通过API HOOK 创建SYSTEM用户进程
来源:互联网 发布:彻底删除软件注册表 编辑:程序博客网 时间:2024/05/19 15:23
clsHookInfo.cls
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
Persistable = 0 'NotPersistable
DataBindingBehavior = 0 'vbNone
DataSourceBehavior = 0 'vbNone
MTSTransactionMode = 0 'NotAnMTSObject
END
Attribute VB_Name = "clsHookInfo"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Private Declare Function MessageBoxA Lib "user32" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long
Private Declare Function MessageBoxW Lib "user32" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Const PROCESS_QUERY_INFORMATION As Long = (&H400)
Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Private Const SYNCHRONIZE As Long = &H100000
Private Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
Private mbytOldCode(5) As Byte
Private mbytNewCode(5) As Byte
Private mlngFunAddr As Long
Private mhProcess As Long
Public Function HookApi(ByVal strDllName As String, ByVal strFunName As String, ByVal lngFunAddr As Long, ByVal hProcess As Long) As Boolean
Dim hModule As Long, dwJmpAddr As Long
mhProcess = hProcess
hModule = LoadLibrary(strDllName)
If hModule = 0 Then
HookApi = False
Exit Function
End If
mlngFunAddr = GetProcAddress(hModule, strFunName)
If mlngFunAddr = 0 Then
HookApi = False
Exit Function
End If
CopyMemory mbytOldCode(0), ByVal mlngFunAddr, 6
Debug.Print mbytOldCode(0); mbytOldCode(1); mbytOldCode(2); mbytOldCode(3); mbytOldCode(4)
mbytNewCode(0) = &HE9
dwJmpAddr = lngFunAddr - mlngFunAddr - 5
CopyMemory mbytNewCode(1), dwJmpAddr, 4
Debug.Print mbytNewCode(0); mbytNewCode(1); mbytNewCode(2); mbytNewCode(3); mbytNewCode(4)
HookStatus True
HookApi = True
End Function
Public Function HookStatus(ByVal blnIsHook As Boolean) As Boolean
If blnIsHook Then
If WriteProcessMemory(mhProcess, ByVal mlngFunAddr, mbytNewCode(0), 5, 0) <> 0 Then HookStatus = False '拦截
Else
If WriteProcessMemory(mhProcess, ByVal mlngFunAddr, mbytOldCode(0), 5, 0) <> 0 Then HookStatus = False '恢复
End If
End Function
Private Sub Class_Initialize()
' mhProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, GetCurrentProcessId)
End Sub
Private Sub Class_Terminate()
HookStatus False
' CloseHandle mhProcess
End Sub
frmMain.frm
VERSION 5.00
Begin VB.Form frmMain
BorderStyle = 1 'Fixed Single
Caption = "创建系统进程"
ClientHeight = 3090
ClientLeft = 45
ClientTop = 435
ClientWidth = 4680
LinkTopic = "Form1"
MaxButton = 0 'False
MinButton = 0 'False
ScaleHeight = 3090
ScaleWidth = 4680
StartUpPosition = 3 '窗口缺省
Begin VB.CommandButton cmdExit
Caption = "退出"
Default = -1 'True
Height = 375
Left = 3510
TabIndex = 3
Top = 2010
Width = 945
End
Begin VB.CommandButton cmdRun
Caption = "启动"
Height = 375
Left = 2190
TabIndex = 2
Top = 2010
Width = 945
End
Begin VB.TextBox txtPath
Height = 255
Left = 960
TabIndex = 1
Text = "notepad"
Top = 1020
Width = 3525
End
Begin VB.Label lblNote
AutoSize = -1 'True
Caption = "文件路径:"
Height = 180
Left = 90
TabIndex = 0
Top = 1050
Width = 810
End
End
Attribute VB_Name = "frmMain"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Const PROCESS_QUERY_INFORMATION As Long = (&H400)
Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Private Const SYNCHRONIZE As Long = &H100000
Private Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
Private Type PROCESS_INFORMATION
hProcess As Long
hThread As Long
dwProcessId As Long
dwThreadId As Long
End Type
Private Type STARTUPINFO
cb As Long
lpReserved As String
lpDesktop As String
lpTitle As String
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Byte
