通过API HOOK 创建SYSTEM用户进程

最新推荐文章于 2019-05-30 22:46:19 发布
最新推荐文章于 2019-05-30 22:46:19 发布
阅读量5.6k 收藏 7
点赞数
分类专栏: VB文章 文章标签: system hook api function string attributes
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/chenhui530/article/details/1932599
版权

 

 clsHookInfo.cls

VERSION  1.0  CLASS
BEGIN
  MultiUse  =   - 1    ' True
  Persistable  =   0    ' NotPersistable
  DataBindingBehavior  =   0    ' vbNone
  DataSourceBehavior   =   0    ' vbNone
  MTSTransactionMode   =   0    ' NotAnMTSObject
END
Attribute VB_Name  =   " clsHookInfo "
Attribute VB_GlobalNameSpace  =   False
Attribute VB_Creatable  =   True
Attribute VB_PredeclaredId  =   False
Attribute VB_Exposed  =   False
Private  Declare  Function  MessageBoxA Lib  " user32 "  (ByVal hwnd  As   Long , ByVal lpText  As   String , ByVal lpCaption  As   String , ByVal wType  As   Long As   Long
Private  Declare  Function  MessageBoxW Lib  " user32 "  (ByVal hwnd  As   Long , ByVal lpText  As   String , ByVal lpCaption  As   String , ByVal wType  As   Long As   Long
Private  Declare  Function  WriteProcessMemory Lib  " kernel32 "  (ByVal hProcess  As   Long , lpBaseAddress  As  Any, lpBuffer  As  Any, ByVal nSize  As   Long , lpNumberOfBytesWritten  As   Long As   Long
Private  Declare  Sub  CopyMemory Lib  " kernel32 "  Alias  " RtlMoveMemory "  (Destination  As  Any, Source  As  Any, ByVal Length  As   Long )
 Private  Declare  Function  OpenProcess Lib  " kernel32 "  (ByVal dwDesiredAccess  As   Long , ByVal bInheritHandle  As   Long , ByVal dwProcessId  As   Long As   Long
Private  Declare  Function  LoadLibrary Lib  " kernel32 "  Alias  " LoadLibraryA "  (ByVal lpLibFileName  As   String As   Long
Private  Declare  Function  GetProcAddress Lib  " kernel32 "  (ByVal hModule  As   Long , ByVal lpProcName  As   String As   Long
Private  Declare  Function  GetCurrentProcessId Lib  " kernel32 "  ()  As   Long
Private  Declare  Function  CloseHandle Lib  " kernel32 "  (ByVal hObject  As   Long As   Long
Private   Const  PROCESS_QUERY_INFORMATION  As   Long   =  ( & H400)

 Private   Const  STANDARD_RIGHTS_REQUIRED  As   Long   =   & HF0000

 Private   Const  SYNCHRONIZE  As   Long   =   & H100000

 Private   Const  PROCESS_ALL_ACCESS  As   Long   =  (STANDARD_RIGHTS_REQUIRED  Or  SYNCHRONIZE  Or   & HFFF)

 Private  mbytOldCode( 5 As   Byte
Private  mbytNewCode( 5 As   Byte
Private  mlngFunAddr  As   Long

Private  mhProcess  As   Long

Public   Function  HookApi(ByVal strDllName  As   String , ByVal strFunName  As   String , ByVal lngFunAddr  As   Long , ByVal hProcess  As   Long As   Boolean
     Dim  hModule  As   Long , dwJmpAddr  As   Long
    mhProcess  =  hProcess
    hModule  =  LoadLibrary(strDllName)
     If  hModule  =   0   Then
        HookApi  =   False
         Exit   Function
     End   If
    mlngFunAddr  =  GetProcAddress(hModule, strFunName)
     If  mlngFunAddr  =   0   Then
        HookApi  =   False
         Exit   Function
     End   If
    CopyMemory mbytOldCode( 0 ), ByVal mlngFunAddr,  6
    Debug.Print mbytOldCode( 0 ); mbytOldCode( 1 ); mbytOldCode( 2 ); mbytOldCode( 3 ); mbytOldCode( 4 )
    mbytNewCode( 0 =   & HE9
    dwJmpAddr  =  lngFunAddr  -  mlngFunAddr  -   5
    CopyMemory mbytNewCode( 1 ), dwJmpAddr,  4
    Debug.Print mbytNewCode( 0 ); mbytNewCode( 1 ); mbytNewCode( 2 ); mbytNewCode( 3 ); mbytNewCode( 4 )
    HookStatus  True
    HookApi  =   True
End Function

