#include <windows.h>
#include <stdlib.h>
002
/* Id of the host process, filled in by DllMain; EnumWindowsProc only
 * subclasses windows whose owning process id matches it. */
DWORD dwMyProcessId;
/* The next three globals are not referenced anywhere in this file. */
DWORD dwImageBase;
DWORD dwImageSize;
DWORD dwMsgThread;
/* Scratch buffer that DBG_MSG formats into. It is one global shared by every
 * thread that runs a hooked window procedure and is not synchronised, so
 * concurrent debug output may interleave. */
wchar_t dbgBuffer[8192];
008
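/* Format one debug line into the shared dbgBuffer and hand it to the debugger.
 * `format` is a wide wsprintf-style string (wsprintfW caps its output at 1024
 * characters, well inside dbgBuffer).
 * Wrapped in do/while(0) so the macro is safe as the body of an unbraced
 * if/else; OutputDebugStringW is named explicitly because the buffer is
 * wchar_t whether or not UNICODE is defined; `, ##__VA_ARGS__` lets the macro
 * be used with no extra arguments on GCC/Clang as well as MSVC.
 * Not thread-safe: dbgBuffer is a single global. */
#define DBG_MSG(format,...) do {\
wsprintfW(dbgBuffer,format,##__VA_ARGS__);\
OutputDebugStringW(dbgBuffer);\
} while (0)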
013
/* Per-window hook state. EnumWindowsProc allocates one per subclassed window
 * and parks the pointer in the window's GWL_USERDATA slot. */
typedef struct
{
/* Value GWL_USERDATA held before the hook replaced it with this struct. */
LPARAM lparam;
/* Window procedure that was installed before MyProcessMsgW replaced it. */
WNDPROC orgiProc;
}WndData;
019
/* Enable (bEnable != FALSE) or disable one named privilege on the current
 * process token. Name is an SE_*_NAME string understood by
 * LookupPrivilegeValue.
 * Returns TRUE only when the adjustment was fully applied; a token that does
 * not hold the privilege (AdjustTokenPrivileges reporting
 * ERROR_NOT_ALL_ASSIGNED) counts as failure. */
BOOL EnableSpecificPrivilege(BOOL bEnable,LPCTSTR Name)
{
HANDLE hToken = NULL;
TOKEN_PRIVILEGES tp;
BOOL ok = FALSE;

if(!OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,&hToken))
return FALSE;

tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;
if(!LookupPrivilegeValue(NULL,Name,&tp.Privileges[0].Luid))
goto done;

/* AdjustTokenPrivileges returns TRUE even when it applied only part of the
 * request, so the last-error value has to be consulted as well. */
if(!AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(tp),NULL,NULL))
goto done;
ok = (GetLastError() == ERROR_SUCCESS);

done:
CloseHandle(hToken);
return ok;
}
050
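/* Attempt to enable (or disable) every privilege in the fixed list below on
 * the current process token, in list order, one EnableSpecificPrivilege call
 * per entry. Only privileges the token already holds can be toggled, so on an
 * ordinary (non-admin / non-SYSTEM) token most entries will fail.
 * Returns the number of entries EnableSpecificPrivilege reported as applied. */
DWORD EnableAllPrivilege(BOOL bEnable)
{
static LPCTSTR const privilegeNames[] = {
SE_ASSIGNPRIMARYTOKEN_NAME,
SE_AUDIT_NAME,
SE_BACKUP_NAME,
SE_CHANGE_NOTIFY_NAME,
SE_CREATE_PAGEFILE_NAME,
SE_CREATE_PERMANENT_NAME,
SE_CREATE_TOKEN_NAME,
SE_DEBUG_NAME,
SE_INC_BASE_PRIORITY_NAME,
SE_INCREASE_QUOTA_NAME,
SE_LOAD_DRIVER_NAME,
SE_LOCK_MEMORY_NAME,
SE_PROF_SINGLE_PROCESS_NAME,
SE_REMOTE_SHUTDOWN_NAME,
SE_RESTORE_NAME,
SE_SECURITY_NAME,
SE_SHUTDOWN_NAME,
SE_SYSTEM_ENVIRONMENT_NAME,
SE_SYSTEM_PROFILE_NAME,
SE_SYSTEMTIME_NAME,
SE_TAKE_OWNERSHIP_NAME,
SE_TCB_NAME,
SE_UNSOLICITED_INPUT_NAME,
SE_MACHINE_ACCOUNT_NAME,
};
DWORD count = 0;
size_t i;

for(i = 0; i < sizeof(privilegeNames) / sizeof(privilegeNames[0]); i++)
{
if(EnableSpecificPrivilege(bEnable,privilegeNames[i]))
count++;
}
return count;
}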
082
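/* Look up a loaded module by name (NULL = the main executable) and report its
 * load address and mapped size.
 *   pModName  module name as accepted by GetModuleHandleW
 *   pdwBase   receives the module base (0 when the module is not loaded)
 *   size      receives OptionalHeader.SizeOfImage; left untouched on failure
 * Returns FALSE when the module is not loaded or its PE headers do not carry
 * the expected DOS / NT signatures.
 * The DWORD out-parameters are part of the existing interface; on a 64-bit
 * build they cannot hold a full pointer, so the header walk is done through a
 * byte pointer and only the final value reported to the caller is narrowed. */
BOOL GetMouduleRanage(wchar_t* pModName,DWORD *pdwBase,DWORD *size)
{
HMODULE hMod = GetModuleHandleW(pModName);
BYTE *base = (BYTE *)hMod;
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS pNtHeaders;

*pdwBase = (DWORD)(ULONG_PTR)hMod;
if(hMod == NULL)
return FALSE;

/* Validate both signatures before trusting e_lfanew / the optional header. */
pDosHeader = (PIMAGE_DOS_HEADER)base;
if(pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
return FALSE;
pNtHeaders = (PIMAGE_NT_HEADERS)(base + pDosHeader->e_lfanew);
if(pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
return FALSE;

*size = pNtHeaders->OptionalHeader.SizeOfImage;
return TRUE;
}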
095
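/* ANSI counterpart of MyProcessMsgW. Nothing in this file installs it; it
 * exists so ANSI windows have a matching procedure. The body used to be
 * empty, which is undefined behaviour for a non-void function, so it now
 * forwards every message to the default ANSI handler. */
LRESULT CALLBACK MyProcessMsgA(HWND hWnd, UINT nId, WPARAM wparam, LPARAM lparam)
{
return DefWindowProcA(hWnd,nId,wparam,lparam);
}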
100
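/* Subclass procedure that EnumWindowsProc installs on this process's
 * top-level windows. Logs each message id, lets the window's original
 * procedure handle the message and returns that procedure's result.
 *
 * The WndData pointer lives in GWLP_USERDATA. While the original procedure
 * runs, GWLP_USERDATA is temporarily put back to the value the window had
 * before the hook, so code that relies on its own user data keeps working.
 * NOTE(review): that swap is not re-entrancy safe — a message sent
 * synchronously to this window from inside the original procedure arrives
 * here while GWLP_USERDATA holds the original value, which is then misread as
 * a WndData*. Storing the pointer in a window property (SetProp) or using
 * SetWindowSubclass would avoid this; left as-is because EnumWindowsProc is
 * what chooses GWLP_USERDATA as the storage slot.
 * On WM_NCDESTROY the hook removes itself and frees its WndData. */
LRESULT CALLBACK MyProcessMsgW(HWND hWnd, UINT nId, WPARAM wparam, LPARAM lparam)
{
WndData *pWndData;
LRESULT result;

DBG_MSG(L"MSG id:0x%08x\n",nId);
switch(nId)
{
case WM_KEYDOWN:
DBG_MSG(L"Key down !\n");
/* fallthrough */
case WM_CHAR:
break;
case WM_COMMAND:
break;
default:
break;
}

pWndData = (WndData *)GetWindowLongPtrW(hWnd,GWLP_USERDATA);
if(pWndData == NULL)
{
/* No hook state to forward to: fall back to default handling. */
DBG_MSG(L"ERROR : hwnd: %p last error:%u\n",hWnd,GetLastError());
return DefWindowProcW(hWnd,nId,wparam,lparam);
}
if(pWndData->orgiProc == NULL)
return DefWindowProcW(hWnd,nId,wparam,lparam);

if(nId == WM_NCDESTROY)
{
/* Last message the window receives: restore the original procedure and
 * user data, deliver the message to the original procedure, then release
 * the per-window state allocated by EnumWindowsProc. */
SetWindowLongPtrW(hWnd,GWLP_WNDPROC,(LONG_PTR)pWndData->orgiProc);
SetWindowLongPtrW(hWnd,GWLP_USERDATA,(LONG_PTR)pWndData->lparam);
result = CallWindowProcW(pWndData->orgiProc,hWnd,nId,wparam,lparam);
free(pWndData);
return result;
}

SetWindowLongPtrW(hWnd,GWLP_USERDATA,(LONG_PTR)pWndData->lparam);
/* CallWindowProc rather than a direct call: the value SetWindowLongPtrW
 * returned for GWLP_WNDPROC is not necessarily a callable address (for ANSI
 * windows it is a handle), and the original procedure's result must be
 * returned instead of running DefWindowProc a second time on the message. */
result = CallWindowProcW(pWndData->orgiProc,hWnd,nId,wparam,lparam);
SetWindowLongPtrW(hWnd,GWLP_USERDATA,(LONG_PTR)pWndData);
return result;
}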
135
136
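/* EnumWindows callback: subclass each top-level window that belongs to this
 * process (dwMyProcessId, set in DllMain) with MyProcessMsgW. lParam is
 * unused. Always returns TRUE so enumeration continues past failures.
 *
 * Per window it allocates a WndData, parks the pointer in GWLP_USERDATA
 * (remembering the previous value), then swaps the window procedure. If the
 * procedure swap fails the previous user data is put back and the WndData
 * freed, so a failed hook leaves the window exactly as it was. Child windows
 * are not visited (EnumWindows yields top-level windows only), and a window
 * enumerated twice would be subclassed twice, so run this once.
 * NOTE(review): the W procedure is installed on ANSI windows as well; this
 * only works because MyProcessMsgW forwards through CallWindowProcW. */
BOOL CALLBACK EnumWindowsProc(HWND hwnd,LPARAM lParam )
{
DWORD dwProcessId = 0;
WndData *pWndData;
LONG_PTR prev;

(void)lParam;
GetWindowThreadProcessId(hwnd,&dwProcessId);
if(dwProcessId != dwMyProcessId)
return TRUE; /* window was created by another process */

DBG_MSG(L"is unicode :%d ,hwnd :%p\n",IsWindowUnicode(hwnd),hwnd);
pWndData = (WndData *)malloc(sizeof(*pWndData));
if(pWndData == NULL)
{
DBG_MSG(L"ERROR !!! malloc failed..\n");
return TRUE;
}

/* SetWindowLongPtr returns the previous value, which may legitimately be 0,
 * so failure is only recognisable by a non-zero last-error after clearing it. */
SetLastError(0);
prev = SetWindowLongPtrW(hwnd,GWLP_USERDATA,(LONG_PTR)pWndData);
if(prev == 0 && GetLastError() != 0)
{
DBG_MSG(L"SetWindowLongPtrW failed...\n");
free(pWndData);
return TRUE;
}
pWndData->lparam = (LPARAM)prev;

SetLastError(0);
pWndData->orgiProc = (WNDPROC)SetWindowLongPtrW(hwnd,GWLP_WNDPROC,(LONG_PTR)MyProcessMsgW);
if(pWndData->orgiProc == NULL)
{
DBG_MSG(L"Hook Failed!!\n");
/* Roll back so the window is not left holding a dangling WndData pointer. */
SetWindowLongPtrW(hwnd,GWLP_USERDATA,(LONG_PTR)pWndData->lparam);
free(pWndData);
}
return TRUE;
}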
168
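/* Subclass every top-level window owned by this process (see EnumWindowsProc).
 * Intended to be called once; a second call would subclass the same windows
 * again. A failing EnumWindows is only logged because there is no caller to
 * report it to. */
void HookWindowProc(void)
{
if(!EnumWindows(EnumWindowsProc,0))
DBG_MSG(L"EnumWindows failed, last error:%u\n",GetLastError());
}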
173
174
175
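/* DLL entry point. On process attach it adjusts the token's privileges,
 * records the host process id and subclasses the process's top-level windows.
 *
 * NOTE(review): all of this runs under the loader lock. EnumWindows,
 * SetWindowLongPtr on windows owned by other threads, and LookupPrivilegeValue
 * are not guaranteed safe there; the conventional fix is to do the hooking
 * from a worker thread started here rather than inline.
 * NOTE(review): there is no DLL_PROCESS_DETACH counterpart. If the DLL is
 * unloaded while windows are still subclassed, their GWLP_WNDPROC points into
 * unmapped memory; MyProcessMsgW only unhooks per window on WM_NCDESTROY. */
BOOL WINAPI DllMain(
HANDLE hinstDLL,
DWORD dwReason,
LPVOID lpvReserved
)
{
(void)lpvReserved;
switch(dwReason)
{
case DLL_PROCESS_ATTACH:
{
DisableThreadLibraryCalls(hinstDLL);
EnableAllPrivilege(TRUE);
/* GetCurrentProcessId already is the id. The earlier
 * OpenProcess/GetProcessId round trip leaked a PROCESS_ALL_ACCESS handle
 * and could only ever yield the same number (or 0 on failure). */
dwMyProcessId = GetCurrentProcessId();
DBG_MSG(L"My process id :%u \n",dwMyProcessId);
HookWindowProc();
}
break;
default:
break;
}
return TRUE;
}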