??1?//////////////////////////////////////////////////////////////////////?
??2?附錄:一個攔截CreateFile函數的簡單實現?
??3?//////////////////////////////////////////////////////////////////////?
??4?#include?<stdio.h>?
??5?#include?<windows.h>?
??6?#include?<Psapi.h>?
??7?
??8?#pragma?comment(lib,?"psapi.lib")?
??9?
?10?typedef?struct?_RemoteParam?{?
?11???DWORD?dwCreateFile;?
?12???DWORD?dwMessageBox;?
?13???DWORD?dwGetCurrentProcess;?
?14???DWORD?dwWriteProcessMemory;?
?15???unsigned?char?szOldCode[10];?
?16???DWORD?FunAddr;?
?17?}?RemoteParam,?*?PRemoteParam;?
?18?
?19?typedef?HANDLE?(__stdcall?*?PFN_CREATEFILE)(LPCTSTR,DWORD,DWORD,LPSECURITY_ATTRIBUTES,DWORD,DWORD,HANDLE);?
?20?typedef?int?(__stdcall?*?PFN_MESSAGEBOX)(HWND,?LPCTSTR,?LPCTSTR,?DWORD);?
?21?typedef?BOOL?(__stdcall?*?PFN_WRITEPROCESSMEMORY)(HANDLE,LPVOID,LPCVOID,SIZE_T,SIZE_T*);?
?22?typedef?HANDLE?(__stdcall?*?PFN_GETCURRENTPROCESS)(void);?
?23?
?24?#define?PROCESSNUM?128?
?25?#define?MYMESSAGEBOX?"MessageBoxW"?
?26?#define?MYCREATEFILE?"CreateFileW"?
?27?
?28?void?HookCreateFile(LPVOID?lParam)?
?29?{?
?30?
?31???RemoteParam*?pRP?=?(RemoteParam*)lParam;?
?32?
?33?
?34???DWORD?NextIpAddr?=?0;?
?35???DWORD?dwParamaAddr?=?0;?
?36?
?37???HANDLE?RetFpHdl?=?INVALID_HANDLE_value;?
?38???LPCTSTR?lpFileName;?
?39???DWORD?dwDesiredAccess;?
?40???DWORD?dwShareMode;?
?41???LPSECURITY_ATTRIBUTES?lpSecurityAttributes;?
?42???DWORD?dwCreationDisposition;?
?43???DWORD?dwFlagsAndAttributes;?
?44???HANDLE?hTemplateFile;?
?45???PFN_CREATEFILE?pfnCreatefile?=?(PFN_CREATEFILE)pRP->dwCreateFile;?
?46?
?47?
?48???__asm?
?49???{?
?50?????MOV?EAX,[EBP+8]?
?51?????MOV?[dwParamaAddr],?EAX?
?52?????MOV?EAX,[EBP+12]???????????
?53?????MOV?[NextIpAddr],?EAX?
?54?????MOV?EAX,[EBP+16]?
?55?????MOV?[lpFileName],?EAX?
?56?????MOV?EAX,[EBP+20]?
?57?????MOV?[dwDesiredAccess],EAX?
?58?????MOV?EAX,[EBP+24]?
?59?????MOV?[dwShareMode],EAX?
?60?????MOV?EAX,[EBP+28]?
?61?????MOV?[lpSecurityAttributes],EAX?
?62?????MOV?EAX,[EBP+32]?
?63?????MOV?[dwCreationDisposition],EAX?
?64?????MOV?EAX,[EBP+36]?
?65?????MOV?[dwFlagsAndAttributes],EAX?
?66?????MOV?EAX,[EBP+40]?
?67?????MOV?[hTemplateFile],EAX?????
?68???}?
?69?
?70???PFN_MESSAGEBOX?pfnMessageBox?=?(PFN_MESSAGEBOX)pRP->dwMessageBox;?
?71???int?allowFlag?=?pfnMessageBox(NULL,?lpFileName,?NULL,?MB_ICONINformATION?|?MB_YESNO);?
?72????
?73???if(allowFlag?==?IDYES)?
?74???{?
?75???unsigned?char?szNewCode[10];?