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type
Private Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Sub cmdExit_Click()
Unload Me
End Sub
Private Sub cmdRun_Click()
Dim lp As PROCESS_INFORMATION
Dim si As STARTUPINFO
si.cb = Len(si)
CreateProcess vbNullString, txtPath.Text, ByVal 0&, ByVal 0&, 0, 0, ByVal 0&, vbNullString, si, lp
End Sub
Private Sub Form_Load()
EnablePrivilege
'注意这里不能马上把句柄关闭掉
glngSystemHandle = OpenProcess(PROCESS_ALL_ACCESS, 0, GetSystemProcessId)
If glngSystemHandle = 0 Then
MsgBox "获取系统进程句柄出错!!", vbCritical, "错误"
Exit Sub
End If
Set gclsHookNtCreateProcess = New clsHookInfo
Set gclsHookNtCreateProcessEx = New clsHookInfo
glngProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, GetCurrentProcessId)
gclsHookNtCreateProcessEx.HookApi "ntdll.dll", "NtCreateProcessEx", GetFunAddr(AddressOf NtCreateProcessExCallback), glngProcess
gclsHookNtCreateProcess.HookApi "ntdll.dll", "NtCreateProcess", GetFunAddr(AddressOf NtCreateProcessCallback), glngProcess
End Sub
Private Sub Form_Unload(Cancel As Integer)
Set gclsHookNtCreateProcess = Nothing
Set gclsHookNtCreateProcessEx = Nothing
CloseHandle glngSystemHandle
CloseHandle glngProcess
End Sub
modEnablePrivilege.bas
Attribute VB_Name = "modEnablePrivilege"
Option Explicit
Private Const STANDARD_RIGHTS_REQUIRED = &HF0000
Private Const TOKEN_ASSIGN_PRIMARY = &H1
Private Const TOKEN_DUPLICATE = (&H2)
Private Const TOKEN_IMPERSONATE = (&H4)
Private Const TOKEN_QUERY = (&H8)
Private Const TOKEN_QUERY_SOURCE = (&H10)
Private Const TOKEN_ADJUST_PRIVILEGES = (&H20)
Private Const TOKEN_ADJUST_GROUPS = (&H40)
Private Const TOKEN_ALL_ACCESS = 983551
Private Const SE_PRIVILEGE_ENABLED = &H2
Private Const ANYSIZE_ARRAY = 1
Private Const SE_DEBUG_NAME = "SeDebugPrivilege"
Private Type LUID
lowpart As Long
highpart As Long
End Type
Private Type LUID_AND_ATTRIBUTES
pLuid As LUID
Attributes As Long
End Type
Private Type TOKEN_PRIVILEGES
PrivilegeCount As Long
Privileges(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
End Type
Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal DisableAllPriv As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As TOKEN_PRIVILEGES, ReturnLength As Long) As Long 'Used to adjust your program's security privileges, can't restore without it!
Private Declare Function LookupPrivilegeValue Lib "advapi32.dll" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As Any, ByVal lpName As String, lpLuid As LUID) As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long '获取当前进程句柄
Public Function EnablePrivilege() As Boolean
Dim hdlProcessHandle As Long
Dim hdlTokenHandle As Long
Dim tmpLuid As LUID
Dim tkp As TOKEN_PRIVILEGES
Dim tkpNewButIgnored As TOKEN_PRIVILEGES
Dim lBufferNeeded As Long
Dim lp As Long
hdlProcessHandle = GetCurrentProcess()
lp = OpenProcessToken(hdlProcessHandle, TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, hdlTokenHandle)
lp = LookupPrivilegeValue(vbNullString, "SeDebugPrivilege", tmpLuid)
tkp.PrivilegeCount = 1
tkp.Privileges(0).pLuid = tmpLuid
tkp.Privileges(0).Attributes = SE_PRIVILEGE_ENABLED
EnablePrivilege = AdjustTokenPrivileges(hdlTokenHandle, False, tkp, Len(tkpNewButIgnored), tkpNewButIgnored, lBufferNeeded)
End Function
modHook.bas
Attribute VB_Name = "modHook"
Private Declare Function NtCreateProcessEx Lib "NTDLL.DLL" (ByRef ProcessHandle As Long, ByVal AccessMask As Long, ByVal ObjectAttributes As Long, ByVal hParentProcess As Long, ByVal InheritHandles As Long, ByVal hSection As Long, ByVal hDebugPort As Long, ByVal hExceptionPort As Long, ByVal reserv As Long) As Long
