用户层下拦截系统 API 的原理与实现 二
1
/////////////////////////////////////////////////////////////////////
/
2 附录:一个拦截CreateFile函数的简单实现
3 ///////////////////////////////////////////////////////////////////// /
4 #include < stdio.h >
5 #include < windows.h >
6 #include < Psapi.h >
7
8 #pragma comment(lib, " psapi.lib " )
9
10 typedef struct _RemoteParam {
11 DWORD dwCreateFile;
12 DWORD dwMessageBox;
13 DWORD dwGetCurrentProcess;
14 DWORD dwWriteProcessMemory;
15 unsigned char szOldCode[ 10 ];
16 DWORD FunAddr;
17 } RemoteParam, * PRemoteParam;
18
19 typedef HANDLE (__stdcall * PFN_CREATEFILE)(LPCTSTR,DWORD,DWORD,LPSECURITY_ATTRIBUTES,DWORD,DWORD,HANDLE);
20 typedef int (__stdcall * PFN_MESSAGEBOX)(HWND, LPCTSTR, LPCTSTR, DWORD);
21 typedef BOOL (__stdcall * PFN_WRITEPROCESSMEMORY)(HANDLE,LPVOID,LPCVOID,SIZE_T,SIZE_T * );
22 typedef HANDLE (__stdcall * PFN_GETCURRENTPROCESS)( void );
23
24 #define PROCESSNUM 128
25 #define MYMESSAGEBOX "MessageBoxW"
26 #define MYCREATEFILE "CreateFileW"
27
28 void HookCreateFile(LPVOID lParam)
29 {
30
31 RemoteParam * pRP = (RemoteParam * )lParam;
32
33
34 DWORD NextIpAddr = 0 ;
35 DWORD dwParamaAddr = 0 ;
36
37 HANDLE RetFpHdl = INVALID_HANDLE_value;
38 LPCTSTR lpFileName;
39 DWORD dwDesiredAccess;
40 DWORD dwShareMode;
41 LPSECURITY_ATTRIBUTES lpSecurityAttributes;
42 DWORD dwCreationDisposition;
43 DWORD dwFlagsAndAttributes;
44 HANDLE hTemplateFile;
45 PFN_CREATEFILE pfnCreatefile = (PFN_CREATEFILE)pRP -> dwCreateFile;
46
47
48 __asm
49 {
50 MOV EAX,[EBP + 8 ]
51 MOV [dwParamaAddr], EAX
52 MOV EAX,[EBP + 12 ]
53 MOV [NextIpAddr], EAX
54 MOV EAX,[EBP + 16 ]
55 MOV [lpFileName], EAX
56 MOV EAX,[EBP + 20 ]
57 MOV [dwDesiredAccess],EAX
58 MOV EAX,[EBP + 24 ]
59 MOV [dwShareMode],EAX
60 MOV EAX,[EBP + 28 ]
61 MOV [lpSecurityAttributes],EAX
62 MOV EAX,[EBP + 32 ]
63 MOV [dwCreationDisposition],EAX
64 MOV EAX,[EBP + 36 ]
65 MOV [dwFlagsAndAttributes],EAX
66 MOV EAX,[EBP + 40 ]
67 MOV [hTemplateFile],EAX
68 }
69
70 PFN_MESSAGEBOX pfnMessageBox = (PFN_MESSAGEBOX)pRP -> dwMessageBox;
71 int allowFlag = pfnMessageBox(NULL, lpFileName, NULL, MB_ICONINformATION | MB_YESNO);
72
73 if (allowFlag == IDYES)
74 {
75 unsigned char szNewCode[ 10 ];
76 int PramaAddr = ( int )dwParamaAddr;
77 szNewCode[ 4 ] = PramaAddr >> 24 ;
78 szNewCode[ 3 ] = (PramaAddr << 8 ) >> 24 ;
79 szNewCode[ 2 ] = (PramaAddr << 16 ) >> 24 ;
80 szNewCode[ 1 ] = (PramaAddr << 24 ) >> 24 ;
81 szNewCode[ 0 ] = 0x68 ;
82
83 int funaddr = ( int )pRP -> FunAddr - ( int )pfnCreatefile - 10 ;
84 szNewCode[ 9 ] = funaddr >> 24 ;
85 szNewCode[ 8 ] = (funaddr << 8 ) >> 24 ;
86 szNewCode[ 7 ] = (funaddr << 16 ) >> 24 ;
