new:一种DLL插入方案

 by killvxk:

 

/* Integer aliases matching the Windows SDK names (the listing does not pull
 * in the user-mode headers that normally define them). */
typedef unsigned long DWORD;
typedef unsigned short WORD;
typedef unsigned char BYTE;

/* Kernel exports the driver links against. Prototypes are the author's own
 * declarations, so the types (e.g. DWORD for NTSTATUS) are approximations.
 * ZwQueryInformationProcess is declared but never called in this listing. */
__declspec(dllimport) DWORD PsLookupProcessByProcessId(HANDLE ProcessId,PEPROCESS* pProcess);
__declspec(dllimport) DWORD ZwOpenProcess(PHANDLE ProcessHandle,ULONG DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,PCLIENT_ID Cid);
__declspec(dllimport) DWORD ZwQueryInformationProcess(HANDLE ProcessHandle,PROCESSINFOCLASS ProcessInformationClass,PVOID ProcessInformation,ULONG ProcessInformationLength,PULONG ReturnLength);
__declspec(dllimport) BYTE *PsGetProcessPeb(PEPROCESS Process);

/* Byte offset into the PEB that processNotify() overwrites with a pointer.
 * This is a hard-coded, build-specific layout constant (one value per
 * bitness): on any Windows build whose PEB layout differs it silently
 * corrupts whichever field happens to live there. Presumably the field the
 * shim engine consults (pShimData) — TODO confirm per target build. */
#ifdef _WIN64
#define SHIM_OFFSET 0x2d8
#else
#define SHIM_OFFSET 0x1e8
#endif

/* Registry key under which mapShim() looks up the DLL path values.
 * STATIC_UNICODE_STRING is not defined in this listing; presumably a
 * UNICODE_STRING initializer macro. The '/' separators look like a
 * rendering artifact of the page (NT object/registry paths use '\'). */
STATIC_UNICODE_STRING(shimRegRoot,"//REGISTRY//MACHINE//SOFTWARE//shim");

/* Name string copied into every new process by processNotify(), and the
 * object names of the image sections created by mapShim(). Because the
 * sections are created under the KnownDlls directory, the loader resolves
 * shimeng.dll to whatever file the registry value names instead of the
 * system copy — a section object appearing under KnownDlls with this name
 * is the observable, host-level artefact of this driver being loaded. */
WCHAR shimName[]=L"shimeng.dll";
WCHAR shimSection[]=L"//knowndlls//shimeng.dll";
STATIC_UNICODE_STRING(shimDllRegKey,"shimdll");
HANDLE hShimSection;    /* set by mapShim(); zero-initialized until then */
#ifdef _WIN64
/* 64-bit builds additionally publish a 32-bit section for WOW64 processes. */
WCHAR shimSection32[]=L"//knowndlls32//shimeng.dll";
STATIC_UNICODE_STRING(shimDll32RegKey,"shimdll32");
HANDLE hShimSection32;
#endif

/* Process-creation callback registered with PsSetCreateProcessNotifyRoutine().
 * For every process creation (createFlag != 0) it opens the new process,
 * commits a small read/write buffer inside it holding the wide string
 * shimName, and writes that buffer's address into the process's PEB at
 * SHIM_OFFSET. Process exit notifications are ignored.
 * Returns nothing; every failure is silently dropped.
 *
 * Review notes (visible defects, left as-is):
 *  - hProcess returned by ZwOpenProcess() is never closed on any path, so
 *    one kernel handle leaks per process creation.
 *  - the EPROCESS reference taken by PsLookupProcessByProcessId() is never
 *    released, so the process object's reference count leaks as well.
 *  - the empty __except handler swallows any fault during the write; the
 *    buffer allocated with ZwAllocateVirtualMemory is then left behind but
 *    never pointed to from the PEB.
 *  - parentId is unused. */
void processNotify(HANDLE parentId,HANDLE processId,BOOLEAN createFlag){
    PVOID memAddress=0;                 /* 0 = let the system pick the address */
    SIZE_T memSize=sizeof(shimName);    /* bytes of the L"" string incl. terminator; rounded up to a page by the call */
    HANDLE hProcess;
    BYTE *pPeb;
    OBJECT_ATTRIBUTES objAttr;
    CLIENT_ID idClient;
    PEPROCESS pEProcess;
    DWORD ntStatus;
    KAPC_STATE kaps;   

