Win8下HOOK explorer的CreateProcessW函数

最新推荐文章于 2019-05-11 15:25:07 发布
最新推荐文章于 2019-05-11 15:25:07 发布
阅读量2.4k 收藏
点赞数 1
分类专栏: MFC/Windows程序
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/dszgf5717/article/details/44160807
版权

windows的很多进程都是通过explorer来创建的,所以如果我们设置一个钩子,劫取explorer的CreateProcess,那可以对其它的进程做些事情了。

        首先使用ollyDBG这个工具查看一下CreateProcessW函数是哪个dll给带出来的,不一定是kernel32.dll,在我的机器上是:API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2.DLL,ollyDBG这个软件怎么用网上教程一大把,《加密与解密》这本书也介绍的非常详细,不过这里就使用一下Ctrl+N和打断点就OK了。最后发现CreateProcess函数是在Shell32.dll的API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2.DLL中引入的。

关于如何注入explorer这个程序,请看这个帖子:http://bbs.pediy.com/showthread.php?t=126226

废话就说这么多,下面贴下代码看如何在explorer中劫取这个函数:

// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"

DWORD dwOrigCreateProcessAddr;
HINSTANCE hInstance = NULL;
bool noLogfile = true;

typedef BOOL(WINAPI *LPCREATEPROCESS)(
	LPCWSTR lpApplicationName,
	LPWSTR lpCommandLine,
	LPSECURITY_ATTRIBUTES lpProcessAttributes,
	LPSECURITY_ATTRIBUTES lpThreadAttributes,
	BOOL bInheritHandles,
	DWORD dwCreationFlags,
	LPVOID lpEnvironment,
	LPCWSTR lpCurrentDirectory,
	LPSTARTUPINFOW lpStartupInfo,
	LPPROCESS_INFORMATION lpProcessInformation
	);

void OutLog(char *pStr);

BOOL WINAPI MyCreateProcessW(
	LPCWSTR lpApplicationName,
	LPWSTR lpCommandLine,
	LPSECURITY_ATTRIBUTES lpProcessAttributes,
	LPSECURITY_ATTRIBUTES lpThreadAttributes,
	BOOL bInheritHandles,
	DWORD dwCreationFlags,
	LPVOID lpEnvironment,
	LPCWSTR lpCurrentDirectory,
	LPSTARTUPINFOW lpStartupInfo,
	LPPROCESS_INFORMATION lpProcessInformation
	);

void HookCreateProcess(bool bHook);

BOOL APIENTRY DllMain(HMODULE hModule,
	DWORD  ul_reason_for_call,
	LPVOID lpReserved
	)
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
	{
							   hInstance = (HINSTANCE)hModule;
							   OutLog("dll attach; test by huangwu.");
							   HookCreateProcess(true);
							   break;
	}
	case DLL_THREAD_ATTACH:
		break;
	case DLL_THREAD_DETACH:
		break;
	case DLL_PROCESS_DETACH:
	{
							   HookCreateProcess(false);
							   break;
	}
	}
	return TRUE;
}

void HookCreateProcess(bool bHook)
{
	HMODULE hModule = GetModuleHandle("SHELL32.DLL");
	if (hModule != NULL)
	{
		PIMAGE_DOS_HEADER pstDosHeader = (PIMAGE_DOS_HEADER)hModule;
		PIMAGE_NT_HEADERS pstNtHeaders = (PIMAGE_NT_HEADERS)((ULONG)hModule + (ULONG)(pstDosHeader->e_lfanew));
		IMAGE_OPTIONAL_HEADER stOptionalHeader = pstNtHeaders->OptionalHeader;
		IMAGE_DATA_DIRECTORY stImportDataDirectory = stOptionalHeader.DataDirectory[1];//导入表结构
		PIMAGE_IMPORT_DESCRIPTOR pstImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG)hModule + (ULONG)(stImportDataDirectory.VirtualAddress));

