// Call GetServicePid("dnscache") to obtain the PID of the process hosting the
// dnscache service, then inject into that process.
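/*
 * Look up the process ID that currently hosts a Windows service.
 *
 * lpSrvName: the service's internal (key) name, e.g. "dnscache".
 * Returns the PID reported by the Service Control Manager, or 0 when
 * lpSrvName is NULL, the SCM cannot be opened, the service does not exist,
 * or the status query fails.  A service that is not running reports
 * dwProcessId == 0 as well, so 0 always means "nothing to inject into".
 *
 * Only the rights actually used are requested: SC_MANAGER_CONNECT on the
 * manager and SERVICE_QUERY_STATUS on the service.  The original asked for
 * SC_MANAGER_ALL_ACCESS, which fails for non-administrators even though a
 * status query never needs it.
 *
 * Fixes over the original: handles are compared against NULL instead of the
 * bogus "(INT64)h <= 0" test, and hSCManager is no longer leaked when
 * OpenServiceA fails.
 */
DWORD GetServicePid(LPCSTR lpSrvName)
{
    DWORD pid = 0;
    SC_HANDLE hSCManager = NULL;
    SC_HANDLE hSrv = NULL;
    SERVICE_STATUS_PROCESS info;
    DWORD bytesNeeded = 0;

    if (lpSrvName == NULL) {
        return 0;
    }

    hSCManager = OpenSCManagerA(NULL, NULL, SC_MANAGER_CONNECT);
    if (hSCManager == NULL) {
        return 0;
    }

    hSrv = OpenServiceA(hSCManager, lpSrvName, SERVICE_QUERY_STATUS);
    if (hSrv == NULL) {
        goto out_manager;   /* the original returned here without closing hSCManager */
    }

    if (QueryServiceStatusEx(hSrv, SC_STATUS_PROCESS_INFO, (LPBYTE)&info,
                             sizeof info, &bytesNeeded)) {
        pid = info.dwProcessId;
    }

    CloseServiceHandle(hSrv);
out_manager:
    CloseServiceHandle(hSCManager);
    return pid;
}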
/* Calling signature assumed for dnsapi!Query_Main: four integer-class
 * arguments (RCX, RDX, R8, R9 on x64), the first of which is treated as a
 * pointer to an array of QWORDs.  NOTE(review): Query_Main is undocumented;
 * this prototype is the author's reverse-engineered guess, not an SDK
 * declaration -- confirm it on every Windows build you target. */
typedef ULONG64 (WINAPI *Query_MainT)(PULONG64 a1, ULONG64 a2, ULONG64 a3, ULONG64 a4);
/* Address of the original Query_Main, filled in by HOOK_Query_Main and used
 * by NewQuery_Main to forward the queries it does not rewrite. */
Query_MainT oldQuery_Main;
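/*
 * Replacement for dnsapi!Query_Main, installed by HOOK_Query_Main.
 *
 * a1 is the first argument (RCX on x64) that dnsrslvr passes in.  Per the
 * author's observation on Windows 7, its first three QWORDs hold three
 * identical pointers to the wide-string name being resolved, at offset +0.
 * NOTE(review): that layout is build-specific -- the offsets differ on other
 * Windows versions, so re-verify them before using this elsewhere.
 *
 * Behaviour: if the queried name contains "baidu.com", all three slots are
 * pointed at the static wide string "pediy.com" and 0 is returned WITHOUT
 * calling the original Query_Main.  Every other call is forwarded unchanged.
 * NOTE(review): whether returning 0 makes dnsrslvr re-issue the query with
 * the rewritten name, or simply drops the query, is not established by this
 * code -- verify against the caller.
 *
 * Fix over the original: a NULL a1 or a NULL name pointer is forwarded to
 * the original instead of being handed to wcsstr(); a fault here crashes
 * the entire service host process, not just the hook.
 */
ULONG64 WINAPI NewQuery_Main(PULONG64 a1 /* rcx */, ULONG64 a2, ULONG64 a3, ULONG64 a4)
{
    /* Static storage: the pointer stored back into a1[] must outlive this
     * call (it stays valid as long as this DLL remains loaded). */
    static const wchar_t url[]    = L"baidu.com";
    static const wchar_t newurl[] = L"pediy.com";
    const wchar_t *name;

    if (a1 == NULL || a1[0] == 0) {
        return oldQuery_Main(a1, a2, a3, a4);
    }

    name = (const wchar_t *)a1[0];
    if (wcsstr(name, url) == NULL) {
        return oldQuery_Main(a1, a2, a3, a4);
    }

    /* All three observed copies of the name pointer are redirected so the
     * caller sees a consistent value whichever one it reads. */
    a1[0] = (ULONG64)newurl;
    a1[1] = (ULONG64)newurl;
    a1[2] = (ULONG64)newurl;
    return 0;
}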
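/*
 * Redirect dnsrslvr's calls to dnsapi!Query_Main into NewQuery_Main.
 *
 * Must run inside the process that has dnsrslvr.dll loaded (the dnscache
 * service host).  Instead of walking dnsrslvr's import table for the
 * Query_Main entry, this scans the whole dnsrslvr image for an 8-byte slot
 * holding Query_Main's address and overwrites the first match.  The author
 * notes this is fragile across Windows builds; a proper IAT walk
 * (IMAGE_DIRECTORY_ENTRY_IMPORT -> "dnsapi.dll" -> "Query_Main") would be
 * the robust replacement.
 *
 * Fixes over the original:
 *  - GetModuleHandleA/GetProcAddress results are checked.  The original
 *    never checked oldQuery_Main; when GetProcAddress failed it was NULL,
 *    the scan then matched the first zero QWORD in the image and patched
 *    that instead of the real pointer.
 *  - The scan is bounded by SizeOfImage from the PE header rather than
 *    running up to 0x1000000 QWORDs past the base, which could walk into
 *    whatever mapping follows the module.  IsBadReadPtr (deprecated) is
 *    kept only to skip unreadable pages inside that range.
 *  - VirtualProtect is checked, covers exactly the slot being written
 *    instead of 100 bytes, and the original page protection is restored
 *    afterwards so the page is not left permanently writable.
 *
 * No return value, as in the original; failure leaves oldQuery_Main NULL
 * and nothing patched.
 */
void HOOK_Query_Main(void)
{
    HMODULE dnsapi = GetModuleHandleA("dnsapi.dll");
    HMODULE dnsrslvr = GetModuleHandleA("dnsrslvr.DLL");
    const BYTE *base;
    const IMAGE_DOS_HEADER *dos;
    const IMAGE_NT_HEADERS *nt;
    PULONG64 slots;
    SIZE_T nslots;
    SIZE_T i;
    ULONG64 target;

    if (dnsapi == NULL || dnsrslvr == NULL) {
        return;
    }

    oldQuery_Main = (Query_MainT)GetProcAddress(dnsapi, "Query_Main");
    if (oldQuery_Main == NULL) {
        return;
    }

    /* Bound the scan by the mapped image size taken from the PE headers. */
    base = (const BYTE *)dnsrslvr;
    dos = (const IMAGE_DOS_HEADER *)base;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE) {
        return;
    }
    nt = (const IMAGE_NT_HEADERS *)(base + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE) {
        return;
    }

    slots = (PULONG64)dnsrslvr;
    nslots = nt->OptionalHeader.SizeOfImage / sizeof(ULONG64);
    target = (ULONG64)oldQuery_Main;

    for (i = 0; i < nslots; i++) {
        DWORD oldProtect = 0;

        /* Skip (rather than abort on) pages that are not readable. */
        if (IsBadReadPtr(&slots[i], sizeof slots[i])) {
            continue;
        }
        if (slots[i] != target) {
            continue;
        }

        if (!VirtualProtect(&slots[i], sizeof slots[i], PAGE_READWRITE, &oldProtect)) {
            return;
        }
        slots[i] = (ULONG64)NewQuery_Main;
        VirtualProtect(&slots[i], sizeof slots[i], oldProtect, &oldProtect);
        /* Only the first match is patched, as in the original. */
        break;
    }
}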