劫持进程创建注入原理是利用Windows系统中CreateProcess()这个API创建一个进程,并将第6个参数设为CREATE_SUSPENDED,进而创建一个挂起状态的进程,利用这个进程状态进行远程线程注入DLL,然后用ResumeThread()函数恢复进程。下面成功代码:
BYTE ShellCode[128]=
{
0x60,
0x9c,
0x68,0x00,0x00,0x00,0x00,//push [xxxx]
0xff,0x15,0x00,0x00,0x00,0x00,//call [xxxx]
0x9d,
0x61,
0xff,0x25,0x00,0x00,0x00,0x00,// jmp [xxxxx]
};
/*
{
00973689 > 60 PUSHAD
0097368A 9C PUSHFD
0097368B 68 50369700 PUSH notepad.00973650
00973690 FF15 70369700 CALL DWORD PTR DS:[973670]
00973696 9D POPFD
00973697 61 POPAD
00973698 - FF25 30369700 JMP DWORD PTR DS:[973630]
}
*/
BOOL StartHook(HANDLE hProcess,HANDLE hThread,LPCSTR pDllName)
{
CONTEXT ctx;
ctx.ContextFlags=CONTEXT_ALL;
if (!GetThreadContext(hThread,&ctx))
{
printf("GetThreadContext Error\n");
return FALSE;
}
LPVOID LpAddr=VirtualAllocEx(hProcess,NULL,sizeof(ShellCode),MEM_COMMIT,PAGE_EXECUTE_READWRITE);
if (LpAddr==NULL)
{
printf("VirtualAlloc Error\n");
return FALSE;
}
DWORD LoadDllAAddr=(DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
if (LoadDllAAddr==NULL)
{
printf("LoadDllAddr error\n");
return FALSE;
}
/////////////
//_asm mov esp,esp //这里不知道有啥用?
memcpy((ShellCode+29),pDllName,_tcslen(pDllName));
*(DWORD*)(ShellCode+3)=(DWORD)LpAddr+29;
////////////////
*(DWORD*)(ShellCode+21)=LoadDllAAddr;
*(DWORD*)(ShellCode+9)=(DWORD)LpAddr+21;
//////////////////////////////////
*(DWORD*)(ShellCode+25)=ctx.Eip;
*(DWORD*)(ShellCode+17)=(DWORD)LpAddr+25;
////////////////////////////////////
if (!WriteProcessMemory(hProcess,LpAddr,ShellCode,64,NULL))
{
printf("write Process Error\n");
return FALSE;
}
ctx.Eip=(DWORD)LpAddr;
if (!SetThreadContext(hThread,&ctx))
{
printf("set thread context error\n");
return FALSE;
}
return TRUE;
};
BOOL EnableDebugPriv()
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
{
return FALSE;
}
if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&sedebugnameValue))
{
CloseHandle(hToken);
return FALSE;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if(!AdjustTokenPrivileges(hToken,FALSE,&tkp,sizeof(tkp),NULL,NULL))
{
return FALSE;
}
CloseHandle(hToken);
return TRUE;
} 下面是调用方法:
EnableDebugPriv();
STARTUPINFO sti;
PROCESS_INFORMATION proci;
memset(&sti,0,sizeof(STARTUPINFO));
memset(&proci,0,sizeof(PROCESS_INFORMATION));
sti.cb=sizeof(STARTUPINFO);
TCHAR ExeName[]="C:\\Program Files (x86)\\TTPlayer\\TTPlayer.exe";
TCHAR DllName[]="E:\\mk.dll";
DWORD valc=CreateProcess(ExeName,NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL\
,&sti,&proci);
if (valc==NULL)
{
printf("Creaet Process Failed ERROR=%d\n",GetLastError());
getchar();
}
if (!StartHook(proci.hProcess,proci.hThread,DllName))
{
TerminateProcess(proci.hProcess,0);
printf("失败\n");
getchar();
}
ResumeThread(proci.hThread);
CloseHandle(proci.hProcess);
CloseHandle(proci.hThread); 本文链接:https://it72.com/11229.htm
VirtualXposed,让你无需Root也能使用Xposed框架!
CentOS 搭建 OpenVPN 服务
android studio的DDMS问题
【蓝牙开发】winsock协议错误编码解析
解决Xposed提示didn't find class
MPAndroidChart标记控件MarkerView的使用方法
排名前5的开源在线机器学习
SpringBoot打Jar包did not assign a file to the build artifact
Linux系统查看CPU使用率的几个命令
Win10定时执行php任务
Android反编译工具及方法(持续更新中)
网络爬虫Scrapy入门
OnePlus3 Android8.0的Root教程