		PIMAGE_THUNK_DATA pThunkData = NULL;
		while (pstImportDescriptor->FirstThunk != 0)
		{
			char *pDllName = (char*)((ULONG)hModule + pstImportDescriptor->Name);
			if (0 == strnicmp(pDllName, "API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2.DLL", strlen("API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2.DLL")))
			{
				OutLog("找到导入表中API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2.DLL.");
				pThunkData = (PIMAGE_THUNK_DATA)((ULONG)hModule + pstImportDescriptor->FirstThunk);
				break;
			}
			pstImportDescriptor++;
		}
		if (pThunkData != NULL)
		{
			DWORD ulCreateProcessW = (ULONG)GetProcAddress(GetModuleHandle("kernel32.dll"), "CreateProcessW");
			while (pThunkData->u1.Function != 0)
			{
				DWORD *lpFuncAddr = (PULONG)&(pThunkData->u1.Function);
				/*char * pLog = new char[100];
				sprintf(pLog, "%x-%x-MyCreateProcessA:%x-%x", *lpFuncAddr, lpFuncAddr, MyCreateProcessW, ulCreateProcessW);
				OutLog(pLog);
				delete[] pLog;*/

				if (*lpFuncAddr == ulCreateProcessW)
				{
					OutLog("找到API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2.DLL结构中CreateProcessW函数地址.");
					dwOrigCreateProcessAddr = *lpFuncAddr;
					DWORD dwOldProtect = 0;

					MEMORY_BASIC_INFORMATION stMemBasicInfo = { 0 };
					VirtualQuery(lpFuncAddr, &stMemBasicInfo, sizeof(MEMORY_BASIC_INFORMATION));
					/*char *pLog2 = new char[300];
					sprintf(pLog2, "该块内存信息stMemBasicInfo.BaseAddress is %x, stMemBasicInfo.Protect is %d, stMemBasicInfo.RegionSize is %d", stMemBasicInfo.BaseAddress, stMemBasicInfo.Protect, stMemBasicInfo.RegionSize);
					OutLog(pLog2);
					delete[] pLog2;*/
					VirtualProtect(stMemBasicInfo.BaseAddress, stMemBasicInfo.RegionSize, PAGE_EXECUTE_READWRITE, &dwOldProtect);
					if (bHook)
					{
						DWORD lpDw = (DWORD)MyCreateProcessW;
						HANDLE h = ::GetCurrentProcess();
						OutLog("开始改写函数地址.");
						bool bOk = WriteProcessMemory(h, lpFuncAddr, &lpDw, sizeof(DWORD), NULL);
						if (bOk == true)
							OutLog("改写API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2.DLL结构中CreateProcessW函数地址成功");
						else
						{
							OutLog("改写API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2.DLL结构中CreateProcessW函数地址失败");
							VirtualProtect(stMemBasicInfo.BaseAddress, stMemBasicInfo.RegionSize, dwOldProtect, NULL);
						}
					}
					else
						::WriteProcessMemory(::GetCurrentProcess(), lpFuncAddr, &dwOrigCreateProcessAddr, sizeof(DWORD), NULL);
					DWORD temp = 0;
					VirtualProtect(stMemBasicInfo.BaseAddress, stMemBasicInfo.RegionSize, dwOldProtect, &temp);
					OutLog("属性修改成功");
					break;
				}
				pThunkData++;
			}
		}
		else
			OutLog("没有找到导入表中SHELL32.DLL结构.");
	}
	else
	{
		OutLog("获取当前进程句柄失败.");
	}
	OutLog("成功退出HOOK函数");
}

BOOL WINAPI MyCreateProcessW(
	LPCWSTR lpApplicationName,
	LPWSTR lpCommandLine,
	LPSECURITY_ATTRIBUTES lpProcessAttributes,
	LPSECURITY_ATTRIBUTES lpThreadAttributes,
	BOOL bInheritHandles,
	DWORD dwCreationFlags,
	LPVOID lpEnvironment,
	LPCWSTR lpCurrentDirectory,
	LPSTARTUPINFOW lpStartupInfo,
	LPPROCESS_INFORMATION lpProcessInformation
	)
{
	OutLog("进入MyCreateProcessW函数");
	DWORD dwNum = WideCharToMultiByte(CP_OEMCP, 0, (LPCWCH)lpApplicationName, -1, NULL, 0, NULL, false);
	if (dwNum != 0)
	{
		char *lpAnsiName = new char[dwNum + 1];
		dwNum = WideCharToMultiByte(CP_OEMCP, NULL, (LPCWCH)lpApplicationName, -1, lpAnsiName, dwNum + 1, NULL, false);

