs the
// saved original bytes and jumps back past the overwritten prologue. The detour
// calls through this pointer, so it never re-enters itself.
__CreateProcessInternal pfnCreateProcess = 0;
/// Detour body placed over the first CODE_LEN bytes of kernel32!CreateProcessInternalW
/// (installed in the DLL_PROCESS_ATTACH branch of DllMain).
///
/// Shows the command line of each process the hooked explorer.exe creates in a
/// modal MessageBox (text = lpCommandLine, caption = lpApplicationName), then
/// forwards every argument unchanged to the trampoline referenced by
/// pfnCreateProcess, which executes the displaced original bytes and continues in
/// the real function. The detour reads no output parameter and returns whatever
/// the trampoline returns.
///
/// NOTE(review): MessageBox is modal, so the explorer thread performing the
/// process creation blocks until the box is dismissed.
/// NOTE(review): lpApplicationName and lpCommandLine may each be NULL under the
/// public CreateProcess contract; MessageBox uses a default caption for a NULL
/// lpCaption — confirm the NULL lpText case before relying on it.
/// NOTE(review): the declared HANDLE return and TCHAR/ANSI parameter types do not
/// match a "W" export that the public API documents as returning BOOL; the
/// arguments are merely passed through here, but confirm the real signature.
HANDLE WINAPI FakeCreateProcessInternal(HANDLE hToken, LPCTSTR lpApplicationName, LPTSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCTSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation, PHANDLE hNewToken)
{
    // Report first, then dispatch through the trampoline (not the patched export),
    // which is what keeps the detour from re-entering itself.
    MessageBox(NULL, lpCommandLine, lpApplicationName, MB_ICONASTERISK);

    const __CreateProcessInternal forward_to_original = pfnCreateProcess;
    return forward_to_original(hToken,
                               lpApplicationName,
                               lpCommandLine,
                               lpProcessAttributes,
                               lpThreadAttributes,
                               bInheritHandles,
                               dwCreationFlags,
                               lpEnvironment,
                               lpCurrentDirectory,
                               lpStartupInfo,
                               lpProcessInformation,
                               hNewToken);
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL // handle to DLL module
DWORD fdwReason // reason for calling function
LPVOID lpReserved ) // reserved
{
switch( fdwReason )
{
case DLL_PROCESS_ATTACH:
::DisableThreadLibraryCalls(hinstDLL);
GetModuleFileName(NULL ModuleFile _countof(ModuleFile));
if (StrRStrI(ModuleFile 0 TEXT(“explorer.exe“)))
{
pfnCreateProcess = (__CreateProcessInternal)GetProcAddress(GetModuleHandle(TEXT(“kernel32.dll“)) “CreateProcessInternalW“);
::VirtualProtect(pfnCreateProcess CODE_LEN PAGE_EXECUTE_READWRITE &dwOldProtect);
memcpy(OldCode pfnCreateProcess CODE_LEN);
memset(pfnCreateProcess 0x90 CODE_LEN);
/*
mov rax FakeCreateProcessInternal
jmp rax
*/
*(LPWORD)pfnCreateProcess = 0xb848;
*(INT64*)((INT64)pfnCreateProcess+2) = (INT64)FakeCreateProcessInternal;
*(LPWORD)((INT64)pfnCreateProcess+10) = 0xe0ff;
::VirtualProtect(pfnCreateProcess CODE_LEN dwOldProtect NULL);
pfnCreateProcess = (__CreateProcessInternal)VirtualAlloc(NULL CODE_LEN+12 MEM_COMMIT PAGE_EXECUTE_READWRITE);
memcpy(pfnCreateProcess OldCode CODE_LEN);
/*
mov rbx CreateProcessInternalW + CODE_LEN
jmp rbx
*/
*(LPWORD)((INT64)pfnCreateProcess+CODE_LEN) = 0xb848;
*(INT64*)((INT64)pfnCreateProcess+CODE_LEN+2) = (INT64)GetProcAddress(GetModuleHandle(TEXT(“kernel32.dll“)) “CreateProcessInternalW“)+CODE_LEN;
*(LPWORD)((INT64)pfnCreateProcess+CODE_LEN+10) = 0xe0ff;
}
else if (StrRStrI(ModuleFile 0 TEXT(“Rundll32.exe“)))
{
DWORD dwProcessId = 0;
HANDLE hProcess = 0;
HWND
属性 大小 日期 时间 名称
----------- --------- ---------- ----- ----
文件 4608 2013-11-24 13:53 X64Dll\x64\Release\X64Dll.dll
文件 660 2013-11-24 13:29 X64Dll\x64\Release\X64Dll.dll.manifest
文件 700 2013-11-24 13:53 X64Dll\x64\Release\X64Dll.exp
文件 1716 2013-11-24 13:53 X64Dll\x64\Release\X64Dll.lib
文件 117760 2013-11-24 13:53 X64Dll\x64\Release\X64Dll.pdb
文件 4201 2013-11-24 13:53 X64Dll\X64Dll\1.cpp
文件 7221 2013-11-24 00:54 X64Dll\X64Dll\X64Dll.vcproj
文件 2563 2013-11-24 14:14 X64Dll\X64Dll\X64Dll.vcproj.zwf-PC.Administrator.user
文件 1238 2013-11-23 17:50 X64Dll\X64Dll.sln
..A..H. 24064 2013-11-24 14:14 X64Dll\X64Dll.suo
目录 0 2013-11-24 13:29 X64Dll\x64\Release
目录 0 2013-11-24 14:14 X64Dll\X64Dll\x64
目录 0 2013-11-24 14:15 X64Dll\x64
目录 0 2013-11-24 13:53 X64Dll\X64Dll
目录 0 2013-11-24 14:14 X64Dll
----------- --------- ---------- ----- ----
164731 15