?76???int?PramaAddr?=?(int)dwParamaAddr;?
?77???szNewCode[4]?=?PramaAddr>>24;?
?78???szNewCode[3]?=?(PramaAddr<<8)>>24;?
?79???szNewCode[2]?=?(PramaAddr<<16)>>24;?
?80???szNewCode[1]?=?(PramaAddr<<24)>>24;?
?81???szNewCode[0]?=?0x68;?
?82????
?83???int?funaddr?=?(int)pRP->FunAddr?-?(int)pfnCreatefile?-?10?;?
?84???szNewCode[9]?=?funaddr>>24;?
?85???szNewCode[8]?=?(funaddr<<8)>>24;?
?86???szNewCode[7]?=?(funaddr<<16)>>24;?
?87???szNewCode[6]?=?(funaddr<<24)>>24;?
?88???szNewCode[5]?=?0xE8;?
?89????
?90????
?91???PFN_GETCURRENTPROCESS?pfnGetCurrentProcess?=?(PFN_GETCURRENTPROCESS)pRP->dwGetCurrentProcess;?
?92???PFN_WRITEPROCESSMEMORY?pfnWriteProcessMemory?=?(PFN_WRITEPROCESSMEMORY)pRP->dwWriteProcessMemory;?
?93???pfnWriteProcessMemory(pfnGetCurrentProcess(),?
?94?????????????????????????(LPVOID)pfnCreatefile,?
?95?????????????????????????(LPCVOID)pRP->szOldCode,?
?96?????????????????????????10,?
?97?????????????????????????NULL);?
?98?
?99???RetFpHdl?=?pfnCreatefile(lpFileName,?
100?????????????????????????????dwDesiredAccess,?
101?????????????????????????????dwShareMode,?
102?????????????????????????????lpSecurityAttributes,?
103?????????????????????????????dwCreationDisposition,?
104?????????????????????????????dwFlagsAndAttributes,?
105?????????????????????????????hTemplateFile);?
106???pfnWriteProcessMemory(pfnGetCurrentProcess(),?
107?????????????????????????(LPVOID)pfnCreatefile,?
108?????????????????????????(LPCVOID)szNewCode,?
109?????????????????????????10,?
110?????????????????????????NULL);?
111???}?
112?
113?
114???__asm?
115???????{POP?EDI?
116?????????POP?ESI?
117?????????POP?EBX?
118?????????MOV?EDX,?[NextIpAddr]?
119?????????MOV?EAX,?[RetFpHdl]?
120?????????MOV?ESP,?EBP?
121?????????POP?EBP?
122?????????ADD?ESP,?28H???
123?????????PUSH?EDX?
124?????????RET?
125???????}?
126?
127????
128?}?
129?
130?
131?
132?BOOL?AdjustProcessPrivileges(LPCSTR?szPrivilegesName)?
133?{?
134???HANDLE?hToken;?
135???TOKEN_PRIVILEGES?tkp;?
136?
137???if(!OpenProcessToken(GetCurrentProcess(),?
138???????TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))?
139???{?
140???????return?FALSE;?
141???}?
142?
143???if(!LookupPrivilegeValue(NULL,szPrivilegesName,?
144?????????????????????????????&tkp.Privileges[0].Luid))?
145???{?
146???????CloseHandle(hToken);?
147???????return?FALSE;?
148???}?
149????
150???tkp.PrivilegeCount?=?1;?
151???tkp.Privileges[0].Attributes?=?SE_PRIVILEGE_ENABLED;?
152????
153???if(!AdjustTokenPrivileges(hToken,FALSE,&tkp,sizeof(tkp),NULL,NULL))?
154???{?
155???????CloseHandle(hToken);?
156???????return?FALSE;?
157???}?
158????
159???CloseHandle(hToken);?
160???return?TRUE;?
161?}?
162?
163?
164?void?printProcessNameByPid(?DWORD?ProcessId?)?
165?{?
166???HANDLE?pHd;?
167???HMODULE?pHmod;?
168???char?ProcessName[MAX_PATH]?=?"unknown";?
169???DWORD?cbNeeded;?