		OutLog(lpAnsiName);
		char lpExePath[100] = { 0 };
		strncpy(lpExePath, lpAnsiName, strlen(lpAnsiName));

		char lpExeName[50] = { 0 };
		char *p = strrchr(lpAnsiName, '\\');
		strncpy(lpExeName, p + 1, strlen(p + 1));
		OutLog(lpExeName);
		delete lpAnsiName;
		//如果是感兴趣的进程被创建,将通过EPO技术挂关键函数,这里只是修改进程的EP入口,对目标进程实现dll注入
		if ('3' == lpExeName[0] && '6' == lpExeName[1] && '0' == lpExeName[2])
		{

			dwCreationFlags |= CREATE_SUSPENDED;
			bool bRes = ((LPCREATEPROCESS)dwOrigCreateProcessAddr)(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes,
				bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);

			OutLog("找到360相关进程");
			if (bRes)
			{
				Sleep(180000);
				ResumeThread(lpProcessInformation->hThread);
				OutLog("恢复360相关进程");
			}

			return bRes;
		}
		else
		{
			return ((LPCREATEPROCESS)dwOrigCreateProcessAddr)(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes,
				bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
		}

	}
	else
	{
		OutLog("lpApplicationName为空");
		return ((LPCREATEPROCESS)dwOrigCreateProcessAddr)(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes,
			bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
	}
}

void OutLog(char *pStr)
{
	//判断日志文件是否存在
	bool bFileExist = false;
	FILE *fp = NULL;
	//fp = fopen("C:\\Users\\May_second\\Desktop\\0308_badboy\\log.txt", "a+");
	fp = fopen("F:\\C++文件\\0308_BadBoy\\Debug\\log.txt", "a+");
	if (fp != NULL)
	{
		fprintf(fp, "%s\n", pStr);
		fclose(fp);
		fp = NULL;
	}
	else if (noLogfile)
	{
		noLogfile = false;
		MessageBox(NULL, "没找到对应log文件", NULL, MB_OK);
	}
}


