SetWindowsHookEx
// inject.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <windows.h>
#include <tlhelp32.h>
// Entry point: enables SeDebugPrivilege on the current process token, finds the
// first process whose image name is winlogon.exe in a Toolhelp snapshot, and
// starts a remote thread in it at Kernel32!LoadLibraryW with the path
// "<current directory>\dll1.dll" as the argument. argc/argv are not used.
// Returns 0 unconditionally; success or failure is reported only via MessageBox.
// From a detection standpoint every step below is a classic telemetry point:
// privilege adjustment, a process handle opened with PROCESS_CREATE_THREAD |
// PROCESS_VM_WRITE, a cross-process allocation + write, and a remote thread
// whose start address is LoadLibraryW.
int main(int argc, char* argv[])
{
HANDLE hToken,hProcess;
TOKEN_PRIVILEGES tp;
char *pSEDEBUG="SeDebugPrivilege";
// Step 1: enable SeDebugPrivilege so OpenProcess on a system process can succeed.
// None of the three calls below has its return value checked, so a failure
// (e.g. running without the privilege in the token) is only noticed later.
hProcess=GetCurrentProcess();
OpenProcessToken(hProcess,TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken);
LookupPrivilegeValue(NULL,pSEDEBUG,&tp.Privileges[0].Luid);
tp.PrivilegeCount=1;
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken,FALSE,&tp,NULL,NULL,NULL);
// Step 2: locate the target PID by walking a process snapshot.
// NOTE: pid is only assigned inside the loop; if no winlogon.exe entry is
// found it is used uninitialized in OpenProcess below.
DWORD pid;
HANDLE hSnapshot = NULL;
hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
PROCESSENTRY32 pe;
pe.dwSize = sizeof(PROCESSENTRY32);
Process32First(hSnapshot,&pe); // return value unchecked
do
{
if(stricmp(pe.szExeFile,"winlogon.exe")==0) //....... case-insensitive image-name match
{
pid = pe.th32ProcessID;
break;
}
}
while(Process32Next(hSnapshot,&pe)==TRUE);
CloseHandle (hSnapshot); // the only handle this function closes; hToken stays open
////////////////////////////////////////////////////////////
// Inject the DLL into the explorer.exe process //
// (original comment says explorer.exe, but the loop above //
// matches winlogon.exe -- the comment is stale) //
////////////////////////////////////////////////////////////
PWSTR pszLibFileRemote = NULL;
HANDLE hRemoteProcess = NULL,hRemoteThread = NULL;
// Step 3: open the target with exactly the rights the remaining calls need.
// hRemoteProcess is not checked for NULL and is never closed.
hRemoteProcess = OpenProcess(
PROCESS_QUERY_INFORMATION | // Required by Alpha
PROCESS_CREATE_THREAD | // For CreateRemoteThread
PROCESS_VM_OPERATION | // For VirtualAllocEx/VirtualFreeEx
PROCESS_VM_WRITE, // For WriteProcessMemory
FALSE, pid);
// Step 4: build the DLL path as <current directory>\dll1.dll (ANSI), then
// convert it to UTF-16 because the remote entry point is LoadLibraryW.
char CurPath[256]={0};
//strcpy(CurPath,argv[1]);
//GetSystemDirectory(CurPath,256);
GetCurrentDirectory(256,CurPath);
lstrcat(CurPath,"\\dll1.dll");
// len is the byte size of the wide string assuming one WCHAR per ANSI byte
// (including the terminator); this presumably undercounts nothing for
// single-byte paths, but MultiByteToWideChar may produce a different length
// for multi-byte characters -- verify if non-ASCII paths are expected.
int len = (strlen(CurPath)+1)*2;
WCHAR wCurPath[256];
MultiByteToWideChar(CP_ACP,0,wCurPath==NULL?NULL:CurPath,-1,wCurPath,256);
// Step 5: copy the wide path into the target's address space. The allocation
// is never freed and the VirtualAllocEx result is not checked for NULL.
pszLibFileRemote = (PWSTR)
VirtualAllocEx(hRemoteProcess, NULL, len, MEM_COMMIT, PAGE_READWRITE);
// ret is assigned but never read, so a failed write is not detected here.
bool ret=WriteProcessMemory(hRemoteProcess, pszLibFileRemote,
(PVOID) wCurPath, len, NULL);
// Step 6: resolve LoadLibraryW in this process; the address is reused in the
// target, which relies on Kernel32 being mapped at the same base there.
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
hRemoteThread = CreateRemoteThread(hRemoteProcess, NULL, 0, pfnThreadRtn, pszLibFileRemote, 0, NULL);
// Only thread creation is reported; whether LoadLibraryW itself succeeded in
// the target is never checked (no WaitForSingleObject / GetExitCodeThread),
// and hRemoteThread is never closed.
if(!hRemoteThread)
MessageBox(NULL,"ERROR","",0);
else
MessageBox(NULL,"OK","",0);
Sleep(4000); // fixed delay before exit; no synchronisation with the remote thread
return 0;
}
////////http://virvir.bolgbus.com
/////414947531
无法断在CreateRemoteThread中.
无法断在CreateRemoteThread中.是否EncryptPE不使用该注入方法.
看二楼的~~
也断不下来,不是说不用全局钩子了吗?
V22006以后的版本好像都是使用SetWindowsHookEx来注入EPE模块的.呵呵,具体方法可以参见《核心编程》中的DLL注入方法。上面甚至有例子,同样是注入explorer.我怀疑老王直接从上面copy代码。哈哈。