170???pHd?=?OpenProcess(?PROCESS_QUERY_INformATION?|PROCESS_VM_READ,?FALSE,?ProcessId?);?
171???if(pHd?==?NULL)?
172???????return;?
173????
174???if(!EnumProcessModules(?pHd,?&pHmod,?sizeof(pHmod),?&cbNeeded))?
175???????return;?
176???if(!GetModuleFileNameEx(?pHd,?pHmod,?ProcessName,?MAX_PATH))?
177???????return;?
178????
179???printf(?"%dt%sn",?ProcessId,?ProcessName);?
180???CloseHandle(?pHd?);?
181???return;?
182?}?
183?
184?
185?int?main(void)?
186?{?
187?
188?????if(!AdjustProcessPrivileges(SE_DEBUG_NAME))?
189?????{?
190?????????printf("AdjustProcessPrivileges?Error!n");?
191?????????return?-1;?
192?????}?
193?
194?????DWORD?Pids[PROCESSNUM];?
195?????DWORD?dwProcessNum?=?0;?
196?????if(!EnumProcesses(Pids,?sizeof(Pids),?&dwProcessNum))?
197?????{?
198?????????printf("EnumProcess?Error!n");?
199?????????return?-1;?
200?????}?
201??????
202?????for(?DWORD?num?=?0;?num?<?(dwProcessNum?/?sizeof(DWORD));?num++)?
203?????????printProcessNameByPid(Pids[num]);?
204?
205?????printf("nAll?%d?processes?running.?n",?dwProcessNum?/?sizeof(DWORD));?
206?
207?????DWORD?dwPid?=?0;?
208?????printf("n請輸入要攔截的進程id:");?
209?????scanf("%d",?&dwPid);?
210??????
211?????HANDLE?hTargetProcess?=?OpenProcess(PROCESS_VM_OPERATION|PROCESS_VM_WRITE|PROCESS_VM_READ,?FALSE,?dwPid);?
212?????if(hTargetProcess?==?NULL)?
213?????{?
214?????????printf("OpenProcess?Error!n");?
215?????????return?-1;?
216?????}?
217?
218?????DWORD?dwFunAddr?=?(DWORD)VirtualAllocEx(hTargetProcess,?NULL,?8192,?
219?????????????????????????????????????????????MEM_COMMIT?|?MEM_RESERVE,?PAGE_EXECUTE_READWRITE);?
220??????
221?????if((LPVOID)dwFunAddr?==?NULL)?
222?????{?
223?????????printf("申請線程內存失敗!n");?
224?????????CloseHandle(hTargetProcess);?
225?????????return?-1;?
226?????}?
227?
228?????DWORD?dwPramaAddr?=?(DWORD)VirtualAllocEx(hTargetProcess,?NULL,?sizeof(RemoteParam),?
229???????????????????????????????????????????????MEM_COMMIT?|?MEM_RESERVE,?PAGE_EXECUTE_READWRITE);?
230?
231?????if((LPVOID)dwPramaAddr?==?NULL)?
232?????{?
233?????????printf("申請參數內存失敗!n");?
234?????????CloseHandle(hTargetProcess);?
235?????????return?-1;?
236?????}?
237?
238?????printf("n線程內存地址:%.8xn"?
239???????????"參數內存地址:%.8xn",?
240???????????dwFunAddr,?dwPramaAddr);?
241???????RemoteParam?RParam;?
242?????ZeroMemory(&RParam,?sizeof(RParam));?
243?????HMODULE?hKernel32?=?LoadLibrary("kernel32.dll");?
244?????HMODULE?hUser32?=?LoadLibrary("user32.dll");?
245?
246?????RParam.dwCreateFile?=?(DWORD)GetProcAddress(hKernel32,?MYCREATEFILE);?
247?????RParam.dwGetCurrentProcess?=?(DWORD)GetProcAddress(hKernel32,?"GetCurrentProcess");?
248?????RParam.dwWriteProcessMemory?=?(DWORD)GetProcAddress(hKernel32,?"WriteProcessMemory");?
249?????RParam.dwMessageBox?=?(DWORD)GetProcAddress(hUser32,?MYMESSAGEBOX);?
