// 附錄：一個攔截 CreateFile 函式的簡單實現
#include
#include
#include
#pragma comment(lib, "psapi.lib")
#pragma comment(lib, "ws2_32.lib")
// Shared parameter block handed to the in-target hook.  Only the forward
// declaration survives in this listing; the fields that main() fills in
// (dwcreatefile, dwmessagebox, dwgetcurrentprocess, dwwriteproces**emory,
// funaddr, szoldcode[]) are defined elsewhere and are not shown here.
// NOTE(review): the whole listing appears to have been lowercased by the
// page, so HANDLE/LPCTSTR/DWORD/BOOL etc. read as handle/lpctstr/...; the
// code is kept as pasted.
typedef struct _remoteparam remoteparam, * premoteparam;
// Function-pointer types for the APIs the hook calls indirectly.  The hook
// runs inside another process, so it must not import anything through the
// injector's IAT; every API is reached via an address stored in remoteparam.
typedef handle (__stdcall * pfn_createfile)(lpctstr,dword,dword,lpsecurity_attributes,dword,dword,handle);
typedef int (__stdcall * pfn_messagebox)(hwnd, lpctstr, lpctstr, dword);
// "proces**emory" is a garbled "processmemory" (a page-side filter replaced
// "sm"); this is the WriteProcessMemory signature.
typedef bool (__stdcall * pfn_writeproces**emory)(handle,lpvoid,lpcvoid,size_t,size_t*);
typedef handle (__stdcall * pfn_getcurrentprocess)(void);
// Fixed capacity of the PID array passed to enumprocesses (see main).
#define processnum 128
// Export names resolved with getprocaddress; the wide-char variants are
// hooked, so the first CreateFileW argument is an LPCWSTR file name.
#define mymessagebox "messageboxw"
#define mycreatefile "createfilew"
// Replacement prologue that executes INSIDE the target process: main()
// copies this function's bytes into the target and redirects the first
// 10 bytes of the target's CreateFileW to it.  It asks the user (via a
// MessageBox reached through the remoteparam pointer) whether the open
// should be allowed.
// NOTE(review): the listing is incomplete here — the declaration of `prp`
// (presumably the remoteparam pointer pushed by the patch), `lpfilename`
// (presumably the hooked call's first argument), and the `__asm` block
// that replays the saved prologue / returns to the caller are missing.
// "__a**" is a garbled "__asm".  Everything this function touches must be
// position independent, since only its raw bytes are copied across.
void hookcreatefile(lpvoid lparam)
// Call MessageBoxW through the address stored by the injector, never
// directly — a direct call would resolve through the injector's IAT, which
// does not exist in the target.
pfn_messagebox pfnmessagebox = (pfn_messagebox)prp->dwmessagebox;
int allowflag = pfnmessagebox(null, lpfilename, null, mb_iconinformation | mb_yesno);
if(allowflag == idyes)
__a**
// Enables one named privilege (e.g. SeDebugPrivilege) in the current
// process token.  The OpenProcessToken call and the `htoken`/`tkp`
// declarations are missing from the paste, as is the body of the
// lookupprivilegevalue failure branch.  This helper is not called anywhere
// in the visible main(), so the injector runs with its default token.
} bool adjustprocessprivileges(lpcstr szprivilegesname)
if(!lookupprivilegevalue(null,szprivilegesname,
&tkp.privileges[0].luid))
tkp.privilegecount = 1;
tkp.privileges[0].attributes = se_privilege_enabled;
// NOTE(review): per the Win32 docs adjusttokenprivileges can return TRUE
// while assigning nothing (GetLastError() == ERROR_NOT_ALL_ASSIGNED); a
// caller that relies on the privilege should check that too.
if(!adjusttokenprivileges(htoken,false,&tkp,sizeof(tkp),null,null))
closehandle(htoken);
return true; }
// Prints a process's image name for the given PID (body not present in this
// listing; it presumably uses the psapi functions linked via the pragma
// above).  Called once per PID by main() to let the user pick a target.
void printprocessnamebypid( dword processid )
// Injector entry point: lists processes, reads a PID from the console,
// allocates two RWX regions in that process (one for a copy of
// hookcreatefile, one for the remoteparam block) and overwrites the first
// 10 bytes of the target's CreateFileW with "push <param> ; call <hook>".
