-
-
[讨论]监控Explorer的进程创建
-
发表于: 2007-10-28 11:01
-
小弟得知 NT 下Explorer 不是通过CreateProcessW 来创建进程的 而是通过 CreateProcessInternalW来建的于似忽小弟想控制它。。。。 R3下的 R0下我也没那实力
#include <windows.h>
#include <stdio.h>
PROC m_lpHookFunc;
HANDLE m_hProc;
BYTE m_OldFunc[8];
BYTE m_NewFunc[8];
void HookOneAPI(LPCTSTR ModuleName, LPCTSTR ApiName, FARPROC lpNewFunc);
void WINAPI SetHookOn();
void WINAPI SetHookOff();
void WINAPI ExampleJmp();
typedef BOOL (* CreateProcessHH)(HANDLE hToken,
LPCWSTR lpApplicationName,
LPWSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCWSTR lpCurrentDirectory,
LPSTARTUPINFOW lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation,
PHANDLE hNewToken);
int APIENTRY DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
UNREFERENCED_PARAMETER(lpReserved);
if (dwReason == DLL_PROCESS_ATTACH)
{
ExampleJmp();
}
else if (dwReason == DLL_PROCESS_DETACH)
{
SetHookOff();
}
return 1;
}
void HookOneAPI(LPCTSTR ModuleName, LPCTSTR ApiName, FARPROC lpNewFunc)
{
BYTE str[8] = { 0x0B8, 0x0, 0x0, 0x40, 0x0, 0x0FF, 0x0E0,0}; // mov eax,addr jmp eax
memcpy(m_NewFunc,str,8);
m_lpHookFunc = GetProcAddress(GetModuleHandle(ModuleName),ApiName);
m_hProc = GetCurrentProcess();
memcpy(m_OldFunc,(char *)m_lpHookFunc,8);
*(DWORD *)( m_NewFunc + 1 ) = (DWORD)lpNewFunc;
}
void WINAPI SetHookOn()
{
MEMORY_BASIC_INFORMATION mbi;
VirtualQuery(m_lpHookFunc,&mbi,sizeof(mbi));
VirtualProtect(m_lpHookFunc,sizeof(DWORD),PAGE_READWRITE,0);
DWORD dwOldFlag;
WriteProcessMemory(m_hProc, (void *)m_lpHookFunc,
(void *)m_NewFunc, 8,&dwOldFlag);
}
void WINAPI SetHookOff()
{
DWORD dwOldFlag;
WriteProcessMemory(m_hProc, (void *)m_lpHookFunc,
(void *)m_OldFunc, 8, &dwOldFlag);
}
BOOL WINAPI MyCreateProcess(HANDLE hToken,
LPCWSTR lpApplicationName,
LPWSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCWSTR lpCurrentDirectory,
LPSTARTUPINFOW lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation,
PHANDLE hNewToken)
{
BOOL BReturn=TRUE;
SetHookOff();
CreateProcessHH CreateProcessHHH=(CreateProcessHH)GetProcAddress(GetModuleHandle("Kernel32.dll"),"CreateProcessInternalW");
BReturn=CreateProcessHHH(hToken,lpApplicationName,lpCommandLine,lpProcessAttributes
,lpThreadAttributes,bInheritHandles,dwCreationFlags,lpEnvironment,lpCurrentDirectory,
lpStartupInfo,lpProcessInformation,hNewToken);
SetHookOn();
return BReturn;
}
BOOL UpPrivilege(HANDLE hprocess,LPCTSTR lpname) //提升进程权限 debug
{
HANDLE hToken;
TOKEN_PRIVILEGES Privileges;
LUID luid;
OpenProcessToken(hprocess,TOKEN_ADJUST_PRIVILEGES,&hToken);
Privileges.PrivilegeCount=1;
LookupPrivilegeValue(NULL,lpname,&luid);
Privileges.Privileges[0].Luid=luid;
Privileges.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
if(AdjustTokenPrivileges(hToken,FALSE,&Privileges,NULL,NULL,NULL)!=0)
return TRUE;
return FALSE;
}
void WINAPI ExampleJmp()
{
char privilege[]=SE_DEBUG_NAME;
HANDLE hprocess;
hprocess=GetCurrentProcess();
if(!UpPrivilege(hprocess,privilege)) //开始提权
{
exit(-1);
}
HookOneAPI("Kernel32.dll","CreateProcessInternalW",(FARPROC)MyCreateProcess);
SetHookOn();
}
问题: 为什么这样一写 Explorer 就崩溃了呢
|
|
|---|---|
