void APCKernelRoutine(PKAPC pKAPC,
PKNORMAL_ROUTINE pUserAPC,
PVOID pContext,
PVOID pSysArg1,
PVOID pSysArg2)
{
DbgPrint("APCKernelRoutine Entered\n");
ExFreePool(pKAPC);
}
NTSTATUS InjectDllByAPC(ULONG TargetPid, ULONG TargetTid, PUNICODE_STRING usDllPath, ULONG LdrMethodAddress)
{
ULONG size;
PKTHREAD TargetThread;
PEPROCESS TargetProcess;
KAPC_STATE ApcState; ULONG arg1 = 0;
ULONG arg2 = 0;
ULONG arg3 = 0;
DbgPrint("Inside InjectDllByAPC...\n"); size = (unsigned char*)APCMdlCodeEnd - (unsigned char*)APCMdlCode;
DbgPrint("Allocating MDL (1)...\n"); pMDLApcCode = IoAllocateMdl(APCMdlCode, size, FALSE, FALSE, NULL);
if (!pMDLApcCode)
{
return(STATUS_UNSUCCESSFUL);
}
MmProbeAndLockPages(pMDLApcCode, KernelMode, IoWriteAccess);
RtlZeroMemory(pAPCData, sizeof( pAPCData));
memcpy( (char*) pAPCData, usDllPath->Buffer, usDllPath->Length);
unicodeLengthInfo = *(ULONG*) usDllPath;
pMDLApcData = IoAllocateMdl (pAPCData, sizeof(pAPCData), FALSE,FALSE,NULL);
if (!pMDLApcData)
{
return STATUS_UNSUCCESSFUL;
}
MmProbeAndLockPages(pMDLApcData, KernelMode, IoWriteAccess); PsLookupProcessByProcessId((HANDLE)TargetPid, &TargetProcess);
DbgPrint("Pid: %d, PEPROCESS: 0X%X\n", TargetPid, TargetProcess);
PsLookupThreadByThreadId ((PVOID) TargetTid, &TargetThread);
DbgPrint("Tid: %d, PKTHREAD: 0X%X\n", TargetTid, TargetThread); KeStackAttachProcess((PKPROCESS) TargetProcess, &ApcState);
pMappedCode = (PVOID*) MmMapLockedPagesSpecifyCache(pMDLApcCode, UserMode, MmCached, NULL, FALSE, NormalPagePriority);
pMappedData = (PVOID*) MmMapLockedPagesSpecifyCache(pMDLApcData, UserMode, MmCached, NULL, FALSE, NormalPagePriority); KeUnstackDetachProcess (&ApcState);
arg1 = (ULONG) LdrMethodAddress;
arg2 = (ULONG) pMappedData;
arg3 = (ULONG) unicodeLengthInfo;
pKAPC = (PKAPC) ExAllocatePool( NonPagedPool, sizeof(KAPC) );
RtlZeroMemory(pKAPC, sizeof(KAPC));
KeInitializeApc(pKAPC, TargetThread, OriginalApcEnvironment,
(PKKERNEL_ROUTINE)APCKernelRoutine, NULL,
(PKNORMAL_ROUTINE) pMappedCode,
UserMode, (PVOID)arg1); KeInsertQueueApc(pKAPC, (PVOID)arg2, (PVOID)arg3, 0);
//KETHREAD.ApcState.UserApcPending = 1
//*((unsigned char *)TargetThread + 0x4a) = 1; //XP, 2K3 RTM
//*((unsigned char *)TargetThread + 0x3e) = 1; //2K3 SP1, SP2
//*((unsigned char *)TargetThread + 0x4e) = 1; //Vista
*((unsigned char *)TargetThread + 0x56) = 1; //Win 7
if (pMDLApcCode)
{
MmUnlockPages(pMDLApcCode);
IoFreeMdl(pMDLApcCode);
} if (pMDLApcData)
{
MmUnlockPages(pMDLApcData);
IoFreeMdl(pMDLApcData);
}
ObDereferenceObject(TargetProcess);
ObDereferenceObject(TargetThread); return STATUS_SUCCESS;
}
void APCMdlCode(PVOID lpLdrLoadDll, PVOID pwsDllPath, PVOID pwsDllPathLength)
{
UNICODE_STRING usDllName;
ULONG DllCharacteristics = 0;
PVOID DllHandle = 0;
usDllName.Length = (USHORT) pwsDllPathLength;
usDllName.MaximumLength = usDllName.Length + 2;
usDllName.Buffer = (WCHAR*) pwsDllPath;
__asm
{
pushad lea eax, DllHandle
push eax
lea eax, usDllName
push eax
lea eax, DllCharacteristics
push eax
push 0
call [lpLdrLoadDll] nop
nop
popad }
}
void APCMdlCodeEnd()
{
}
APC注入DLL(win7下有问题)
最新推荐文章于 2024-07-10 01:01:34 发布