sojia
| 发表于:2008-08-19 16:45:506楼 得分:0 |
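首先感谢! 注入DLL我用的是Windows 程序设计(王艳平)编写的类:class CRemThreadInjector。开始时枚举所有进程,远程注入, HOOKAPI用得Jeffrey的CAPIHook类 ,都没有做修改。 HOOKAPI很多贴一两个吧:

// Declared before g_WriteFile so the CAPIHook initializer can take the hook's address.
// NOTE(review): the real kernel32!WriteFile returns BOOL; HANDLE is kept here only to
// match the existing declaration and is width-equivalent only on 32-bit builds.
HANDLE WINAPI Hook_WriteFile(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite,
                             LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped);

extern CAPIHook g_WriteFile;
CAPIHook g_WriteFile("kernel32.dll", "WriteFile", (PROC)Hook_WriteFile);

// Replacement for kernel32!WriteFile installed through g_WriteFile.
// Reports "<pid>\r\n<module path>\r\nWriteFile\r\n<file path>\r\n" to the "HookComu"
// window via WM_COPYDATA, then forwards the unchanged arguments to the original
// WriteFile and returns its result. The write itself is never altered or blocked.
//
// Parameters: the original WriteFile parameters, passed through untouched.
// Returns:    the original WriteFile's return value (see the declaration above).
HANDLE WINAPI Hook_WriteFile(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite,
                             LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped)
{
    typedef HANDLE (WINAPI *PFNWRITEFILE)(HANDLE, LPCVOID, DWORD, LPDWORD, LPOVERLAPPED);

    // Path of the hooked process's main module; an empty string on failure rather than
    // uninitialized stack bytes reaching wsprintf below.
    char szPathName[MAX_PATH];
    if (::GetModuleFileName(NULL, szPathName, MAX_PATH) == 0) {
        szPathName[0] = '\0';
    }

    // Path of the file behind hFile. Stays empty when the handle is not a file-system
    // object (console, pipe, socket) or the query fails.
    char szFilePath[MAX_PATH];
    szFilePath[0] = '\0';

    // ntdll.dll is mapped into every process, so GetModuleHandle replaces the
    // LoadLibrary/FreeLibrary pair the original did on every hooked write (and the
    // FreeLibrary(NULL) it did when the load failed).
    HMODULE hNtdll = ::GetModuleHandle(_T("ntdll.dll"));
    if (hNtdll != NULL) {
        NtQueryInformationFile = (NTQUERYINFORMATIONFILE)::GetProcAddress(hNtdll, "NtQueryInformationFile");
    }

    if (NtQueryInformationFile != NULL && hFile != NULL && hFile != INVALID_HANDLE_VALUE) {
        // FileNameInformation fills a ULONG FileNameLength (FileInfo[0..1]) followed by
        // a WCHAR FileName[] that is NOT null-terminated. Zero the whole buffer and hand
        // the kernel one wchar_t less than it holds, so the final slot is always a
        // terminator for the string conversion below (the original zeroed only half the
        // buffer and could read past the name).
        wchar_t FileInfo[MAX_PATH + 2];
        RtlZeroMemory(FileInfo, sizeof(FileInfo));
        IO_STATUS_BLOCK IoStatus = {0};
        NTSTATUS status = NtQueryInformationFile(hFile, &IoStatus, (PVOID)FileInfo,
                                                 (ULONG)(sizeof(FileInfo) - sizeof(wchar_t)),
                                                 FileNameInformation);
        if (NT_SUCCESS(status)) {
            wchar_t* temp = &FileInfo[2];   // skip FileNameLength
            // NOTE(review): UnicodeToAnsi is a project helper; the cast mirrors the
            // original call, and the returned buffer is not released here — confirm
            // who owns it.
            char* AnsiPath = UnicodeToAnsi((LPCTSTR)temp);
            if (AnsiPath != NULL) {
                LPSTR p = NULL;
                DWORD cch = ::GetFullPathNameA(AnsiPath, MAX_PATH, szFilePath, &p);
                if (cch == 0 || cch >= MAX_PATH) {
                    // Failed or truncated: report nothing rather than a partial path.
                    szFilePath[0] = '\0';
                }
            }
        }
    }

    // Build the report for the main dialog. Both paths are bounded by MAX_PATH, so the
    // line stays well inside sz and inside wsprintf's 1024-character limit.
    char sz[2048];
    wsprintf(sz, "%d\r\n%s\r\nWriteFile\r\n%s\r\n", ::GetCurrentProcessId(), szPathName, szFilePath);

    // Only send when the monitor dialog actually exists; SendMessageTimeout bounds the
    // wait so a hung receiver cannot stall the hooked process's write.
    HWND hwndMonitor = ::FindWindow(NULL, "HookComu");
    if (hwndMonitor != NULL) {
        COPYDATASTRUCT cds = { ::GetCurrentProcessId(), static_cast<DWORD>(strlen(sz) + 1), sz };
        ::SendMessageTimeout(hwndMonitor, WM_COPYDATA, 0, (LPARAM)&cds, SMTO_ABORTIFHUNG, 10, NULL);
    }

    return ((PFNWRITEFILE)(PROC)g_WriteFile)(hFile, lpBuffer, nNumberOfBytesToWrite,
                                             lpNumberOfBytesWritten, lpOverlapped);
}

此外还HOOK了很多注册表的操作,大约HOOk了28个API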