HookIAT的启动程序

  1 // 启动程序.cpp : 定义控制台应用程序的入口点。
  2 //
  3 
  4 #include "stdafx.h"
  5 #include <Windows.h>
  6 #include <TlHelp32.h>
  7 #include <iostream>
  8 #include <Psapi.h>
  9 
#pragma comment(lib,"psapi.lib")   // EnumProcessModules / GetModuleFileNameEx are exported by psapi
using namespace std;
// TRUE when the file at wzProcessFullPath has IMAGE_OPTIONAL_HEADER.Magic == 0x20b (PE32+ / x64).
BOOL  IsX64PEFile(WCHAR* wzProcessFullPath);
// Case-insensitive lookup of a running process by image name; writes the PID to *dwTargetProcessID.
BOOL GetProcessIDByProcessImageName(WCHAR* wzProcessImageName,DWORD* dwTargetProcessID);
// Enables SE_DEBUG_NAME on the current process token.
BOOL EnableDebugPrivilege();
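// Program entry point.
// Locates the target process by image name, decides whether its image is
// PE32+ (x64) or PE32 (x86), and launches the matching HookIAT build from a
// directory derived from the current directory, waiting for it to exit.
// Every failure returns 0 after releasing the handles opened so far.
int _tmain(int argc, _TCHAR* argv[])
{
    // Number of trailing path components stripped from the current directory
    // before the x64/x86 subdirectory is appended. Debug and release builds
    // live at different depths; the original note says 2 is needed when run
    // under the debugger.
    const int kParentLevels = 3;

    if (EnableDebugPrivilege() == FALSE) // enable the debug privilege first
    {
        return 0;
    }

    DWORD dwTargetProcessID = 0;
    if (GetProcessIDByProcessImageName(L"EnumProcessByForce应用程序.exe", &dwTargetProcessID) == FALSE)
    {
        return 0;
    }

    HANDLE hTargetProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwTargetProcessID);
    if (hTargetProcess == NULL)
    {
        return 0;
    }

    // The first module reported by EnumProcessModules is the main executable,
    // so its file name is the absolute path of the process image.
    HMODULE hModule = NULL;
    DWORD cbNeeded = 0;
    WCHAR wzProcessFullPath[MAX_PATH] = {0};
    if (!EnumProcessModules(hTargetProcess, &hModule, sizeof(hModule), &cbNeeded))
    {
        std::cout << GetLastError() << std::endl;
        CloseHandle(hTargetProcess);
        return 0;
    }

    // GetModuleFileNameEx returns 0 on failure; an empty path must not fall
    // through to the architecture check below.
    DWORD dwReturn = GetModuleFileNameEx(hTargetProcess, hModule, wzProcessFullPath, MAX_PATH);
    CloseHandle(hTargetProcess);
    if (dwReturn == 0)
    {
        return 0;
    }

    // GetCurrentDirectory returns 0 on failure and the required size when the
    // buffer is too small; both cases leave the buffer unusable.
    WCHAR wzHookIATFullPath[MAX_PATH] = {0};
    DWORD dwDirLen = GetCurrentDirectory(MAX_PATH, wzHookIATFullPath);
    if (dwDirLen == 0 || dwDirLen >= MAX_PATH)
    {
        return 0;
    }

    // Walk back over kParentLevels '\\' separators. The walk is bounded by the
    // buffer start so a shallow directory cannot run the pointer off the array.
    WCHAR* v1 = wzHookIATFullPath + wcslen(wzHookIATFullPath);
    int i = 0;
    while (v1 > wzHookIATFullPath)
    {
        --v1;
        if (*v1 == L'\\' && ++i == kParentLevels)
        {
            break;
        }
    }
    if (i < kParentLevels)
    {
        return 0;   // directory is too shallow; the expected layout does not hold
    }
    *v1 = L'\0';

    // Pick the build matching the target's bitness.
    const WCHAR* wzSuffix = (IsX64PEFile(wzProcessFullPath) == TRUE)
        ? L"\\x64\\HookIAT(Ring3 x64).exe"
        : L"\\x86\\HookIAT(Ring3 x86).exe";
    if (wcslen(wzHookIATFullPath) + wcslen(wzSuffix) + 1 > MAX_PATH)
    {
        return 0;   // wcscat would overflow wzHookIATFullPath
    }
    wcscat(wzHookIATFullPath, wzSuffix);

    STARTUPINFO si = {0};
    si.cb = sizeof(STARTUPINFO);
    PROCESS_INFORMATION pi = {0};

    // The absolute path is passed as lpApplicationName, so no PATH search occurs.
    BOOL bOk = CreateProcess(wzHookIATFullPath, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
    if (!bOk)
    {
        std::cout << GetLastError() << std::endl;
        return 0;   // pi is not populated on failure: nothing to wait on or close
    }

    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);

    return 0;
}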
122 
123 
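// Reports whether the executable at wzProcessFullPath is a PE32+ (x64) image.
// Reads the first 0x1000 bytes of the file and inspects
// IMAGE_OPTIONAL_HEADER.Magic, which sits at the same offset in
// IMAGE_NT_HEADERS32 and IMAGE_NT_HEADERS64.
// Returns FALSE when the file cannot be opened or read, when the DOS/NT
// headers are missing or do not fit inside the bytes actually read, or when
// the image is PE32 (x86). The file handle is closed on every path.
BOOL  IsX64PEFile(WCHAR* wzProcessFullPath)
{
    HANDLE hFile = CreateFile(wzProcessFullPath, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        std::cout << GetLastError() << std::endl;
        return FALSE;
    }

    char szBuffer[0x1000] = {0};
    DWORD dwReturn = 0;
    BOOL bRead = ReadFile(hFile, szBuffer, sizeof(szBuffer), &dwReturn, NULL);
    CloseHandle(hFile);
    if (!bRead)
    {
        return FALSE;
    }

    // Every offset below is checked against dwReturn (bytes actually read) so
    // that a truncated or malformed header never indexes outside szBuffer.
    if (dwReturn < sizeof(IMAGE_DOS_HEADER))
    {
        return FALSE;
    }
    PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)szBuffer;
    if (DosHeader->e_magic != IMAGE_DOS_SIGNATURE || DosHeader->e_lfanew < 0)
    {
        return FALSE;
    }

    // Signature + FileHeader + the first WORD of OptionalHeader (Magic) must fit.
    const DWORD cbNeeded = sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER) + sizeof(WORD);
    const DWORD dwNtOffset = (DWORD)DosHeader->e_lfanew;
    if (dwNtOffset > dwReturn || dwReturn - dwNtOffset < cbNeeded)
    {
        return FALSE;
    }
    PIMAGE_NT_HEADERS NtHeader = (PIMAGE_NT_HEADERS)(szBuffer + dwNtOffset);
    if (NtHeader->Signature != IMAGE_NT_SIGNATURE)
    {
        return FALSE;
    }

    return (NtHeader->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) ? TRUE : FALSE;
}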
162 
163 
164 
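// Finds the PID of the first process whose image name equals
// wzProcessImageName (case-insensitive) in a Toolhelp process snapshot.
// On success writes the PID to *dwTargetProcessID and returns TRUE; returns
// FALSE when dwTargetProcessID is NULL, the snapshot cannot be taken, or no
// process matches. The snapshot handle is closed on every path.
BOOL GetProcessIDByProcessImageName(WCHAR* wzProcessImageName, DWORD* dwTargetProcessID)
{
    if (dwTargetProcessID == NULL)
    {
        return FALSE;
    }

    PROCESSENTRY32 pe32 = {0};
    pe32.dwSize = sizeof(PROCESSENTRY32);

    HANDLE hProcessTool = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessTool == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }

    BOOL bFound = FALSE;
    // Process32First/Process32Next return FALSE once the snapshot is exhausted.
    for (BOOL bOk = Process32First(hProcessTool, &pe32); bOk; bOk = Process32Next(hProcessTool, &pe32))
    {
        if (_wcsicmp(pe32.szExeFile, wzProcessImageName) == 0)
        {
            *dwTargetProcessID = pe32.th32ProcessID;
            bFound = TRUE;
            break;
        }
    }

    // Closed on the match path too; the original leaked it on every return.
    CloseHandle(hProcessTool);
    return bFound;
}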
211 
212 
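// Enables SE_DEBUG_NAME in the current process token.
// Returns TRUE only when the privilege is actually enabled: AdjustTokenPrivileges
// reports success even when the token does not hold the privilege and signals
// that case through GetLastError() == ERROR_NOT_ALL_ASSIGNED, which is treated
// as failure here. The token handle is closed on every path.
BOOL EnableDebugPrivilege()   //Debug 
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES TokenPrivilege = {0};
    LUID uID = {0};

    // Open the process token
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return FALSE;
    }

    BOOL bOk = FALSE;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &uID))
    {
        TokenPrivilege.PrivilegeCount = 1;
        TokenPrivilege.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        TokenPrivilege.Privileges[0].Luid = uID;

        // Adjust the privilege
        bOk = AdjustTokenPrivileges(hToken, FALSE, &TokenPrivilege, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
        if (bOk && GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        {
            bOk = FALSE;   // call succeeded but the privilege was not granted
        }
    }

    CloseHandle(hToken);
    return bOk;
}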
小小的代码

 

posted on 2015-11-11 11:34  yifi  阅读(244)  评论(0)