87 szNewCode[ 6 ] = (funaddr << 24 ) >> 24 ;
88 szNewCode[ 5 ] = 0xE8 ;
89
90
91 PFN_GETCURRENTPROCESS pfnGetCurrentProcess = (PFN_GETCURRENTPROCESS)pRP -> dwGetCurrentProcess;
92 PFN_WRITEPROCESSMEMORY pfnWriteProcessMemory = (PFN_WRITEPROCESSMEMORY)pRP -> dwWriteProcessMemory;
93 pfnWriteProcessMemory(pfnGetCurrentProcess(),
94 (LPVOID)pfnCreatefile,
95 (LPCVOID)pRP -> szOldCode,
96 10 ,
97 NULL);
98
99 RetFpHdl = pfnCreatefile(lpFileName,
100 dwDesiredAccess,
101 dwShareMode,
102 lpSecurityAttributes,
103 dwCreationDisposition,
104 dwFlagsAndAttributes,
105 hTemplateFile);
106 pfnWriteProcessMemory(pfnGetCurrentProcess(),
107 (LPVOID)pfnCreatefile,
108 (LPCVOID)szNewCode,
109 10 ,
110 NULL);
111 }
112
113
114 __asm
115 {POP EDI
116 POP ESI
117 POP EBX
118 MOV EDX, [NextIpAddr]
119 MOV EAX, [RetFpHdl]
120 MOV ESP, EBP
121 POP EBP
122 ADD ESP, 28H
123 PUSH EDX
124 RET
125 }
126
127
128 }
129
130
131
132 BOOL AdjustProcessPrivileges(LPCSTR szPrivilegesName)
133 {
134 HANDLE hToken;
135 TOKEN_PRIVILEGES tkp;
136
137 if ( ! OpenProcessToken(GetCurrentProcess(),
138 TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, & hToken))
139 {
140 return FALSE;
141 }
142
143 if ( ! LookupPrivilegeValue(NULL,szPrivilegesName,
144 & tkp.Privileges[ 0 ].Luid))
145 {
146 CloseHandle(hToken);
147 return FALSE;
148 }
149
150 tkp.PrivilegeCount = 1 ;
151 tkp.Privileges[ 0 ].Attributes = SE_PRIVILEGE_ENABLED;
152
153 if ( ! AdjustTokenPrivileges(hToken,FALSE, & tkp, sizeof (tkp),NULL,NULL))
154 {
155 CloseHandle(hToken);
156 return FALSE;
157 }
158
159 CloseHandle(hToken);
160 return TRUE;
161 }
162
163
164 void printProcessNameByPid( DWORD ProcessId )
165 {
166 HANDLE pHd;
167 HMODULE pHmod;
168 char ProcessName[MAX_PATH] = " unknown " ;
169 DWORD cbNeeded;
170 pHd = OpenProcess( PROCESS_QUERY_INformATION | PROCESS_VM_READ, FALSE, ProcessId );
171 if (pHd == NULL)
172 return ;
173
174 if ( ! EnumProcessModules( pHd, & pHmod, sizeof (pHmod), & cbNeeded))
175 return ;
176 if ( ! GetModuleFileNameEx( pHd, pHmod, ProcessName, MAX_PATH))
177 return ;
178
179 printf( " %dt%sn " , ProcessId, ProcessName);
180 CloseHandle( pHd );
181 return ;
182 }
183
184
185 int main( void )
186 {
187
188 if ( ! AdjustProcessPrivileges(SE_DEBUG_NAME))
189 {
190 printf( " AdjustProcessPrivileges Error!n " );
191 return - 1 ;
192 }
193
194 DWORD Pids[PROCESSNUM];
195 DWORD dwProcessNum = 0 ;
196 if ( ! EnumProcesses(Pids, sizeof (Pids), & dwProcessNum))
197 {
198 printf( " EnumProcess Error!n " );
199 return - 1 ;
200 }
201
202 for ( DWORD num = 0 ; num < (dwProcessNum / sizeof (DWORD)); num ++ )
203 printProcessNameByPid(Pids[num]);
