HideService
// *****************************************************************************// // // 文件名: AgentHk.cpp // 所属项目名称: // 所属模块名称: AGENT Service Hook // 所属项目版本: 2.0 // 文件用途 : // 文件作者 : horse_b // 创建日期 : 2004-11-30 // // 文件修改说明: // 文件修改人: // 修改日期: // // // //********************************************************************************//
#include <stdio.h> #include <tchar.h> // Make program ansi AND unicode safe #include <windows.h> // Most Windows functions #include <commctrl.h> // Used for TreeView controls #include <setupapi.h> // Used for SetupDiXxx functions #include <basetsd.h> #include <cfgmgr32.h> // Used for CM_Xxxx functions #include <regstr.h> // Extract Registry Strings #include <devguid.h>
//API HOOK方式 #define APIHOOK16
#ifdef APIHOOK16 #include "apihook16.h" #define CAPIHook CAPIHook16 #else #include "apihook32.h" #define CAPIHook CAPIHook32 #endif
#pragma comment(lib, "setupapi.lib") #pragma comment(lib, "advapi32.lib")
// Declarations of the replacement functions for setupapi.dll exports.
// Only the wide-character variant is compiled; the ANSI variant is kept
// below as a commented-out declaration and is not hooked.
/*
BOOL WINAPI mySetupDiSetClassInstallParamsA(
    IN HDEVINFO DeviceInfoSet,
    IN PSP_DEVINFO_DATA DeviceInfoData,
    IN PSP_CLASSINSTALL_HEADER ClassInstallParams,
    IN DWORD ClassInstallParamsSize
);
*/
BOOL WINAPI mySetupDiSetClassInstallParamsW(
    IN HDEVINFO DeviceInfoSet,
    IN PSP_DEVINFO_DATA DeviceInfoData,
    IN PSP_CLASSINSTALL_HEADER ClassInstallParams,
    IN DWORD ClassInstallParamsSize
);
// setupapi.dll hook object. The constructor receives the module name, the
// export name and the address of the replacement. Whether construction
// installs the hook or only records it is decided inside CAPIHook
// (apihook16.h / apihook32.h, not shown here); HookAll() and the replacement
// functions drive it explicitly through .Hook(TRUE/FALSE).
CAPIHook g_hook_setupapi_paramsw("setupapi.dll", "SetupDiSetClassInstallParamsW", (FARPROC)mySetupDiSetClassInstallParamsW);
//CAPIHook g_hook_setupapi_paramsa("setupapi.dll", "SetupDiSetClassInstallParamsA", (FARPROC)mySetupDiSetClassInstallParamsA);
// advapi32.dll: replacement for ChangeServiceConfigW, installed by the
// CAPIHook object declared after it.
BOOL WINAPI myChangeServiceConfigW(
    SC_HANDLE hService,
    DWORD dwServiceType,
    DWORD dwStartType,
    DWORD dwErrorControl,
    LPCWSTR lpBinaryPathName,
    LPCWSTR lpLoadOrderGroup,
    LPDWORD lpdwTagId,
    LPCWSTR lpDependencies,
    LPCWSTR lpServiceStartName,
    LPCWSTR lpPassword,
    LPCWSTR lpDisplayName
);
//CAPIHook g_hook_advapi32_ChangeA("advapi32.dll", "ChangeServiceConfigA", (FARPROC)myChangeServiceConfigA);
CAPIHook g_hook_advapi32_ChangeW("advapi32.dll", "ChangeServiceConfigW", (FARPROC)myChangeServiceConfigW);
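/**
 * Convert a wide-character string to a newly allocated ANSI string using the
 * current C locale (wcstombs).
 *
 * @param lpcsUnicode  Source string; may be NULL.
 * @return A heap-allocated, NUL-terminated copy that the caller releases with
 *         delete[], or NULL when lpcsUnicode is NULL or when the string holds
 *         a character wcstombs cannot convert in the current locale. Callers
 *         must test for NULL before handing the result to str*() functions.
 *
 * Fixes relative to the original: wcstombs reports an unconvertible string
 * as (size_t)-1, which the original used as a length (allocating a
 * zero-length buffer and writing past it); and the terminator was written as
 * the multi-character constant '/0' rather than the NUL byte '\0', so the
 * result was not reliably terminated.
 */
LPSTR WideStringToAnsiString(LPCWSTR lpcsUnicode)
{
    if (lpcsUnicode == NULL) {
        return NULL;
    }

    // First pass only measures the converted length (terminator excluded).
    size_t cbNeeded = wcstombs(NULL, lpcsUnicode, 0);
    if (cbNeeded == (size_t)-1) {
        return NULL;
    }

    LPSTR lpAnsiString = new char[cbNeeded + 1];

    // Second pass writes at most cbNeeded bytes; wcstombs does not append a
    // terminator when it stops at the limit, so it is written explicitly.
    size_t cbWritten = wcstombs(lpAnsiString, lpcsUnicode, cbNeeded);
    if (cbWritten == (size_t)-1) {
        delete[] lpAnsiString;
        return NULL;
    }
    lpAnsiString[cbWritten] = '\0';

    return lpAnsiString;
}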
/**
 * Diagnostic log sink, compiled out in this build.
 *
 * Accepts a printf-style format plus arguments and discards them, so call
 * sites can stay in place without producing any output. The original body
 * (appending to a fixed log file) is not compiled here.
 *
 * @param fmt  printf-style format; unused.
 */
void WriteLog(char *fmt,...)
{
    (void)fmt; // logging disabled: nothing is formatted or written
}
/**
 * Replacement for setupapi!SetupDiSetClassInstallParamsW, installed through
 * g_hook_setupapi_paramsw.
 *
 * For a device whose setup class is one of the twelve classes listed in the
 * condition below (network, PCMCIA, CD-ROM, ports, USB, printer, 1394,
 * modem, floppy, infrared, SCSI adapter, disk drive) the caller's
 * ClassInstallParams are discarded: the real function is instead called with
 * an SP_PROPCHANGE_PARAMS whose header requests DIF_DETECT, with
 * Scope = DICS_FLAG_GLOBAL and StateChange = 0. The caller gets the real
 * API's return value for that substituted request, not for the operation it
 * asked for. Every other class is forwarded unchanged.
 *
 * What the class installer does with a DIF_DETECT header carried in a
 * property-change structure is not decided here; presumably the intent is
 * that property changes requested for these classes never reach the
 * installer while the caller still sees success — confirm against the
 * callers this DLL is loaded into.
 *
 * NOTE(review): DeviceInfoData is dereferenced unconditionally. The real API
 * accepts NULL there (parameters for the whole device information set), so a
 * NULL from the caller faults inside this hook.
 * NOTE(review): in the APIHOOK16 build both hooks are switched off around the
 * real call, presumably so it reaches the original export rather than
 * re-entering this function. That window has no protection against
 * concurrent callers on other threads or against an exception in the real
 * call, and the re-enable sequence is duplicated on both return paths.
 */
BOOL WINAPI mySetupDiSetClassInstallParamsW(
    IN HDEVINFO DeviceInfoSet,
    IN PSP_DEVINFO_DATA DeviceInfoData,
    IN PSP_CLASSINSTALL_HEADER ClassInstallParams,
    IN DWORD ClassInstallParamsSize
)
{
    BOOL ret = FALSE;
#ifdef APIHOOK16
    // Disable both hooks so the call below lands on the original export.
    g_hook_setupapi_paramsw.Hook(FALSE);
    //g_hook_setupapi_paramsa.Hook(FALSE);
    g_hook_advapi32_ChangeW.Hook(FALSE);
#endif
    // Class match: the device's setup class GUID against the fixed list.
    if((InlineIsEqualGUID(DeviceInfoData->ClassGuid,GUID_DEVCLASS_NET)) ||
       (InlineIsEqualGUID(DeviceInfoData->ClassGuid,GUID_DEVCLASS_PCMCIA)) ||
       (InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_CDROM)) ||
       (InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_PORTS)) ||
       (InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_USB)) ||
       (InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_PRINTER)) ||
       (InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_1394)) ||
       (InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_MODEM)) ||
       (InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_FLOPPYDISK)) ||
       (InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_INFRARED)) ||
       (InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_SCSIADAPTER)) ||
       (InlineIsEqualGUID(DeviceInfoData->ClassGuid, GUID_DEVCLASS_DISKDRIVE)) ) {
        WriteLog("SetupDiCallClassInstaller hook/n");
        // Substitute request: only cbSize of the header is initialised by the
        // aggregate initialiser; the remaining fields are set just below.
        SP_PROPCHANGE_PARAMS PropChangeParams = {sizeof(SP_CLASSINSTALL_HEADER)};
        PropChangeParams.ClassInstallHeader.InstallFunction = DIF_DETECT;
        PropChangeParams.Scope = DICS_FLAG_GLOBAL;
        PropChangeParams.StateChange = 0x0;
        //ClassInstallParams->InstallFunction = DIF_DETECT;
        // The caller's ClassInstallParams/ClassInstallParamsSize are not used
        // on this path.
        ret = SetupDiSetClassInstallParamsW(DeviceInfoSet,DeviceInfoData, (SP_CLASSINSTALL_HEADER *)&PropChangeParams, sizeof(PropChangeParams));
#ifdef APIHOOK16
        g_hook_setupapi_paramsw.Hook(TRUE);
        //g_hook_setupapi_paramsa.Hook(TRUE);
        g_hook_advapi32_ChangeW.Hook(TRUE);
#endif
        return ret;
    }
    // Any other class: pass the caller's parameters through unchanged.
    ret = SetupDiSetClassInstallParamsW(DeviceInfoSet,DeviceInfoData, ClassInstallParams, ClassInstallParamsSize);
#ifdef APIHOOK16
    g_hook_setupapi_paramsw.Hook(TRUE);
    //g_hook_setupapi_paramsa.Hook(TRUE);
    g_hook_advapi32_ChangeW.Hook(TRUE);
#endif
    return ret;
}
/**
 * Replacement for advapi32!ChangeServiceConfigW, installed through
 * g_hook_advapi32_ChangeW.
 *
 * The call is forwarded to the real ChangeServiceConfigW with every argument
 * unchanged except dwStartType, which is overridden when the display name
 * (converted to ANSI and matched with strstr, i.e. substring, case-sensitive)
 * contains one of six strings:
 *   - "Cns Agent": always forwarded with SERVICE_AUTO_START;
 *   - "HookNdis", "Hooktdi", "Hideprocess", "ZzFilesensor", "Zzregsensor":
 *     forwarded with SERVICE_AUTO_START when that is what the caller asked
 *     for, otherwise with SERVICE_SYSTEM_START.
 * Any other service is forwarded untouched. The net effect is that a caller
 * (the file header names the services MMC snap-in) cannot set those services
 * to demand-start or disabled, and because the real API's return value is
 * handed back, the caller does not learn that its start type was replaced.
 * The substitution happens inside the calling process, so the service
 * database simply records the forced value.
 *
 * The five name branches are copies of each other apart from the log text;
 * the "XLOOP:" label belongs to the commented-out NULL guard and is unused.
 *
 * NOTE(review): lpDisplayName is NULL when the caller does not want the
 * display name changed; WideStringToAnsiString() then returns NULL and the
 * first strstr() dereferences it. The commented-out guard below shows this
 * case was considered; as written such a call faults in the hooked process.
 * NOTE(review): in the APIHOOK16 build both hooks are disabled for the
 * duration of the real call with no exception handling and no protection
 * against concurrent callers; confirm CAPIHook::Hook tolerates that.
 */
BOOL WINAPI myChangeServiceConfigW(
    SC_HANDLE hService,
    DWORD dwServiceType,
    DWORD dwStartType,
    DWORD dwErrorControl,
    LPCWSTR lpBinaryPathName,
    LPCWSTR lpLoadOrderGroup,
    LPDWORD lpdwTagId,
    LPCWSTR lpDependencies,
    LPCWSTR lpServiceStartName,
    LPCWSTR lpPassword,
    LPCWSTR lpDisplayName
)
{
    BOOL ret = FALSE;
#ifdef APIHOOK16
    // Disable both hooks so the forwarding calls reach the original exports.
    // g_hook_advapi32_ChangeA.Hook(FALSE);
    g_hook_advapi32_ChangeW.Hook(FALSE);
    g_hook_setupapi_paramsw.Hook(FALSE);
#endif
    LPSTR lpDisplay;
    // Heap copy owned by this function; released with delete[] on every path.
    lpDisplay = WideStringToAnsiString(lpDisplayName);
    //if(lpDisplayName == NULL)
    //{
    // WriteLog("ChangeServiceConfigW hook :Display name is null:/n");
    // goto XLOOP;
    //}
    if(strstr(lpDisplay ,"Cns Agent") != NULL) {
        WriteLog("ChangeServiceConfigW hook :Cns Agent:no_change:/n");
        // Start type forced to SERVICE_AUTO_START regardless of dwStartType.
        ret = ChangeServiceConfigW( hService, dwServiceType, SERVICE_AUTO_START, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName);
#ifdef APIHOOK16
        // g_hook_advapi32_ChangeA.Hook(TRUE);
        g_hook_advapi32_ChangeW.Hook(TRUE);
        g_hook_setupapi_paramsw.Hook(TRUE);
#endif
        delete []lpDisplay;
        return ret;
    } else if(strstr(lpDisplay ,"HookNdis") != NULL) {
        WriteLog("ChangeServiceConfigW hook :HookNdis:no_change:/n");
        // Anything other than AUTO_START becomes SYSTEM_START.
        if( dwStartType != SERVICE_AUTO_START)
            ret = ChangeServiceConfigW( hService, dwServiceType, SERVICE_SYSTEM_START, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName);
        else
            ret = ChangeServiceConfigW( hService, dwServiceType, SERVICE_AUTO_START, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName);
#ifdef APIHOOK16
        // g_hook_advapi32_ChangeA.Hook(TRUE);
        g_hook_advapi32_ChangeW.Hook(TRUE);
        g_hook_setupapi_paramsw.Hook(TRUE);
#endif
        delete []lpDisplay;
        return ret;
    }
    else if(strstr(lpDisplay ,"Hooktdi") != NULL) {
        WriteLog("ChangeServiceConfigW hook :Hooktdi:no_change:/n");
        // Same override as the HookNdis branch.
        if( dwStartType != SERVICE_AUTO_START)
            ret = ChangeServiceConfigW( hService, dwServiceType, SERVICE_SYSTEM_START, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName);
        else
            ret = ChangeServiceConfigW( hService, dwServiceType, SERVICE_AUTO_START, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName);
#ifdef APIHOOK16
        // g_hook_advapi32_ChangeA.Hook(TRUE);
        g_hook_advapi32_ChangeW.Hook(TRUE);
        g_hook_setupapi_paramsw.Hook(TRUE);
#endif
        delete []lpDisplay;
        return ret;
    }
    else if(strstr(lpDisplay ,"Hideprocess") != NULL) {
        WriteLog("ChangeServiceConfigW hook :Hideprocess:no_change:/n");
        // Same override as the HookNdis branch.
        if( dwStartType != SERVICE_AUTO_START)
            ret = ChangeServiceConfigW( hService, dwServiceType, SERVICE_SYSTEM_START, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName);
        else
            ret = ChangeServiceConfigW( hService, dwServiceType, SERVICE_AUTO_START, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName);
#ifdef APIHOOK16
        // g_hook_advapi32_ChangeA.Hook(TRUE);
        g_hook_advapi32_ChangeW.Hook(TRUE);
        g_hook_setupapi_paramsw.Hook(TRUE);
#endif
        delete []lpDisplay;
        return ret;
    }
    else if(strstr(lpDisplay ,"ZzFilesensor") != NULL) {
        WriteLog("ChangeServiceConfigW hook :ZzFilesensor:no_change:/n");
        // Same override as the HookNdis branch.
        if( dwStartType != SERVICE_AUTO_START)
            ret = ChangeServiceConfigW( hService, dwServiceType, SERVICE_SYSTEM_START, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName);
        else
            ret = ChangeServiceConfigW( hService, dwServiceType, SERVICE_AUTO_START, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName);
#ifdef APIHOOK16
        // g_hook_advapi32_ChangeA.Hook(TRUE);
        g_hook_advapi32_ChangeW.Hook(TRUE);
        g_hook_setupapi_paramsw.Hook(TRUE);
#endif
        delete []lpDisplay;
        return ret;
    }
    else if(strstr(lpDisplay ,"Zzregsensor") != NULL) {
        WriteLog("ChangeServiceConfigW hook :Zzregsensor:no_change:/n");
        // Same override as the HookNdis branch.
        if( dwStartType != SERVICE_AUTO_START)
            ret = ChangeServiceConfigW( hService, dwServiceType, SERVICE_SYSTEM_START, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName);
        else
            ret = ChangeServiceConfigW( hService, dwServiceType, SERVICE_AUTO_START, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName);
#ifdef APIHOOK16
        // g_hook_advapi32_ChangeA.Hook(TRUE);
        g_hook_advapi32_ChangeW.Hook(TRUE);
        g_hook_setupapi_paramsw.Hook(TRUE);
#endif
        delete []lpDisplay;
        return ret;
    }
XLOOP:
    // Default path: no name matched, forward the caller's own dwStartType.
    WriteLog("ChangeServiceConfigW hook /n");
    ret = ChangeServiceConfigW( hService, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName);
#ifdef APIHOOK16
    // g_hook_advapi32_ChangeA.Hook(TRUE);
    g_hook_advapi32_ChangeW.Hook(TRUE);
    g_hook_setupapi_paramsw.Hook(TRUE);
#endif
    delete []lpDisplay;
    return ret;
}
/**
 * Install (bHook = TRUE) or remove (bHook = FALSE) both API hooks together.
 * Called from DllMain on process attach/detach.
 *
 * Only the APIHOOK16 build does anything here; in the apihook32 build this
 * function is empty, so whether the CAPIHook32 objects hook at construction
 * instead cannot be told from this file — check apihook32.h.
 *
 * @param bHook  Passed straight to CAPIHook::Hook for each object.
 */
void HookAll(BOOL bHook)
{
#ifdef APIHOOK16
    // g_hook_advapi32_ChangeA.Hook(bHook);
    g_hook_advapi32_ChangeW.Hook(bHook);
    g_hook_setupapi_paramsw.Hook(bHook);
    // g_hook_setupapi_paramsa.Hook(bHook);
#endif
}
/**
 * Entry point of the AgentHk DLL.
 *
 * Installs the API hooks when the DLL is mapped into a process and removes
 * them when it is unmapped; thread attach/detach notifications are ignored.
 *
 * @param hInstance   Module handle; unused.
 * @param dwReason    DLL_PROCESS_ATTACH / DLL_PROCESS_DETACH act, others do not.
 * @param lpReserved  Unused.
 * @return 1 (non-zero), so the loader never rejects the attach.
 */
extern "C" int APIENTRY DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    (void)hInstance;
    (void)lpReserved;

    if (dwReason == DLL_PROCESS_ATTACH) {
        HookAll(TRUE);
    } else if (dwReason == DLL_PROCESS_DETACH) {
        HookAll(FALSE);
    }
    // DLL_THREAD_ATTACH and DLL_THREAD_DETACH deliberately fall through.

    return 1;
}
// *****************************************************************************// // // 文件名: main.CPP // 所属项目名称: // 所属模块名称: AGENT Service Hook MMC.EXE // 所属项目版本: 2.0 // 文件用途 : // 文件作者 : horse_b // 创建日期 : 2004-11-15 // // 文件修改说明: // 文件修改人: // 修改日期: // // // //********************************************************************************//
#include <windows.h> #include <stdio.h> #include <malloc.h> // For alloca #include <TlHelp32.h> // For enum process
// File name of the hook DLL. CallHook()/UnHook() expect it in the same
// directory as the current module (the directory is taken from
// GetModuleFileName() and this name is appended).
#define DEFAULT_LIB "AgentHk.DLL"
// Bare image name of the current executable, filled in by CallHook()/UnHook()
// and compared against each process by InjectLibAll()/EjectLibAll() so the
// injector skips itself. Empty until one of those two functions has run.
// NOTE(review): read and written without synchronisation — assumes
// single-threaded use; confirm.
char g_szExeName[MAX_PATH] = {0};
/**
 * Entry point of the injector module.
 *
 * No work is done on any attach/detach notification; all parameters are
 * accepted and ignored.
 *
 * @return TRUE, so the load always succeeds.
 */
BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
{
    (void)hModule;
    (void)ul_reason_for_call;
    (void)lpReserved;
    return TRUE;
}
/**
 * Load pszDllInject into the process dwProcessId.
 *
 * The DLL path is copied into memory allocated inside the target
 * (VirtualAllocEx + WriteProcessMemory) and a thread is started in the target
 * at kernel32!LoadLibraryA with that buffer as its argument. The function
 * waits for the thread to end, then releases the buffer and both handles in
 * the __finally block. The cross-process write and the remote thread start
 * are the steps endpoint monitoring usually records for this technique.
 *
 * @param dwProcessId   Target process id.
 * @param pszDllInject  DLL path as the *target* will resolve it. Not checked
 *                      for length; cb is an int derived from strlen().
 * @return TRUE when every step up to thread completion succeeded. The remote
 *         thread's exit code (LoadLibraryA's HMODULE) is never read, so TRUE
 *         does not prove the DLL actually loaded in the target.
 *
 * NOTE(review): the LoadLibraryA address is resolved in this process and
 * assumed to be valid in the target — only true when both map kernel32 at the
 * same base (same bitness; confirm for the processes this is used on).
 * NOTE(review): WaitForSingleObject(..., INFINITE) blocks the caller for as
 * long as the target's DllMain runs.
 * NOTE(review): szLine is declared but never used.
 */
BOOL WINAPI InjectLib(DWORD dwProcessId, PCSTR pszDllInject)
{
    HANDLE hProcess = NULL, hThread = NULL;
    char *pszDllInjectRemote = NULL;
    char szLine[MAX_PATH] = {0};
    BOOL bOk = FALSE;
    __try {
        // Get a handle for the target process.
        hProcess = OpenProcess(
            PROCESS_QUERY_INFORMATION |   // Required by Alpha
            PROCESS_CREATE_THREAD |       // For CreateRemoteThread
            PROCESS_VM_OPERATION |        // For VirtualAllocEx/VirtualFreeEx
            PROCESS_VM_WRITE,             // For WriteProcessMemory
            FALSE, dwProcessId);
        if (hProcess == NULL) {
            __leave;
        }
        // Calculate the number of bytes needed for the DLL's pathname
        // (terminator included; size_t narrowed to int).
        int cch = 1 + strlen(pszDllInject);
        int cb = cch * sizeof(char);
        // Allocate space in the remote process for the pathname
        pszDllInjectRemote = (char *) VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
        if (pszDllInjectRemote == NULL) {
            __leave;
        }
        // Copy the DLL's pathname to the remote process's address space
        if (!WriteProcessMemory(hProcess, pszDllInjectRemote, (PVOID) pszDllInject, cb, NULL)) {
            __leave;
        }
        // Get the real address of LoadLibraryA in Kernel32.dll
        // (this process's mapping; see the note in the header).
        PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE) GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA");
        if (pfnThreadRtn == NULL) {
            __leave;
        }
        // Create a remote thread that calls LoadLibraryA(DLLPathname)
        hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, pszDllInjectRemote, 0, NULL);
        if (hThread == NULL) {
            __leave;
        }
        // Wait for the remote thread to terminate; its exit code is not read.
        WaitForSingleObject(hThread, INFINITE);
        bOk = TRUE; // Everything executed successfully
    } __finally {
        // Now, we can clean everthing up
        // Free the remote memory that contained the DLL's pathname
        if (pszDllInjectRemote != NULL) VirtualFreeEx(hProcess, pszDllInjectRemote, 0, MEM_RELEASE);
        if (hThread != NULL) CloseHandle(hThread);
        if (hProcess != NULL) CloseHandle(hProcess);
    }
    return(bOk);
}
/**
 * Unload pszDllInject from the process dwProcessId.
 *
 * A module snapshot of the target is searched for an entry whose module name
 * or full path equals pszDllInject (case-insensitive). Its base address is
 * then passed as the argument of a remote thread started at
 * kernel32!FreeLibrary, and the function waits for that thread to end.
 *
 * @param dwProcessId   Target process id.
 * @param pszDllInject  Module name or full path to match.
 * @return TRUE when the module was found and the remote thread ran to
 *         completion; the thread's exit code (FreeLibrary's BOOL) is not read.
 *
 * NOTE(review): stricmp is the pre-ANSI CRT name (_stricmp in current CRTs).
 * NOTE(review): FreeLibrary decrements the load count once, so a module
 * loaded more than once in the target stays mapped — presumably acceptable
 * for a module loaded by InjectLib(); confirm.
 * NOTE(review): same FreeLibrary-address and INFINITE-wait assumptions as
 * InjectLib().
 */
BOOL WINAPI EjectLib(DWORD dwProcessId, PCSTR pszDllInject)
{
    BOOL bOk = FALSE; // Assume that the function fails
    HANDLE hthSnapshot = NULL;
    HANDLE hProcess = NULL, hThread = NULL;
    __try {
        // Grab a new snapshot of the process
        hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
        if (hthSnapshot == NULL) __leave;
        // Get the HMODULE of the desired library
        MODULEENTRY32 me = { sizeof(me) };
        BOOL bFound = FALSE;
        BOOL bMoreMods = Module32First(hthSnapshot, &me);
        for (; bMoreMods; bMoreMods = Module32Next(hthSnapshot, &me)) {
            // Match either the bare module name or the full image path.
            bFound = (stricmp(me.szModule, pszDllInject) == 0) || (stricmp(me.szExePath, pszDllInject) == 0);
            if (bFound) break;
        }
        if (!bFound) __leave;
        // Get a handle for the target process.
        hProcess = OpenProcess(
            PROCESS_QUERY_INFORMATION |   // Required by Alpha
            PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION, // For CreateRemoteThread
            FALSE, dwProcessId);
        if (hProcess == NULL) __leave;
        // Get the real address of FreeLibrary in Kernel32.dll
        PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE) GetProcAddress(GetModuleHandle("Kernel32"), "FreeLibrary");
        if (pfnThreadRtn == NULL) __leave;
        // Create a remote thread that calls FreeLibrary(HMODULE) with the
        // module base found in the snapshot.
        hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, me.modBaseAddr, 0, NULL);
        if (hThread == NULL) __leave;
        // Wait for the remote thread to terminate
        WaitForSingleObject(hThread, INFINITE);
        bOk = TRUE; // Everything executed successfully
    } __finally {
        // Now we can clean everything up
        if (hthSnapshot != NULL) CloseHandle(hthSnapshot);
        if (hThread != NULL) CloseHandle(hThread);
        if (hProcess != NULL) CloseHandle(hProcess);
    }
    return(bOk);
}
/**
 * Call InjectLib() for every process in the system except the one whose
 * image name equals g_szExeName (the injector itself, as recorded by
 * CallHook()/UnHook()).
 *
 * @param pszDllInject  DLL path handed to InjectLib() unchanged.
 * @return Number of processes for which InjectLib() returned TRUE. A result
 *         line per process is written to stdout with printf.
 *
 * NOTE(review): hProcess, hThread and bFound are declared and never used;
 * the __finally block closes two handles that are always NULL.
 * NOTE(review): while g_szExeName is still empty no process is skipped.
 * NOTE(review): processes that OpenProcess() refuses end up in the "failed"
 * branch; the loop does not distinguish that from any other failure.
 */
int WINAPI InjectLibAll(char *pszDllInject)
{
    HANDLE hthSnapshot = NULL;
    HANDLE hProcess = NULL, hThread = NULL;
    int nRtn = 0;
    __try {
        // Grab a new snapshot of the process list
        hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hthSnapshot == NULL) __leave;
        // Walk the process list (comment in the original was copied from
        // EjectLib and referred to a module lookup).
        PROCESSENTRY32 pe = { sizeof(pe) };
        BOOL bFound = FALSE;
        BOOL bMoreProcesses = Process32First(hthSnapshot, &pe);
        for (; bMoreProcesses; bMoreProcesses = Process32Next(hthSnapshot, &pe)) {
            // Skip our own executable by image name.
            if (stricmp(pe.szExeFile, g_szExeName) == 0) continue;
            if (InjectLib(pe.th32ProcessID, pszDllInject)) {
                nRtn++;
                printf("%s - %s/n", pe.szExeFile, "DLL Injection successful.");
            } else {
                printf("%s - %s/n", pe.szExeFile, "DLL Injection failed.");
            }
        }
    } __finally {
        // Now we can clean everything up
        if (hthSnapshot != NULL) CloseHandle(hthSnapshot);
        if (hThread != NULL) CloseHandle(hThread);
        if (hProcess != NULL) CloseHandle(hProcess);
    }
    return nRtn;
}
/**
 * Call EjectLib() for every process in the system except the one whose
 * image name equals g_szExeName.
 *
 * @param pszDllInject  Module name or path handed to EjectLib() unchanged.
 * @return Number of processes for which EjectLib() returned TRUE. A result
 *         line per process is written to stdout with printf.
 *
 * NOTE(review): hProcess, hThread and bFound are declared and never used;
 * the __finally block closes two handles that are always NULL.
 * NOTE(review): while g_szExeName is still empty no process is skipped.
 */
int WINAPI EjectLibAll(char *pszDllInject)
{
    HANDLE hthSnapshot = NULL;
    HANDLE hProcess = NULL, hThread = NULL;
    int nRtn = 0;
    __try {
        // Grab a new snapshot of the process list
        hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hthSnapshot == NULL) __leave;
        // Walk the process list (comment in the original was copied from
        // EjectLib and referred to a module lookup).
        PROCESSENTRY32 pe = { sizeof(pe) };
        BOOL bFound = FALSE;
        BOOL bMoreProcesses = Process32First(hthSnapshot, &pe);
        for (; bMoreProcesses; bMoreProcesses = Process32Next(hthSnapshot, &pe)) {
            // Skip our own executable by image name.
            if (stricmp(pe.szExeFile, g_szExeName) == 0) continue;
            if (EjectLib(pe.th32ProcessID, pszDllInject)) {
                nRtn++;
                printf("%s - %s/n", pe.szExeFile, "DLL Ejection successful.");
            } else {
                printf("%s - %s/n", pe.szExeFile, "DLL Ejection failed.");
            }
        }
    } __finally {
        // Now we can clean everything up
        if (hthSnapshot != NULL) CloseHandle(hthSnapshot);
        if (hThread != NULL) CloseHandle(hThread);
        if (hProcess != NULL) CloseHandle(hProcess);
    }
    return nRtn;
}
/**
 * Call InjectLib() for every process whose image name equals pszProcName
 * (case-insensitive, so several instances of the same executable are all
 * handled). Unlike InjectLibAll(), the injector's own process is not skipped.
 *
 * @param pszDllInject  DLL path handed to InjectLib() unchanged.
 * @param pszProcName   Image name to match against PROCESSENTRY32.szExeFile.
 * @return Number of matching processes for which InjectLib() returned TRUE.
 *         A result line per match is written to stdout with printf.
 *
 * NOTE(review): hProcess, hThread and bFound are declared and never used;
 * the __finally block closes two handles that are always NULL.
 */
int WINAPI InjectLibByName(char *pszDllInject, char *pszProcName)
{
    HANDLE hthSnapshot = NULL;
    HANDLE hProcess = NULL, hThread = NULL;
    int nRtn = 0;
    __try {
        // Grab a new snapshot of the process list
        hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hthSnapshot == NULL) __leave;
        // Walk the process list (comment in the original was copied from
        // EjectLib and referred to a module lookup).
        PROCESSENTRY32 pe = { sizeof(pe) };
        BOOL bFound = FALSE;
        BOOL bMoreProcesses = Process32First(hthSnapshot, &pe);
        for (; bMoreProcesses; bMoreProcesses = Process32Next(hthSnapshot, &pe)) {
            if (stricmp(pe.szExeFile, pszProcName) == 0) {
                if (InjectLib(pe.th32ProcessID, pszDllInject)) {
                    nRtn++;
                    printf("%s/%s - %s/n", pszDllInject, pe.szExeFile, "DLL Injection successful.");
                } else {
                    printf("%s/%s - %s/n", pszDllInject, pe.szExeFile, "DLL Injection failed");
                }
            }
        }
    } __finally {
        // Now we can clean everything up
        if (hthSnapshot != NULL) CloseHandle(hthSnapshot);
        if (hThread != NULL) CloseHandle(hThread);
        if (hProcess != NULL) CloseHandle(hProcess);
    }
    return nRtn;
}
/**
 * Call EjectLib() for every process whose image name equals pszProcName
 * (case-insensitive). The caller's own process is not skipped.
 *
 * @param pszDllInject  Module name or path handed to EjectLib() unchanged.
 * @param pszProcName   Image name to match against PROCESSENTRY32.szExeFile.
 * @return Number of matching processes for which EjectLib() returned TRUE.
 *         A result line per match is written to stdout with printf.
 *
 * NOTE(review): hProcess, hThread and bFound are declared and never used;
 * the __finally block closes two handles that are always NULL.
 */
int WINAPI EjectLibByName(char *pszDllInject, char *pszProcName)
{
    HANDLE hthSnapshot = NULL;
    HANDLE hProcess = NULL, hThread = NULL;
    int nRtn = 0;
    __try {
        // Grab a new snapshot of the process list
        hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hthSnapshot == NULL) __leave;
        // Walk the process list (comment in the original was copied from
        // EjectLib and referred to a module lookup).
        PROCESSENTRY32 pe = { sizeof(pe) };
        BOOL bFound = FALSE;
        BOOL bMoreProcesses = Process32First(hthSnapshot, &pe);
        for (; bMoreProcesses; bMoreProcesses = Process32Next(hthSnapshot, &pe)) {
            if (stricmp(pe.szExeFile, pszProcName) == 0) {
                if (EjectLib(pe.th32ProcessID, pszDllInject)) {
                    nRtn++;
                    printf("%s - %s/n", pe.szExeFile, "DLL Ejection successful.");
                } else {
                    printf("%s - %s/n", pe.szExeFile, "DLL Ejection failed.");
                }
            }
        }
    } __finally {
        // Now we can clean everything up
        if (hthSnapshot != NULL) CloseHandle(hthSnapshot);
        if (hThread != NULL) CloseHandle(hThread);
        if (hProcess != NULL) CloseHandle(hProcess);
    }
    return nRtn;
}
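/**
 * Enable SeDebugPrivilege in the current process token.
 *
 * The privilege must already be present (disabled) in the token; this only
 * switches it on. Fix relative to the original: the token handle was leaked
 * on the success path; it is now closed on every path.
 *
 * Caveat kept from the original: AdjustTokenPrivileges() returns TRUE even
 * when it could not enable the privilege (it then sets the last error to
 * ERROR_NOT_ALL_ASSIGNED). That case is not checked here, so TRUE means
 * "the adjustment call succeeded", not necessarily "the privilege is held".
 *
 * @return TRUE when the token was opened, the LUID resolved and the
 *         adjustment call succeeded; FALSE on any API failure.
 */
BOOL EnableDebugPriv(void)
{
    HANDLE hToken = NULL;
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tkp;
    BOOL bOk = FALSE;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return FALSE;
    }

    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue)) {
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = sedebugnameValue;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        bOk = AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL);
    }

    // Single exit: the token handle is released whether or not the
    // adjustment succeeded.
    CloseHandle(hToken);
    return bOk;
}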
/**
 * Exported (stdcall) entry meant to load DEFAULT_LIB into process nPid.
 *
 * Steps as written: store this executable's bare image name in g_szExeName;
 * call EnableDebugPriv() (result ignored); build the DLL path from this
 * module's directory plus DEFAULT_LIB; verify the file can be opened; and
 * then, only when dwProcessId > 0, call InjectLib().
 *
 * @param nPid  Process id. NOTE(review): never read. dwProcessId is
 *              initialised to 0 and not assigned anywhere in the function, so
 *              the InjectLib() branch is unreachable as written and the
 *              function returns 0 (DLL file missing) or FALSE. Whether this is
 *              a deliberate disablement or a transcription gap cannot be told
 *              from this file.
 * @return FALSE on every reachable path (see above).
 *
 * NOTE(review): '//' is a multi-character constant in this listing (the
 * intended separator was presumably the backslash); strrchr() therefore
 * searches for an implementation-defined char value and may return NULL, in
 * which case the `strrchr(szLibFile, '//') + 1` below is NULL + 1 and
 * strcpy() faults.
 * NOTE(review): the strcpy() into szLibFile is unbounded; a module directory
 * close to MAX_PATH overflows the buffer.
 * NOTE(review): szProcName is unused, and szLine is filled using the size of
 * g_szExeName rather than its own (both MAX_PATH, so harmless but misleading).
 */
BOOL __stdcall CallHook(int nPid)
{
    BOOL ret = FALSE;
    DWORD dwProcessId = 0;
    char szProcName[MAX_PATH] = {0};
    char szLine[MAX_PATH] = {0};
    char szLibFile[MAX_PATH] = {0};
    // Record our own image name (text after the last separator) so the
    // *All() helpers can skip this process.
    GetModuleFileName(0, szLine, sizeof(g_szExeName)-1);
    char *ptr = strrchr(szLine, '//');
    if (ptr) {
        ptr++;
        strcpy(g_szExeName, ptr);
    }
    // Enable SeDebugPrivilege; the return value is not checked.
    EnableDebugPriv();
    // DLL path = directory of this module + DEFAULT_LIB.
    GetModuleFileName(NULL, szLibFile, sizeof(szLibFile));
    strcpy(strrchr(szLibFile, '//') + 1, DEFAULT_LIB);
    // Existence check only; the file is opened and closed again immediately.
    FILE *fp = fopen(szLibFile, "r");
    if (!fp) {
        // printf("DLL file /"%s/" not exists./n", szLibFile);
        return 0;
    }
    fclose(fp);
    if (dwProcessId > 0) {
        // Inject the DLL by process id (unreachable as written, see header).
        if (InjectLib(dwProcessId, szLibFile)) {
            // printf("%s/n", "DLL Injection successful.");
            ret = TRUE;
        } else {
            // printf("%s/n", "DLL Injection failed.");
            ret = FALSE;
        }
    }
    return ret;
}
/**
 * Exported (stdcall) entry meant to unload DEFAULT_LIB from process nPid.
 * Mirror of CallHook() with EjectLib() in place of InjectLib(); the same
 * observations apply.
 *
 * @param nPid  Process id. NOTE(review): never read. dwProcessId stays 0, so
 *              the EjectLib() branch is unreachable as written and the
 *              function returns 0 (DLL file missing) or FALSE.
 * @return FALSE on every reachable path.
 *
 * NOTE(review): '//' is a multi-character constant in this listing (the
 * intended separator was presumably the backslash); a NULL from strrchr()
 * makes the `strrchr(szLibFile, '//') + 1` below NULL + 1 and strcpy()
 * faults. The strcpy() into szLibFile is also unbounded.
 * NOTE(review): szProcName is unused; szLine is sized from g_szExeName.
 */
BOOL __stdcall UnHook(int nPid)
{
    BOOL ret = FALSE;
    DWORD dwProcessId = 0;
    char szProcName[MAX_PATH] = {0};
    char szLine[MAX_PATH] = {0};
    char szLibFile[MAX_PATH] = {0};
    // Record our own image name (text after the last separator).
    GetModuleFileName(0, szLine, sizeof(g_szExeName)-1);
    char *ptr = strrchr(szLine, '//');
    if (ptr) {
        ptr++;
        strcpy(g_szExeName, ptr);
    }
    // Enable SeDebugPrivilege; the return value is not checked.
    EnableDebugPriv();
    // DLL path = directory of this module + DEFAULT_LIB.
    GetModuleFileName(NULL, szLibFile, sizeof(szLibFile));
    strcpy(strrchr(szLibFile, '//') + 1, DEFAULT_LIB);
    // Existence check only; the file is opened and closed again immediately.
    FILE *fp = fopen(szLibFile, "r");
    if (!fp) {
        // printf("DLL file /"%s/" not exists./n", szLibFile);
        return 0;
    }
    fclose(fp);
    if (dwProcessId > 0) {
        // Eject the DLL by process id (the original comment here was copied
        // from CallHook and said "inject"). Unreachable as written, see header.
        if (EjectLib(dwProcessId, szLibFile)) {
            // printf("%s/n", "DLL Ejection successful.");
            ret = TRUE;
        } else {
            // printf("%s/n", "DLL Ejection failed.");
            ret = FALSE;
        }
    }
    return ret;
}