Public   Function  HookStatus(ByVal blnIsHook  As   Boolean As   Boolean
     If  blnIsHook  Then
        If  WriteProcessMemory(mhProcess, ByVal mlngFunAddr, mbytNewCode( 0 ),  5 0 <>   0   Then  HookStatus  =   False   ' 拦截
     Else
         If  WriteProcessMemory(mhProcess, ByVal mlngFunAddr, mbytOldCode( 0 ),  5 0 <>   0   Then  HookStatus  =   False   ' 恢复
     End   If
End Function

Private   Sub  Class_Initialize()
 '     mhProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, GetCurrentProcessId)
End Sub

Private   Sub  Class_Terminate()
    HookStatus  False
'     CloseHandle mhProcess
End Sub


frmMain.frm

VERSION  5.00
Begin VB.Form frmMain 
   BorderStyle      =     1    ' Fixed Single
   Caption          =     " 创建系统进程 "
   ClientHeight     =     3090
   ClientLeft       =     45
   ClientTop        =     435
   ClientWidth      =     4680
   LinkTopic        =     " Form1 "
   MaxButton        =     0     ' False
   MinButton        =     0     ' False
   ScaleHeight      =     3090
   ScaleWidth       =     4680
   StartUpPosition  =     3    ' 窗口缺省
   Begin VB.CommandButton cmdExit 
      Caption          =     " 退出 "
      Default          =     - 1    ' True
      Height           =     375
       Left              =     3510
      TabIndex         =     3
      Top              =     2010
      Width            =     945
    End
   Begin VB.CommandButton cmdRun 
      Caption          =     " 启动 "
      Height           =     375
       Left              =     2190
      TabIndex         =     2
      Top              =     2010
      Width            =     945
    End
   Begin VB.TextBox txtPath 
      Height           =     255
       Left              =     960
      TabIndex         =     1
      Text             =     " notepad "
      Top              =     1020
      Width            =     3525
    End
   Begin VB.Label lblNote 
      AutoSize         =     - 1    ' True
      Caption          =     " 文件路径: "
      Height           =     180
       Left              =     90
      TabIndex         =     0
      Top              =     1050
      Width            =     810
    End
End
Attribute VB_Name  =   " frmMain "
Attribute VB_GlobalNameSpace  =   False
Attribute VB_Creatable  =   False
Attribute VB_PredeclaredId  =   True
Attribute VB_Exposed  =   False
Private  Declare  Function  OpenProcess Lib  " kernel32 "  (ByVal dwDesiredAccess  As   Long , ByVal bInheritHandle  As   Long , ByVal dwProcessId  As   Long As   Long
Private  Declare  Function  CloseHandle Lib  " kernel32 "  (ByVal hObject  As   Long As   Long
Private  Declare  Function  GetCurrentProcessId Lib  " kernel32 "  ()  As   Long
Private   Const  PROCESS_QUERY_INFORMATION  As   Long   =  ( & H400)
 Private   Const  STANDARD_RIGHTS_REQUIRED  As   Long   =   & HF0000
 Private   Const  SYNCHRONIZE  As   Long   =   & H100000
 Private   Const  PROCESS_ALL_ACCESS  As   Long   =  (STANDARD_RIGHTS_REQUIRED  Or  SYNCHRONIZE  Or   & HFFF)

 Private  Type PROCESS_INFORMATION
    hProcess  As   Long
    hThread  As   Long
    dwProcessId  As   Long
    dwThreadId  As   Long
End  Type

 Private  Type STARTUPINFO
    cb  As   Long
    lpReserved  As   String
    lpDesktop  As   String
    lpTitle  As   String
    dwX  As   Long
    dwY  As   Long
    dwXSize  As   Long
    dwYSize  As   Long
    dwXCountChars  As   Long
    dwYCountChars  As   Long
    dwFillAttribute  As   Long
    dwFlags  As   Long
    wShowWindow  As   Integer
    cbReserved2  As   Integer
    lpReserved2  As   Byte
    hStdInput  As   Long
    hStdOutput  As   Long
    hStdError  As   Long
End  Type