花果山总钻风
关注
专栏目录
Win10 Hook 进程创建的研究
myjisgreat的专栏
11-21 8230
Win7甚至在它之前开始,想要hook进程创建已经不能简单的HookCreateProcessInternalW这一个函数了,因为Vista开始引入了UAC机制。如果一个进程想要通过UAC弹窗创建管理员进程,hook这个进程的CreateProcessInternalW已经不起作用,我在几年前的博文《Win7/VistaHook CreateProcess 的特别之处》(http://blog
Hook CreateProcess
weixin_30616969的博客
08-19 1112
6种比较常用的运行(执行)程序的方法: 包括WinExec、ShellExecute、CreateProcessCreateProcessAsUser、CreateProcessWithLogonW、CreateProcessWithTokenW 要在r3层hook程序的运行,需要用到上述api CreateProcessAsUser win7用 CreatePr...
挂接CreateProcessW实现对进程创建的完全控制
08-05 1420
SystEm32:这份文档演示了如何实现全局HOOK>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++【前言】【概述】【copy-on-write】【三种可行的办法】【完整演示代码】【资源】++++++++++++++++++++++++++++++++++++++
注入Explorer.exe 并Hook CreateProcessW (MinHook库)
Care
01-21 3324
记录下学习的经历.. win10系统 被某杀毒给挂钩了.. 直接用虚拟机来操作 // dllmain.cpp : 定义 DLL 应用程序的入口点。 #include "stdafx.h" #include #include "MinHook.h" #include #if defined _M_X64 #pragma comment(lib, "libMinHoo
CreateProcessW记录
acmumw248662的博客
11-02 153
STARTUPINFO si = { sizeof(si) }; PROCESS_INFORMATION pi; si.dwFlags = STARTF_USESHOWWINDOW; si.wShowWindow = TRUE; //TRUE表示显示创建的进程的窗口TCHAR cmdline[] =TEXT("c://program files//internet expl...
IATHookTest.zip
01-08
本实例是关于如何利用IAT Hook在程序启动时进行拦截,具体针对`CreateProcessW`函数,以实现对`explorer.exe`进程的控制。`IATHookTest.zip`包含了一个示例程序,它演示了这个过程。 首先,我们需要了解IAT Hook的...
HOOK如何用C++调用detours劫持WindowsAPI?
05-11 796
00 detours detours是微软亚洲研究院出品的信息安全产品,用于劫持 可用Detours Express 3.0编译生成detours.lib 01 劫持MessageBoxW() vs2015创建空项目,源文件中添加msg.c 把detours.h、detours.lib、detver.h文件复制到msg.c同目录下 输入MessageBoxW()右键选择查看定...
定位未导出的函数地址(SHCreateProcess
myjisgreat的专栏
06-13 3301
定位未导出的函数地址(SHCreateProcess) 搬运自我的百度空间,文章基于windows7 64位   我们要Hook shell32.dll的SHCreateProcess这个函数,苦于他没有被导出,也无从知道地址。 其实我们还是有办法的。windbg有功能叫做栈回朔技术,可以看到函数的调用者,函数的调用者的调用者,函数的调用
全局监控进程创建and禁止结束某进程
编程论坛
06-12 1658
32位系统直接传统Hook就Ok了,但是64位系统就不行了,需要改动一下汇编代码64位系统Hook需求1.目标进程64位2.注入程序64位3.dll64位以上条件必须都满足方可Hook64程序--------------------------------------------------------------------------------------------------------...
X64 inline hook CreateProcessInternalW
11-24
X64 inline hook explorer.exe-->CreateProcessInternalW监视进程创建. vc2008+WIN7 64测试通过.
HookCreateProcess示例
08-30
Hook explorer.exe进程CreateProcess示例
CreateProcess
06-24
通过进程打开另一个进程的三种方法:CreateProcess,WinExec,ShellExecute ,给出了调用的实现代码,源码中有CreateProcess,ShellExecute的函数说明,包含一个可执行的演示程序和源码 用VC2008编写的
hook CreateProcessInternal
07-02
利用inline hook技术挂钩CreateProcessInternal,win7 32/64代码均有
APIHook CreateProcess
Ghost-J 's Area.
08-21 4845
unit ApiHook;interfaceuses Windows, Messages, Dialogs, Controls, Classes, SysUtils, psapi;type PImpCode = ^TImpCode; TImpCode = packed record JumpItn: Word; // 应该是$25FF,JUM
注意CreateProcessW函数
ITLionWoo的专栏
04-11 6326
看下面这个代码有什么问题:  #define PROCESS_NAME _T(“C://Windows/NotePad.ext”)      if (!CreateProcessW(NULL, PROCESS_NAME, NULL, NULL, FALSE, 0, NULL, NULL, &startupInfo, &processInformation))  这里的问
processthreadsapi CreateProcessW
程序员Link
03-08 588
CreateProcessW Creates a new process and its primary thread. The new process runs in the security context of the calling process. If the calling process is impersonating another user, the new process...
Win7/Vista Hook CreateProcess 的特别之处
myjisgreat的专栏
06-13 4552
Win7/Vista Hook CreateProcess 的特别之处 搬运自我的百度空间,写本文时主流系统为Win7,本文的方法没有在高版本的windows尝试 HookCreateProcess后发现,每当非管理员进程创建管理员进程,这个Hook被绕过了。   Win7中如果要截取创建新进程,单单Hook 本进程kernel32中的
arm汇编hook主动调用函数
最新发布
08-14
ARM汇编中的hook主动调用函数通常是指通过修改程序内存中的函数地址或者函数指针,使得程序在特定条件下执行我们自定义的代码,然后再跳转回原函数继续执行。这在动态链接库劫持、调试插桩或者安全检查等领域有应用...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值