Detours版HOOK 未导出的API函数CreateProcessInternalW

已于 2025-05-10 08:27:58 修改
阅读量1.8k 收藏 3
点赞数
分类专栏: VB6.0 文章标签: 测试工具 mfc c++
于 2021-11-22 20:05:03 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/i735740559/article/details/121479278
版权 
#include <stdio.h>
//#include <tchar.h>
#include <windows.h>
#include "detours.h"
#pragma comment(lib,"detours.lib")




//以下是HOOK需要的头文件

//#include <winsock2.h>
//#include <MSWSock.h>

//#pragma comment(lib,"ws2_32.lib")

//#include <string.h>
//#include<iostream>
//using namespace std ;

//CreateProcessInternalW

                      //HANDLE hToken,LPCTSTR lpApplicationName,LPTSTR lpCommandLine,LPSECURITY_ATTRIBUTES lpProcessAttributes,LPSECURITY_ATTRIBUTES lpThreadAttributes,BOOL bInheritHandles,DWORD dwCreationFlags,LPVOID lpEnvironment,LPCTSTR lpCurrentDirectory,LPSTARTUPINFOA lpStartupInfo,LPPROCESS_INFORMATION lpProcessInformation,PHANDLE hNewToken

//BOOL (WINAPI  * TrueCreateProcessA)(LPCTSTR lpApplicationName, LPTSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD  dwCreationFlags,   LPVOID lpEnvironment, LPCTSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation)=CreateProcessA;


//由于CreateProcessInternalW 函数是没有导出的,所以我们自己自己定义类下 函数原型
typedef BOOL  (WINAPI *__CreateProcessInternal)(HANDLE hToken,LPCTSTR lpApplicationName,LPTSTR lpCommandLine,LPSECURITY_ATTRIBUTES lpProcessAttributes,LPSECURITY_ATTRIBUTES lpThreadAttributes,BOOL bInheritHandles,DWORD dwCreationFlags,LPVOID lpEnvironment,LPCTSTR lpCurrentDirectory,LPSTARTUPINFOA lpStartupInfo,LPPROCESS_INFORMATION lpProcessInformation,PHANDLE hNewToken);
__CreateProcessInternal CreateProcessInternalW = 0;


BOOL (WINAPI  * TrueCreateProcessInternalW)(HANDLE hToken,LPCTSTR lpApplicationName,LPTSTR lpCommandLine,LPSECURITY_ATTRIBUTES lpProcessAttributes,LPSECURITY_ATTRIBUTES lpThreadAttributes,BOOL bInheritHandles,DWORD dwCreationFlags,LPVOID lpEnvironment,LPCTSTR lpCurrentDirectory,LPSTARTUPINFOA lpStartupInfo,LPPROCESS_INFORMATION lpProcessInformation,PHANDLE hNewToken) = CreateProcessInternalW;

BOOL  WINAPI TimedCreateProcessInternalW(HANDLE hToken,LPCTSTR lpApplicationName,LPTSTR lpCommandLine,LPSECURITY_ATTRIBUTES lpProcessAttributes,LPSECURITY_ATTRIBUTES lpThreadAttributes,BOOL bInheritHandles,DWORD dwCreationFlags,LPVOID lpEnvironment,LPCTSTR lpCurrentDirectory,LPSTARTUPINFOA lpStartupInfo,LPPROCESS_INFORMATION lpProcessInformation,PHANDLE hNewToken)
{
       BOOL ret=FALSE;

       ret = TrueCreateProcessInternalW( hToken,lpApplicationName, lpCommandLine,  lpProcessAttributes, lpThreadAttributes,  bInheritHandles,  dwCreationFlags,   lpEnvironment,  lpCurrentDirectory,  lpStartupInfo,  lpProcessInformation,hNewToken); //执行真函数ShowWindow

      char path[250]="C:\\dxDll.dll";//只需在此填写你的那个 钩子dll路径 即可


     //MessageBox(0,path,"tip",0);
     DWORD size = strlen( path ) + 1;

    	HANDLE myProcess=lpProcessInformation->hProcess;



		LPVOID buf =   VirtualAllocEx( lpProcessInformation->hProcess, NULL, size, MEM_COMMIT, PAGE_READWRITE );
		if ( NULL == buf )
		{
				MessageBox(0,"申请内存失败1   !!!!!!!!!!!!!!!!!!",0,0);
				CloseHandle( lpProcessInformation->hProcess );
 
		}
 

 
		DWORD dwWritten;
		if ( WriteProcessMemory( lpProcessInformation->hProcess, buf, (PVOID)path, size, &dwWritten ) )
		{
		// 要写入字节数与实际写入字节数不相等,仍属失败
				if ( dwWritten != size )
				{
						MessageBox(0,"内存修改失败1  !!!!!!!!!!!!!!!!!!",0,0);
						VirtualFreeEx( lpProcessInformation->hProcess, buf, size, MEM_DECOMMIT );
						CloseHandle( lpProcessInformation->hProcess );
				}
		}
		else
		{
						MessageBox(0,"内存修改失败2  !\n",0,0);
						CloseHandle( lpProcessInformation->hProcess );
 
		}


 
	LPVOID pLoadLibrary = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
	DWORD dwThreadId;
 
	//
	HANDLE hThread = CreateRemoteThread( lpProcessInformation->hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pLoadLibrary, buf, 0 , &dwThreadId );
 
 
 
	WaitForSingleObject( hThread, INFINITE );
	VirtualFreeEx( lpProcessInformation->hProcess, buf, size, MEM_DECOMMIT );
	CloseHandle( hThread );
 
	ResumeThread (lpProcessInformation->hThread);







    return   ret;
}


BOOL WINAPI DllMain(HINSTANCE hinst, DWORD dwReason, LPVOID reserved)
{

    if (dwReason == DLL_PROCESS_ATTACH) 
	{

          //  AnitDebug();
          CreateProcessInternalW = (__CreateProcessInternal)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), "CreateProcessInternalW");

        DetourRestoreAfterWith();
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)TrueCreateProcessInternalW, TimedCreateProcessInternalW);
        DetourTransactionCommit();


     
    }
    else if (dwReason == DLL_PROCESS_DETACH) 
	{
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)TrueCreateProcessInternalW, TimedCreateProcessInternalW);
        DetourTransactionCommit();
		//OutputDebugStringA("DLL已卸载");
    }


    return TRUE;
}

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

侠客软件开发

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值