 Private  Declare  Function  CreateProcess Lib  " kernel32 "  Alias  " CreateProcessA "  (ByVal lpApplicationName  As   String , ByVal lpCommandLine  As   String , lpProcessAttributes  As  Any, lpThreadAttributes  As  Any, ByVal bInheritHandles  As   Long , ByVal dwCreationFlags  As   Long , lpEnvironment  As  Any, ByVal lpCurrentDriectory  As   String , lpStartupInfo  As  STARTUPINFO, lpProcessInformation  As  PROCESS_INFORMATION)  As   Long

Private   Sub  cmdExit_Click()
    Unload Me
 End Sub

Private   Sub  cmdRun_Click()
     Dim  lp  As  PROCESS_INFORMATION
     Dim  si  As  STARTUPINFO
    si.cb  =   Len (si)
    CreateProcess vbNullString, txtPath.Text, ByVal  0 & , ByVal  0 & 0 0 , ByVal  0 & , vbNullString, si, lp
 End Sub

Private   Sub  Form_Load()
    EnablePrivilege
     ' 注意这里不能马上把句柄关闭掉
    glngSystemHandle  =  OpenProcess(PROCESS_ALL_ACCESS,  0 , GetSystemProcessId)
     If  glngSystemHandle  =   0   Then
         MsgBox   " 获取系统进程句柄出错!! " , vbCritical,  " 错误 "
         Exit   Sub
     End   If
     Set  gclsHookNtCreateProcess  =   New  clsHookInfo
     Set  gclsHookNtCreateProcessEx  =   New  clsHookInfo
    glngProcess  =  OpenProcess(PROCESS_ALL_ACCESS,  0 , GetCurrentProcessId)
    gclsHookNtCreateProcessEx.HookApi  " ntdll.dll " " NtCreateProcessEx " , GetFunAddr(AddressOf NtCreateProcessExCallback), glngProcess
    gclsHookNtCreateProcess.HookApi  " ntdll.dll " " NtCreateProcess " , GetFunAddr(AddressOf NtCreateProcessCallback), glngProcess
 End Sub

Private   Sub  Form_Unload(Cancel  As   Integer )
     Set  gclsHookNtCreateProcess  =   Nothing
     Set  gclsHookNtCreateProcessEx  =   Nothing
    CloseHandle glngSystemHandle
    CloseHandle glngProcess
 End Sub


modEnablePrivilege.bas

Attribute VB_Name  =   " modEnablePrivilege "
Option   Explicit

Private   Const  STANDARD_RIGHTS_REQUIRED  =   & HF0000
 Private   Const  TOKEN_ASSIGN_PRIMARY  =   & H1
 Private   Const  TOKEN_DUPLICATE  =  ( & H2)
 Private   Const  TOKEN_IMPERSONATE  =  ( & H4)
 Private   Const  TOKEN_QUERY  =  ( & H8)
 Private   Const  TOKEN_QUERY_SOURCE  =  ( & H10)
 Private   Const  TOKEN_ADJUST_PRIVILEGES  =  ( & H20)
 Private   Const  TOKEN_ADJUST_GROUPS  =  ( & H40)
 Private   Const  TOKEN_ALL_ACCESS  =   983551
Private   Const  SE_PRIVILEGE_ENABLED  =   & H2
 Private   Const  ANYSIZE_ARRAY  =   1
Private   Const  SE_DEBUG_NAME  =   " SeDebugPrivilege "

Private  Type LUID
    lowpart  As   Long
    highpart  As   Long
End  Type

 Private  Type LUID_AND_ATTRIBUTES
    pLuid  As  LUID
    Attributes  As   Long
End  Type

 Private  Type TOKEN_PRIVILEGES
    PrivilegeCount  As   Long
    Privileges(ANYSIZE_ARRAY)  As  LUID_AND_ATTRIBUTES
 End  Type