    if(createFlag){
        /* Open by client id only; objAttr is zeroed rather than initialized
         * with InitializeObjectAttributes. */
        RtlZeroMemory(&objAttr,sizeof(OBJECT_ATTRIBUTES));
        idClient.UniqueProcess=processId;
        idClient.UniqueThread=0;
        if(ZwOpenProcess(&hProcess,PROCESS_DUP_HANDLE,&objAttr,&idClient)!=0){
            return;
        }
        /* hProcess is not closed on this or any later early return. */
        if(PsLookupProcessByProcessId(processId,&pEProcess)!=0){
            return;
        }
        /* pPeb is a user-mode address in the target's address space; it is
         * only valid to touch after the KeStackAttachProcess() below. */
        pPeb=PsGetProcessPeb(pEProcess);
        if(pPeb==0){
            return;
        }
        /* Commit the buffer in the target process via its handle. */
        ntStatus=ZwAllocateVirtualMemory(hProcess,&memAddress,0,&memSize,MEM_COMMIT,PAGE_READWRITE);
        if(ntStatus!=0){
            return;
        }       
        /* Switch address space so memAddress and pPeb can be dereferenced
         * directly; the detach below must stay paired with this call. */
        KeStackAttachProcess(pEProcess,&kaps);
        __try{
            memcpy(memAddress,shimName,sizeof(shimName));
            /* Overwrite the PEB field at the hard-coded offset with the
             * address of the copied string. */
            *(WCHAR**)(pPeb+SHIM_OFFSET)=memAddress;
        }__except(EXCEPTION_EXECUTE_HANDLER){
            /* Any access fault is ignored; no status is recorded. */
        }
        KeUnstackDetachProcess(&kaps);
    }
    return;
}

/* DriverUnload routine installed by DriverEntry(). The callback is removed
 * first so that no further processNotify() invocations can race with the
 * section handles being closed below. The handles were created with
 * OBJ_KERNEL_HANDLE in mapShim(), so ZwClose() from this context is valid.
 * DriverObject is unused. */
void driverUnload(PDRIVER_OBJECT DriverObject){       
    PsSetCreateProcessNotifyRoutine(processNotify,TRUE);    /* TRUE = remove */
    ZwClose(hShimSection);
#ifdef _WIN64
    ZwClose(hShimSection32);
#endif
#ifdef SHIM_DEBUG
    DbgPrint("shim injector: unloaded");
#endif
    return;
}

/* Reads the registry value named by dllName under shimRegRoot, opens the
 * file whose path that value holds, and creates an image section named
 * sectionName backed by it. On success *pSection receives the section handle.
 *
 * Parameters:
 *   pSection    - out; receives the handle from ZwCreateSection() on success,
 *                 untouched otherwise.
 *   dllName     - registry value name to query (e.g. shimDllRegKey).
 *   sectionName - NT object name for the new section.
 * Returns the NTSTATUS of the first failing call, or of ZwCreateSection().
 *
 * Review notes (visible defects, left as-is):
 *  - on pool-allocation failure the function returns ntStatus, which at that
 *    point still holds the STATUS_SUCCESS from ZwOpenKey(), so the caller
 *    sees success with *pSection never set.
 *  - the registry value's Data is handed to RtlInitUnicodeString() as a
 *    NUL-terminated wide string; a REG_SZ value is not guaranteed to be
 *    terminated within the bytes read, so an unterminated value would be
 *    read past the buffer. The value is trusted as-is: whoever can write
 *    this key chooses which file the section is built from.
 *  - `®KeySize` on the ZwQueryValueKey line looks like the page's HTML
 *    rendering having mangled `&regKeySize`; it does not compile as shown. */
NTSTATUS mapShim(HANDLE *pSection,PUNICODE_STRING dllName,WCHAR *sectionName){
    HANDLE hFile;
    OBJECT_ATTRIBUTES objAttr;
    IO_STATUS_BLOCK ioStatusBlock;   
    UNICODE_STRING usFileName;
    DWORD ntStatus;
    HANDLE hRegKey;
    PKEY_VALUE_PARTIAL_INFORMATION regKeyInfo=0;
    /* Fixed-size buffer: header plus 0x200 bytes of value data. */
    DWORD regKeySize=sizeof(KEY_VALUE_PARTIAL_INFORMATION)+0x200;