Private Declare Function NtCreateProcess Lib "NTDLL.DLL" (ByRef ProcessHandle As Long, ByVal AccessMask As Long, ByVal ObjectAttributes As Long, ByVal hParentProcess As Long, ByVal InheritHandles As Long, ByVal hSection As Long, ByVal hDebugPort As Long, ByVal hExceptionPort As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccessas As Long, ByVal bInheritHandle As Long, ByVal dwProcId As Long) As Long
Private Const PROCESS_QUERY_INFORMATION As Long = (&H400)
Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Private Const SYNCHRONIZE As Long = &H100000
Private Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
Private Type OBJECT_ATTRIBUTES
Length As Long
RootDirectory As Long
ObjectName As Long
Attributes As Long
SecurityDescriptor As Long
SecurityQualityOfService As Long
End Type
Public gclsHookNtCreateProcessEx As clsHookInfo
Public gclsHookNtCreateProcess As clsHookInfo
Public glngProcess As Long
Public glngSystemHandle As Long
Public Function NtCreateProcessExCallback(ByRef ProcessHandle As Long, ByVal AccessMask As Long, ByVal ObjectAttributes As Long, ByVal hParentProcess As Long, ByVal InheritHandles As Long, ByVal hSection As Long, ByVal hDebugPort As Long, ByVal hExceptionPort As Long, ByVal reserv As Long) As Long
Dim hReturn As Long
gclsHookNtCreateProcessEx.HookStatus False
hReturn = NtCreateProcessEx(ProcessHandle, AccessMask, ObjectAttributes, glngSystemHandle, InheritHandles, hSection, hDebugPort, hExceptionPort, reserv)
gclsHookNtCreateProcessEx.HookStatus True
NtCreateProcessExCallback = hReturn
End Function
Public Function NtCreateProcessCallback(ByRef ProcessHandle As Long, ByVal AccessMask As Long, ByVal ObjectAttributes As Long, ByVal hParentProcess As Long, ByVal InheritHandles As Long, ByVal hSection As Long, ByVal hDebugPort As Long, ByVal hExceptionPort As Long) As Long
Dim hReturn As Long
gclsHookNtCreateProcess.HookStatus False
hReturn = NtCreateProcess(ProcessHandle, AccessMask, ObjectAttributes, glngSystemHandle, InheritHandles, hSection, hDebugPort, hExceptionPort)
gclsHookNtCreateProcess.HookStatus True
NtCreateProcessCallback = hReturn
End Function
Public Function GetFunAddr(lngFunAddr As Long) As Long
GetFunAddr = lngFunAddr
End Function
modProcess.bas
Attribute VB_Name = "modProcess"
Option Explicit
Private Declare Function CloseHandle Lib "kernel32.dll" (ByVal Handle As Long) As Long
Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccessas As Long, ByVal bInheritHandle As Long, ByVal dwProcId As Long) As Long
Private Declare Function EnumProcesses Lib "PSAPI.DLL" (ByRef lpidProcess As Long, ByVal cb As Long, ByRef cbNeeded As Long) As Long
Private Declare Function GetModuleFileNameExA Lib "PSAPI.DLL" (ByVal hProcess As Long, ByVal hModule As Long, ByVal ModuleName As String, ByVal nSize As Long) As Long
Private Declare Function EnumProcessModules Lib "PSAPI.DLL" (ByVal hProcess As Long, ByRef lphModule As Long, ByVal cb As Long, ByRef cbNeeded As Long) As Long
Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long '获取当前进程句柄
Private Declare Function GetLastError Lib "kernel32" () As Long
Private Declare Function GetModuleBaseName Lib "PSAPI.DLL" Alias "GetModuleBaseNameA" (ByVal hProcess As Long, ByVal hModule As Long, ByVal lpBaseName As String, ByVal nSize As Long) As Long
Private Const PROCESS_QUERY_INFORMATION = &H400
Private Const PROCESS_VM_READ = &H10
'Private Const PROCESS_QUERY_INFORMATION As Long = (&H400)
Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Private Const SYNCHRONIZE As Long = &H100000
