1 typedef NTSTATUS (WINAPI *ZWQUERYINFORmMATIONTHREAD)(DWORD ThreadHandle,DWORD ThreadInformationClass,THREAD_BASIC_INFORMATION* SystemInformation,DWORD ThreadInformationLength,DWORD ReturnLength);
2 typedef NTSTATUS (WINAPI *ZWQUERYSYSTEMINFORMATION)(DWORD, PVOID, DWORD, PDWORD);
3 typedef NTSTATUS (WINAPI *ZWOPENPROCESS)(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID );
4 typedef NTSTATUS (WINAPI *ZWDUPLICATEOBHECT)(DWORD SourceProcessHandle, DWORD SourceHandle,DWORD TargetProcessHandle, DWORD* TargetHandle,DWORD DesiredAccess,DWORD HandleAttributes,DWORD Optionss);
5 typedef NTSTATUS (WINAPI *ZWQUERYINFORMATIONPROCESS)(DWORD SystemInformationClass,DWORD dd,PROCESS_BASIC_INFORMATION* SystemInformation,DWORD SystemInformationLength,DWORD ReturnLength);
6 typedef NTSTATUS (WINAPI *ZWMAPVIEWOFSECTION)(HANDLE,HANDLE,LPVOID,ULONG_PTR,SIZE_T,PLARGE_INTEGER,LPVOID,DWORD,ULONG,ULONG);
7 ZWMAPVIEWOFSECTION ZwMapViewOfSection;
8 ZWQUERYINFORmMATIONTHREAD ZwQueryInformationThread;
9 ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation;
10 ZWOPENPROCESS ZwOpenProcess;
11 ZWDUPLICATEOBHECT ZwDuplicateObject;
12 ZWQUERYINFORMATIONPROCESS ZwQueryInformationProcess;
13 NTQUERYINFORMATIONTHREAD NtQueryInformationThread;
14
15 //初始化未导出函数
16 VOID Initialize()
17 {
18
19 HMODULE hNtDll = LoadLibraryW(L"ntdll.dll");
20 ZwQueryInformationThread=(ZWQUERYINFORmMATIONTHREAD)GetProcAddress(hNtDll,"ZwQueryInformationThread");
21 ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtDll,"ZwQuerySystemInformation");
22 ZwOpenProcess = (ZWOPENPROCESS)GetProcAddress(hNtDll,"ZwOpenProcess");
23 ZwDuplicateObject=(ZWDUPLICATEOBHECT)GetProcAddress(hNtDll,"ZwDuplicateObject");
24 ZwQueryInformationProcess=(ZWQUERYINFORMATIONPROCESS)GetProcAddress(hNtDll,"ZwQueryInformationProcess");
25 NtQueryInformationThread = (NTQUERYINFORMATIONTHREAD)GetProcAddress(hNtDll, "NtQueryInformationThread");
26 ZwMapViewOfSection=(ZWMAPVIEWOFSECTION)GetProcAddress(hNtDll,"ZwMapViewOfSection");
27
28 }
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING ,*PUNICODE_STRING;
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
typedef struct _CLIENT_ID
{
DWORD UniqueProcess;
DWORD UniqueThread;
} CLIENT_ID, *PCLIENT_ID;
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT HandleValue;
PVOID Object;
ACCESS_MASK GrantedAccess;
}SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
typedef struct _SYSTEM_HANDLE_INFORMATION_EX
{
ULONG NumberOfHandles;
SYSTEM_HANDLE_INFORMATION Information[1];
}SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;
typedef struct
{
DWORD ExitStatus; // 接收进程终止状态
DWORD PebBaseAddress; // 接收进程环境块地址
DWORD AffinityMask; // 接收进程关联掩码
DWORD BasePriority; // 接收进程的优先级类
ULONG UniqueProcessId; // 接收进程ID
ULONG InheritedFromUniqueProcessId; //接收父进程ID
} PROCESS_BASIC_INFORMATION;
typedef ULONG KPRIORITY;
typedef LONG NTSTATUS;
typedef struct _THREAD_BASIC_INFORMATION {
NTSTATUS ExitStatus;
PVOID TebBaseAddress;
CLIENT_ID ClientId;
KAFFINITY AffinityMask;
KPRIORITY Priority;
KPRIORITY BasePriority;
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;
typedef LONG NTSTATUS;
typedef NTSTATUS(WINAPI *NTQUERYINFORMATIONTHREAD)(
HANDLE ThreadHandle,
ULONG ThreadInformationClass,
PVOID ThreadInformation,
ULONG ThreadInformationLength,
PULONG ReturnLength);
typedef enum _THREADINFOCLASS
{
ThreadBasicInformation,
ThreadTimes,
ThreadPriority,
ThreadBasePriority,
ThreadAffinityMask,
ThreadImpersonationToken,
ThreadDescriptorTableEntry,
ThreadEnableAlignmentFaultFixup,
ThreadEventPair_Reusable,
ThreadQuerySetWin32StartAddress,
ThreadZeroTlsCell,
ThreadPerformanceCount,
ThreadAmILastThread,
ThreadIdealProcessor,
ThreadPriorityBoost,
ThreadSetTlsArrayAddress, // Obsolete
ThreadIsIoPending,
ThreadHideFromDebugger,
ThreadBreakOnTermination,
ThreadSwitchLegacyState,
ThreadIsTerminated,
ThreadLastSystemCall,
ThreadIoPriority,
ThreadCycleTime,
ThreadPagePriority,
ThreadActualBasePriority,
ThreadTebInformation,
ThreadCSwitchMon, // Obsolete
ThreadCSwitchPmu,
ThreadWow64Context,
ThreadGroupInformation,
ThreadUmsInformation, // UMS
ThreadCounterProfiling,
ThreadIdealProcessorEx,
MaxThreadInfoClass
} THREADINFOCLASS;
const unsigned int SE_SHUTDOWN_PRIVILEGE = 0x13;
#define SystemHandleInformation 0x10 //16
#define ZwGetCurrentProcess -1
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
typedef struct HOOK
{
DWORD HOOKAddress;//要HOOK的地址
DWORD JMPAddress; //HOOK代码的地址
BYTE HOOKbyte[10];//保存被JMP覆盖的字节
DWORD HOOKbyte_length;//被JMP修改的字节长度
}HOOK;