 Private  Declare  Function  OpenProcessToken Lib  " advapi32.dll "  (ByVal ProcessHandle  As   Long , ByVal DesiredAccess  As   Long , TokenHandle  As   Long As   Long
Private  Declare  Function  AdjustTokenPrivileges Lib  " advapi32.dll "  (ByVal TokenHandle  As   Long , ByVal DisableAllPriv  As   Long , NewState  As  TOKEN_PRIVILEGES, ByVal BufferLength  As   Long , PreviousState  As  TOKEN_PRIVILEGES, ReturnLength  As   Long As   Long                  ' Used to adjust your program's security privileges, can't restore without it!
Private  Declare  Function  LookupPrivilegeValue Lib  " advapi32.dll "  Alias  " LookupPrivilegeValueA "  (ByVal lpSystemName  As  Any, ByVal lpName  As   String , lpLuid  As  LUID)  As   Long
Private  Declare  Function  GetCurrentProcess Lib  " kernel32 "  ()  As   Long   ' 获取当前进程句柄

 

 Public   Function  EnablePrivilege()  As   Boolean
     Dim  hdlProcessHandle  As   Long
     Dim  hdlTokenHandle  As   Long
     Dim  tmpLuid  As  LUID
     Dim  tkp  As  TOKEN_PRIVILEGES
     Dim  tkpNewButIgnored  As  TOKEN_PRIVILEGES
     Dim  lBufferNeeded  As   Long
     Dim  lp  As   Long
    hdlProcessHandle  =  GetCurrentProcess()
    lp  =  OpenProcessToken(hdlProcessHandle, TOKEN_ADJUST_PRIVILEGES  Or  TOKEN_QUERY, hdlTokenHandle)
    lp  =  LookupPrivilegeValue(vbNullString,  " SeDebugPrivilege " , tmpLuid)
    tkp.PrivilegeCount  =   1
    tkp.Privileges( 0 ).pLuid  =  tmpLuid
    tkp.Privileges( 0 ).Attributes  =  SE_PRIVILEGE_ENABLED
    EnablePrivilege  =  AdjustTokenPrivileges(hdlTokenHandle,  False , tkp,  Len (tkpNewButIgnored), tkpNewButIgnored, lBufferNeeded)
 End Function

 

modHook.bas

Attribute VB_Name  =   " modHook "
Private  Declare  Function  NtCreateProcessEx Lib  " NTDLL.DLL "  (ByRef ProcessHandle  As   Long , ByVal AccessMask  As   Long , ByVal ObjectAttributes  As   Long , ByVal hParentProcess  As   Long , ByVal InheritHandles  As   Long , ByVal hSection  As   Long , ByVal hDebugPort  As   Long , ByVal hExceptionPort  As   Long , ByVal reserv  As   Long As   Long
Private  Declare  Function  NtCreateProcess Lib  " NTDLL.DLL "  (ByRef ProcessHandle  As   Long , ByVal AccessMask  As   Long , ByVal ObjectAttributes  As   Long , ByVal hParentProcess  As   Long , ByVal InheritHandles  As   Long , ByVal hSection  As   Long , ByVal hDebugPort  As   Long , ByVal hExceptionPort  As   Long As   Long
Private  Declare  Function  CloseHandle Lib  " kernel32 "  (ByVal hObject  As   Long As   Long
Private  Declare  Function  GetCurrentProcessId Lib  " kernel32 "  ()  As   Long
Private  Declare  Function  OpenProcess Lib  " kernel32.dll "  (ByVal dwDesiredAccessas  As   Long , ByVal bInheritHandle  As   Long , ByVal dwProcId  As   Long As   Long
Private   Const  PROCESS_QUERY_INFORMATION  As   Long   =  ( & H400)
 Private   Const  STANDARD_RIGHTS_REQUIRED  As   Long   =   & HF0000
 Private   Const  SYNCHRONIZE  As   Long   =   & H100000
 Private   Const  PROCESS_ALL_ACCESS  As   Long   =  (STANDARD_RIGHTS_REQUIRED  Or  SYNCHRONIZE  Or   & HFFF)
 Private  Type OBJECT_ATTRIBUTES
    Length  As   Long
    RootDirectory  As   Long
    ObjectName  As   Long
    Attributes  As   Long
    SecurityDescriptor  As   Long
    SecurityQualityOfService  As   Long
End  Type

 Public  gclsHookNtCreateProcessEx  As  clsHookInfo
 Public  gclsHookNtCreateProcess  As  clsHookInfo
 Public  glngProcess  As   Long
Public  glngSystemHandle  As   Long

