CreateRemoteThread+detours hook

CreateRemoteThread+detours hook

本文实现一个通过 CreateRemoteThread 把 dll 远程注入到 Win7 32 位上的 taskmgr.exe，并用 Detours hook 其 OpenProcess 来达到进程防杀的效果（只对“结束进程”有效，“结束任务”走的是其他逻辑；起一个同一个 session 的应用程序注入到 taskmgr.exe 即可）。需要说明的是，这只是 taskmgr.exe 单个进程内的用户态 hook：它只拦截经由该进程 kernel32!OpenProcess 的调用，凡是不走这条路径的操作（例如直接调用 ntdll!NtOpenProcess 的程序、taskkill 等其他工具、内核层的结束操作）都不受影响；注入本身也要求注入程序能以 PROCESS_ALL_ACCESS 打开 taskmgr.exe，若 taskmgr.exe 以比注入程序更高的完整性级别运行，OpenProcess 会失败、注入也就不会成功。


//代码来源于网络

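/*
 * Load Nokill.dll into the process identified by procID with the classic
 * CreateRemoteThread + LoadLibraryA technique: the DLL path is written into
 * the target's address space and a remote thread is started at LoadLibraryA
 * with that string as its only argument.
 *
 * procID: PID of the target process (the page injects into taskmgr.exe).
 * Returns TRUE once the remote thread has been created, FALSE on any
 * failure; every failure is reported through OutputDebugPrintfA.
 *
 * Notes for reviewers:
 *  - The LoadLibraryA address is looked up in our own kernel32.dll and reused
 *    in the target. That only lands on the right code when kernel32.dll is
 *    mapped at the same base in both processes (same bitness, same boot
 *    session) -- the page's Win7 32-bit / 32-bit injector scenario.
 *  - OpenProcess with PROCESS_ALL_ACCESS needs adequate rights on the target
 *    (same session, not a higher integrity level). The failure message now
 *    carries GetLastError() instead of claiming the process "couldn't be
 *    found", which hid access-denied failures.
 *  - Fixed from the original: the path was allocated and written with
 *    strlen() bytes, i.e. without its NUL terminator, so LoadLibraryA in the
 *    target read past the end of the committed region; the thread handle
 *    from CreateRemoteThread was never closed; the remote region was left
 *    allocated when thread creation failed; dwCreationFlags was passed as
 *    NULL instead of 0; strlen() was printed with %d.
 */
BOOL InjectDll(DWORD procID)
{
    const char *dllPath = "E:\\hjx\\workspace\\hook\\nokilltest\\Release\\Nokill.dll";
    /* +1 keeps the terminator: LoadLibraryA reads this as a C string. */
    SIZE_T pathBytes = strlen(dllPath) + 1;
    HANDLE process = NULL;
    HANDLE thread = NULL;
    LPVOID remoteArg = NULL;
    LPVOID loadLibraryA = NULL;
    BOOL ok = FALSE;

    process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);
    if (process == NULL) {
        OutputDebugPrintfA("Error: OpenProcess(%u) failed, reason:%d\n", procID, GetLastError());
        return FALSE;
    }

    loadLibraryA = (LPVOID)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");
    if (loadLibraryA == NULL) {
        OutputDebugPrintfA("Error: the LoadLibraryA function was not found inside kernel32.dll library.\n");
        goto cleanup;
    }

    /* Room for the path including its NUL inside the target. */
    remoteArg = VirtualAllocEx(process, NULL, pathBytes, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (remoteArg == NULL) {
        OutputDebugPrintfA("Error: the memory could not be allocated inside the chosen process.\n");
        goto cleanup;
    }

    if (!WriteProcessMemory(process, remoteArg, dllPath, pathBytes, NULL)) {
        OutputDebugPrintfA("Error: there was no bytes written to the process's address space.\n");
        goto cleanup;
    }
    OutputDebugPrintfA("written to the process's address space.%u,%s\n", (unsigned)pathBytes, dllPath);

    /* LoadLibraryA(LPCSTR) happens to match LPTHREAD_START_ROUTINE's shape
     * (one pointer argument, DWORD-sized return) on 32-bit Windows. */
    thread = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)loadLibraryA, remoteArg, 0, NULL);
    if (thread == NULL) {
        OutputDebugPrintfA("Error: the remote thread could not be created.reason:%d\n", GetLastError());
        goto cleanup;
    }
    OutputDebugPrintfA("Success: the remote thread was successfully created.\n");
    ok = TRUE;

cleanup:
    if (thread != NULL) {
        /* Closing our handle does not stop the thread. The remote region is
         * deliberately kept: this function does not wait for LoadLibraryA,
         * so the thread may still be reading the path. */
        CloseHandle(thread);
    } else if (remoteArg != NULL) {
        /* No thread will ever read the path -- do not leave it behind. */
        VirtualFreeEx(process, remoteArg, 0, MEM_RELEASE);
    }
    CloseHandle(process);
    return ok;
}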

dll 的主要目的就是把 kernel32!OpenProcess 换成我们自己的 MyOpenProcess。32 位机上微软提供 Detours 库，用它实现起来简单稳定；流程网上一搜一大片，这里只贴关键代码（也都是网上 search 来的……），代码都经过我测试，完整代码可以留言给我。Nokill.dll 代码：


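/*
 * Return the PID of the first running process whose image name equals
 * processName, or 0 if no such process exists or the Toolhelp snapshot
 * cannot be taken / walked. Failures are reported via OutputDebugStringA.
 *
 * processName: image file name such as taskmgr.exe (a TCHAR string, so the
 *              same source works in ANSI and UNICODE builds). Windows file
 *              names are case-insensitive, so the comparison is too.
 *
 * Fixed from the original:
 *  - the snapshot handle was never closed, on any path;
 *  - the entry returned by Process32First was never compared (only the
 *    entries from Process32Next onwards were);
 *  - szExeFile was compared with strcmp() through a (const char *) cast.
 *    If the DLL is built with UNICODE that compares WCHAR strings byte-wise
 *    and stops at the first zero byte, i.e. after the first character, so
 *    any process whose name starts with the same letter would match.
 *    _tcsicmp() compares in the build's native character type.
 */
DWORD GetProcessIdByName(LPCTSTR processName)
{
    DWORD pid = 0;
    PROCESSENTRY32 entry;
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    if (snapshot == INVALID_HANDLE_VALUE) {
        OutputDebugStringA("Take SnapShot Failed!");
        return 0;
    }
    OutputDebugStringA("Take SnapShot Success!");

    /* dwSize must be set before the first Process32First call. */
    entry.dwSize = sizeof(entry);
    if (!Process32First(snapshot, &entry)) {
        OutputDebugStringA("Failed To Get The Information of System!");
        CloseHandle(snapshot);
        return 0;
    }
    OutputDebugStringA("Get the Information of System Success!");

    do {
        if (_tcsicmp(processName, entry.szExeFile) == 0) {
            pid = entry.th32ProcessID;
            break;
        }
    } while (Process32Next(snapshot, &entry));

    CloseHandle(snapshot);
    return pid;
}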

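/*
 * Detours replacement for kernel32!OpenProcess, running inside the hooked
 * process (the page injects the DLL into taskmgr.exe).
 *
 * Any request for a PID other than myprocessid (the protected process;
 * presumably set in DllMain -- not visible here, confirm) is forwarded
 * unchanged to the real OpenProcess saved in HookedOpenProcess and its
 * handle is returned. A request for myprocessid is refused with NULL.
 *
 * Fixed from the original: callers that receive NULL consult GetLastError(),
 * and the original left whatever code the previous API call had set. The
 * refusal now reports ERROR_ACCESS_DENIED, which is what a genuine
 * permission failure would produce.
 *
 * The refusal ignores dwDesiredAccess, so even a PROCESS_QUERY_INFORMATION
 * request for myprocessid fails; narrowing it to requests that include
 * PROCESS_TERMINATE would be less disruptive to the host but is not done
 * here to keep the page's behaviour.
 *
 * NOTE(review): letgocount is a plain global updated from whichever thread
 * calls OpenProcess, so it is a data race; it only throttles debug output,
 * so a lost update is harmless.
 */
HANDLE WINAPI MyOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
{
    if (dwProcessId == myprocessid) {
        OutputDebugPrintfA("PERMISSION DENIED");
        SetLastError(ERROR_ACCESS_DENIED);
        return NULL;
    }

    /* Log only every 20th pass-through so the debugger output stays readable. */
    if (++letgocount == 20) {
        OutputDebugPrintfA("LET IT GO now processid:%d myprocessid:%d", dwProcessId, myprocessid);
        letgocount = 0;
    }

    /* PFNTERMINATEPROCESS is the DLL's typedef for the saved pointer; despite
     * its name it must carry OpenProcess's signature for this call to work. */
    return ((PFNTERMINATEPROCESS)HookedOpenProcess)(dwDesiredAccess, bInheritHandle, dwProcessId);
}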

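/*
 * Detour kernel32!OpenProcess to MyOpenProcess in the current process.
 *
 * Returns TRUE when the hook has been committed; on success
 * HookedOpenProcess holds the Detours trampoline to the original
 * OpenProcess, which MyOpenProcess uses to forward calls. Returns FALSE
 * on any failure, with the reason logged via OutputDebugPrintfA.
 *
 * Fixed from the original:
 *  - the lookups are done before DetourTransactionBegin, so a failed lookup
 *    no longer returns from inside an open transaction without
 *    DetourTransactionAbort (Detours refuses a new DetourTransactionBegin
 *    while one is pending, so a later InstallHook/UninstallHook would fail);
 *  - DetourAttach's return value is checked and the transaction aborted on
 *    failure;
 *  - "install success" is only logged when the commit actually succeeded.
 *
 * NOTE(review): only the calling thread is registered with
 * DetourUpdateThread; Detours uses that list to fix up threads whose
 * instruction pointer sits inside the patched prologue. Threads of the host
 * process already executing OpenProcess at commit time are not adjusted here.
 */
BOOL APIENTRY InstallHook()
{
    HMODULE kernel32 = GetModuleHandleA("kernel32.dll");
    LONG ret;

    if (kernel32 == NULL) {
        OutputDebugPrintfA("GetModuleHandleA Failed");
        return FALSE;
    }
    HookedOpenProcess = GetProcAddress(kernel32, "OpenProcess");
    if (HookedOpenProcess == NULL) {
        OutputDebugPrintfA("DetourFindFunction Failed HookedOpenProcess");
        return FALSE;
    }

    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    ret = DetourAttach(&(HookedOpenProcess), MyOpenProcess);
    if (ret != NO_ERROR) {
        OutputDebugPrintfA("DetourAttach error:%d", ret);
        DetourTransactionAbort();
        return FALSE;
    }
    ret = DetourTransactionCommit();
    if (ret != NO_ERROR) {
        OutputDebugPrintfA("DetourTransactionCommit error:%d", ret);
        return FALSE;
    }
    OutputDebugPrintfA("install success");
    return TRUE;
}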
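/*
 * Remove the OpenProcess detour installed by InstallHook.
 *
 * Returns TRUE when the detach has been committed (or when nothing was
 * hooked, in which case an empty transaction is committed), FALSE when
 * Detours reports an error; reasons are logged via OutputDebugPrintfA.
 *
 * Fixed from the original: DetourDetach's result is checked and the
 * transaction aborted on failure, and "uninstall success" is only logged
 * when the commit actually succeeded.
 */
BOOL APIENTRY UninstallHook()
{
    LONG ret;

    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    if (HookedOpenProcess) {
        ret = DetourDetach(&(HookedOpenProcess), MyOpenProcess);
        if (ret != NO_ERROR) {
            OutputDebugPrintfA("DetourDetach error:%d", ret);
            DetourTransactionAbort();
            return FALSE;
        }
    }
    ret = DetourTransactionCommit();
    if (NO_ERROR != ret) {
        OutputDebugPrintfA("DetourTransactionCommit error:%d", ret);
        return FALSE;
    }
    OutputDebugPrintfA("uninstall success");
    return TRUE;
}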