Private Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
Public Function GetSystemProcessId() As Long
Dim lngCbNeeded As Long
Dim lngNumElements As Long
Dim lngProcessIDArray() As Long
Dim lngCbNeeded2 As Long
Dim lngNumElements2 As Long
Dim Modules(0 To 1023) As Long
Dim lngRet As Long
Dim lngSize As Long
Dim hProcess As Long
Dim i As Long, strModuleName As String
Dim lngModules As Long, hLen As Long
ReDim lngProcessIDArray(1024)
lngRet = EnumProcesses(lngProcessIDArray(0), 4 * 1024, lngCbNeeded)
lngNumElements = lngCbNeeded / 4
ReDim Preserve lngProcessIDArray(lngNumElements - 1)
On Error Resume Next
For i = 0 To lngNumElements - 1
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, False, lngProcessIDArray(i))
If hProcess <> 0 And lngProcessIDArray(i) <> 4 Then
lngRet = EnumProcessModules(hProcess, Modules(0), 1024, lngCbNeeded2)
If lngRet <> 0 Then
strModuleName = String(260, "*")
lngRet = GetModuleFileNameExA(hProcess, Modules(0), strModuleName, 260)
strModuleName = Left(strModuleName, lngRet)
End If
If InStr(LCase(strModuleName), "system32/smss.exe") Then
'If InStr(LCase(strModuleName), "system32/winlogon.exe") Then
GetSystemProcessId = lngProcessIDArray(i)
lngRet = CloseHandle(hProcess)
Exit Function
End If
End If
lngRet = CloseHandle(hProcess)
Next
End Function
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
Persistable = 0 'NotPersistable
DataBindingBehavior = 0 'vbNone
DataSourceBehavior = 0 'vbNone
MTSTransactionMode = 0 'NotAnMTSObject
END
Attribute VB_Name = "clsHookInfo"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Private Declare Function MessageBoxA Lib "user32" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long
Private Declare Function MessageBoxW Lib "user32" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Const PROCESS_QUERY_INFORMATION As Long = (&H400)
Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Private Const SYNCHRONIZE As Long = &H100000
Private Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
Private mbytOldCode(5) As Byte
Private mbytNewCode(5) As Byte
Private mlngFunAddr As Long
Private mhProcess As Long
Public Function HookApi(ByVal strDllName As String, ByVal strFunName As String, ByVal lngFunAddr As Long, ByVal hProcess As Long) As Boolean
Dim hModule As Long, dwJmpAddr As Long
mhProcess = hProcess
hModule = LoadLibrary(strDllName)
If hModule = 0 Then
HookApi = False
Exit Function
End If
mlngFunAddr = GetProcAddress(hModule, strFunName)
If mlngFunAddr = 0 Then
HookApi = False
Exit Function
End If
CopyMemory mbytOldCode(0), ByVal mlngFunAddr, 6
Debug.Print mbytOldCode(0); mbytOldCode(1); mbytOldCode(2); mbytOldCode(3); mbytOldCode(4)
mbytNewCode(0) = &HE9
dwJmpAddr = lngFunAddr - mlngFunAddr - 5
CopyMemory mbytNewCode(1), dwJmpAddr, 4
Debug.Print mbytNewCode(0); mbytNewCode(1); mbytNewCode(2); mbytNewCode(3); mbytNewCode(4)
HookStatus True
HookApi = True
End Function
Public Function HookStatus(ByVal blnIsHook As Boolean) As Boolean
If blnIsHook Then
If WriteProcessMemory(mhProcess, ByVal mlngFunAddr, mbytNewCode(0), 5, 0) <> 0 Then HookStatus = False '拦截
Else
If WriteProcessMemory(mhProcess, ByVal mlngFunAddr, mbytOldCode(0), 5, 0) <> 0 Then HookStatus = False '恢复
End If
End Function
Private Sub Class_Initialize()
' mhProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, GetCurrentProcessId)
End Sub
Private Sub Class_Terminate()
HookStatus False
' CloseHandle mhProcess
End Sub
frmMain.frm
VERSION 5.00
Begin VB.Form frmMain
BorderStyle = 1 'Fixed Single
