資源簡介
X64 inline hook explorer.exe-->CreateProcessInternalW監視進程創建.
vc2008+WIN7 64測試通過.

代碼片段和文件信息
#include?
#include?
#include?
#include?
#include?
#pragma?comment(lib?“shlwapi.lib“)
// Size in bytes of the absolute-jump patch written over the hooked export
// (2-byte `mov rax, imm64` opcode + 8-byte address + 2-byte `jmp rax`); it is
// also how many original bytes get saved and replayed from the trampoline.
#define?CODE_LEN?12
// Full path of the module hosting this DLL; filled by GetModuleFileName in
// DllMain and matched against the process names the hook is intended for.
TCHAR?ModuleFile[256];??
// Previous page protection returned by VirtualProtect while the export is
// made writable; passed back to restore it afterwards.
DWORD?dwOldProtect;
// The first CODE_LEN bytes of the hooked export, saved before patching and
// copied to the head of the trampoline. Only element 0 is 0x90 from the
// initializer (the rest is zero); the memcpy in DllMain overwrites all of it.
// NOTE(review): this is a raw byte slice — nothing checks that CODE_LEN ends
// on an instruction boundary or that the saved prefix is position-independent,
// so a prologue that does not meet that assumption breaks the trampoline and
// with it the host process.
BYTE?OldCode[CODE_LEN]?=?{0x90};
// Function-pointer type for kernel32's undocumented CreateProcessInternalW.
// NOTE(review): the parameter types are the TCHAR/ANSI-flavoured ones
// (LPCTSTR, LPTSTR, LPSTARTUPINFOA) although the export resolved in DllMain is
// the W variant; the string arguments only read correctly when the project is
// built UNICODE — confirm against the build settings.
typedef?HANDLE?(WINAPI?*__CreateProcessInternal)(HANDLE?hTokenLPCTSTR?lpApplicationNameLPTSTR?lpCommandLineLPSECURITY_ATTRIBUTES?lpProcessAttributesLPSECURITY_ATTRIBUTES?lpThreadAttributesBOOL?bInheritHandlesDWORD?dwCreationFlagsLPVOID?lpEnvironmentLPCTSTR?lpCurrentDirectoryLPSTARTUPINFOA?lpStartupInfoLPPROCESS_INFORMATION?lpProcessInformationPHANDLE?hNewToken);
// Initially NULL. After DllMain patches the export it points at the
// trampoline (saved prologue bytes + jump back into the original), which is
// what the detour forwards to. Unsynchronised global, written once at attach.
__CreateProcessInternal?pfnCreateProcess?=?0;
// Detour body for the hooked kernel32!CreateProcessInternalW. It runs on the
// caller's thread inside the host process (DllMain installs it only when the
// host is explorer.exe) for every process-creation request: it displays the
// command line, then forwards the call unchanged through pfnCreateProcess.
//
// Parameters and return value are those of the hooked export; every argument
// is passed through untouched and the original's result is returned as-is.
//
// NOTE(review): MessageBox is modal and owner-less, so the calling thread in
// the host blocks until the dialog is dismissed — each process launch from the
// host stalls for that long. lpCommandLine / lpApplicationName may be NULL for
// this API; MessageBox tolerates that but then shows empty text.
// NOTE(review): pfnCreateProcess is assumed non-NULL here; it is only assigned
// on the explorer.exe path of DllMain and nothing guards the call.
// From the defender's side this is a plain user-mode inline hook: the first
// bytes of an exported kernel32 function in the host no longer match the
// on-disk image, which integrity checks of loaded modules can pick up.
HANDLE?WINAPI?FakeCreateProcessInternal(HANDLE?hTokenLPCTSTR?lpApplicationNameLPTSTR?lpCommandLineLPSECURITY_ATTRIBUTES?lpProcessAttributesLPSECURITY_ATTRIBUTES?lpThreadAttributesBOOL?bInheritHandlesDWORD?dwCreationFlagsLPVOID?lpEnvironmentLPCTSTR?lpCurrentDirectoryLPSTARTUPINFOA?lpStartupInfoLPPROCESS_INFORMATION?lpProcessInformationPHANDLE?hNewToken)
{
// Body text = command line, caption = application name.
