应用层隐藏服务的项目
// *****************************************************************************//
//
// 文件名: AgentHk.cpp
// 所属项目名称:
// 所属模块名称: AGENT Service Hook
// 所属项目版本: 2.0
// 文件用途 :
// 文件作者 : horse_b
// 创建日期 : 2004-11-30
//
// 文件修改说明:
// 文件修改人:
// 修改日期:
//
//
//
//********************************************************************************//
#include <stdio.h>
#include <tchar.h> // Make program ansi AND unicode safe
#include <windows.h> // Most Windows functions
#include <commctrl.h> // Used for TreeView controls
#include <setupapi.h> // Used for SetupDiXxx functions
#include <basetsd.h>
#include <cfgmgr32.h> // Used for CM_Xxxx functions
#include <regstr.h> // Extract Registry Strings
#include <devguid.h>
//API HOOK方式
#define APIHOOK16
#ifdef APIHOOK16
#include "apihook16.h"
#define CAPIHook CAPIHook16
#else
#include "apihook32.h"
#define CAPIHook CAPIHook32
#endif
#pragma comment(lib, "setupapi.lib")
#pragma comment(lib, "advapi32.lib")
// Prototypes of the detour functions that replace the setupapi.dll export.
// The ANSI variant below is kept for reference only; it is never hooked.
/*
BOOL
WINAPI
mySetupDiSetClassInstallParamsA(
IN HDEVINFO DeviceInfoSet,
IN PSP_DEVINFO_DATA DeviceInfoData,
IN PSP_CLASSINSTALL_HEADER ClassInstallParams,
IN DWORD ClassInstallParamsSize
);
*/
// Detour for setupapi!SetupDiSetClassInstallParamsW (same signature as the export).
BOOL
WINAPI
mySetupDiSetClassInstallParamsW(
IN HDEVINFO DeviceInfoSet,
IN PSP_DEVINFO_DATA DeviceInfoData,
IN PSP_CLASSINSTALL_HEADER ClassInstallParams,
IN DWORD ClassInstallParamsSize
);
// Hook object that redirects setupapi!SetupDiSetClassInstallParamsW to the detour above.
// Whether CAPIHook patches anything at construction or only on Hook(TRUE) is decided
// in apihook16.h/apihook32.h (not shown); DllMain calls HookAll(TRUE) explicitly.
CAPIHook g_hook_setupapi_paramsw("setupapi.dll", "SetupDiSetClassInstallParamsW", (FARPROC)mySetupDiSetClassInstallParamsW);
//CAPIHook g_hook_setupapi_paramsa("setupapi.dll", "SetupDiSetClassInstallParamsA", (FARPROC)mySetupDiSetClassInstallParamsA);
// Detour for advapi32!ChangeServiceConfigW (same signature as the export).
// Note that lpPassword carries a service-account password in clear; the detour
// must pass it through untouched and never trace it.
BOOL
WINAPI
myChangeServiceConfigW(
SC_HANDLE hService,
DWORD dwServiceType,
DWORD dwStartType,
DWORD dwErrorControl,
LPCWSTR lpBinaryPathName,
LPCWSTR lpLoadOrderGroup,
LPDWORD lpdwTagId,
LPCWSTR lpDependencies,
LPCWSTR lpServiceStartName,
LPCWSTR lpPassword,
LPCWSTR lpDisplayName
);
//CAPIHook g_hook_advapi32_ChangeA("advapi32.dll", "ChangeServiceConfigA", (FARPROC)myChangeServiceConfigA);
// Hook object that redirects advapi32!ChangeServiceConfigW to the detour above.
CAPIHook g_hook_advapi32_ChangeW("advapi32.dll", "ChangeServiceConfigW", (FARPROC)myChangeServiceConfigW);
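// Convert a wide string to a narrow string in the current C locale.
//
// Returns a heap buffer that the caller releases with delete[], or NULL when
// lpcsUnicode is NULL or the text cannot be represented in the current
// locale (wcstombs reports (size_t)-1).
//
// Fixes relative to the original: the (size_t)-1 failure value was cast to a
// DWORD and used as an allocation size and index, and the terminator was
// written with the multi-character constant '/0' instead of '\0'.
LPSTR WideStringToAnsiString(LPCWSTR lpcsUnicode)
{
    if (lpcsUnicode == NULL)
        return NULL;

    // First pass: measure the converted length, excluding the terminator.
    size_t cbNeeded = wcstombs(NULL, lpcsUnicode, 0);
    if (cbNeeded == (size_t)-1)
        return NULL;

    LPSTR lpAnsiString = new char[cbNeeded + 1];

    // Second pass: convert into the buffer.  With the limit set to the
    // measured length wcstombs writes no terminator, so add it explicitly.
    size_t rc = wcstombs(lpAnsiString, lpcsUnicode, cbNeeded);
    if (rc == (size_t)-1) {
        delete[] lpAnsiString;
        return NULL;
    }
    lpAnsiString[cbNeeded] = '\0';
    return lpAnsiString;
}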
// Trace sink used by the detours.  Logging is compiled out in this build:
// the call sites stay so tracing can be re-enabled later (the disabled
// implementation appended each message, prefixed with the host module path,
// to a fixed log file), but here fmt and its arguments are discarded.
void WriteLog(char *fmt, ...)
{
    (void)fmt;
}
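// Device setup classes whose class-install requests this hook neutralises.
// A SetupDiSetClassInstallParamsW call aimed at a device of one of these
// classes has the caller's parameters replaced with a harmless DIF_DETECT,
// so property changes (e.g. enable/disable from Device Manager) never reach
// the class installer.
static const GUID *const g_guardedDeviceClasses[] = {
    &GUID_DEVCLASS_NET,
    &GUID_DEVCLASS_PCMCIA,
    &GUID_DEVCLASS_CDROM,
    &GUID_DEVCLASS_PORTS,
    &GUID_DEVCLASS_USB,
    &GUID_DEVCLASS_PRINTER,
    &GUID_DEVCLASS_1394,
    &GUID_DEVCLASS_MODEM,
    &GUID_DEVCLASS_FLOPPYDISK,
    &GUID_DEVCLASS_INFRARED,
    &GUID_DEVCLASS_SCSIADAPTER,
    &GUID_DEVCLASS_DISKDRIVE,
};

// TRUE when classGuid is one of the guarded setup classes.
static BOOL IsGuardedDeviceClass(const GUID &classGuid)
{
    const size_t count = sizeof(g_guardedDeviceClasses) / sizeof(g_guardedDeviceClasses[0]);
    for (size_t i = 0; i < count; ++i) {
        if (InlineIsEqualGUID(classGuid, *g_guardedDeviceClasses[i]))
            return TRUE;
    }
    return FALSE;
}

// Detour for setupapi!SetupDiSetClassInstallParamsW.
//
// Forwards the call unchanged unless DeviceInfoData names a device of a
// guarded class; in that case the caller's ClassInstallParams are ignored and
// a global DIF_DETECT with StateChange 0 is set instead.  Returns whatever the
// real export returns.
//
// Fix relative to the original: DeviceInfoData is documented as optional for
// this API (NULL addresses the device information set itself), and the
// original dereferenced it unconditionally, faulting inside the host process.
//
// NOTE(review): under APIHOOK16 both hooks are lifted while the real export
// runs (presumably because this CAPIHook variant also intercepts calls made
// from within this module; apihook16.h is not shown).  If that patching is
// process-wide, another thread calling either hooked export in that window
// bypasses the protection.
BOOL
WINAPI
mySetupDiSetClassInstallParamsW(
IN HDEVINFO DeviceInfoSet,
IN PSP_DEVINFO_DATA DeviceInfoData,
IN PSP_CLASSINSTALL_HEADER ClassInstallParams,
IN DWORD ClassInstallParamsSize
)
{
    BOOL ret = FALSE;
#ifdef APIHOOK16
    g_hook_setupapi_paramsw.Hook(FALSE);
    g_hook_advapi32_ChangeW.Hook(FALSE);
#endif
    if (DeviceInfoData != NULL && IsGuardedDeviceClass(DeviceInfoData->ClassGuid)) {
        WriteLog("SetupDiCallClassInstaller hook\n");
        // Only cbSize is set by the initializer; the rest is filled below.
        SP_PROPCHANGE_PARAMS PropChangeParams = {sizeof(SP_CLASSINSTALL_HEADER)};
        PropChangeParams.ClassInstallHeader.InstallFunction = DIF_DETECT;
        PropChangeParams.Scope = DICS_FLAG_GLOBAL;
        PropChangeParams.StateChange = 0x0;
        ret = SetupDiSetClassInstallParamsW(DeviceInfoSet, DeviceInfoData,
                                            (SP_CLASSINSTALL_HEADER *)&PropChangeParams,
                                            sizeof(PropChangeParams));
    } else {
        ret = SetupDiSetClassInstallParamsW(DeviceInfoSet, DeviceInfoData,
                                            ClassInstallParams,
                                            ClassInstallParamsSize);
    }
#ifdef APIHOOK16
    g_hook_setupapi_paramsw.Hook(TRUE);
    g_hook_advapi32_ChangeW.Hook(TRUE);
#endif
    return ret;
}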
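// Services this agent refuses to let the host process (e.g. the services
// MMC snap-in) demote.  Matching is a case-sensitive substring search over
// the ANSI conversion of lpDisplayName, so any service whose display name
// merely contains one of these strings is treated as protected.
struct ProtectedService {
    const char *displayNameNeedle; // substring looked for in the display name
    BOOL bAlwaysAutoStart;         // TRUE: forward SERVICE_AUTO_START whatever was requested
};
static const ProtectedService g_protectedServices[] = {
    { "Cns Agent",    TRUE  },
    { "HookNdis",     FALSE },
    { "Hooktdi",      FALSE },
    { "Hideprocess",  FALSE },
    { "ZzFilesensor", FALSE },
    { "Zzregsensor",  FALSE },
};

// Start type actually forwarded for a protected service.
// For the driver-style entries the original rule is kept verbatim: a request
// for SERVICE_AUTO_START passes, anything else -- including SERVICE_NO_CHANGE,
// i.e. "leave the start type alone" -- is answered with SERVICE_SYSTEM_START.
static DWORD ProtectedStartType(const ProtectedService &svc, DWORD dwRequested)
{
    if (svc.bAlwaysAutoStart)
        return SERVICE_AUTO_START;
    return (dwRequested != SERVICE_AUTO_START) ? SERVICE_SYSTEM_START : SERVICE_AUTO_START;
}

// Detour for advapi32!ChangeServiceConfigW.
//
// Forwards every call to the real export, overriding only dwStartType for
// the protected services above.  All other arguments, including lpPassword,
// pass through untouched and must never be written to the trace log.
// Returns whatever the real export returns.
//
// Fixes relative to the original: lpDisplayName is optional, and a NULL name
// was converted to NULL and handed straight to strstr, faulting inside the
// host process (the guard existed but was commented out); a NULL or
// unconvertible display name is now simply "not protected".  The six
// copy-pasted branches are collapsed into the table above.
//
// NOTE(review): under APIHOOK16 both hooks are lifted around the real call.
// If CAPIHook16 patches process-wide state, another thread calling
// ChangeServiceConfigW in that window bypasses the protection.  This is a
// user-mode hook in the injected process only; any other process (or a
// direct registry edit) is not covered.
BOOL
WINAPI
myChangeServiceConfigW(
SC_HANDLE hService,
DWORD dwServiceType,
DWORD dwStartType,
DWORD dwErrorControl,
LPCWSTR lpBinaryPathName,
LPCWSTR lpLoadOrderGroup,
LPDWORD lpdwTagId,
LPCWSTR lpDependencies,
LPCWSTR lpServiceStartName,
LPCWSTR lpPassword,
LPCWSTR lpDisplayName
)
{
#ifdef APIHOOK16
    g_hook_advapi32_ChangeW.Hook(FALSE);
    g_hook_setupapi_paramsw.Hook(FALSE);
#endif
    DWORD dwEffectiveStartType = dwStartType;
    const ProtectedService *pMatch = NULL;

    // Table order is the original if/else order, so the first needle that
    // appears in the display name wins.
    LPSTR lpDisplay = WideStringToAnsiString(lpDisplayName);
    if (lpDisplay != NULL) {
        const size_t count = sizeof(g_protectedServices) / sizeof(g_protectedServices[0]);
        for (size_t i = 0; i < count; ++i) {
            if (strstr(lpDisplay, g_protectedServices[i].displayNameNeedle) != NULL) {
                pMatch = &g_protectedServices[i];
                break;
            }
        }
        delete[] lpDisplay;
    }

    if (pMatch != NULL) {
        WriteLog("ChangeServiceConfigW hook :%s:no_change:\n", pMatch->displayNameNeedle);
        dwEffectiveStartType = ProtectedStartType(*pMatch, dwStartType);
    } else {
        WriteLog("ChangeServiceConfigW hook \n");
    }

    BOOL ret = ChangeServiceConfigW(
        hService,
        dwServiceType,
        dwEffectiveStartType,
        dwErrorControl,
        lpBinaryPathName,
        lpLoadOrderGroup,
        lpdwTagId,
        lpDependencies,
        lpServiceStartName,
        lpPassword,
        lpDisplayName);

#ifdef APIHOOK16
    g_hook_advapi32_ChangeW.Hook(TRUE);
    g_hook_setupapi_paramsw.Hook(TRUE);
#endif
    return ret;
}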
// Install (bHook == TRUE) or remove (bHook == FALSE) every API hook this DLL
// owns, in the order ChangeServiceConfigW then SetupDiSetClassInstallParamsW.
// Only the wide-character exports are hooked; the ANSI hook objects were never
// enabled.  When APIHOOK16 is not defined this function does nothing.
void HookAll(BOOL bHook)
{
#ifdef APIHOOK16
    CAPIHook *hooks[] = { &g_hook_advapi32_ChangeW, &g_hook_setupapi_paramsw };
    for (size_t i = 0; i < sizeof(hooks) / sizeof(hooks[0]); ++i)
        hooks[i]->Hook(bHook);
#else
    (void)bHook;
#endif
}
// Entry point of the hook DLL: hooks go in on process attach and come out on
// process detach; thread notifications are ignored.  Always reports success.
// NOTE(review): this runs under the loader lock; whether CAPIHook::Hook is
// safe to call from here depends on apihook16.h, which is not shown.
extern "C" int APIENTRY
DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    (void)hInstance;
    (void)lpReserved;
    if (dwReason == DLL_PROCESS_ATTACH)
        HookAll(TRUE);
    else if (dwReason == DLL_PROCESS_DETACH)
        HookAll(FALSE);
    return 1;
}
// *****************************************************************************//
//
// 文件名: main.CPP
// 所属项目名称:
// 所属模块名称: AGENT Service Hook MMC.EXE
// 所属项目版本: 2.0
// 文件用途 :
// 文件作者 : horse_b
// 创建日期 : 2004-11-15
//
// 文件修改说明:
// 文件修改人:
// 修改日期:
//
//
//
//********************************************************************************//
#include <windows.h>
#include <stdio.h>
#include <malloc.h> // For alloca
#include <TlHelp32.h> // For enum process
#define DEFAULT_LIB "AgentHk.DLL" // hook DLL file name; CallHook/UnHook look for it in the host module's directory
char g_szExeName[MAX_PATH] = {0}; // our own exe file name (no directory), set by CallHook/UnHook so Inject/EjectLibAll skip this process
// Entry point of the injector DLL: nothing to set up or tear down, so every
// notification simply succeeds.
BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    (void)hModule;
    (void)ul_reason_for_call;
    (void)lpReserved;
    return TRUE;
}
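// Load pszDllInject into process dwProcessId by running LoadLibraryA on a
// remote thread (the CreateRemoteThread technique).
//
// Returns TRUE only when the remote LoadLibraryA returned a non-NULL module
// handle.  The original reported success as soon as the remote thread ended,
// so a DLL that failed to load (missing file, missing dependency, DllMain
// returning FALSE) still counted as injected.  A NULL or empty path fails
// immediately instead of being passed to strlen.
//
// Assumptions carried over from the original, not checked here:
//  - kernel32 is mapped at the same address in both processes, so our own
//    LoadLibraryA address is valid in the target; in practice this holds for
//    same-bitness processes and is why cross-bitness injection fails;
//  - the caller has enabled SeDebugPrivilege (see EnableDebugPriv) when the
//    target belongs to another account.
BOOL WINAPI InjectLib(DWORD dwProcessId, PCSTR pszDllInject)
{
    HANDLE hProcess = NULL, hThread = NULL;
    char *pszDllInjectRemote = NULL;
    BOOL bOk = FALSE;
    if (pszDllInject == NULL || *pszDllInject == '\0')
        return FALSE;
    __try {
        // Get a handle for the target process.
        hProcess = OpenProcess(
            PROCESS_QUERY_INFORMATION | // Required by Alpha
            PROCESS_CREATE_THREAD |     // For CreateRemoteThread
            PROCESS_VM_OPERATION |      // For VirtualAllocEx/VirtualFreeEx
            PROCESS_VM_WRITE,           // For WriteProcessMemory
            FALSE, dwProcessId);
        if (hProcess == NULL)
            __leave;
        // Path plus terminator, copied byte-for-byte into the target.
        SIZE_T cb = strlen(pszDllInject) + 1;
        pszDllInjectRemote = (char *)
            VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
        if (pszDllInjectRemote == NULL)
            __leave;
        if (!WriteProcessMemory(hProcess, pszDllInjectRemote,
                                (PVOID)pszDllInject, cb, NULL))
            __leave;
        // Address of LoadLibraryA in our own kernel32 (see assumptions above).
        PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
            GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA");
        if (pfnThreadRtn == NULL)
            __leave;
        // Remote thread runs LoadLibraryA(pszDllInjectRemote).
        hThread = CreateRemoteThread(hProcess, NULL, 0,
                                     pfnThreadRtn, pszDllInjectRemote, 0, NULL);
        if (hThread == NULL)
            __leave;
        WaitForSingleObject(hThread, INFINITE);
        // The thread's exit code is LoadLibraryA's return value (its low 32
        // bits); 0 means the load failed.
        DWORD dwExitCode = 0;
        if (!GetExitCodeThread(hThread, &dwExitCode) || dwExitCode == 0)
            __leave;
        bOk = TRUE;
    }
    __finally {
        if (pszDllInjectRemote != NULL)
            VirtualFreeEx(hProcess, pszDllInjectRemote, 0, MEM_RELEASE);
        if (hThread != NULL)
            CloseHandle(hThread);
        if (hProcess != NULL)
            CloseHandle(hProcess);
    }
    return bOk;
}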
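// Unload pszDllInject (matched case-insensitively against the module file
// name or its full path) from process dwProcessId by running FreeLibrary on
// a remote thread.
//
// Returns TRUE only when the module was found and the remote FreeLibrary
// returned non-zero.  Note that FreeLibrary only drops one reference: a DLL
// injected more than once stays mapped.
//
// Fixes relative to the original: CreateToolhelp32Snapshot reports failure
// with INVALID_HANDLE_VALUE, not NULL, so the old check never fired and the
// cleanup went on to CloseHandle(INVALID_HANDLE_VALUE); the remote thread's
// result was never examined; a NULL name was passed to stricmp.
BOOL WINAPI EjectLib(DWORD dwProcessId, PCSTR pszDllInject)
{
    BOOL bOk = FALSE;
    HANDLE hthSnapshot = INVALID_HANDLE_VALUE;
    HANDLE hProcess = NULL, hThread = NULL;
    if (pszDllInject == NULL)
        return FALSE;
    __try {
        // Snapshot the target's module list.  (From a 32-bit injector this
        // fails for 64-bit targets -- same limitation as InjectLib.)
        hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
        if (hthSnapshot == INVALID_HANDLE_VALUE)
            __leave;
        MODULEENTRY32 me = { sizeof(me) };
        BOOL bFound = FALSE;
        for (BOOL bMore = Module32First(hthSnapshot, &me); bMore;
             bMore = Module32Next(hthSnapshot, &me)) {
            if (stricmp(me.szModule, pszDllInject) == 0 ||
                stricmp(me.szExePath, pszDllInject) == 0) {
                bFound = TRUE;
                break;
            }
        }
        if (!bFound)
            __leave;
        hProcess = OpenProcess(
            PROCESS_QUERY_INFORMATION | // Required by Alpha
            PROCESS_CREATE_THREAD |
            PROCESS_VM_OPERATION,       // For CreateRemoteThread
            FALSE, dwProcessId);
        if (hProcess == NULL)
            __leave;
        // Address of FreeLibrary in our own kernel32, assumed identical in the target.
        PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
            GetProcAddress(GetModuleHandle("Kernel32"), "FreeLibrary");
        if (pfnThreadRtn == NULL)
            __leave;
        // Remote thread runs FreeLibrary(hModule) with the target-side base address.
        hThread = CreateRemoteThread(hProcess, NULL, 0,
                                     pfnThreadRtn, me.modBaseAddr, 0, NULL);
        if (hThread == NULL)
            __leave;
        WaitForSingleObject(hThread, INFINITE);
        // Exit code is FreeLibrary's BOOL result.
        DWORD dwExitCode = 0;
        if (!GetExitCodeThread(hThread, &dwExitCode) || dwExitCode == 0)
            __leave;
        bOk = TRUE;
    }
    __finally {
        if (hthSnapshot != INVALID_HANDLE_VALUE)
            CloseHandle(hthSnapshot);
        if (hThread != NULL)
            CloseHandle(hThread);
        if (hProcess != NULL)
            CloseHandle(hProcess);
    }
    return bOk;
}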
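// Inject pszDllInject into every process in the system except our own.
// Returns the number of processes for which InjectLib reported success;
// one status line per process is printed to stdout.
//
// Fixes relative to the original: CreateToolhelp32Snapshot failure is
// signalled by INVALID_HANDLE_VALUE, not NULL; our own process is now also
// skipped by PID, since g_szExeName is empty until CallHook/UnHook has run;
// a NULL path no longer reaches strlen inside InjectLib.
//
// NOTE(review): with SeDebugPrivilege enabled this reaches every process the
// injector can open, system processes included; nothing here narrows the
// target set.
int WINAPI InjectLibAll(char *pszDllInject)
{
    HANDLE hthSnapshot = INVALID_HANDLE_VALUE;
    int nRtn = 0;
    if (pszDllInject == NULL)
        return 0;
    DWORD dwSelf = GetCurrentProcessId();
    __try {
        hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hthSnapshot == INVALID_HANDLE_VALUE)
            __leave;
        PROCESSENTRY32 pe = { sizeof(pe) };
        for (BOOL bMore = Process32First(hthSnapshot, &pe); bMore;
             bMore = Process32Next(hthSnapshot, &pe)) {
            if (pe.th32ProcessID == dwSelf || stricmp(pe.szExeFile, g_szExeName) == 0)
                continue;
            if (InjectLib(pe.th32ProcessID, pszDllInject)) {
                nRtn++;
                printf("%s - %s\n", pe.szExeFile, "DLL Injection successful.");
            } else {
                printf("%s - %s\n", pe.szExeFile, "DLL Injection failed.");
            }
        }
    }
    __finally {
        if (hthSnapshot != INVALID_HANDLE_VALUE)
            CloseHandle(hthSnapshot);
    }
    return nRtn;
}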
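// Eject pszDllInject from every process in the system except our own.
// Returns the number of processes for which EjectLib reported success;
// one status line per process is printed to stdout.
//
// Fixes relative to the original: CreateToolhelp32Snapshot failure is
// signalled by INVALID_HANDLE_VALUE, not NULL; our own process is now also
// skipped by PID, since g_szExeName is empty until CallHook/UnHook has run;
// a NULL path is rejected up front.
int WINAPI EjectLibAll(char *pszDllInject)
{
    HANDLE hthSnapshot = INVALID_HANDLE_VALUE;
    int nRtn = 0;
    if (pszDllInject == NULL)
        return 0;
    DWORD dwSelf = GetCurrentProcessId();
    __try {
        hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hthSnapshot == INVALID_HANDLE_VALUE)
            __leave;
        PROCESSENTRY32 pe = { sizeof(pe) };
        for (BOOL bMore = Process32First(hthSnapshot, &pe); bMore;
             bMore = Process32Next(hthSnapshot, &pe)) {
            if (pe.th32ProcessID == dwSelf || stricmp(pe.szExeFile, g_szExeName) == 0)
                continue;
            if (EjectLib(pe.th32ProcessID, pszDllInject)) {
                nRtn++;
                printf("%s - %s\n", pe.szExeFile, "DLL Ejection successful.");
            } else {
                printf("%s - %s\n", pe.szExeFile, "DLL Ejection failed.");
            }
        }
    }
    __finally {
        if (hthSnapshot != INVALID_HANDLE_VALUE)
            CloseHandle(hthSnapshot);
    }
    return nRtn;
}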
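// Inject pszDllInject into every running process whose image file name
// equals pszProcName (case-insensitive, e.g. "mmc.exe").  Returns the number
// of successful injections; one status line per matching process is printed.
//
// Fixes relative to the original: CreateToolhelp32Snapshot failure is
// signalled by INVALID_HANDLE_VALUE, not NULL, so the old check never fired
// and CloseHandle was later called on that pseudo-handle; NULL arguments are
// rejected instead of reaching stricmp/strlen.
int WINAPI InjectLibByName(char *pszDllInject, char *pszProcName)
{
    HANDLE hthSnapshot = INVALID_HANDLE_VALUE;
    int nRtn = 0;
    if (pszDllInject == NULL || pszProcName == NULL)
        return 0;
    __try {
        hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hthSnapshot == INVALID_HANDLE_VALUE)
            __leave;
        PROCESSENTRY32 pe = { sizeof(pe) };
        for (BOOL bMore = Process32First(hthSnapshot, &pe); bMore;
             bMore = Process32Next(hthSnapshot, &pe)) {
            if (stricmp(pe.szExeFile, pszProcName) != 0)
                continue;
            if (InjectLib(pe.th32ProcessID, pszDllInject)) {
                nRtn++;
                printf("%s/%s - %s\n", pszDllInject, pe.szExeFile, "DLL Injection successful.");
            } else {
                printf("%s/%s - %s\n", pszDllInject, pe.szExeFile, "DLL Injection failed");
            }
        }
    }
    __finally {
        if (hthSnapshot != INVALID_HANDLE_VALUE)
            CloseHandle(hthSnapshot);
    }
    return nRtn;
}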
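// Eject pszDllInject from every running process whose image file name equals
// pszProcName (case-insensitive).  Returns the number of successful
// ejections; one status line per matching process is printed.
//
// Fixes relative to the original: CreateToolhelp32Snapshot failure is
// signalled by INVALID_HANDLE_VALUE, not NULL, so the old check never fired
// and CloseHandle was later called on that pseudo-handle; NULL arguments are
// rejected instead of reaching stricmp.
int WINAPI EjectLibByName(char *pszDllInject, char *pszProcName)
{
    HANDLE hthSnapshot = INVALID_HANDLE_VALUE;
    int nRtn = 0;
    if (pszDllInject == NULL || pszProcName == NULL)
        return 0;
    __try {
        hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hthSnapshot == INVALID_HANDLE_VALUE)
            __leave;
        PROCESSENTRY32 pe = { sizeof(pe) };
        for (BOOL bMore = Process32First(hthSnapshot, &pe); bMore;
             bMore = Process32Next(hthSnapshot, &pe)) {
            if (stricmp(pe.szExeFile, pszProcName) != 0)
                continue;
            if (EjectLib(pe.th32ProcessID, pszDllInject)) {
                nRtn++;
                printf("%s - %s\n", pe.szExeFile, "DLL Ejection successful.");
            } else {
                printf("%s - %s\n", pe.szExeFile, "DLL Ejection failed.");
            }
        }
    }
    __finally {
        if (hthSnapshot != INVALID_HANDLE_VALUE)
            CloseHandle(hthSnapshot);
    }
    return nRtn;
}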
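// Enable SeDebugPrivilege in the current process token so OpenProcess can
// reach processes of other accounts.  Returns TRUE only when the privilege
// was actually enabled.
//
// Fixes relative to the original: AdjustTokenPrivileges returns TRUE even
// when the caller does not hold the privilege (GetLastError() is then
// ERROR_NOT_ALL_ASSIGNED), which made every non-admin run look successful;
// and the token handle was leaked on the success path.
//
// Security note: this privilege is the gate for the whole injector.  It is
// only granted to administrators by default, so a standard user cannot use
// CallHook/UnHook against other users' processes.
BOOL EnableDebugPriv(void)
{
    HANDLE hToken = NULL;
    LUID luidDebug;
    TOKEN_PRIVILEGES tkp;
    BOOL bOk = FALSE;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return FALSE;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luidDebug)) {
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = luidDebug;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        if (AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL) &&
            GetLastError() == ERROR_SUCCESS)
            bOk = TRUE;
    }
    CloseHandle(hToken);
    return bOk;
}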
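// Inject the hook DLL (DEFAULT_LIB, expected in the host module's directory)
// into process nPid.  Returns TRUE when InjectLib reported success, FALSE
// when nPid is not positive, the DLL file cannot be opened, or the
// injection failed.
//
// Fixes relative to the original:
//  - nPid was never copied into the local process id, so the injection
//    branch was dead and the function always returned FALSE;
//  - the path separator was the multi-character constant '//' instead of
//    '\\', so the directory split never matched, and the unchecked
//    strrchr()+1 would have written through NULL+1;
//  - the strcpy that appends DEFAULT_LIB was unbounded.
//
// NOTE(review): GetModuleFileName(NULL) names the process's main exe, so when
// this code is built as CallHook.dll the DLL is looked up next to the host
// program, not next to CallHook.dll itself -- confirm that is intended.
BOOL __stdcall CallHook(int nPid)
{
    char szExePath[MAX_PATH] = {0};
    char szLibFile[MAX_PATH] = {0};

    // Remember our own image name so the *LibAll helpers skip this process.
    // sizeof-1 keeps the zero-initialised last byte as a terminator.
    if (GetModuleFileName(NULL, szExePath, sizeof(szExePath) - 1) > 0) {
        const char *base = strrchr(szExePath, '\\');
        if (base != NULL) {
            base++;
            strncpy(g_szExeName, base, sizeof(g_szExeName) - 1);
            g_szExeName[sizeof(g_szExeName) - 1] = '\0';
        }
    }

    // SeDebugPrivilege is needed for processes of other accounts.  Failure is
    // not fatal here; OpenProcess inside InjectLib reports the real error.
    EnableDebugPriv();

    // Build <host module directory>\DEFAULT_LIB with an explicit bound check.
    if (GetModuleFileName(NULL, szLibFile, sizeof(szLibFile) - 1) == 0)
        return FALSE;
    char *dirEnd = strrchr(szLibFile, '\\');
    if (dirEnd == NULL)
        return FALSE;
    dirEnd++;
    size_t dirLen = (size_t)(dirEnd - szLibFile);
    if (dirLen + strlen(DEFAULT_LIB) + 1 > sizeof(szLibFile))
        return FALSE;
    strcpy(dirEnd, DEFAULT_LIB);

    // Cheap existence check before spending a remote thread on it.
    FILE *fp = fopen(szLibFile, "r");
    if (fp == NULL)
        return FALSE;
    fclose(fp);

    if (nPid <= 0)
        return FALSE;
    return InjectLib((DWORD)nPid, szLibFile);
}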
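// Eject the hook DLL (DEFAULT_LIB, expected in the host module's directory)
// from process nPid.  Returns TRUE when EjectLib reported success, FALSE
// when nPid is not positive, the DLL file cannot be opened, or the
// ejection failed.
//
// Fixes relative to the original:
//  - nPid was never copied into the local process id, so the ejection
//    branch was dead and the function always returned FALSE;
//  - the path separator was the multi-character constant '//' instead of
//    '\\', so the directory split never matched, and the unchecked
//    strrchr()+1 would have written through NULL+1;
//  - the strcpy that appends DEFAULT_LIB was unbounded.
//
// NOTE(review): GetModuleFileName(NULL) names the process's main exe, so when
// this code is built as CallHook.dll the DLL is looked up next to the host
// program, not next to CallHook.dll itself -- confirm that is intended.
BOOL __stdcall UnHook(int nPid)
{
    char szExePath[MAX_PATH] = {0};
    char szLibFile[MAX_PATH] = {0};

    // Remember our own image name so the *LibAll helpers skip this process.
    // sizeof-1 keeps the zero-initialised last byte as a terminator.
    if (GetModuleFileName(NULL, szExePath, sizeof(szExePath) - 1) > 0) {
        const char *base = strrchr(szExePath, '\\');
        if (base != NULL) {
            base++;
            strncpy(g_szExeName, base, sizeof(g_szExeName) - 1);
            g_szExeName[sizeof(g_szExeName) - 1] = '\0';
        }
    }

    // SeDebugPrivilege is needed for processes of other accounts.  Failure is
    // not fatal here; OpenProcess inside EjectLib reports the real error.
    EnableDebugPriv();

    // Build <host module directory>\DEFAULT_LIB with an explicit bound check.
    if (GetModuleFileName(NULL, szLibFile, sizeof(szLibFile) - 1) == 0)
        return FALSE;
    char *dirEnd = strrchr(szLibFile, '\\');
    if (dirEnd == NULL)
        return FALSE;
    dirEnd++;
    size_t dirLen = (size_t)(dirEnd - szLibFile);
    if (dirLen + strlen(DEFAULT_LIB) + 1 > sizeof(szLibFile))
        return FALSE;
    strcpy(dirEnd, DEFAULT_LIB);

    // The path is also what EjectLib matches against the module list, so the
    // file should still be present.
    FILE *fp = fopen(szLibFile, "r");
    if (fp == NULL)
        return FALSE;
    fclose(fp);

    if (nPid <= 0)
        return FALSE;
    return EjectLib((DWORD)nPid, szLibFile);
}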
AgentHk.dll 是 HOOK 的主要代码：被注入目标进程后，在 DllMain 中挂钩 setupapi!SetupDiSetClassInstallParamsW 和 advapi32!ChangeServiceConfigW，阻止受保护的服务被改为禁用/手动启动，并拦截对指定设备类的属性更改。
CallHook.dll 是 HOOK 代码的调用接口：CallHook(nPid) / UnHook(nPid) 先启用 SeDebugPrivilege，再用 CreateRemoteThread + LoadLibraryA/FreeLibrary 把 AgentHk.dll 注入（或卸出）指定进程（如 mmc.exe）。注意这只是用户态 API Hook，只对被注入的进程生效；未被注入的进程（如 sc.exe）或直接修改注册表都不受此保护。