Public   Function  NtCreateProcessExCallback(ByRef ProcessHandle  As   Long , ByVal AccessMask  As   Long , ByVal ObjectAttributes  As   Long , ByVal hParentProcess  As   Long , ByVal InheritHandles  As   Long , ByVal hSection  As   Long , ByVal hDebugPort  As   Long , ByVal hExceptionPort  As   Long , ByVal reserv  As   Long As   Long
     Dim  hReturn  As   Long
    
    gclsHookNtCreateProcessEx.HookStatus  False
    hReturn  =  NtCreateProcessEx(ProcessHandle, AccessMask, ObjectAttributes, glngSystemHandle, InheritHandles, hSection, hDebugPort, hExceptionPort, reserv)
    gclsHookNtCreateProcessEx.HookStatus  True
    NtCreateProcessExCallback  =  hReturn
 End Function

Public   Function  NtCreateProcessCallback(ByRef ProcessHandle  As   Long , ByVal AccessMask  As   Long , ByVal ObjectAttributes  As   Long , ByVal hParentProcess  As   Long , ByVal InheritHandles  As   Long , ByVal hSection  As   Long , ByVal hDebugPort  As   Long , ByVal hExceptionPort  As   Long As   Long
     Dim  hReturn  As   Long
    gclsHookNtCreateProcess.HookStatus  False
    hReturn  =  NtCreateProcess(ProcessHandle, AccessMask, ObjectAttributes, glngSystemHandle, InheritHandles, hSection, hDebugPort, hExceptionPort)
    gclsHookNtCreateProcess.HookStatus  True
    NtCreateProcessCallback  =  hReturn
 End Function

Public   Function  GetFunAddr(lngFunAddr  As   Long As   Long
    GetFunAddr  =  lngFunAddr
 End Function


modProcess.bas

Attribute VB_Name  =   " modProcess "
Option   Explicit

Private  Declare  Function  CloseHandle Lib  " kernel32.dll "  (ByVal Handle  As   Long As   Long
Private  Declare  Function  OpenProcess Lib  " kernel32.dll "  (ByVal dwDesiredAccessas  As   Long , ByVal bInheritHandle  As   Long , ByVal dwProcId  As   Long As   Long
Private  Declare  Function  EnumProcesses Lib  " PSAPI.DLL "  (ByRef lpidProcess  As   Long , ByVal cb  As   Long , ByRef cbNeeded  As   Long As   Long
Private  Declare  Function  GetModuleFileNameExA Lib  " PSAPI.DLL "  (ByVal hProcess  As   Long , ByVal hModule  As   Long , ByVal ModuleName  As   String , ByVal nSize  As   Long As   Long
Private  Declare  Function  EnumProcessModules Lib  " PSAPI.DLL "  (ByVal hProcess  As   Long , ByRef lphModule  As   Long , ByVal cb  As   Long , ByRef cbNeeded  As   Long As   Long
Private  Declare  Function  OpenProcessToken Lib  " advapi32.dll "  (ByVal ProcessHandle  As   Long , ByVal DesiredAccess  As   Long , TokenHandle  As   Long As   Long
Private  Declare  Function  GetCurrentProcess Lib  " kernel32 "  ()  As   Long   ' 获取当前进程句柄
Private  Declare  Function  GetLastError Lib  " kernel32 "  ()  As   Long
Private  Declare  Function  GetModuleBaseName Lib  " PSAPI.DLL "  Alias  " GetModuleBaseNameA "  (ByVal hProcess  As   Long , ByVal hModule  As   Long , ByVal lpBaseName  As   String , ByVal nSize  As   Long As   Long
Private   Const  PROCESS_QUERY_INFORMATION  =   & H400
 Private   Const  PROCESS_VM_READ  =   & H10

 ' Private Const PROCESS_QUERY_INFORMATION As Long = (&H400)
Private   Const  STANDARD_RIGHTS_REQUIRED  As   Long   =   & HF0000
 Private   Const  SYNCHRONIZE  As   Long   =   & H100000
 Private   Const  PROCESS_ALL_ACCESS  As   Long   =  (STANDARD_RIGHTS_REQUIRED  Or  SYNCHRONIZE  Or   & HFFF)