    InitializeObjectAttributes(&objAttr,&shimRegRoot,0,0,0);
    ntStatus=ZwOpenKey(&hRegKey,KEY_QUERY_VALUE,&objAttr);
    if(ntStatus!=STATUS_SUCCESS){
        return ntStatus;
    }
    regKeyInfo=(KEY_VALUE_PARTIAL_INFORMATION*)ExAllocatePoolWithTag(PagedPool,regKeySize,'SHIM');
    if(regKeyInfo==0){
        ZwClose(hRegKey);
        /* BUG: ntStatus is still STATUS_SUCCESS here (see note above). */
        return ntStatus;
    }
    /* regKeySize is both the buffer size in and the bytes returned out. */
    ntStatus=ZwQueryValueKey(hRegKey,dllName,KeyValuePartialInformation,regKeyInfo,regKeySize,®KeySize);
    ZwClose(hRegKey);
    if(ntStatus!=STATUS_SUCCESS){
        ExFreePool(regKeyInfo);
        return ntStatus;
    }
#ifdef SHIM_DEBUG
    DbgPrint("shim injector: shim %ls added",regKeyInfo->Data);
#endif
    /* Data is treated as a terminated wide string; see note above. */
    RtlInitUnicodeString(&usFileName,regKeyInfo->Data);
    InitializeObjectAttributes(&objAttr,&usFileName,OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE,0,0);
    ntStatus=ZwOpenFile(&hFile,FILE_GENERIC_EXECUTE,&objAttr,&ioStatusBlock,FILE_SHARE_READ,FILE_SYNCHRONOUS_IO_NONALERT);
    if(ntStatus!=STATUS_SUCCESS){
        ExFreePool(regKeyInfo);
        return ntStatus;
    }
    /* objAttr.ObjectName still points at usFileName, so re-initializing the
     * string here is what gives the section its name below; the attribute
     * flags (case-insensitive, kernel handle) carry over unchanged. */
    RtlInitUnicodeString(&usFileName,sectionName);   
    ntStatus=ZwCreateSection(pSection,SECTION_ALL_ACCESS,&objAttr,0,PAGE_EXECUTE,SEC_IMAGE,hFile);
    /* The section keeps its own reference to the file; the handle can go. */
    ZwClose(hFile);
    ExFreePool(regKeyInfo);
    return ntStatus;
}

/* Driver entry point. Publishes the shim section(s) via mapShim(), then
 * registers processNotify() as a process-creation callback and installs
 * driverUnload(). Returns the first failing NTSTATUS, else STATUS_SUCCESS.
 * RegistryPath is unused.
 *
 * Review notes:
 *  - on failure every global section handle is closed, including ones that
 *    mapShim() never assigned (they are zero-initialized globals), so
 *    ZwClose() may be handed a null handle; harmless but sloppy.
 *  - DriverUnload is set even on the failure path; presumably the I/O
 *    manager does not call it when DriverEntry returns an error, so the
 *    handles are not closed twice — TODO confirm.
 *  - if the first mapShim() succeeds and a later step fails, the section
 *    already created under KnownDlls is closed here, but the registry
 *    lookup has already happened; nothing else is rolled back. */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath){
    DWORD ntStatus;   
#ifdef SHIM_DEBUG   
    DbgPrint("shim injector: loaded");
#endif
    ntStatus=mapShim(&hShimSection,&shimDllRegKey,shimSection);
#ifdef _WIN64
    /* Second section for WOW64 processes; only attempted if the first succeeded. */
    if(ntStatus==STATUS_SUCCESS){
        ntStatus=mapShim(&hShimSection32,&shimDll32RegKey,shimSection32);
    }
#endif
    if(ntStatus==STATUS_SUCCESS){
        /* FALSE = register (driverUnload() passes TRUE to remove). */
        ntStatus=PsSetCreateProcessNotifyRoutine(processNotify,FALSE);
    }
    if(ntStatus!=STATUS_SUCCESS){
        /* Cleanup on any failure; handles may be null here (see note above). */
        ZwClose(hShimSection);
#ifdef _WIN64
        ZwClose(hShimSection32);
#endif
#ifdef SHIM_DEBUG
        DbgPrint("shim injector: unloaded (0x%x)",ntStatus);
#endif
    }
    DriverObject->DriverUnload=driverUnload;
    return ntStatus;
}
 
 