Caption = "创建系统进程"
ClientHeight = 3090
ClientLeft = 45
ClientTop = 435
ClientWidth = 4680
LinkTopic = "Form1"
MaxButton = 0 'False
MinButton = 0 'False
ScaleHeight = 3090
ScaleWidth = 4680
StartUpPosition = 3 '窗口缺省
Begin VB.CommandButton cmdExit
Caption = "退出"
Default = -1 'True
Height = 375
Left = 3510
TabIndex = 3
Top = 2010
Width = 945
End
Begin VB.CommandButton cmdRun
Caption = "启动"
Height = 375
Left = 2190
TabIndex = 2
Top = 2010
Width = 945
End
Begin VB.TextBox txtPath
Height = 255
Left = 960
TabIndex = 1
Text = "notepad"
Top = 1020
Width = 3525
End
Begin VB.Label lblNote
AutoSize = -1 'True
Caption = "文件路径:"
Height = 180
Left = 90
TabIndex = 0
Top = 1050
Width = 810
End
End
Attribute VB_Name = "frmMain"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Const PROCESS_QUERY_INFORMATION As Long = (&H400)
Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Private Const SYNCHRONIZE As Long = &H100000
Private Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
Private Type PROCESS_INFORMATION
hProcess As Long
hThread As Long
dwProcessId As Long
dwThreadId As Long
End Type
Private Type STARTUPINFO
cb As Long
lpReserved As String
lpDesktop As String
lpTitle As String
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Byte
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type
Private Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Sub cmdExit_Click()
Unload Me
End Sub
Private Sub cmdRun_Click()
Dim lp As PROCESS_INFORMATION
Dim si As STARTUPINFO
si.cb = Len(si)
CreateProcess vbNullString, txtPath.Text, ByVal 0&, ByVal 0&, 0, 0, ByVal 0&, vbNullString, si, lp
End Sub
Private Sub Form_Load()
EnablePrivilege
'注意这里不能马上把句柄关闭掉
glngSystemHandle = OpenProcess(PROCESS_ALL_ACCESS, 0, GetSystemProcessId)
If glngSystemHandle = 0 Then
MsgBox "获取系统进程句柄出错!!", vbCritical, "错误"
Exit Sub
End If
Set gclsHookNtCreateProcess = New clsHookInfo
Set gclsHookNtCreateProcessEx = New clsHookInfo
glngProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, GetCurrentProcessId)
gclsHookNtCreateProcessEx.HookApi "ntdll.dll", "NtCreateProcessEx", GetFunAddr(AddressOf NtCreateProcessExCallback), glngProcess
gclsHookNtCreateProcess.HookApi "ntdll.dll", "NtCreateProcess", GetFunAddr(AddressOf NtCreateProcessCallback), glngProcess
End Sub
Private Sub Form_Unload(Cancel As Integer)
Set gclsHookNtCreateProcess = Nothing
Set gclsHookNtCreateProcessEx = Nothing
CloseHandle glngSystemHandle
CloseHandle glngProcess
End Sub
modEnablePrivilege.bas
Attribute VB_Name = "modEnablePrivilege"
Option Explicit
Private Const STANDARD_RIGHTS_REQUIRED = &HF0000
Private Const TOKEN_ASSIGN_PRIMARY = &H1
Private Const TOKEN_DUPLICATE = (&H2)
Private Const TOKEN_IMPERSONATE = (&H4)
Private Const TOKEN_QUERY = (&H8)
Private Const TOKEN_QUERY_SOURCE = (&H10)
Private Const TOKEN_ADJUST_PRIVILEGES = (&H20)
Private Const TOKEN_ADJUST_GROUPS = (&H40)
Private Const TOKEN_ALL_ACCESS = 983551
Private Const SE_PRIVILEGE_ENABLED = &H2
Private Const ANYSIZE_ARRAY = 1
Private Const SE_DEBUG_NAME = "SeDebugPrivilege"
Private Type LUID
lowpart As Long
highpart As Long
End Type
Private Type LUID_AND_ATTRIBUTES
pLuid As LUID
Attributes As Long
End Type
Private Type TOKEN_PRIVILEGES
PrivilegeCount As Long
Privileges(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
End Type
Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal DisableAllPriv As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As TOKEN_PRIVILEGES, ReturnLength As Long) As Long 'Used to adjust your program's security privileges, can't restore without it!