204
205 printf( " nAll %d processes running. n " , dwProcessNum / sizeof (DWORD));
206
207 DWORD dwPid = 0 ;
208 printf( " n请输入要拦截的进程id: " );
209 scanf( " %d " , & dwPid);
210
211 HANDLE hTargetProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, dwPid);
212 if (hTargetProcess == NULL)
213 {
214 printf( " OpenProcess Error!n " );
215 return - 1 ;
216 }
217
218 DWORD dwFunAddr = (DWORD)VirtualAllocEx(hTargetProcess, NULL, 8192 ,
219 MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
220
221 if ((LPVOID)dwFunAddr == NULL)
222 {
223 printf( " 申请线程内存失败!n " );
224 CloseHandle(hTargetProcess);
225 return - 1 ;
226 }
227
228 DWORD dwPramaAddr = (DWORD)VirtualAllocEx(hTargetProcess, NULL, sizeof (RemoteParam),
229 MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
230
231 if ((LPVOID)dwPramaAddr == NULL)
232 {
233 printf( " 申请参数内存失败!n " );
234 CloseHandle(hTargetProcess);
235 return - 1 ;
236 }
237
238 printf( " n线程内存地址:%.8xn "
239 " 参数内存地址:%.8xn " ,
240 dwFunAddr, dwPramaAddr);
241 RemoteParam RParam;
242 ZeroMemory( & RParam, sizeof (RParam));
243 HMODULE hKernel32 = LoadLibrary( " kernel32.dll " );
244 HMODULE hUser32 = LoadLibrary( " user32.dll " );
245
246 RParam.dwCreateFile = (DWORD)GetProcAddress(hKernel32, MYCREATEFILE);
247 RParam.dwGetCurrentProcess = (DWORD)GetProcAddress(hKernel32, " GetCurrentProcess " );
248 RParam.dwWriteProcessMemory = (DWORD)GetProcAddress(hKernel32, " WriteProcessMemory " );
249 RParam.dwMessageBox = (DWORD)GetProcAddress(hUser32, MYMESSAGEBOX);
250
251 unsigned char oldcode[ 10 ];
252 unsigned char newcode[ 10 ];
253 int praadd = ( int )dwPramaAddr;
254 int threadadd = ( int )dwFunAddr;
255 newcode[ 4 ] = praadd >> 24 ;
256 newcode[ 3 ] = (praadd << 8 ) >> 24 ;
257 newcode[ 2 ] = (praadd << 16 ) >> 24 ;
258 newcode[ 1 ] = (praadd << 24 ) >> 24 ;
259 newcode[ 0 ] = 0x68 ;
260
261 int offsetaddr = threadadd - ( int )RParam.dwCreateFile - 10 ;
262 newcode[ 9 ] = offsetaddr >> 24 ;
263 newcode[ 8 ] = (offsetaddr << 8 ) >> 24 ;
264 newcode[ 7 ] = (offsetaddr << 16 ) >> 24 ;
265 newcode[ 6 ] = (offsetaddr << 24 ) >> 24 ;
266 newcode[ 5 ] = 0xE8 ;
267
268 printf( " NewCode: " );
269 for ( int j = 0 ; j < 10 ; j ++ )
270 printf( " 0x%.2x " ,newcode[j]);
271 printf( " nn " );
272
273
274
275 if ( ! ReadProcessMemory(GetCurrentProcess(),
276 (LPCVOID)RParam.dwCreateFile,
277 oldcode,
278 10 ,
279 & dwPid))
280 {
281 printf( " read error " );
282 CloseHandle(hTargetProcess);
283 FreeLibrary(hKernel32);
284 return - 1 ;
285 }
286
287 strcat(( char * )RParam.szOldCode, ( char * )oldcode);
288 RParam.FunAddr = dwFunAddr;
289
290 printf(