 Public   Function  GetSystemProcessId()  As   Long
     Dim  lngCbNeeded  As   Long
     Dim  lngNumElements  As   Long
     Dim  lngProcessIDArray()  As   Long
     Dim  lngCbNeeded2  As   Long
     Dim  lngNumElements2  As   Long
     Dim  Modules( 0   To   1023 As   Long
     Dim  lngRet  As   Long
     Dim  lngSize  As   Long
     Dim  hProcess  As   Long
     Dim  i  As   Long , strModuleName  As   String
     Dim  lngModules  As   Long , hLen  As   Long
     ReDim  lngProcessIDArray( 1024 )
    lngRet  =  EnumProcesses(lngProcessIDArray( 0 ),  4   *   1024 , lngCbNeeded)
    lngNumElements  =  lngCbNeeded  /   4
     ReDim  Preserve lngProcessIDArray(lngNumElements  -   1 )
     On   Error   Resume   Next
     For  i  =   0   To  lngNumElements  -   1
        hProcess  =  OpenProcess(PROCESS_QUERY_INFORMATION  Or  PROCESS_VM_READ,  False , lngProcessIDArray(i))
         If  hProcess  <>   0   And  lngProcessIDArray(i)  <>   4   Then
            lngRet  =  EnumProcessModules(hProcess, Modules( 0 ),  1024 , lngCbNeeded2)
             If  lngRet  <>   0   Then
                strModuleName  =   String ( 260 " * " )
                lngRet  =  GetModuleFileNameExA(hProcess, Modules( 0 ), strModuleName,  260 )
                strModuleName  =   Left (strModuleName, lngRet)
             End   If
             If   InStr ( LCase (strModuleName),  " system32/smss.exe " Then
             ' If InStr(LCase(strModuleName), "system32/winlogon.exe") Then
                GetSystemProcessId  =  lngProcessIDArray(i)
                lngRet  =  CloseHandle(hProcess)
                 Exit   Function
             End   If
         End   If
        lngRet  =  CloseHandle(hProcess)
     Next
End Function

