-
-
[讨论]监控Explorer的进程创建
-
发表于: 2007-10-28 11:01
-
小弟得知 NT 下Explorer 不是通过CreateProcessW 来创建进程的 而是通过 CreateProcessInternalW来建的于似忽小弟想控制它。。。。 R3下的 R0下我也没那实力
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 | #include <windows.h>#include <stdio.h>PROC m_lpHookFunc; HANDLE m_hProc;BYTE m_OldFunc[8]; BYTE m_NewFunc[8];void HookOneAPI(LPCTSTR ModuleName, LPCTSTR ApiName, FARPROC lpNewFunc);void WINAPI SetHookOn();void WINAPI SetHookOff();void WINAPI ExampleJmp();typedef BOOL (* CreateProcessHH)(HANDLE hToken, LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation, PHANDLE hNewToken);int APIENTRY DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved){ UNREFERENCED_PARAMETER(lpReserved); if (dwReason == DLL_PROCESS_ATTACH) { ExampleJmp(); } else if (dwReason == DLL_PROCESS_DETACH) { SetHookOff(); } return 1; } void HookOneAPI(LPCTSTR ModuleName, LPCTSTR ApiName, FARPROC lpNewFunc){ BYTE str[8] = { 0x0B8, 0x0, 0x0, 0x40, 0x0, 0x0FF, 0x0E0,0}; // mov eax,addr jmp eax memcpy(m_NewFunc,str,8); m_lpHookFunc = GetProcAddress(GetModuleHandle(ModuleName),ApiName); m_hProc = GetCurrentProcess(); memcpy(m_OldFunc,(char *)m_lpHookFunc,8); *(DWORD *)( m_NewFunc + 1 ) = (DWORD)lpNewFunc; }void WINAPI SetHookOn(){ MEMORY_BASIC_INFORMATION mbi; VirtualQuery(m_lpHookFunc,&mbi,sizeof(mbi)); VirtualProtect(m_lpHookFunc,sizeof(DWORD),PAGE_READWRITE,0); DWORD dwOldFlag; WriteProcessMemory(m_hProc, (void *)m_lpHookFunc, (void *)m_NewFunc, 8,&dwOldFlag); }void WINAPI SetHookOff(){ DWORD dwOldFlag; WriteProcessMemory(m_hProc, (void *)m_lpHookFunc, (void *)m_OldFunc, 8, &dwOldFlag);}BOOL WINAPI MyCreateProcess(HANDLE hToken, LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation, PHANDLE hNewToken){ BOOL BReturn=TRUE; SetHookOff(); CreateProcessHH CreateProcessHHH=(CreateProcessHH)GetProcAddress(GetModuleHandle("Kernel32.dll"),"CreateProcessInternalW"); BReturn=CreateProcessHHH(hToken,lpApplicationName,lpCommandLine,lpProcessAttributes ,lpThreadAttributes,bInheritHandles,dwCreationFlags,lpEnvironment,lpCurrentDirectory, lpStartupInfo,lpProcessInformation,hNewToken); SetHookOn(); return BReturn;} BOOL UpPrivilege(HANDLE hprocess,LPCTSTR lpname) //提升进程权限 debug{ HANDLE hToken; TOKEN_PRIVILEGES Privileges; LUID luid; OpenProcessToken(hprocess,TOKEN_ADJUST_PRIVILEGES,&hToken); Privileges.PrivilegeCount=1; LookupPrivilegeValue(NULL,lpname,&luid); Privileges.Privileges[0].Luid=luid; Privileges.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED; if(AdjustTokenPrivileges(hToken,FALSE,&Privileges,NULL,NULL,NULL)!=0) return TRUE; return FALSE;}void WINAPI ExampleJmp(){ char privilege[]=SE_DEBUG_NAME; HANDLE hprocess; hprocess=GetCurrentProcess(); if(!UpPrivilege(hprocess,privilege)) //开始提权 { exit(-1); } HookOneAPI("Kernel32.dll","CreateProcessInternalW",(FARPROC)MyCreateProcess); SetHookOn();} |
问题: 为什么这样一写 Explorer 就崩溃了呢
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
