劫持进程创建注入的原理是:调用 Windows 的 CreateProcess() API 创建进程时,把第 6 个参数 dwCreationFlags 设为 CREATE_SUSPENDED,得到一个主线程尚未执行任何用户代码的挂起进程;然后用 VirtualAllocEx/WriteProcessMemory 把一段调用 LoadLibraryA 的 shellcode 写入该进程,用 GetThreadContext/SetThreadContext 把主线程的 EIP 改到 shellcode 上(注意:这里并不创建远程线程,而是劫持已有主线程的上下文),shellcode 加载 DLL 后再跳回原来的 EIP;最后用 ResumeThread() 恢复线程。下面的代码只适用于 32 位(x86)目标进程:shellcode 是 x86 机器码,CONTEXT 里读写的是 Eip,而且 LoadLibraryA 的地址取自注入器自身的 kernel32.dll,依赖目标进程中 kernel32.dll 映射在相同基址。从检测角度看,对刚创建的挂起进程做远程 RWX 内存分配、WriteProcessMemory 和 SetThreadContext 是这类注入的典型行为特征。下面是可成功运行的代码:
下面是注入部分的实现(shellcode、StartHook 和 EnableDebugPriv),调用方法见后面:
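/*
 * Position-independent x86 stub that runs on the target's primary thread
 * before its original entry code. StartHook patches the four slots below
 * and appends the DLL path before writing the buffer into the target.
 *
 *   off  bytes              meaning
 *   00   60                 pushad
 *   01   9c                 pushfd
 *   02   68 <imm32>         push  <base+29>            ; address of DLL path
 *   07   ff 15 <disp32>     call  dword ptr [<base+21>] ; -> LoadLibraryA
 *   0d   9d                 popfd
 *   0e   61                 popad
 *   0f   ff 25 <disp32>     jmp   dword ptr [<base+25>] ; back to original EIP
 *   15   <LoadLibraryA address>
 *   19   <original EIP>
 *   1d   <NUL-terminated DLL path>
 *
 * LoadLibraryA is stdcall, so the pushed argument is removed by the callee
 * and popad restores the registers saved by pushad (including EAX, which the
 * thread's start routine still expects). Unused bytes are zero.
 * x86 only: the encoding and CONTEXT.Eip do not exist on x64.
 */
BYTE ShellCode[128] = {
    0x60,                                 /* pushad */
    0x9c,                                 /* pushfd */
    0x68, 0x00, 0x00, 0x00, 0x00,         /* push imm32   (DLL path address)   */
    0xff, 0x15, 0x00, 0x00, 0x00, 0x00,   /* call [mem]   (LoadLibraryA slot)  */
    0x9d,                                 /* popfd */
    0x61,                                 /* popad */
    0xff, 0x25, 0x00, 0x00, 0x00, 0x00    /* jmp [mem]    (original EIP slot)  */
};

/* Byte offsets inside ShellCode that StartHook patches (see table above). */
enum {
    SC_OFF_PUSH_IMM = 3,   /* imm32 operand of "push"        */
    SC_OFF_CALL_MEM = 9,   /* disp32 operand of "call [mem]" */
    SC_OFF_JMP_MEM  = 17,  /* disp32 operand of "jmp [mem]"  */
    SC_OFF_LOADLIB  = 21,  /* slot: address of LoadLibraryA  */
    SC_OFF_ORIG_EIP = 25,  /* slot: original thread EIP      */
    SC_OFF_DLL_NAME = 29   /* NUL-terminated DLL path        */
};

/* Store a 32-bit value into ShellCode at an (unaligned) byte offset.
 * memcpy avoids the misaligned DWORD* store the original code relied on. */
static void patch_dword(size_t off, DWORD value)
{
    memcpy(ShellCode + off, &value, sizeof(value));
}

/*
 * Redirect hThread (the still-suspended primary thread of hProcess) so that
 * it calls LoadLibraryA(pDllName) and then continues at its original EIP.
 *
 * hProcess / hThread: handles from CreateProcess(..., CREATE_SUSPENDED, ...)
 *                     with VM and context access (the creator's handles do).
 * pDllName:           narrow (ANSI) path of the DLL to load in the target;
 *                     must fit in the bytes after SC_OFF_DLL_NAME.
 * Returns TRUE when the thread context has been redirected; the caller must
 * still ResumeThread(). Returns FALSE on any failure, releasing the remote
 * allocation made here; the thread is then left unmodified.
 *
 * Assumes a 32-bit injector and a 32-bit target, and that kernel32.dll is
 * mapped at the same base in both (the LoadLibraryA address is taken from
 * this process). The page is allocated RWX, which is the most visible part
 * of this technique to EDR telemetry; RW + VirtualProtectEx to RX would be
 * quieter but is not done here.
 */
BOOL StartHook(HANDLE hProcess, HANDLE hThread, LPCSTR pDllName)
{
    CONTEXT ctx;
    size_t nameLen;
    HMODULE hKernel32;
    DWORD LoadDllAAddr;
    LPVOID LpAddr;
    SIZE_T written = 0;

    if (pDllName == NULL) {
        printf("StartHook: DLL name is NULL\n");
        return FALSE;
    }
    /* The path and its terminator must fit in the tail of ShellCode; the
     * original unchecked memcpy could overrun the 128-byte buffer. */
    nameLen = strlen(pDllName);
    if (nameLen + 1 > sizeof(ShellCode) - SC_OFF_DLL_NAME) {
        printf("StartHook: DLL path too long (max %u chars)\n",
               (unsigned)(sizeof(ShellCode) - SC_OFF_DLL_NAME - 1));
        return FALSE;
    }

    memset(&ctx, 0, sizeof(ctx));
    ctx.ContextFlags = CONTEXT_ALL;
    if (!GetThreadContext(hThread, &ctx)) {
        printf("GetThreadContext Error\n");
        return FALSE;
    }

    /* Resolve LoadLibraryA before allocating so no remote memory is leaked
     * on this failure path. */
    hKernel32 = GetModuleHandle("kernel32.dll");
    LoadDllAAddr = hKernel32 ? (DWORD)GetProcAddress(hKernel32, "LoadLibraryA") : 0;
    if (LoadDllAAddr == 0) {
        printf("LoadDllAddr error\n");
        return FALSE;
    }

    LpAddr = VirtualAllocEx(hProcess, NULL, sizeof(ShellCode), MEM_COMMIT,
                            PAGE_EXECUTE_READWRITE);
    if (LpAddr == NULL) {
        printf("VirtualAlloc Error\n");
        return FALSE;
    }

    /* Clear the data area first: ShellCode is a global and may still hold a
     * longer path from a previous call. */
    memset(ShellCode + SC_OFF_LOADLIB, 0, sizeof(ShellCode) - SC_OFF_LOADLIB);
    memcpy(ShellCode + SC_OFF_DLL_NAME, pDllName, nameLen + 1);
    patch_dword(SC_OFF_LOADLIB,  LoadDllAAddr);
    patch_dword(SC_OFF_ORIG_EIP, ctx.Eip);
    /* Operands point at the slots/path inside the remote copy of the buffer. */
    patch_dword(SC_OFF_PUSH_IMM, (DWORD)LpAddr + SC_OFF_DLL_NAME);
    patch_dword(SC_OFF_CALL_MEM, (DWORD)LpAddr + SC_OFF_LOADLIB);
    patch_dword(SC_OFF_JMP_MEM,  (DWORD)LpAddr + SC_OFF_ORIG_EIP);

    /* Write the whole buffer: the original hard-coded 64 bytes, which
     * silently truncated any DLL path longer than 34 characters. */
    if (!WriteProcessMemory(hProcess, LpAddr, ShellCode, sizeof(ShellCode), &written)
        || written != sizeof(ShellCode)) {
        printf("write Process Error\n");
        VirtualFreeEx(hProcess, LpAddr, 0, MEM_RELEASE);
        return FALSE;
    }

    ctx.Eip = (DWORD)LpAddr;
    if (!SetThreadContext(hThread, &ctx)) {
        printf("set thread context error\n");
        VirtualFreeEx(hProcess, LpAddr, 0, MEM_RELEASE);
        return FALSE;
    }
    /* On success the remote page must stay mapped: the thread will run it. */
    return TRUE;
}

/*
 * Enable SeDebugPrivilege on the current process token.
 *
 * Not required for this injector - the handles returned by CreateProcess
 * already carry full access to the new process and thread - but kept for
 * callers that open foreign processes. Requires an elevated token that
 * holds the privilege.
 * Returns FALSE if the token cannot be opened, the privilege LUID cannot be
 * resolved, AdjustTokenPrivileges fails, or the privilege is not present in
 * the token (AdjustTokenPrivileges returns TRUE in that case and reports it
 * only through ERROR_NOT_ALL_ASSIGNED). The token handle is always closed.
 */
BOOL EnableDebugPriv(void)
{
    HANDLE hToken = NULL;
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tkp;
    BOOL ok = FALSE;

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return FALSE;
    }
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue)) {
        goto out;
    }

    memset(&tkp, 0, sizeof(tkp));
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = sedebugnameValue;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)) {
        goto out;
    }
    /* Must be read immediately after the call; a TRUE return is not enough. */
    ok = (GetLastError() != ERROR_NOT_ALL_ASSIGNED);

out:
    CloseHandle(hToken);   /* original leaked the handle on the failure path */
    return ok;
}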
下面是调用方法:
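/* Caller side (body of main in the original listing).
 * The narrow-string ("A") variants are used explicitly so this builds the
 * same way in ANSI and UNICODE configurations and matches StartHook's
 * LPCSTR parameter; the original mixed TCHAR arrays with char literals.
 * Both the target executable and the DLL must be 32-bit (x86). */
EnableDebugPriv();   /* optional here: the CreateProcess handles below already have full access */
STARTUPINFOA sti;
PROCESS_INFORMATION proci;
memset(&sti, 0, sizeof(sti));
memset(&proci, 0, sizeof(proci));
sti.cb = sizeof(sti);
char ExeName[] = "C:\\Program Files (x86)\\TTPlayer\\TTPlayer.exe";
char DllName[] = "E:\\mk.dll";   /* must fit the tail of ShellCode (98 chars) */

/* CreateProcess returns BOOL; the original stored it in a DWORD, compared it
 * with NULL and then carried on into StartHook with a zeroed proci. */
BOOL created = CreateProcessA(ExeName, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED,
                              NULL, NULL, &sti, &proci);
if (!created) {
    printf("Create Process Failed ERROR=%lu\n", GetLastError());
    getchar();
} else {
    if (!StartHook(proci.hProcess, proci.hThread, DllName)) {
        /* The target has not run any user code yet; kill it instead of
         * resuming a thread whose context may be half-patched. */
        TerminateProcess(proci.hProcess, 0);
        printf("失败\n");
        getchar();
    } else if (ResumeThread(proci.hThread) == (DWORD)-1) {
        printf("ResumeThread Failed ERROR=%lu\n", GetLastError());
        TerminateProcess(proci.hProcess, 0);
    }
    /* Handles are only valid when CreateProcess succeeded. */
    CloseHandle(proci.hThread);
    CloseHandle(proci.hProcess);
}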