MessageBox(NULL?lpCommandLine?lpApplicationName?MB_ICONASTERISK);
// Continue into the original via the trampoline; no argument is modified.
return?pfnCreateProcess(hToken?lpApplicationName?lpCommandLine?lpProcessAttributes?lpThreadAttributes?bInheritHandles?dwCreationFlags?lpEnvironment?lpCurrentDirectory?lpStartupInfo?lpProcessInformation?hNewToken);
}
BOOL?WINAPI?DllMain(HINSTANCE?hinstDLL??//?handle?to?DLL?module
????DWORD?fdwReason?????//?reason?for?calling?function
????LPVOID?lpReserved?)??//?reserved
{
switch(?fdwReason?)?
{?
case?DLL_PROCESS_ATTACH:
::DisableThreadLibraryCalls(hinstDLL);
GetModuleFileName(NULL?ModuleFile?_countof(ModuleFile));??
if?(StrRStrI(ModuleFile?0?TEXT(“explorer.exe“)))
{
pfnCreateProcess?=?(__CreateProcessInternal)GetProcAddress(GetModuleHandle(TEXT(“kernel32.dll“))?“CreateProcessInternalW“);
::VirtualProtect(pfnCreateProcess?CODE_LEN?PAGE_EXECUTE_READWRITE?&dwOldProtect);
memcpy(OldCode?pfnCreateProcess?CODE_LEN);
memset(pfnCreateProcess?0x90?CODE_LEN);
/*
mov?rax?FakeCreateProcessInternal
jmp?rax
*/
*(LPWORD)pfnCreateProcess?=?0xb848;
*(INT64*)((INT64)pfnCreateProcess+2)?=?(INT64)FakeCreateProcessInternal;
*(LPWORD)((INT64)pfnCreateProcess+10)?=?0xe0ff;
::VirtualProtect(pfnCreateProcess?CODE_LEN?dwOldProtect?NULL);
pfnCreateProcess?=?(__CreateProcessInternal)VirtualAlloc(NULL?CODE_LEN+12?MEM_COMMIT?PAGE_EXECUTE_READWRITE);
memcpy(pfnCreateProcess?OldCode?CODE_LEN);
/*
mov?rbx?CreateProcessInternalW?+?CODE_LEN
jmp?rbx
*/
*(LPWORD)((INT64)pfnCreateProcess+CODE_LEN)?=?0xb848;
*(INT64*)((INT64)pfnCreateProcess+CODE_LEN+2)?=?(INT64)GetProcAddress(GetModuleHandle(TEXT(“kernel32.dll“))?“CreateProcessInternalW“)+CODE_LEN;
*(LPWORD)((INT64)pfnCreateProcess+CODE_LEN+10)?=?0xe0ff;
}
else?if?(StrRStrI(ModuleFile?0?TEXT(“Rundll32.exe“)))??
{??
DWORD?dwProcessId?=?0;??
HANDLE?hProcess?=?0;???
HWND?
 屬性            大小     日期    時間   名稱
----------- ---------  ---------- -----  ----
     文件       4608  2013-11-24 13:53  X64Dll\x64\Release\X64Dll.dll
     文件        660  2013-11-24 13:29  X64Dll\x64\Release\X64Dll.dll.manifest
     文件        700  2013-11-24 13:53  X64Dll\x64\Release\X64Dll.exp
     文件       1716  2013-11-24 13:53  X64Dll\x64\Release\X64Dll.lib
     文件     117760  2013-11-24 13:53  X64Dll\x64\Release\X64Dll.pdb
     文件       4201  2013-11-24 13:53  X64Dll\X64Dll\1.cpp
     文件       7221  2013-11-24 00:54  X64Dll\X64Dll\X64Dll.vcproj
     文件       2563  2013-11-24 14:14  X64Dll\X64Dll\X64Dll.vcproj.zwf-PC.Administrator.user
     文件       1238  2013-11-23 17:50  X64Dll\X64Dll.sln
    ..A..H.     24064  2013-11-24 14:14  X64Dll\X64Dll.suo
     目錄          0  2013-11-24 13:29  X64Dll\x64\Release
     目錄          0  2013-11-24 14:14  X64Dll\X64Dll\x64
     目錄          0  2013-11-24 14:15  X64Dll\x64
     目錄          0  2013-11-24 13:53  X64Dll\X64Dll
     目錄          0  2013-11-24 14:14  X64Dll
----------- ---------  ---------- -----  ----
               164731                    15