//
// NOTE(review): as pasted, several `if(...)` guards below have no body on
// the following line (the error branches appear to have been lost), line
// "dwfunaddr, dwpramaaddr);" is the tail of a printf whose head is missing,
// and "/n" in the format strings is a garbled "\n".  Code is kept as-is;
// only comments are added.
int main(void)
dword pids[processnum];
dword dwprocessnum = 0;
// enumprocesses reports the number of BYTES written, hence "/ sizeof(dword)"
// below.  It fills at most sizeof(pids) bytes, so with more than processnum
// (128) processes the list is silently truncated; compare dwprocessnum with
// sizeof(pids) and retry with a bigger array in that case.
if(!enumprocesses(pids, sizeof(pids), &dwprocessnum))
for( dword num = 0; num < (dwprocessnum / sizeof(dword)); num++)
printprocessnamebypid(pids[num]);
printf("/nall %d processes running. /n", dwprocessnum / sizeof(dword));
dword dwpid = 0;
printf("/n請輸入要攔截的程序id:");
// Untrusted console input: the scanf return value is not checked, so a
// non-numeric entry leaves dwpid == 0, and %d is a signed conversion into
// an unsigned dword.  strtoul with an end-pointer check would be safer.
scanf("%d", &dwpid);
// Only VM rights are requested and no privilege is enabled beforehand
// (adjustprocessprivileges is defined above but not called here), so this
// fails for processes owned by another user or running protected.
handle htargetprocess = openprocess(process_vm_operation|process_vm_write|process_vm_read, false, dwpid);
if(htargetprocess == null)
// 8 KiB RWX region for the hook body.  RWX allocation + WriteProcessMemory
// + inline patch of a kernel32 export is the textbook code-injection
// pattern that DEP-aware and EDR-style tooling flags; once written, the
// region only needs EXECUTE_READ.
dword dwfunaddr = (dword)virtualallocex(htargetprocess, null, 8192,
mem_commit | mem_reserve, page_execute_readwrite);
if((lpvoid)dwfunaddr == null)
// The parameter block is plain data yet is also allocated executable;
// page_readwrite would suffice.
dword dwpramaaddr = (dword)virtualallocex(htargetprocess, null, sizeof(remoteparam),
mem_commit | mem_reserve, page_execute_readwrite);
if((lpvoid)dwpramaaddr == null)
// NOTE(review): orphaned argument list of a printf whose format-string
// line is missing from the paste.
dwfunaddr, dwpramaaddr);
remoteparam rparam;
zeromemory(&rparam, sizeof(rparam));
// The addresses resolved here in the INJECTOR are handed to the target as
// absolute values.  That is only valid while kernel32.dll / user32.dll are
// mapped at the same base in both processes (typically the case for system
// DLLs, but nothing here verifies it).
hmodule hkernel32 = loadlibrary("kernel32.dll");
hmodule huser32 = loadlibrary("user32.dll");
rparam.dwcreatefile = (dword)getprocaddress(hkernel32, mycreatefile);
rparam.dwgetcurrentprocess = (dword)getprocaddress(hkernel32, "getcurrentprocess");
// "proces**emory" is a garbled "processmemory" (page-side filter); the real
// export is WriteProcessMemory.  None of the getprocaddress results is
// NULL-checked before being shipped to the target.
