基于visual c++之windows核心编程代码分析(50)伪装进程路径

我们开发软件的时候,开发出来的软件经常被病毒攻击,伪装进程路径可以保护我们软件正常的运行,不受病毒的侵害,我们下面用代码修改进程信息结构的办法实现伪装进程路径。

 

 

 

 

#include <windows.h>
#include <stdio.h>
#include <tchar.h>

// 结构定义
typedef struct _PROCESS_BASIC_INFORMATION {
	DWORD ExitStatus;
	ULONG PebBaseAddress;
	ULONG AffinityMask;
	LONG BasePriority;
	ULONG UniqueProcessId;
	ULONG InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;

// API声明
typedef LONG (__stdcall *PZWQUERYINFORMATIONPROCESS) 
(	HANDLE ProcessHandle,
    ULONG ProcessInformationClass,
	PVOID ProcessInformation,
    ULONG ProcessInformationLength,
    PULONG ReturnLength);
/********************************************************/

/*  函数:FxReplaceProcessPath
    功能:伪装进程路径
    参数:1-目标进程句柄
          2-假路径的字符串(UNICODE)
	返回值:TRUE-成功
			FALSE-失败*/
BOOL FxReplaceProcessPath(HANDLE hProcess, TCHAR *szNewPath)
{
	// 获取NTDLL.DLL的基址
	HMODULE hModule = GetModuleHandle(TEXT("NTDLL.DLL"));
	if (hModule == NULL) return FALSE;

	// 获取ZwQueryInformationProcess函数的指针
	PZWQUERYINFORMATIONPROCESS pZwQueryInformationProcess = 
		(PZWQUERYINFORMATIONPROCESS)GetProcAddress(hModule, "ZwQueryInformationProcess");
	
	// 查询进程基本信息(包含PEB地址)
	PROCESS_BASIC_INFORMATION pbi = {NULL};
	if(pZwQueryInformationProcess(hProcess, 0, (LPVOID)&pbi, sizeof(pbi), NULL) < 0)
		return FALSE;
	
	// 获取PEB+0X10处的_RTL_USER_PROCESS_PARAMETERS结构指针
	ULONG lpRUPP = NULL;
	ReadProcessMemory(hProcess, (LPVOID)(pbi.PebBaseAddress + 0x10), &lpRUPP, 4, NULL);
	
	// 修改进程路径
	ULONG lpOldPath = NULL;
	ReadProcessMemory(hProcess, (LPVOID)(lpRUPP + 0x3C), &lpOldPath, 4, NULL);
	WriteProcessMemory(hProcess, (LPVOID)lpOldPath, szNewPath, MAX_PATH, NULL);

	// 修改命令行为空
	ULONG lpOldCommand = NULL;
	ReadProcessMemory(hProcess, (LPVOID)(lpRUPP + 0x44), &lpOldCommand, 4, NULL);
	WriteProcessMemory(hProcess, (LPVOID)lpOldCommand, TEXT(""), MAX_PATH, NULL);

	return TRUE;
}

//入口函数
int main(int argc, char* argv[])
{
	FxReplaceProcessPath(GetCurrentProcess(), TEXT("C:\\WINDOWS\\system32\\svchost.exe"));
	printf("Goodbye World!\n");
	system("pause");
	return 0;
}


 


原文链接: http://blog.csdn.net/yincheng01/article/details/7214441

你可能感兴趣的:(基于visual c++之windows核心编程代码分析(50)伪装进程路径)