监控Explorer的进程创建问题
2008-08-23 14:50:57
近日笔者收到某网友的信件称,“为何自己写的监控 Explorer 进程代码运行后,系统会崩溃。”现笔者就这一问题,拿出与用户共同探讨。在 NT 系列系统中,Explorer 创建进程最终都要经过 kernel32 导出的 CreateProcessInternalW(CreateProcessA/W 都会转入它),因此只要在 R3(用户态)挂钩这个导出函数,就能截获 Explorer 的进程创建。下面的代码采用的是覆盖函数入口前 8 个字节、每次调用时先摘钩再恢复钩子的做法;在 Explorer 这种多线程进程里,改写入口字节的同时可能正有别的线程在执行这几个字节,这正是这类写法常见的崩溃原因,稳妥的做法是使用保留完整指令的跳板(trampoline),而不是反复摘钩/挂钩。另外 CreateProcessInternalW 是未公开的导出函数,其参数在不同系统版本上可能有差异。代码如下:
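/*
 * Inline hook of kernel32!CreateProcessInternalW, installed from DllMain when
 * this DLL is loaded into the target process (the post's example is Explorer).
 *
 * Technique: overwrite the first HOOK_LEN bytes of the export with
 * `mov eax, <MyCreateProcess>; jmp eax`, and, inside MyCreateProcess, restore
 * the original bytes, call the real function, then re-apply the patch.
 *
 * NOTE(review): the listing on this page is cut off at its head. The typedef,
 * the globals and the prototypes below are reconstructed from how the visible
 * code uses them (MyCreateProcess has exactly this parameter list and is
 * called through a CreateProcessHH pointer).
 *
 * x86-32 only: the stub is a 32-bit `mov eax, imm32 / jmp eax` and the target
 * address is truncated to a DWORD. Do not build this DLL for x64.
 *
 * Known limitation (not fixed here): restoring/re-applying the entry bytes is
 * inherently unsafe in a multithreaded host -- another thread may be executing
 * those bytes while they are rewritten. The lock below only serialises callers
 * that come through the hook; a trampoline that preserves whole instructions
 * (which needs an instruction-length decoder) is the proper fix.
 */
typedef BOOL (WINAPI *CreateProcessHH)(HANDLE hToken, LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles,
    DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation,
    PHANDLE hNewToken);

enum { HOOK_LEN = 8 };               /* bytes overwritten at the target's entry */

static BYTE    m_NewFunc[HOOK_LEN];  /* mov eax, <MyCreateProcess>; jmp eax; pad */
static BYTE    m_OldFunc[HOOK_LEN];  /* the target's original first bytes */
static FARPROC m_lpHookFunc;         /* CreateProcessInternalW, NULL if not resolved */
static CRITICAL_SECTION m_HookLock;  /* serialises the unhook/call/rehook window */

void WINAPI SetHookOn(void);
void WINAPI SetHookOff(void);
void WINAPI ExampleJmp(void);

/*
 * DLL entry point: install the hook on attach, remove it on detach.
 * Returns non-zero so the loader keeps the DLL mapped.
 */
int APIENTRY DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    UNREFERENCED_PARAMETER(hInstance);
    UNREFERENCED_PARAMETER(lpReserved);

    switch (dwReason) {
    case DLL_PROCESS_ATTACH:
        /* InitializeCriticalSection is safe to call under the loader lock. */
        InitializeCriticalSection(&m_HookLock);
        ExampleJmp();
        break;
    case DLL_PROCESS_DETACH:
        /* Put the original bytes back before the hook target (this DLL) is
         * unmapped, otherwise the patched export would jump into freed code. */
        SetHookOff();
        DeleteCriticalSection(&m_HookLock);
        break;
    default:
        break;
    }
    return 1;
}

/*
 * Copy HOOK_LEN bytes from src over the target's entry point (own process).
 *
 * Why VirtualProtect + memcpy instead of WriteProcessMemory: the page is our
 * own, this lets the original protection be restored afterwards, and it fixes
 * two defects of the original: lpflOldProtect was NULL (VirtualProtect fails
 * on that) and the request was PAGE_READWRITE, which strips execute from a
 * code page and faults any other thread running on it under DEP.
 *
 * Returns FALSE when no target was resolved or the protection change failed.
 */
static BOOL PatchTarget(const BYTE *src)
{
    DWORD oldProtect = 0;

    if (m_lpHookFunc == NULL)
        return FALSE;
    if (!VirtualProtect((LPVOID)m_lpHookFunc, HOOK_LEN, PAGE_EXECUTE_READWRITE,
                        &oldProtect))
        return FALSE;

    memcpy((void *)m_lpHookFunc, src, HOOK_LEN);

    VirtualProtect((LPVOID)m_lpHookFunc, HOOK_LEN, oldProtect, &oldProtect);
    /* Do not let a stale decode of the previous bytes be executed. */
    FlushInstructionCache(GetCurrentProcess(), (LPCVOID)m_lpHookFunc, HOOK_LEN);
    return TRUE;
}

/*
 * Resolve ModuleName!ApiName, save its first HOOK_LEN bytes and build the
 * jump stub that redirects it to lpNewFunc. Does not patch anything yet;
 * SetHookOn() applies the stub. If the export cannot be resolved,
 * m_lpHookFunc stays NULL and SetHookOn/SetHookOff become no-ops (the
 * original dereferenced the NULL result in memcpy and crashed).
 *
 * ApiName is passed straight to GetProcAddress, so this assumes an ANSI
 * (non-UNICODE) build, as the original did.
 */
void HookOneAPI(LPCTSTR ModuleName, LPCTSTR ApiName, FARPROC lpNewFunc)
{
    /* B8 imm32 = mov eax, imm32 ; FF E0 = jmp eax ; one pad byte */
    static const BYTE stub[HOOK_LEN] = { 0xB8, 0x00, 0x00, 0x00, 0x00,
                                         0xFF, 0xE0, 0x00 };
    HMODULE hMod;
    DWORD   target;

    m_lpHookFunc = NULL;

    hMod = GetModuleHandle(ModuleName);
    if (hMod == NULL)
        return;
    m_lpHookFunc = GetProcAddress(hMod, ApiName);
    if (m_lpHookFunc == NULL)
        return;                     /* undocumented export: may be absent */

    memcpy(m_OldFunc, (const void *)m_lpHookFunc, HOOK_LEN);
    memcpy(m_NewFunc, stub, HOOK_LEN);

    /* x86-32 only (see file comment); memcpy avoids an unaligned DWORD store. */
    target = (DWORD)(DWORD_PTR)lpNewFunc;
    memcpy(m_NewFunc + 1, &target, sizeof target);
}

/* Apply the jump stub to the target's entry. */
void WINAPI SetHookOn(void)
{
    PatchTarget(m_NewFunc);
}

/* Restore the target's original entry bytes. */
void WINAPI SetHookOff(void)
{
    PatchTarget(m_OldFunc);
}

/*
 * Replacement for CreateProcessInternalW. Only reachable through the stub, so
 * m_lpHookFunc is non-NULL here. Temporarily removes the patch, forwards the
 * call unchanged, re-applies the patch and returns the real result.
 *
 * The critical section keeps two hook callers from interleaving their
 * unhook/call/rehook sequences. GetLastError() is preserved across the
 * re-hook so the caller sees CreateProcess's own error, not VirtualProtect's.
 */
BOOL WINAPI MyCreateProcess(HANDLE hToken, LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles,
    DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation,
    PHANDLE hNewToken)
{
    CreateProcessHH original = (CreateProcessHH)m_lpHookFunc;
    BOOL  ok;
    DWORD err;

    /* Monitoring/filtering of the request would go here, before the call. */
    EnterCriticalSection(&m_HookLock);
    SetHookOff();
    ok = original(hToken, lpApplicationName, lpCommandLine, lpProcessAttributes,
                  lpThreadAttributes, bInheritHandles, dwCreationFlags,
                  lpEnvironment, lpCurrentDirectory, lpStartupInfo,
                  lpProcessInformation, hNewToken);
    err = GetLastError();
    SetHookOn();
    SetLastError(err);
    LeaveCriticalSection(&m_HookLock);

    return ok;
}

/*
 * Enable the named privilege (e.g. SE_DEBUG_NAME) in hprocess's token.
 * Returns TRUE only if the privilege was actually enabled.
 *
 * Fixes versus the original: every call is checked, the token handle is
 * closed (it leaked), and AdjustTokenPrivileges's return value is not trusted
 * on its own -- it is non-zero even when nothing was assigned; the verdict is
 * GetLastError() (ERROR_SUCCESS vs ERROR_NOT_ALL_ASSIGNED).
 */
BOOL UpPrivilege(HANDLE hprocess, LPCTSTR lpname)
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tp;
    BOOL ok = FALSE;

    if (!OpenProcessToken(hprocess, TOKEN_ADJUST_PRIVILEGES, &hToken))
        return FALSE;

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (LookupPrivilegeValue(NULL, lpname, &tp.Privileges[0].Luid)) {
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL)
                && GetLastError() == ERROR_SUCCESS)
            ok = TRUE;
    }

    CloseHandle(hToken);
    return ok;
}

/*
 * Install the hook: try to enable SeDebugPrivilege, then redirect
 * kernel32!CreateProcessInternalW to MyCreateProcess.
 *
 * The privilege step is best effort: patching our own address space needs no
 * privilege at all, and this runs under DllMain, where the original failure
 * path -- exit(-1) -- would tear down the host process (Explorer) while the
 * loader lock is held. A non-elevated token will simply not have the
 * privilege; that is not a reason to abort the host.
 */
void WINAPI ExampleJmp(void)
{
    char privilege[] = SE_DEBUG_NAME;

    (void)UpPrivilege(GetCurrentProcess(), privilege);

    HookOneAPI("Kernel32.dll", "CreateProcessInternalW", (FARPROC)MyCreateProcess);
    SetHookOn();
}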