rparam.dwwriteproces**emory = (dword)getprocaddress(hkernel32, "writeproces**emory");
rparam.dwmessagebox = (dword)getprocaddress(huser32, mymessagebox);
unsigned char oldcode[10];
unsigned char newcode[10];
int praadd = (int)dwpramaaddr;
int threadadd = (int)dwfunaddr;
// Serialize the two 32-bit operands little-endian.  Each "(x<<k)>>24"
// isolates one byte with a SIGNED left shift (undefined behaviour when a
// set bit is shifted out) and an arithmetic right shift; it happens to
// work on MSVC/x86, but a memcpy of the 32-bit value is the portable form.
newcode[4] = praadd>>24;
newcode[3] = (praadd<<8)>>24;
newcode[2] = (praadd<<16)>>24;
newcode[1] = (praadd<<24)>>24;
newcode[0] = 0x68;   // push imm32 -> address of the remoteparam block
// E8 rel32 is relative to the END of the call instruction.  The call
// occupies bytes 5..9 of the patch, so the next instruction is
// createfile + 10 — hence the "- 10".
int offsetaddr = threadadd - (int)rparam.dwcreatefile - 10 ;
newcode[9] = offsetaddr>>24;
newcode[8] = (offsetaddr<<8)>>24;
newcode[7] = (offsetaddr<<16)>>24;
newcode[6] = (offsetaddr<<24)>>24;
newcode[5] = 0xe8;   // call rel32 -> the hook copy at dwfunaddr
printf("newcode:");
for(int j = 0; j < 10; j++)
printf("0x%.2x ",newcode[j]);
printf("/n/n");
// Save the first 10 bytes of OUR CreateFileW as the "old code", assuming
// the target's copy is byte-identical (same DLL build, same base).  From
// here on dwpid is reused as the bytes-read / bytes-written out-parameter,
// so it no longer holds the PID.
if(!readproces**emory(getcurrentprocess(),
(lpcvoid)rparam.dwcreatefile,
oldcode,
10,&dwpid))
// BUG: oldcode is raw machine code, not a C string.  strcat stops at the
// first 0x00 byte (likely inside a 32-bit immediate or displacement) and,
// if there is none, reads past the 10-byte buffer.  Intended:
// memcpy(rparam.szoldcode, oldcode, sizeof(oldcode)).
strcat((char*)rparam.szoldcode, (char*)oldcode);
rparam.funaddr = dwfunaddr;
printf(
"rparam.dwcreatefile:%.8x/n"
"rparam.dwmessagebox:%.8x/n"
"rparam.dwgetcurrentprocess:%.8x/n"
"rparam.dwwriteproces**emory:%.8x/n"
"rparam.funaddr:%.8x/n",
rparam.dwcreatefile,
rparam.dwmessagebox,
rparam.dwgetcurrentprocess,
rparam.dwwriteproces**emory,
rparam.funaddr);
printf("rparam.szoldcode:");
for( int i = 0; i< 10; i++)
printf("0x%.2x ", rparam.szoldcode[i]);
printf("/n");
// Copies 8192 bytes starting at hookcreatefile — the function plus whatever
// follows it in this image — into the target.  The hook therefore has to be
// position independent (no absolute references into the injector's image);
// nothing verifies that.  Write order matters: the code patch below goes
// last so the target never calls a half-filled stub.
if(!writeproces**emory(htargetprocess, (lpvoid)dwfunaddr, (lpvoid)&hookcreatefile, 8192, &dwpid))
if(!writeproces**emory(htargetprocess, (lpvoid)dwpramaaddr, (lpvoid)&rparam, sizeof(remoteparam), &dwpid))
// Live-patches CreateFileW in the running target without suspending its
// threads: a thread executing inside those 10 bytes right now may fault,
// and if offset 10 is not an instruction boundary the saved prologue cannot
// be replayed intact.  There is no unhook / restore path either.
if(!writeproces**emory(htargetprocess, (lpvoid)rparam.dwcreatefile, (lpvoid)newcode, 10, &dwpid))
printf("/nthat's all, good luck :)/n");
closehandle(htargetprocess);
// huser32 is never released; only hkernel32 is.
freelibrary(hkernel32);
return 0;
}