250??????
251?????unsigned?char?oldcode[10];?
252?????unsigned?char?newcode[10];?
253?????int?praadd?=?(int)dwPramaAddr;?
254?????int?threadadd?=?(int)dwFunAddr;?
255?????newcode[4]?=?praadd>>24;?
256?????newcode[3]?=?(praadd<<8)>>24;?
257?????newcode[2]?=?(praadd<<16)>>24;?
258?????newcode[1]?=?(praadd<<24)>>24;?
259?????newcode[0]?=?0x68;?
260????
261?????int?offsetaddr?=?threadadd?-?(int)RParam.dwCreateFile?-?10?;?
262?????newcode[9]?=?offsetaddr>>24;?
263?????newcode[8]?=?(offsetaddr<<8)>>24;?
264?????newcode[7]?=?(offsetaddr<<16)>>24;?
265?????newcode[6]?=?(offsetaddr<<24)>>24;?
266?????newcode[5]?=?0xE8;?
267?
268?????printf("NewCode:");?
269?????for(int?j?=?0;?j?<?10;?j++)?
270?????????printf("0x%.2x?",newcode[j]);?
271?????printf("nn");?
272?
273?
274?
275?????if(!ReadProcessMemory(GetCurrentProcess(),?
276???????????????????????????(LPCVOID)RParam.dwCreateFile,?
277???????????????????????????oldcode,?
278???????????????????????????10,?
279???????????????????????????&dwPid))?
280?????{?
281?????????printf("read?error");?
282?????????CloseHandle(hTargetProcess);?
283?????????FreeLibrary(hKernel32);?
284?????????return?-1;?
285?????}?
286?
287?????strcat((char*)RParam.szOldCode,?(char*)oldcode);?
288?????RParam.FunAddr?=?dwFunAddr;?
289?
290?????printf(?
291???????????"RParam.dwCreate文件:%.8xn"?
292???????????"RParam.dwMessageBox:%.8xn"?
293???????????"RParam.dwGetCurrentProcess:%.8xn"?
294???????????"RParam.dwWriteProcessMemory:%.8xn"?
295???????????"RParam.FunAddr:%.8xn",?
296???????????RParam.dwCreateFile,?
297???????????RParam.dwMessageBox,?
298???????????RParam.dwGetCurrentProcess,?
299???????????RParam.dwWriteProcessMemory,?
300???????????RParam.FunAddr);?
301?????printf("RParam.szOldCode:");?
302?????for(?int?i?=?0;?i<?10;?i++)?
303?????????printf("0x%.2x?",?RParam.szOldCode);?
304?????printf("n");?
305??????
306??????
307?????if(!WriteProcessMemory(hTargetProcess,?(LPVOID)dwFunAddr,?(LPVOID)&HookCreateFile,?8192,?&dwPid))?
308?????{?
309?????????printf("WriteRemoteProcessesMemory?Error!n");?
310?????????CloseHandle(hTargetProcess);?
311?????????FreeLibrary(hKernel32);?
312?????????return?-1;?
313?????}?
314?
315?????if(!WriteProcessMemory(hTargetProcess,?(LPVOID)dwPramaAddr,?(LPVOID)&RParam,?sizeof(RemoteParam),?&dwPid))?
316?????{?
317?????????printf("WriteRemoteProcessesMemory?Error!n");?
318?????????CloseHandle(hTargetProcess);?
319?????????FreeLibrary(hKernel32);?
320?????????return?-1;?
321?????}?
322??????
323?????if(!WriteProcessMemory(hTargetProcess,?(LPVOID)RParam.dwCreateFile,?(LPVOID)newcode,?10,?&dwPid))?
324?????{?
325?????????printf("WriteRemoteProcessesMemory?Error!n");?
326?????????CloseHandle(hTargetProcess);?
327?????????FreeLibrary(hKernel32);?
328?????????return?-1;?
329?????}?
330?
331?????printf("nThat's?all,?good?luck?:)n");?
332?????CloseHandle(hTargetProcess);?
333?????FreeLibrary(hKernel32);?
334?????return?0;?
335?}?