Private Declare Function LookupPrivilegeValue Lib "advapi32.dll" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As Any, ByVal lpName As String, lpLuid As LUID) As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long '获取当前进程句柄
Public Function EnablePrivilege() As Boolean
Dim hdlProcessHandle As Long
Dim hdlTokenHandle As Long
Dim tmpLuid As LUID
Dim tkp As TOKEN_PRIVILEGES
Dim tkpNewButIgnored As TOKEN_PRIVILEGES
Dim lBufferNeeded As Long
Dim lp As Long
hdlProcessHandle = GetCurrentProcess()
lp = OpenProcessToken(hdlProcessHandle, TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, hdlTokenHandle)
lp = LookupPrivilegeValue(vbNullString, "SeDebugPrivilege", tmpLuid)
tkp.PrivilegeCount = 1
tkp.Privileges(0).pLuid = tmpLuid
tkp.Privileges(0).Attributes = SE_PRIVILEGE_ENABLED
EnablePrivilege = AdjustTokenPrivileges(hdlTokenHandle, False, tkp, Len(tkpNewButIgnored), tkpNewButIgnored, lBufferNeeded)
End Function
modHook.bas
Attribute VB_Name = "modHook"
Private Declare Function NtCreateProcessEx Lib "NTDLL.DLL" (ByRef ProcessHandle As Long, ByVal AccessMask As Long, ByVal ObjectAttributes As Long, ByVal hParentProcess As Long, ByVal InheritHandles As Long, ByVal hSection As Long, ByVal hDebugPort As Long, ByVal hExceptionPort As Long, ByVal reserv As Long) As Long
Private Declare Function NtCreateProcess Lib "NTDLL.DLL" (ByRef ProcessHandle As Long, ByVal AccessMask As Long, ByVal ObjectAttributes As Long, ByVal hParentProcess As Long, ByVal InheritHandles As Long, ByVal hSection As Long, ByVal hDebugPort As Long, ByVal hExceptionPort As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccessas As Long, ByVal bInheritHandle As Long, ByVal dwProcId As Long) As Long
Private Const PROCESS_QUERY_INFORMATION As Long = (&H400)
Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Private Const SYNCHRONIZE As Long = &H100000
Private Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
Private Type OBJECT_ATTRIBUTES
Length As Long
RootDirectory As Long
ObjectName As Long
Attributes As Long
SecurityDescriptor As Long
SecurityQualityOfService As Long
End Type
Public gclsHookNtCreateProcessEx As clsHookInfo
Public gclsHookNtCreateProcess As clsHookInfo
Public glngProcess As Long
Public glngSystemHandle As Long
Public Function NtCreateProcessExCallback(ByRef ProcessHandle As Long, ByVal AccessMask As Long, ByVal ObjectAttributes As Long, ByVal hParentProcess As Long, ByVal InheritHandles As Long, ByVal hSection As Long, ByVal hDebugPort As Long, ByVal hExceptionPort As Long, ByVal reserv As Long) As Long
Dim hReturn As Long
gclsHookNtCreateProcessEx.HookStatus False
hReturn = NtCreateProcessEx(ProcessHandle, AccessMask, ObjectAttributes, glngSystemHandle, InheritHandles, hSection, hDebugPort, hExceptionPort, reserv)
gclsHookNtCreateProcessEx.HookStatus True
NtCreateProcessExCallback = hReturn
End Function
Public Function NtCreateProcessCallback(ByRef ProcessHandle As Long, ByVal AccessMask As Long, ByVal ObjectAttributes As Long, ByVal hParentProcess As Long, ByVal InheritHandles As Long, ByVal hSection As Long, ByVal hDebugPort As Long, ByVal hExceptionPort As Long) As Long
Dim hReturn As Long
gclsHookNtCreateProcess.HookStatus False
hReturn = NtCreateProcess(ProcessHandle, AccessMask, ObjectAttributes, glngSystemHandle, InheritHandles, hSection, hDebugPort, hExceptionPort)
gclsHookNtCreateProcess.HookStatus True
NtCreateProcessCallback = hReturn
End Function
Public Function GetFunAddr(lngFunAddr As Long) As Long
