[原创]check hosts file
发表于: 2013-8-12 22:51 7015

// CheckHosts.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Information class passed to NtQueryInformationProcess in GetProcessCmdLine();
// its output buffer is the PROCESS_BASIC_INFORMATION declared below.
#define ProcessBasicInformation 0

// Hand-declared native-API counted string.  The code below treats Length as a
// byte count: GetProcessCmdLine() reads exactly CommandLine.Length bytes from
// Buffer and never relies on a terminator being present in the target.
typedef struct
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

// Hand-declared layout of the undocumented process-parameters block the PEB
// points at (RTL_USER_PROCESS_PARAMETERS).  Only CommandLine is read here; the
// Unknown* members exist to keep it at the expected offset.
// NOTE(review): the ULONG/HANDLE field widths describe the 32-bit layout; a
// reply on this page reports the lookup failing on Windows 8 x64, which would
// be consistent with a 64-bit target not matching these offsets — not verified.
typedef struct
{
    ULONG          AllocationSize;
    ULONG          ActualSize;
    ULONG          Flags;
    ULONG          Unknown1;
    UNICODE_STRING Unknown2;
    HANDLE         InputHandle;
    HANDLE         OutputHandle;
    HANDLE         ErrorHandle;
    UNICODE_STRING CurrentDirectory;
    HANDLE         CurrentDirectoryHandle;
    UNICODE_STRING SearchPaths;
    UNICODE_STRING ApplicationName;
    UNICODE_STRING CommandLine;          // the only member GetProcessCmdLine() uses
    PVOID          EnvironmentBlock;
    ULONG          Unknown[9];
    UNICODE_STRING Unknown3;
    UNICODE_STRING Unknown4;
    UNICODE_STRING Unknown5;
    UNICODE_STRING Unknown6;
} PROCESS_PARAMETERS, *PPROCESS_PARAMETERS;

// Partial, hand-declared Process Environment Block.  Only ProcessParameters is
// dereferenced (GetProcessCmdLine() copies the block it points to); the other
// members are placeholders that put it at the expected offset.
// NOTE(review): same 32-bit-layout caveat as PROCESS_PARAMETERS above.
typedef struct
{
    ULONG               AllocationSize;
    ULONG               Unknown1;
    HINSTANCE           ProcessHinstance;
    PVOID               ListDlls;
    PPROCESS_PARAMETERS ProcessParameters;   // remote pointer; read with ReadProcessMemory
    ULONG               Unknown2;
    HANDLE              Heap;
} PEB, *PPEB;

// Output buffer for NtQueryInformationProcess(ProcessBasicInformation).  Only
// PebBaseAddress (a pointer into the target's address space) is consumed.
typedef struct
{
    DWORD ExitStatus;
    PPEB  PebBaseAddress;
    DWORD AffinityMask;
    DWORD BasePriority;
    ULONG UniqueProcessId;
    ULONG InheritedFromUniqueProcessId;
}   PROCESS_BASIC_INFORMATION;



// Signature of ntdll!NtQueryInformationProcess, which is not exported through
// an import library here and is therefore resolved at run time.
typedef LONG (WINAPI *PROCNTQSIP)(HANDLE,UINT,PVOID,ULONG,PULONG);


// Filled in by main() via GetProcAddress("ntdll", "NtQueryInformationProcess");
// NULL until then.  GetProcessCmdLine() calls through it.
PROCNTQSIP NtQueryInformationProcess;

// Reads the command line of process dwId into wBuf (dwBufLen is in bytes).
// Defined after main(); see the definition for the full contract.
BOOL GetProcessCmdLine(DWORD dwId,LPWSTR wBuf,DWORD dwBufLen);


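/*
 * Enables SE_DEBUG_NAME on the current process token so that OpenProcess()
 * and ReadProcessMemory() succeed against processes of other accounts (the
 * service processes main() walks).
 *
 * Returns true only when the privilege is actually enabled.
 * AdjustTokenPrivileges() returns TRUE even when the caller's token does not
 * hold the privilege at all (it then reports ERROR_NOT_ALL_ASSIGNED through
 * GetLastError), so that case is checked explicitly and reported as failure.
 * The token handle is closed on every path; the original leaked it on the
 * success path.
 */
bool AdjustProcessTokenPrivilege()
{
	HANDLE hToken = NULL;
	LUID sedebugnameValue;
	TOKEN_PRIVILEGES tkp = {0};
	bool bEnabled = false;

	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
	{
		return false;
	}

	if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
	{
		MessageBox(NULL, "LookupPrivilegeValue fail" ,"fail", MB_OK | MB_ICONINFORMATION);
		CloseHandle(hToken);
		return false;
	}

	tkp.PrivilegeCount = 1;
	tkp.Privileges[0].Luid = sedebugnameValue;
	tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

	// A nonzero return only means the call itself succeeded; the documented
	// ERROR_NOT_ALL_ASSIGNED result means the privilege is not held.
	if (AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)
		&& GetLastError() != ERROR_NOT_ALL_ASSIGNED)
	{
		bEnabled = true;
	}

	CloseHandle(hToken);
	return bEnabled;
}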

/*
 * Clears the console and prints the two-item menu main() then reads a choice
 * for (1 = show the current hosts file name, 2 = restore the original name).
 */
void IsDisplayParameter()
{
	static const char *const szMenu[] = {
		"---------------------------------------------",
		"-           1 查看当前hosts文件名           -",
		"-           2 恢复hosts原来文件名           -",
		"---------------------------------------------",
	};

	// Fixed literal command; no user-controlled text reaches system().
	system("cls");

	for (size_t n = 0; n < sizeof(szMenu) / sizeof(szMenu[0]); n++)
	{
		puts(szMenu[n]);
	}
}


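/*
 * Scans every committed, readable region of hProcess for the ANSI string
 * "drivers\\etc\\" — compared without its trailing backslash, exactly as the
 * original did — and handles the first match according to dwIndex:
 *   1  prints the matched text (bounded to what remains in the region);
 *   2  overwrites it with "drivers\\etc\\hosts".
 *
 * Returns TRUE when a match was handled, FALSE when the whole address space
 * was walked without one.  The scratch buffer is freed on every path (the
 * original leaked it), the match address is kept as a full-width pointer
 * instead of being truncated to a DWORD, and regions shorter than the needle
 * are skipped so the "RegionSize - needle" arithmetic cannot wrap.
 */
static BOOL ScanProcessForHostsPath(HANDLE hProcess, DWORD dwIndex)
{
	static const char szNeedle[] = "drivers\\etc\\";
	const SIZE_T cbNeedle = sizeof(szNeedle) - 1;   // == strlen("drivers\\etc\\")
	const SIZE_T cbCompare = cbNeedle - 1;          // original compares one byte fewer
	MEMORY_BASIC_INFORMATION tagMemoryInfo = {0};
	PBYTE pAddress = NULL;
	BYTE *lpBuf = NULL;
	SIZE_T cbBuf = 0;
	BOOL bFound = FALSE;

	while (!bFound
		&& sizeof(tagMemoryInfo) == VirtualQueryEx(hProcess, pAddress, &tagMemoryInfo, sizeof(tagMemoryInfo)))
	{
		PBYTE pNext = (PBYTE)tagMemoryInfo.BaseAddress + tagMemoryInfo.RegionSize;

		// Skip anything not committed, not readable, or guarded — reading a
		// guard page would fire the guard in the target process.
		if (MEM_COMMIT != tagMemoryInfo.State || 0 == tagMemoryInfo.Protect
			|| (PAGE_GUARD & tagMemoryInfo.Protect) != 0
			|| (PAGE_NOACCESS & tagMemoryInfo.Protect) != 0
			|| tagMemoryInfo.RegionSize < cbNeedle)
		{
			pAddress = pNext;
			continue;
		}

		// Grow the scratch buffer only when a larger region shows up.
		if (tagMemoryInfo.RegionSize > cbBuf)
		{
			delete [] lpBuf;
			lpBuf = new BYTE[tagMemoryInfo.RegionSize];
			cbBuf = tagMemoryInfo.RegionSize;
		}

		if (!ReadProcessMemory(hProcess, tagMemoryInfo.BaseAddress, lpBuf, tagMemoryInfo.RegionSize, NULL))
		{
			pAddress = pNext;
			continue;
		}

		const SIZE_T nMax = tagMemoryInfo.RegionSize - cbNeedle;
		for (SIZE_T off = 0; off <= nMax; off++)
		{
			if (0 != memcmp(szNeedle, &lpBuf[off], cbCompare))
			{
				continue;
			}

			PBYTE pMatch = (PBYTE)tagMemoryInfo.BaseAddress + off;

			if (dwIndex == 2)
			{
				// Report a failed write instead of claiming success as before.
				if (WriteProcessMemory(hProcess, pMatch, "drivers\\etc\\hosts", strlen("drivers\\etc\\hosts"), NULL))
				{
					puts("恭喜, 恢復成功!!!");
				}
				else
				{
					printf("WriteProcessMemory failed: %lu\n", GetLastError());
				}
				bFound = TRUE;
				break;
			}
			else if (dwIndex == 1)
			{
				// The match is not guaranteed to be NUL-terminated inside the
				// region, so bound the printed length to the bytes still in
				// lpBuf (and to MAXBYTE, the original's buffer size) instead
				// of sprintf()ing an unbounded string into a fixed buffer.
				SIZE_T cbAvail = tagMemoryInfo.RegionSize - off;
				SIZE_T cbText = 0;
				while (cbText < cbAvail && cbText < MAXBYTE && lpBuf[off + cbText] != '\0')
				{
					cbText++;
				}
				printf("----====found: [%.*s]===---\n", (int)cbText, (const char *)&lpBuf[off]);
				bFound = TRUE;
				break;
			}

			off += cbCompare;   // resume after the compared bytes; the loop adds one more
		}

		pAddress = pNext;
	}

	delete [] lpBuf;
	return bFound;
}

/*
 * Entry point.  Shows the menu, reads a choice (1 or 2), then walks PIDs
 * 4..0x270c in steps of 4: prints each process's command line and, for every
 * process whose command line contains "-k NetworkService", scans its memory
 * for the hosts path (ScanProcessForHostsPath).  Stops after the first
 * process in which a match was handled.
 *
 * Fixes over the original: main() returns an int; the menu loop stops on EOF
 * instead of spinning forever; the command-line buffer is cleared before
 * every query and always has a terminating WCHAR, so text left over from a
 * previous process can no longer satisfy the wcsstr() check; targets are
 * opened with only the access the chosen action needs rather than
 * PROCESS_ALL_ACCESS; a process that cannot be opened is skipped instead of
 * aborting the scan; the process handle is closed on every path.
 */
int main(int argc, char* argv[])
{
	(void)argc;
	(void)argv;

	system("color 0a & title 半斤八兩");

	int nChoice = 0;

	IsDisplayParameter();

	while (TRUE)
	{
		int rc = scanf("%d", &nChoice);
		if (rc == EOF)
		{
			return 1;   // stdin closed; nothing more to read
		}
		if (rc == 1 && (nChoice == 1 || nChoice == 2))
		{
			break;
		}

		IsDisplayParameter();

		// Discard the rest of the line; the original looped forever on EOF.
		int c;
		while ((c = getchar()) != '\n' && c != EOF)
		{
		}
		if (c == EOF)
		{
			return 1;
		}
	}

	NtQueryInformationProcess = (PROCNTQSIP)GetProcAddress(
		GetModuleHandle("ntdll"),
		"NtQueryInformationProcess"
		);

	if (!NtQueryInformationProcess)
	{
		return 1;
	}

	if (!AdjustProcessTokenPrivilege())
	{
		puts("SeDebugPrivilege not enabled; processes of other users may be skipped");
	}

	// Showing the name needs query + read; restoring it additionally needs
	// VM write/operation.  Nothing here needs PROCESS_ALL_ACCESS.
	DWORD dwAccess = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ;
	if (nChoice == 2)
	{
		dwAccess |= PROCESS_VM_WRITE | PROCESS_VM_OPERATION;
	}

	WCHAR wstr[MAXBYTE] = {0};

	for (int nPid = 4; nPid < 0x270f; nPid += 4)
	{
		// Clear before every query and keep one WCHAR spare so wstr is always
		// NUL-terminated, including when GetProcessCmdLine() fails.
		memset(wstr, 0, sizeof(wstr));
		if (GetProcessCmdLine((DWORD)nPid, wstr, sizeof(wstr) - sizeof(WCHAR)))
		{
			wprintf(L"PID: [%lu]\r\nparameter: [%ls]\r\n\r\n", (unsigned long)nPid, wstr);
		}

		// Only service-host processes started for the NetworkService group.
		if (NULL == wcsstr(wstr, L"-k NetworkService"))
		{
			continue;
		}

		HANDLE hProcess = OpenProcess(dwAccess, FALSE, (DWORD)nPid);
		if (!hProcess)
		{
			printf("OpenProcess(%d) failed: %lu\n", nPid, GetLastError());
			continue;
		}

		BOOL bHandled = ScanProcessForHostsPath(hProcess, (DWORD)nChoice);
		CloseHandle(hProcess);

		if (bHandled)
		{
			system("pause");
			return 0;
		}

		puts("ok");
	}

	return 0;
}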

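/*
 * Copies the command line of process dwId into wBuf.
 *
 * Walks PEB -> process parameters -> CommandLine through the hand-declared
 * structures at the top of the file.  Requires NtQueryInformationProcess to
 * have been resolved (main() does this) and PROCESS_QUERY_INFORMATION |
 * PROCESS_VM_READ on the target; for processes of other accounts that in
 * turn needs SeDebugPrivilege (AdjustProcessTokenPrivilege()).
 *
 * dwBufLen is the size of wBuf in BYTES.  On success wBuf holds the
 * NUL-terminated command line and TRUE is returned.  FALSE means the
 * function pointer is unset, the process could not be opened, the query or
 * any remote read failed, a remote pointer on the way was NULL, or wBuf has
 * no room for the text plus a terminator.  (The original accepted a buffer
 * the text filled exactly and returned it unterminated; callers then ran
 * wcsstr() and wprintf() off the end of it.)
 *
 * NOTE(review): the PEB/PROCESS_PARAMETERS typedefs use 32-bit field widths;
 * a reply on this page reports the lookup failing on Windows 8 x64, which is
 * consistent with a 64-bit target not matching those offsets — not verified.
 */
BOOL GetProcessCmdLine(DWORD dwId,LPWSTR wBuf,DWORD dwBufLen)
{
    LONG                      status;
    HANDLE                    hProcess;
    PROCESS_BASIC_INFORMATION pbi;
    PEB                       Peb;
    PROCESS_PARAMETERS        ProcParam;
    SIZE_T                    nRead;       // current SDKs declare lpNumberOfBytesRead as SIZE_T*
    DWORD                     dwSize;
    LPVOID                    lpAddress;
    BOOL                      bRet = FALSE;

    if (!NtQueryInformationProcess || !wBuf)
		return FALSE;

    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,FALSE,dwId);
    if (!hProcess)
		return FALSE;

    status = NtQueryInformationProcess( hProcess,
		ProcessBasicInformation,
		(PVOID)&pbi,
		sizeof(PROCESS_BASIC_INFORMATION),
		NULL
		);

    // NTSTATUS: zero is success, anything else is failure.
    if (status || !pbi.PebBaseAddress)
		goto cleanup;

    if (!ReadProcessMemory( hProcess,
		pbi.PebBaseAddress,
		&Peb,
		sizeof(PEB),
		&nRead
		)
		)
		goto cleanup;

    if (!Peb.ProcessParameters)
		goto cleanup;

    if (!ReadProcessMemory( hProcess,
		Peb.ProcessParameters,
		&ProcParam,
		sizeof(PROCESS_PARAMETERS),
		&nRead
		)
		)
		goto cleanup;

    lpAddress = ProcParam.CommandLine.Buffer;
    dwSize = ProcParam.CommandLine.Length;   // byte count, as the read below assumes

    if (!lpAddress)
		goto cleanup;

    // Need room for the text plus a terminating WCHAR.
    if (dwBufLen < dwSize + sizeof(WCHAR))
		goto cleanup;

    if (!ReadProcessMemory( hProcess,
		lpAddress,
		wBuf,
		dwSize,
		&nRead
		)
		)
		goto cleanup;

    wBuf[dwSize / sizeof(WCHAR)] = L'\0';
    bRet = TRUE;
cleanup:
    CloseHandle (hProcess);

    return bRet;
}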



最新回复 (5)
之前有一个帖子提到过svchost.exe
2013-8-13 09:25
楼主这个很不错哦,支持支持了,不过许多svchost.exe都改掉吗?
2013-8-14 18:45
楼主,请问为什么我在windows 8 64系统下无法获取到svchost.exe的进程启动命令行?我已经提升debug权限了
2013-8-14 18:54
装逼兄,win8我没有测试过喔.x64更没测试过.我也没有win8x64,我也不清楚.
可能用此法在win8上无效吧.~
2013-8-14 19:13
支持加膜拜。下了好多楼主的教程。感谢。
2013-8-16 02:18