291 " RParam.dwCreate文件:%.8xn "
292 " RParam.dwMessageBox:%.8xn "
293 " RParam.dwGetCurrentProcess:%.8xn "
294 " RParam.dwWriteProcessMemory:%.8xn "
295 " RParam.FunAddr:%.8xn " ,
296 RParam.dwCreateFile,
297 RParam.dwMessageBox,
298 RParam.dwGetCurrentProcess,
299 RParam.dwWriteProcessMemory,
300 RParam.FunAddr);
301 printf( " RParam.szOldCode: " );
302 for ( int i = 0 ; i < 10 ; i ++ )
303 printf( " 0x%.2x " , RParam.szOldCode);
304 printf( " n " );
305
306
307 if ( ! WriteProcessMemory(hTargetProcess, (LPVOID)dwFunAddr, (LPVOID) & HookCreateFile, 8192 , & dwPid))
308 {
309 printf( " WriteRemoteProcessesMemory Error!n " );
310 CloseHandle(hTargetProcess);
311 FreeLibrary(hKernel32);
312 return - 1 ;
313 }
314
315 if ( ! WriteProcessMemory(hTargetProcess, (LPVOID)dwPramaAddr, (LPVOID) & RParam, sizeof (RemoteParam), & dwPid))
316 {
317 printf( " WriteRemoteProcessesMemory Error!n " );
318 CloseHandle(hTargetProcess);
319 FreeLibrary(hKernel32);
320 return - 1 ;
321 }
322
323 if ( ! WriteProcessMemory(hTargetProcess, (LPVOID)RParam.dwCreateFile, (LPVOID)newcode, 10 , & dwPid))
324 {
325 printf( " WriteRemoteProcessesMemory Error!n " );
326 CloseHandle(hTargetProcess);
327 FreeLibrary(hKernel32);
328 return - 1 ;
329 }
330
331 printf( " nThat's all, good luck :)n " );
332 CloseHandle(hTargetProcess);
333 FreeLibrary(hKernel32);
334 return 0 ;
335 }
2 附录:一个拦截CreateFile函数的简单实现
3 ///////////////////////////////////////////////////////////////////// /
4 #include < stdio.h >
5 #include < windows.h >
6 #include < Psapi.h >
7
8 #pragma comment(lib, " psapi.lib " )
9
10 typedef struct _RemoteParam {
11 DWORD dwCreateFile;
12 DWORD dwMessageBox;
13 DWORD dwGetCurrentProcess;
14 DWORD dwWriteProcessMemory;
15 unsigned char szOldCode[ 10 ];
16 DWORD FunAddr;
17 } RemoteParam, * PRemoteParam;
18
19 typedef HANDLE (__stdcall * PFN_CREATEFILE)(LPCTSTR,DWORD,DWORD,LPSECURITY_ATTRIBUTES,DWORD,DWORD,HANDLE);
20 typedef int (__stdcall * PFN_MESSAGEBOX)(HWND, LPCTSTR, LPCTSTR, DWORD);
21 typedef BOOL (__stdcall * PFN_WRITEPROCESSMEMORY)(HANDLE,LPVOID,LPCVOID,SIZE_T,SIZE_T * );
22 typedef HANDLE (__stdcall * PFN_GETCURRENTPROCESS)( void );
23
24 #define PROCESSNUM 128
25 #define MYMESSAGEBOX "MessageBoxW"
26 #define MYCREATEFILE "CreateFileW"
27
28 void HookCreateFile(LPVOID lParam)
29 {
30
31 RemoteParam * pRP = (RemoteParam * )lParam;
32
33
34 DWORD NextIpAddr = 0 ;
35 DWORD dwParamaAddr = 0 ;
36
37 HANDLE RetFpHdl = INVALID_HANDLE_value;
38 LPCTSTR lpFileName;
39 DWORD dwDesiredAccess;
40 DWORD dwShareMode;
41 LPSECURITY_ATTRIBUTES lpSecurityAttributes;
42 DWORD dwCreationDisposition;
43 DWORD dwFlagsAndAttributes;