GetFunAddr = lngFunAddr
End Function
modProcess.bas
Attribute VB_Name = "modProcess"
Option Explicit
Private Declare Function CloseHandle Lib "kernel32.dll" (ByVal Handle As Long) As Long
Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccessas As Long, ByVal bInheritHandle As Long, ByVal dwProcId As Long) As Long
Private Declare Function EnumProcesses Lib "PSAPI.DLL" (ByRef lpidProcess As Long, ByVal cb As Long, ByRef cbNeeded As Long) As Long
Private Declare Function GetModuleFileNameExA Lib "PSAPI.DLL" (ByVal hProcess As Long, ByVal hModule As Long, ByVal ModuleName As String, ByVal nSize As Long) As Long
Private Declare Function EnumProcessModules Lib "PSAPI.DLL" (ByVal hProcess As Long, ByRef lphModule As Long, ByVal cb As Long, ByRef cbNeeded As Long) As Long
Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long '获取当前进程句柄
Private Declare Function GetLastError Lib "kernel32" () As Long
Private Declare Function GetModuleBaseName Lib "PSAPI.DLL" Alias "GetModuleBaseNameA" (ByVal hProcess As Long, ByVal hModule As Long, ByVal lpBaseName As String, ByVal nSize As Long) As Long
Private Const PROCESS_QUERY_INFORMATION = &H400
Private Const PROCESS_VM_READ = &H10
'Private Const PROCESS_QUERY_INFORMATION As Long = (&H400)
Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Private Const SYNCHRONIZE As Long = &H100000
Private Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
Public Function GetSystemProcessId() As Long
Dim lngCbNeeded As Long
Dim lngNumElements As Long
Dim lngProcessIDArray() As Long
Dim lngCbNeeded2 As Long
Dim lngNumElements2 As Long
Dim Modules(0 To 1023) As Long
Dim lngRet As Long
Dim lngSize As Long
Dim hProcess As Long
Dim i As Long, strModuleName As String
Dim lngModules As Long, hLen As Long
ReDim lngProcessIDArray(1024)
lngRet = EnumProcesses(lngProcessIDArray(0), 4 * 1024, lngCbNeeded)
lngNumElements = lngCbNeeded / 4
ReDim Preserve lngProcessIDArray(lngNumElements - 1)
On Error Resume Next
For i = 0 To lngNumElements - 1
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, False, lngProcessIDArray(i))
If hProcess <> 0 And lngProcessIDArray(i) <> 4 Then
lngRet = EnumProcessModules(hProcess, Modules(0), 1024, lngCbNeeded2)
If lngRet <> 0 Then
strModuleName = String(260, "*")
lngRet = GetModuleFileNameExA(hProcess, Modules(0), strModuleName, 260)
strModuleName = Left(strModuleName, lngRet)
End If
If InStr(LCase(strModuleName), "system32/smss.exe") Then
'If InStr(LCase(strModuleName), "system32/winlogon.exe") Then
GetSystemProcessId = lngProcessIDArray(i)
lngRet = CloseHandle(hProcess)
Exit Function
End If
End If
lngRet = CloseHandle(hProcess)
Next
End Function
- 通过API HOOK 创建SYSTEM用户进程
- "SYSTEM"用户创建进程
- VB 创建SYSTEM用户进程
- 通过HOOK控制进程的创建
- 通过Hook SSDT (System Service Dispath Table) 隐藏进程
- Linux 通过 ptrace 和 plt 实现用户态 API Hook
- 通过Hook API调用打造进程监控程序
- API 通过HOOK OpenProcess() 实现进程防杀
- hook api 保护进程
- system 用户创建的进程创建当前用户(如Administrator)的进程。
- 八、用户进程:TSS、用户进程的创建、用户进程的执行(通过调度函数)
- hook其他进程的API
- hook其他进程的API
- hook其他进程的API
- VB创建SYSTEM用户进程(第一种方法)
- VB创建SYSTEM用户进程(第二种方法)
- 在SYSTEM权限下创建用户进程方法
- Linux 2.6 下通过 ptrace 和 plt 实现用户态 API Hook
- 如何把纵向显示的结果变成横向显示?
- "创建控件时出错/lm/w3svc/... 不是一个有效的iis应用程序" 的解决办法
- 谈谈snprintf
- Everything can be out of control
- 一个容易误解的小问题:TextBox的EnableViewState为false为什么无效
- 通过API HOOK 创建SYSTEM用户进程
- 对与项目中的扫描效果问题的一些想法
- 单选按钮的值
- 水煮coreutils 之二 hash
- 在Visual Studio 2005中调试SQL Server 2005的存储过程
- SQL Server中删除重复数据的几个方法
- 硬盘主&扩展分区,基本&动态磁盘等概念
- 圈
- DZ 结构分析