 
进程隐藏之API HOOK
weixin_42071117的博客
10-20 1218
// 在Windows中,用户进程的所有操作都是基于WIN32 API来实现的,例如使用任务管理器来查看进程等操作。 // API HOOK技术是一种改变API执行结果的技术。 // PS:ZwQuerySystemInformation函数: // 功能:获取指定的系统信息。 // 原型:NTSTASTUS WINAPI ZwQuerySystemInformation ( // _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
Win10 Hook 进程创建的研究
myjisgreat的专栏
11-21 8300
Win7甚至在它之前开始,想要hook进程创建已经不能简单的HookCreateProcessInternalW这一个函数了,因为Vista开始引入了UAC机制。如果一个进程想要通过UAC弹窗创建管理员进程hook这个进程的CreateProcessInternalW已经不起作用,我在几年前的博文《Win7/VistaHook CreateProcess 的特别之处》(http://blog
API_HOOK_CreateProcess进程监视:知道你运行了哪些程序.zip
04-04
API_HOOK_CreateProcess知道你运行哪些程序.zip
APIHook CreateProcess
Ghost-J 's Area.
08-21 4862
unit ApiHook;interfaceuses Windows, Messages, Dialogs, Controls, Classes, SysUtils, psapi;type PImpCode = ^TImpCode; TImpCode = packed record JumpItn: Word; // 应该是$25FF,JUM
创建SYSTEM用户权限的进程
csafu的专栏
02-22 2525
#include #include #include #include #include typedef NTSTATUS (WINAPI *pfRtlAdjustPrivilege)( ULONG Privilege, BOOLEAN Enable, BOOLEAN CurrentThread, PBOOLEAN Enabled); void AdjustPri
VB 创建SYSTEM用户进程
lotuso的专栏
05-12 456
Option Explicitchenhui530 VB创建SYSTEM用户进程2007-5-29Private Const PROCESS_Create_THREAD = &H2Private Const PROCESS_QUERY_INFORMATION = &H400Private Const PROCESS_VM_WRITE = &H20Private Const PROCESS_V
【翻译】系统范围内挂钩Native API控制进程创建(SSDT HOOK)
Leo的专栏
12-15 1449
作者:Anton Bassov原文地址:[url]http://www.codeproject.com/KB/system/soviet_protector.aspx[/url]该文同时发表于看雪论坛:http://bbs.pediy.com/showthread.php?t=126574简介最近我偶然看到一款叫作Sanctuary的安全产品的介绍,这个产品非常有趣.它可以阻止任何程序的的运行,只要在特定机器的"允许运行软件列表"中没有这个软件.因此,PC用户就可以对抗间谍插件,蠕虫和木马--即使一些恶意软
API_HOOK.rar_api hook_hook api_system用户进程_visual c
09-21
3. **权限管理**:为了创建SYSTEM进程,可能需要获取SeDebugPrivilege等特权,这可以通过AdjustTokenPrivileges函数实现。 4. **安全考虑**:由于涉及到系统级别的操作,必须确保代码的安全性,防止恶意利用。 总结...
创建SYSTEM用户进程的软件源码
04-09
标题中的“创建SYSTEM用户进程”是指在Windows操作系统中,通过编程方式创建一个权限级别为SYSTEM的用户进程。在Windows系统中,SYSTEM用户是最高级别的内置账户,拥有对系统的完全访问权,通常用于执行核心服务和...
通过HOOK控制进程创建
jiangxinyu的专栏
01-29 4717
一、 简介  最近,我了解到一个叫做Sanctuary的相当有趣的安全产品。它能够阻止任何程序的运行-这些程序没有显示在软件列表中-该表中的程序被允许在一个特定的机器上运行。结果,PC用户得到保护而免于各种插件间谍软件、蠕虫和特洛伊木马的侵袭-就算能够进入他/她的计算机,它们也没有机会执行,并因此没有机会对该机器造成任何损害。当然,我觉得这个特征相当有趣;并且,在稍作思考以后,我就有了一个自己
Hook_API.rar_Hook_api_api hook_api 码_hook_hook api
09-20
"Hook_API.rar_Hook_api_api hook_hook api"这个标题暗示了内容涉及到API钩子技术,这是一种监视或修改其他程序调用API行为的技术。在这个压缩包中,你可能找到了关于如何实现API钩子的源代码示例。 API钩子是一种...
hook方式进程创建监控,进程保护
kernweak的博客
05-30 3092
关于进程创建, xp系统:CreatProcessW->CreateProcessInternalW->NtCreateProcessEx->NtCreatSection Vista以上:CCreatProcessW->CreateProcessInternalW->NtCreateUserProcess->NtCreateSection 所以我们要Hoo...
VB创建SYSTEM用户进程
05-07
摘要:VB源码,系统相关,创建用户  使用VB创建一个SYSTEM用户进程,注意: 本程序不支持 win7 、 vista操作系统,Windows XP/2K正常运行。
API HOOK 全局钩子, 防止进程被杀
03-22
API拦截 防止进程被控制台杀死. 用的是全局钩子 通过修改进程的导入表修改OpenProcess的地址指向我们自定义的函数
hook其他进程API
Johnny的专栏
08-22 1707
HOOK是一种WINDOWS下存在很久的技术了。 HOOK一般分两种1。HOOK MESSAGE 2。HOOK API 本问讨论的是HOOK API。(如果你是HOOK高手就不要看了) 在最初学HOOK-API的时候通常都是通过"覆盖地址"和"修改IAT"的方法。通过这两种技术,我们基本都可以实现对本进程API函数进行HOOK了。但是在高兴之余会有点遗憾,怎么才能HOOK其他进程API函数呢?
EasyHook远程进程注入并hook api的实现
03-15
总之,EasyHook是实现远程进程API Hook的强大工具,通过理解其工作原理和使用方法,我们可以有效地监控和控制远程进程的行为,从而实现各种复杂的功能。但需要注意,不恰当的使用可能会导致安全问题,因此在实际应用...
在SYSTEM权限下创建用户进程方法
edger2heaven的专栏
04-06 678
1、runas,优点系统自带,缺点要交互。 2、lsrunas ,可以一次完成。 3、nircmd,功能丰富强大,缺点有时会被杀软查杀。 4、计划任务schtasks,优点系统自带。 5、psexec,新版本会蹦框提示,需要先运行命令加入注册表或运行时加-accepteula选项。 ......
HOOK小工具(进程、窗口、全局)
12-14
HOOK小工具,可以用进程,窗口,全局注入,本人用进程方法注入了带NP的游戏
Hook技术(五)如何Hook系统中任意服务
我叫王菜鸟
03-15 6045
获取服务&amp;注册 ServiceManager.getService() public static IBinder getService(String name) { try { IBinder service = sCache.get(name); //先从缓存中查看 if (service != null) { ...
评论 10
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值