44 HANDLE hTemplateFile;
45 PFN_CREATEFILE pfnCreatefile = (PFN_CREATEFILE)pRP -> dwCreateFile;
46
47
48 __asm
49 {
50 MOV EAX,[EBP + 8 ]
51 MOV [dwParamaAddr], EAX
52 MOV EAX,[EBP + 12 ]
53 MOV [NextIpAddr], EAX
54 MOV EAX,[EBP + 16 ]
55 MOV [lpFileName], EAX
56 MOV EAX,[EBP + 20 ]
57 MOV [dwDesiredAccess],EAX
58 MOV EAX,[EBP + 24 ]
59 MOV [dwShareMode],EAX
60 MOV EAX,[EBP + 28 ]
61 MOV [lpSecurityAttributes],EAX
62 MOV EAX,[EBP + 32 ]
63 MOV [dwCreationDisposition],EAX
64 MOV EAX,[EBP + 36 ]
65 MOV [dwFlagsAndAttributes],EAX
66 MOV EAX,[EBP + 40 ]
67 MOV [hTemplateFile],EAX
68 }
69
70 PFN_MESSAGEBOX pfnMessageBox = (PFN_MESSAGEBOX)pRP -> dwMessageBox;
71 int allowFlag = pfnMessageBox(NULL, lpFileName, NULL, MB_ICONINformATION | MB_YESNO);
72
73 if (allowFlag == IDYES)
74 {
75 unsigned char szNewCode[ 10 ];
76 int PramaAddr = ( int )dwParamaAddr;
77 szNewCode[ 4 ] = PramaAddr >> 24 ;
78 szNewCode[ 3 ] = (PramaAddr << 8 ) >> 24 ;
79 szNewCode[ 2 ] = (PramaAddr << 16 ) >> 24 ;
80 szNewCode[ 1 ] = (PramaAddr << 24 ) >> 24 ;
81 szNewCode[ 0 ] = 0x68 ;
82
83 int funaddr = ( int )pRP -> FunAddr - ( int )pfnCreatefile - 10 ;
84 szNewCode[ 9 ] = funaddr >> 24 ;
85 szNewCode[ 8 ] = (funaddr << 8 ) >> 24 ;
86 szNewCode[ 7 ] = (funaddr << 16 ) >> 24 ;
87 szNewCode[ 6 ] = (funaddr << 24 ) >> 24 ;
88 szNewCode[ 5 ] = 0xE8 ;
89
90
91 PFN_GETCURRENTPROCESS pfnGetCurrentProcess = (PFN_GETCURRENTPROCESS)pRP -> dwGetCurrentProcess;
92 PFN_WRITEPROCESSMEMORY pfnWriteProcessMemory = (PFN_WRITEPROCESSMEMORY)pRP -> dwWriteProcessMemory;
93 pfnWriteProcessMemory(pfnGetCurrentProcess(),
94 (LPVOID)pfnCreatefile,
95 (LPCVOID)pRP -> szOldCode,
96 10 ,
97 NULL);
98
99 RetFpHdl = pfnCreatefile(lpFileName,
100 dwDesiredAccess,
101 dwShareMode,
102 lpSecurityAttributes,
103 dwCreationDisposition,
104 dwFlagsAndAttributes,
105 hTemplateFile);
106 pfnWriteProcessMemory(pfnGetCurrentProcess(),
107 (LPVOID)pfnCreatefile,
108 (LPCVOID)szNewCode,
109 10 ,
110 NULL);
111 }
112
113
114 __asm
115 {POP EDI
116 POP ESI
117 POP EBX
118 MOV EDX, [NextIpAddr]
119 MOV EAX, [RetFpHdl]
120 MOV ESP, EBP
121 POP EBP
122 ADD ESP, 28H
123 PUSH EDX
124 RET
125 }
126
127
128 }
129
130
131
132 BOOL AdjustProcessPrivileges(LPCSTR szPrivilegesName)
133 {
134 HANDLE hToken;
135 TOKEN_PRIVILEGES tkp;
136
137 if ( ! OpenProcessToken(GetCurrentProcess(),
138 TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, & hToken))
139 {
140 return FALSE;
141 }
142
143 if ( ! LookupPrivilegeValue(NULL,szPrivilegesName,
144 & tkp.Privileges[ 0 ].Luid))
145 {
146 CloseHandle(hToken);
147 return FALSE;
148 }
149
150 tkp.PrivilegeCount = 1 ;
