为了截取发送给打印机的数据,通过HOOK去拦截,现在已经做好HOOK了,但是在注入到进程的时候出现了问题,也是通过网上远程线程注入的办法注入DLL。
开始的时候,一直是权限不够,后来我提升了权限,也不会失败了,每一步都是返回成功,但是用工具查看,发现spoolsv.exe一直都没被注入我的DLL,但是换成别的EXE都可以成功注入。
我有2个问题:1 我注入的进程是spoolsv,这样选是否对? 2 提升权限后应该没问题了,但是工具还是查看不到相应的DLL,是哪里的错?代码我也贴过来了。
#include <windows.h>
#include <winsvc.h>
#include <tlhelp32.h>
#include <stdio.h>
// DLL injection routine (the textbook CreateRemoteThread + LoadLibraryW sequence):
// allocate a buffer in the target process, copy the DLL path into it, then start
// a remote thread whose entry point is LoadLibraryW with that buffer as argument.
//
// dwProcessId - PID of the target process.
// lpszLibName - NUL-terminated wide path of the DLL to be loaded in the target.
// Returns TRUE when every Win32 call succeeded; FALSE after showing a MessageBox.
//
// Review notes (code left unchanged):
//  - Every MessageBox text ends in "failed with error " but `error` is captured
//    and never displayed, so all failures look identical to the operator. Format
//    the code into the message (snprintf/wsprintf) or log it.
//  - `sizeof(WCHAR) * lstrlenW(lpszLibName) + 1` binds as (2*len)+1 bytes, one
//    byte short of the two-byte terminator; the intended size is
//    sizeof(WCHAR) * (lstrlenW(lpszLibName) + 1). The same expression is reused
//    as the WriteProcessMemory length.
//  - hProcess is leaked on every early-return path after OpenProcess succeeds.
//  - WaitForSingleObject(..., INFINITE) blocks this process forever if the remote
//    DllMain never returns.
//  - The function is declared bool but returns the integer macros TRUE/FALSE.
//  - Defender's note: the OpenProcess(VM_WRITE|CREATE_THREAD) -> VirtualAllocEx ->
//    WriteProcessMemory -> CreateRemoteThread(LoadLibraryW) chain is the canonical
//    remote-thread injection pattern recorded by endpoint telemetry (e.g. Sysmon
//    Event ID 8, CreateRemoteThread); expect it to be logged or blocked on
//    monitored hosts.
bool LoadLib(DWORD dwProcessId, LPWSTR lpszLibName)
{
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    LPWSTR lpszRemoteFile = NULL;
    int error = 0; // captured below but never shown to the user
    // Open the target process with just the rights the calls below need.
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE,dwProcessId);
    if (hProcess == NULL)
    {
        error = GetLastError();
        MessageBox(NULL, "OpenProcess failed with error " , "Error", MB_ICONINFORMATION + MB_OK);
        return FALSE;
    }
    // Allocate space in the target for the DLL file name.
    // NOTE(review): size is (2*len)+1, not 2*(len+1) — see header comment.
    lpszRemoteFile = (LPWSTR)VirtualAllocEx(hProcess, NULL, sizeof(WCHAR) * lstrlenW(lpszLibName) + 1,MEM_COMMIT, PAGE_READWRITE);
    if (lpszRemoteFile == NULL)
    {
        error = GetLastError();
        MessageBox(NULL, "VirtualAllocEx failed with error " , "Error", MB_ICONINFORMATION + MB_OK);
        return FALSE; // hProcess leaked
    }
    // Copy the DLL file name into the buffer just allocated in the target.
    if (!WriteProcessMemory(hProcess, lpszRemoteFile,(PVOID)lpszLibName, sizeof(WCHAR) * lstrlenW(lpszLibName) + 1,NULL))
    {
        error = GetLastError();
        MessageBox(NULL, "WriteProcessMemory failed with error " , "Error",MB_ICONINFORMATION + MB_OK);
        return FALSE; // hProcess and the remote buffer leaked
    }
    // Resolve LoadLibraryW from kernel32 in the current process.
    PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("Kernel32.dll"),"LoadLibraryW");
    if (pfnThreadRtn == NULL)
    {
        error = GetLastError();
        MessageBox(NULL, "GetProcAddress failed with error " , "Error", MB_ICONINFORMATION + MB_OK);
        return FALSE; // hProcess and the remote buffer leaked
    }
    // Create the remote thread (the original comment here contained mis-encoded text).
    hThread = CreateRemoteThread(hProcess,
    NULL,
    0,
    pfnThreadRtn, // address of LoadLibraryW
    lpszRemoteFile, // name of the DLL to load
    0,
    NULL);
    if (hThread == NULL)
    {
        error = GetLastError();
        MessageBox(NULL, "CreateRemoteThread failed with error " , "Error", MB_ICONINFORMATION + MB_OK);
        return FALSE; // hProcess and the remote buffer leaked
    }
    // Wait for the remote thread to finish (no timeout — see header comment).
    WaitForSingleObject(hThread, INFINITE);
    // Free the buffer in the target process.
    VirtualFreeEx(hProcess, lpszRemoteFile, 0, MEM_RELEASE);
    // Close handles.
    CloseHandle(hThread);
    CloseHandle(hProcess);
    return TRUE;
}
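// Enable SeDebugPrivilege on the current process token.
//
// Returns true only when the privilege was actually enabled. The previous
// version returned TRUE even when OpenProcessToken failed, leaked the token
// handle on every path, and carried a dead "query previous state" round trip
// (AdjustTokenPrivileges with Attributes = 0, which also briefly disabled the
// privilege) left over from a commented-out enable/disable switch.
bool SetPrivilege()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return false;
    }

    bool ok = false;
    LUID luid;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
    {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // AdjustTokenPrivileges returns nonzero even when the token does not
        // hold the privilege (last error ERROR_NOT_ALL_ASSIGNED), so both the
        // return value and GetLastError() must be checked.
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL)
            && GetLastError() == ERROR_SUCCESS)
        {
            ok = true;
        }
    }

    CloseHandle(hToken);
    return ok;
}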
// Entry point: look up a process by image name, enable SeDebugPrivilege, and
// hand the PID to LoadLib().
//
// Review notes (code left unchanged):
//  - `void main()` is non-standard; use `int main(void)` and return a status.
//  - pe.dwSize is never set. Process32First/Process32Next require
//    pe.dwSize == sizeof(pe) and fail otherwise, after which strcmp below reads
//    an uninitialized structure (undefined behavior).
//  - hSnapshot is never compared against INVALID_HANDLE_VALUE, and the return
//    values of Process32First and LoadLib are discarded, so failures here
//    produce no diagnostic at all.
//  - The listing compares against "explorer.exe", whereas the post above talks
//    about spoolsv.exe; the string compared here is the one that takes effect.
//  - A wide string literal is bound to a non-const LPWSTR; declare it const.
void main()
{
    LPWSTR m_szDllFile = L"C:\\inject\\Debug\\hookxxx.dll";
    DWORD m_dwProcessId = 0;
    PROCESSENTRY32 pe; // NOTE(review): dwSize not initialized
    // Take a snapshot of the running processes.
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    // Fetch the first process entry (return value not checked).
    Process32First(hSnapshot, &pe);
    // Walk every process in the snapshot and stop at the first name match.
    do{
    if(strcmp(pe.szExeFile,"explorer.exe") == 0 )
    {
        m_dwProcessId =pe.th32ProcessID;
        break;
    }
    }
    while (Process32Next(hSnapshot, &pe));
    // Close the snapshot handle.
    CloseHandle(hSnapshot);
    // Raise this program's privileges, then inject (LoadLib result ignored).
    if( TRUE == SetPrivilege() )
    {
        LoadLib(m_dwProcessId, m_szDllFile);
    }
    getchar();
}