0047FA40 /$ 55 PUSH EBP ; entry: arg1 [EBP+8] = caller's PHANDLE (passed to OpenProcessToken at 0047FB1E), arg2 [EBP+C] = process-name string
0047FA41 |. 8BEC MOV EBP,ESP
0047FA43 |. 81EC 3C010000 SUB ESP,13C ; 0x13C bytes of locals: pe32 at [EBP-130] (0x128 bytes), hSnap [EBP-134], result [EBP-138], hProcess [EBP-13C], cookie [EBP-4]
0047FA49 |. A1 A0526F00 MOV EAX,DWORD PTR DS:[6F52A0] ; load stack cookie (looks like MSVC /GS; re-checked at 0047FB90 -- confirm)
0047FA4E |. 33C5 XOR EAX,EBP ; cookie ^= frame pointer
0047FA50 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX ; saved cookie
0047FA53 |. 837D 0C 00 CMP DWORD PTR SS:[EBP+C],0 ; arg2 == NULL ?
0047FA57 |. 75 07 JNZ SHORT LWLaunch.0047FA60
0047FA59 |. 33C0 XOR EAX,EAX ; -> return 0
0047FA5B |. E9 30010000 JMP LWLaunch.0047FB90 ; straight to cookie check / epilogue
0047FA60 |> C785 CCFEFFFF>MOV DWORD PTR SS:[EBP-134],0 ; hSnap = 0
0047FA6A |. C785 C8FEFFFF>MOV DWORD PTR SS:[EBP-138],0 ; result = 0
0047FA74 |. C785 D0FEFFFF>MOV DWORD PTR SS:[EBP-130],0 ; pe32.dwSize = 0
0047FA7E |. 68 24010000 PUSH 124 ; size = 0x124 (= 0x128 - sizeof dwSize)
0047FA83 |. 6A 00 PUSH 0 ; value = 0
0047FA85 |. 8D85 D4FEFFFF LEA EAX,DWORD PTR SS:[EBP-12C] ; dst = &pe32 + 4 (first field after dwSize)
0047FA8B |. 50 PUSH EAX
0047FA8C |. E8 5F1F0600 CALL LWLaunch.004E19F0 ; presumably memset(dst, 0, 0x124): zero the rest of pe32 -- confirm what 004E19F0 is
0047FA91 |. 83C4 0C ADD ESP,0C ; cdecl, 3 args popped
0047FA94 |. 6A 00 PUSH 0 ; /ProcessID = 0
0047FA96 |. 6A 02 PUSH 2 ; |Flags = TH32CS_SNAPPROCESS
0047FA98 |. E8 97C80800 CALL LWLaunch.0050C334 ; \CreateToolhelp32Snapshot
0047FA9D |. 8985 CCFEFFFF MOV DWORD PTR SS:[EBP-134],EAX ; hSnap = snapshot handle
0047FAA3 |. 83BD CCFEFFFF>CMP DWORD PTR SS:[EBP-134],-1 ; INVALID_HANDLE_VALUE ?
0047FAAA |. 75 07 JNZ SHORT LWLaunch.0047FAB3
0047FAAC |. 33C0 XOR EAX,EAX ; -> return 0 (nothing to close yet)
0047FAAE |. E9 DD000000 JMP LWLaunch.0047FB90
0047FAB3 |> C785 D0FEFFFF>MOV DWORD PTR SS:[EBP-130],128 ; pe32.dwSize = 0x128 = sizeof(PROCESSENTRY32), ANSI/32-bit
0047FABD |. 8D8D D0FEFFFF LEA ECX,DWORD PTR SS:[EBP-130] ; &pe32
0047FAC3 |. 51 PUSH ECX ; /pProcessentry
0047FAC4 |. 8B95 CCFEFFFF MOV EDX,DWORD PTR SS:[EBP-134] ; |
0047FACA |. 52 PUSH EDX ; |hSnapshot
0047FACB |. E8 5EC80800 CALL LWLaunch.0050C32E ; \Process32First
0047FAD0 |. 85C0 TEST EAX,EAX ; Process32First failed ?
0047FAD2 |. 0F84 9B000000 JE LWLaunch.0047FB73 ; -> result = 0, close snapshot, return
0047FAD8 |> 8B45 0C /MOV EAX,DWORD PTR SS:[EBP+C] ; loop top: arg2 = name to look for
0047FADB |. 50 |PUSH EAX
0047FADC |. E8 212B0600 |CALL LWLaunch.004E2602 ; 004E2602(name): one-arg helper returning a pointer, applied to BOTH strings before the compare -- likely a case normaliser such as _strlwr, confirm
0047FAE1 |. 83C4 04 |ADD ESP,4
0047FAE4 |. 50 |PUSH EAX ; 2nd compare argument
0047FAE5 |. 8D8D F4FEFFFF |LEA ECX,DWORD PTR SS:[EBP-10C] ; &pe32.szExeFile (pe32 + 0x24)
0047FAEB |. 51 |PUSH ECX
0047FAEC |. E8 112B0600 |CALL LWLaunch.004E2602 ; 004E2602(szExeFile)
0047FAF1 |. 83C4 04 |ADD ESP,4
0047FAF4 |. 50 |PUSH EAX ; 1st compare argument
0047FAF5 |. E8 566C0600 |CALL LWLaunch.004E6750 ; 004E6750(a, b): two-arg compare, 0 = match (strcmp-like)
0047FAFA |. 83C4 08 |ADD ESP,8
0047FAFD |. 85C0 |TEST EAX,EAX ; names equal ?
0047FAFF |. 75 4B |JNZ SHORT LWLaunch.0047FB4C ; no -> next process
0047FB01 |. 8B95 D8FEFFFF |MOV EDX,DWORD PTR SS:[EBP-128] ; pe32.th32ProcessID (pe32 + 8)
0047FB07 |. 52 |PUSH EDX ; /ProcessId
0047FB08 |. 6A 00 |PUSH 0 ; |Inheritable = FALSE
0047FB0A |. 68 00040000 |PUSH 400 ; |Access = QUERY_INFORMATION (0x400 = PROCESS_QUERY_INFORMATION, what OpenProcessToken needs)
0047FB0F |. FF15 10656700 |CALL NEAR DWORD PTR DS:[676510] ; \OpenProcess -- return value is NOT checked for NULL before it is used at 0047FB2A
0047FB15 |. 8985 C4FEFFFF |MOV DWORD PTR SS:[EBP-13C],EAX ; hProcess = result (may be NULL)
0047FB1B |. 8B45 08 |MOV EAX,DWORD PTR SS:[EBP+8] ; arg1 = caller's PHANDLE
0047FB1E |. 50 |PUSH EAX ; /phToken
0047FB1F |. 68 FF010F00 |PUSH 0F01FF ; |DesiredAccess = STANDARD_RIGHTS_REQUIRED|TOKEN_ASSIGN_PRIMARY|TOKEN_DUPLICATE|TOKEN_IMPERSONATE|TOKEN_QUERY|TOKEN_QUERY_SOURCE|TOKEN_ADJUST_PRIVILEGES|TOKEN_ADJUST_GROUPS|TOKEN_ADJUST_DEFAULT|100 -- i.e. 0xF01FF == TOKEN_ALL_ACCESS
0047FB24 |. 8B8D C4FEFFFF |MOV ECX,DWORD PTR SS:[EBP-13C] ; |
0047FB2A |. 51 |PUSH ECX ; |hProcess
0047FB2B |. FF15 3C606700 |CALL NEAR DWORD PTR DS:[67603C] ; \OpenProcessToken
0047FB31 |. 8985 C8FEFFFF |MOV DWORD PTR SS:[EBP-138],EAX ; result = BOOL from OpenProcessToken
0047FB37 |. 8B95 CCFEFFFF |MOV EDX,DWORD PTR SS:[EBP-134] ; hSnap
0047FB3D |. 52 |PUSH EDX ; /hObject
0047FB3E |. FF15 34656700 |CALL NEAR DWORD PTR DS:[676534] ; \CloseHandle -- only the snapshot is closed; hProcess at [EBP-13C] is never closed (handle leak)
0047FB44 |. 8B85 C8FEFFFF |MOV EAX,DWORD PTR SS:[EBP-138] ; return result
0047FB4A |. EB 44 |JMP SHORT LWLaunch.0047FB90 ; -> epilogue
0047FB4C |> 8D85 D0FEFFFF |LEA EAX,DWORD PTR SS:[EBP-130] ; &pe32
0047FB52 |. 50 |PUSH EAX ; /pProcessentry
0047FB53 |. 8B8D CCFEFFFF |MOV ECX,DWORD PTR SS:[EBP-134] ; |
0047FB59 |. 51 |PUSH ECX ; |hSnapshot
0047FB5A |. E8 C9C70800 |CALL LWLaunch.0050C328 ; \Process32Next
0047FB5F |. 85C0 |TEST EAX,EAX ; more processes ?
0047FB61 |.^ 0F85 71FFFFFF \JNZ LWLaunch.0047FAD8 ; yes -> loop top
0047FB67 |. C785 C8FEFFFF>MOV DWORD PTR SS:[EBP-138],1 ; no match: result = 1 -- caller gets TRUE although no token was opened (looks like a bug, or a convention to confirm with the caller)
0047FB71 |. EB 0A JMP SHORT LWLaunch.0047FB7D
0047FB73 |> C785 C8FEFFFF>MOV DWORD PTR SS:[EBP-138],0 ; Process32First failed: result = 0
0047FB7D |> 8B95 CCFEFFFF MOV EDX,DWORD PTR SS:[EBP-134] ; hSnap
0047FB83 |. 52 PUSH EDX ; /hObject
0047FB84 |. FF15 34656700 CALL NEAR DWORD PTR DS:[676534] ; \CloseHandle
0047FB8A |. 8B85 C8FEFFFF MOV EAX,DWORD PTR SS:[EBP-138] ; EAX = result
0047FB90 |> 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] ; reload saved stack cookie
0047FB93 |. 33CD XOR ECX,EBP
0047FB95 |. E8 55240600 CALL LWLaunch.004E1FEF ; __security_check_cookie-style check -- confirm 004E1FEF
0047FB9A |. 8BE5 MOV ESP,EBP
0047FB9C |. 5D POP EBP
0047FB9D \. C3 RETN
翻译后的代码:
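/*
 * Translation of the routine at 0047FA40 above. This is a fragment: the
 * function header is not part of the listing, so the variables below live in
 * whatever function the reader wraps around them.
 *
 * Walks the Toolhelp process list, finds the first process whose image name
 * is "explorer.exe", opens it and returns a handle to its access token
 * (NULL on any failure).
 *
 * Deliberate differences from the disassembly:
 *  - the disassembly compares against its second argument after passing both
 *    strings through a helper at 004E2602 (presumably a case normaliser);
 *    here the name is hard-coded and compared case-insensitively.
 *  - the disassembly never checks OpenProcess() and never closes the process
 *    handle; both are fixed here.
 *  - the disassembly returns the BOOL from OpenProcessToken() and writes the
 *    token through an out-parameter; here the token itself is returned.
 *  - the disassembly leaks nothing on the Process32First failure path (it
 *    closes the snapshot at 0047FB7D); the earlier translation did leak it.
 */
HANDLE hProcess     = NULL;
HANDLE hProcessSnap = NULL;
HANDLE hToken       = NULL;
PROCESSENTRY32 pe32 = { 0 };

hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == INVALID_HANDLE_VALUE) {
    return NULL;
}

pe32.dwSize = sizeof(PROCESSENTRY32);   /* 0x128 in the disassembly */
if (!Process32First(hProcessSnap, &pe32)) {
    CloseHandle(hProcessSnap);          /* was leaked in the original translation */
    return NULL;
}

do {
    /* Image names are case-insensitive on Windows ("Explorer.EXE" is the same
     * process), and the disassembly normalises both strings before comparing,
     * so a plain strcmp() would miss legitimate matches. */
    if (_stricmp("explorer.exe", pe32.szExeFile) == 0) {
        /* PROCESS_QUERY_INFORMATION (0x400) is the process right that
         * OpenProcessToken() requires on hProcess. */
        hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE,
                               pe32.th32ProcessID);
        if (hProcess == NULL) {
            /* NOTE(review): this is the call the poster says is the problem.
             * Read GetLastError() right here, before any other call clobbers
             * it. ERROR_ACCESS_DENIED usually means the caller's token lacks
             * the rights or integrity level to open that process (e.g. a
             * service in another session without SeDebugPrivilege) -- confirm
             * in your setup. The disassembly passes a NULL handle on to
             * OpenProcessToken() instead of stopping here. */
            CloseHandle(hProcessSnap);
            return NULL;
        }

        /* 0xF01FF in the disassembly == TOKEN_ALL_ACCESS.
         * NOTE(review): request only the rights you will use; for
         * DuplicateTokenEx()/CreateProcessAsUser() that is typically
         * TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY. A full-access
         * request is the one most likely to be refused -- confirm against the
         * caller's needs. */
        if (!OpenProcessToken(hProcess, TOKEN_ALL_ACCESS, &hToken)) {
            hToken = NULL;   /* never hand back an indeterminate handle */
        }
        CloseHandle(hProcess);      /* the disassembly leaks this handle */
        CloseHandle(hProcessSnap);
        return hToken;
    }
} while (Process32Next(hProcessSnap, &pe32));

/* No match. The disassembly closes the snapshot and returns 1 here
 * (0047FB67..0047FB8A) even though no token was opened, which a caller can
 * mistake for success; returning NULL keeps "no token" unambiguous. */
CloseHandle(hProcessSnap);
return NULL;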
关键问题在于：遍历到 explorer.exe 进程后，使用 OpenProcess() 打开该进程的这一行代码。
请各位帮忙指点一二!!!