151 tkp.Privileges[ 0 ].Attributes = SE_PRIVILEGE_ENABLED;
152
153 if ( ! AdjustTokenPrivileges(hToken,FALSE, & tkp, sizeof (tkp),NULL,NULL))
154 {
155 CloseHandle(hToken);
156 return FALSE;
157 }
158
159 CloseHandle(hToken);
160 return TRUE;
161 }
162
163
164 void printProcessNameByPid( DWORD ProcessId )
165 {
166 HANDLE pHd;
167 HMODULE pHmod;
168 char ProcessName[MAX_PATH] = " unknown " ;
169 DWORD cbNeeded;
170 pHd = OpenProcess( PROCESS_QUERY_INformATION | PROCESS_VM_READ, FALSE, ProcessId );
171 if (pHd == NULL)
172 return ;
173
174 if ( ! EnumProcessModules( pHd, & pHmod, sizeof (pHmod), & cbNeeded))
175 return ;
176 if ( ! GetModuleFileNameEx( pHd, pHmod, ProcessName, MAX_PATH))
177 return ;
178
179 printf( " %dt%sn " , ProcessId, ProcessName);
180 CloseHandle( pHd );
181 return ;
182 }
183
184
185 int main( void )
186 {
187
188 if ( ! AdjustProcessPrivileges(SE_DEBUG_NAME))
189 {
190 printf( " AdjustProcessPrivileges Error!n " );
191 return - 1 ;
192 }
193
194 DWORD Pids[PROCESSNUM];
195 DWORD dwProcessNum = 0 ;
196 if ( ! EnumProcesses(Pids, sizeof (Pids), & dwProcessNum))
197 {
198 printf( " EnumProcess Error!n " );
199 return - 1 ;
200 }
201
202 for ( DWORD num = 0 ; num < (dwProcessNum / sizeof (DWORD)); num ++ )
203 printProcessNameByPid(Pids[num]);
204
205 printf( " nAll %d processes running. n " , dwProcessNum / sizeof (DWORD));
206
207 DWORD dwPid = 0 ;
208 printf( " n请输入要拦截的进程id: " );
209 scanf( " %d " , & dwPid);
210
211 HANDLE hTargetProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, dwPid);
212 if (hTargetProcess == NULL)
213 {
214 printf( " OpenProcess Error!n " );
215 return - 1 ;
216 }
217
218 DWORD dwFunAddr = (DWORD)VirtualAllocEx(hTargetProcess, NULL, 8192 ,
219 MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
220
221 if ((LPVOID)dwFunAddr == NULL)
222 {
223 printf( " 申请线程内存失败!n " );
224 CloseHandle(hTargetProcess);
225 return - 1 ;
226 }
227
228 DWORD dwPramaAddr = (DWORD)VirtualAllocEx(hTargetProcess, NULL, sizeof (RemoteParam),
229 MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
230
231 if ((LPVOID)dwPramaAddr == NULL)
232 {
233 printf( " 申请参数内存失败!n " );
234 CloseHandle(hTargetProcess);
235 return - 1 ;
236 }
237
238 printf( " n线程内存地址:%.8xn "
239 " 参数内存地址:%.8xn " ,
240 dwFunAddr, dwPramaAddr);
241 RemoteParam RParam;
242 ZeroMemory( & RParam, sizeof (RParam));
243 HMODULE hKernel32 = LoadLibrary( " kernel32.dll " );
244 HMODULE hUser32 = LoadLibrary( " user32.dll " );
245
246 RParam.dwCreateFile = (DWORD)GetProcAddress(hKernel32, MYCREATEFILE);
247 RParam.dwGetCurrentProcess = (DWORD)GetProcAddress(hKernel32, " GetCurrentProcess " );
248 RParam.dwWriteProcessMemory = (DWORD)GetProcAddress(hKernel32, " WriteProcessMemory " );
249 RParam.dwMessageBox = (DWORD)GetProcAddress(hUser32, MYMESSAGEBOX);
250
251 unsigned char oldcode[ 10 ];
252 unsigned char newcode[ 10 ];
253 int praadd = ( int )dwPramaAddr;
254 int threadadd = ( int )dwFunAddr;
255 newcode[ 4 ] = praadd >> 24 ;
256 newcode[ 3 ] = (praadd << 8 ) >> 24 ;
257 newcode[ 2 ] = (praadd << 16 ) >> 24 ;
258 newcode[ 1 ] = (praadd << 24 ) >> 24 ;
259 newcode[ 0 ] = 0x68 ;
260
261 int offsetaddr = threadadd - ( int )RParam.dwCreateFile - 10 ;
262 newcode[ 9 ] = offsetaddr >> 24 ;
263 newcode[ 8 ] = (offsetaddr << 8 ) >> 24 ;
264 newcode[ 7 ] = (offsetaddr << 16 ) >> 24 ;
265 newcode[ 6 ] = (offsetaddr << 24 ) >> 24 ;
266 newcode[ 5 ] = 0xE8 ;
267
268 printf( " NewCode: " );
269 for ( int j = 0 ; j < 10 ; j ++ )
270 printf( " 0x%.2x " ,newcode[j]);
271 printf( " nn " );
272
273
274
275 if ( ! ReadProcessMemory(GetCurrentProcess(),
276 (LPCVOID)RParam.dwCreateFile,
277 oldcode,
278 10 ,
279 & dwPid))
280 {
281 printf( " read error " );
282 CloseHandle(hTargetProcess);
283 FreeLibrary(hKernel32);
284 return - 1 ;
285 }
286
287 strcat(( char * )RParam.szOldCode, ( char * )oldcode);
288 RParam.FunAddr = dwFunAddr;
289
290 printf(
291 " RParam.dwCreate文件:%.8xn "
292 " RParam.dwMessageBox:%.8xn "
293 " RParam.dwGetCurrentProcess:%.8xn "
294 " RParam.dwWriteProcessMemory:%.8xn "
295 " RParam.FunAddr:%.8xn " ,
296 RParam.dwCreateFile,
297 RParam.dwMessageBox,
298 RParam.dwGetCurrentProcess,
299 RParam.dwWriteProcessMemory,
300 RParam.FunAddr);
301 printf( " RParam.szOldCode: " );
302 for ( int i = 0 ; i < 10 ; i ++ )
303 printf( " 0x%.2x " , RParam.szOldCode);
304 printf( " n " );
305
306
307 if ( ! WriteProcessMemory(hTargetProcess, (LPVOID)dwFunAddr, (LPVOID) & HookCreateFile, 8192 , & dwPid))
308 {
309 printf( " WriteRemoteProcessesMemory Error!n " );
310 CloseHandle(hTargetProcess);
311 FreeLibrary(hKernel32);
312 return - 1 ;
313 }
314
315 if ( ! WriteProcessMemory(hTargetProcess, (LPVOID)dwPramaAddr, (LPVOID) & RParam, sizeof (RemoteParam), & dwPid))
316 {
317 printf( " WriteRemoteProcessesMemory Error!n " );
318 CloseHandle(hTargetProcess);
319 FreeLibrary(hKernel32);
320 return - 1 ;
321 }
322
323 if ( ! WriteProcessMemory(hTargetProcess, (LPVOID)RParam.dwCreateFile, (LPVOID)newcode, 10 , & dwPid))
324 {
325 printf( " WriteRemoteProcessesMemory Error!n " );
326 CloseHandle(hTargetProcess);
327 FreeLibrary(hKernel32);
328 return - 1 ;
329 }
330
331 printf( " nThat's all, good luck :)n " );
332 CloseHandle(hTargetProcess);
333 FreeLibrary(hKernel32);
334 return 0 ;
335 }