
Excerpted from: http://yulinlu.blog.163.com/blog/static/588156982008113111911557/
PerformCallBack4

Forces another process to call a given API; if that API is LoadLibrary, this amounts to thread injection. Provided by coredll.dll.

Definition of the PerformCallBack4 function:

[DllImport("coredll.dll")]
public static extern uint PerformCallBack4(ref CallBackInfo CallBackInfo,
    IntPtr ni_pVoid1, IntPtr ni_pVoid2, IntPtr ni_pVoid3);

Definition of the CallBackInfo structure used as the function's parameter:
public struct CallBackInfo
{
    public IntPtr hProc;  // the remote target process
    public IntPtr pfn;    // address of the function in the remote target process
    public IntPtr pvArg0; // first argument required by the function
}

The ni_pVoid1, ni_pVoid2 and ni_pVoid3 parameters of PerformCallBack4 are the other three arguments passed to the function executed in the remote target process.

Example:
/*-------------------------------------------------------------------
   FUNCTION: CallCoredllInProc
   PURPOSE:  CallCoredllInProc uses undocumented method
    PerformCallBack4 to call exported methods from coredll.dll in
    the specified process.
   PARAMETERS:
    HANDLE  p_hProcess - handle to the process, where the call should
        be made
    LPCTSTR p_pszMethodName - name of method exported from coredll,
        such as VirtualAlloc, VirtualFree, etc.
    DWORD p_dwParam1, p_dwParam2, p_dwParam3, p_dwParam4 - arguments
    DWORD * p_pdwResult - pointer to the return value
   RETURNS:
    TRUE on success, FALSE on failure
-------------------------------------------------------------------*/
BOOL CallCoredllInProc
(
    HANDLE  p_hProcess,
    LPCTSTR p_pszMethodName,
    DWORD   p_dwParam1, DWORD p_dwParam2,
    DWORD   p_dwParam3, DWORD p_dwParam4,
    DWORD * p_pdwResult)
{
    HINSTANCE l_hCoreDll = NULL;
    BOOL l_bReturn = FALSE;
    __try
    {
        //Use undocumented method PerformCallBack4
        //to call the coredll export inside the target process.
        //CALLBACKINFO here uses the sample's own member names; they map
        //to hProc / pfn / pvArg0 of the CallBackInfo structure above.
        CALLBACKINFO CallbackInfo;
        CallbackInfo.m_hDestinationProcessHandle = p_hProcess;
        l_hCoreDll = LoadLibrary(_T("COREDLL"));
        //Guard against a failed LoadLibrary: GetProcAddress(NULL, ...)
        //must not be reached, so the method pointer stays NULL instead.
        CallbackInfo.m_pFunction = l_hCoreDll
            ? (FARPROC)GetProcAddress(l_hCoreDll, p_pszMethodName)
            : NULL;
        if(!CallbackInfo.m_pFunction)
        {
            /*HTRACE(TG_Error,
                _T("GetProcAddress(%x, %s) failed. Err %d"),
                l_hCoreDll, p_pszMethodName, GetLastError());
            */
        }
        else
        {
            CallbackInfo.m_pFirstArgument = (LPVOID)p_dwParam1;
            DWORD l_dwResult = PerformCallBack4
                (&CallbackInfo, p_dwParam2, p_dwParam3, p_dwParam4);
            if(p_pdwResult)
            {
                *p_pdwResult = l_dwResult;
            }
            l_bReturn = TRUE;
        }
    }
    __except(1)
    {
        /*
        HTRACE(TG_Error, _T("Exception in CallCoredllInProc(%s)"),
            p_pszMethodName);
        */
        l_bReturn = FALSE;
    }
    if(l_hCoreDll)
    {
        FreeLibrary(l_hCoreDll);
    }
    return l_bReturn;
}//BOOL CallCoredllInProc


CreateAPISet
Undocumented before CE 6.0; documented from 6.0 on.
This function creates an API set from the list of functions passed as a parameter.

Syntax

HANDLE CreateAPISet(
  char acName[4],
  USHORT cFunctions,
  const PFNVOID *ppfnMethods,
  const ULONGLONG *pu64Sig
);
Parameters
acName
[in] Name of the API set.

cFunctions
[in] Number of functions for this API set.

ppfnMethods
[in] Array of functions for the API set.

pu64Sig
[in] Array of signatures for the functions.


Return Value
A handle to the API set.

Remarks
Before any process can become a handle server, the process must create and register a handle-based API set with this function and RegisterAPISet.

Requirements
Header: pkfuncs.h
Library: coredll.lib
Windows Embedded CE: 6.0 and later
Before CE 6.0, coredll.dll already contained this function.


RegisterAPISet
Undocumented before CE 6.0; documented from 6.0 on.
This function registers an API set.

Syntax
BOOL RegisterAPISet(
  HANDLE hASet,
  DWORD dwSetID
);

Parameters
hASet
[in] Handle to API set created by the CreateAPISet function.

dwSetID
[in] Type of API set. You must perform a bitwise OR operation on this parameter with REGISTER_APISET_TYPE to create a handle-based API set.

Return Value
TRUE indicates success. FALSE indicates failure. Call GetLastError to get extended error information.

Remarks
Before any process can become a handle server, the process must create and register a handle-based API set with CreateAPISet and RegisterAPISet.

Requirements
Header: pkfuncs.h
Library: coredll.lib
Windows Embedded CE: 6.0 and later
Before CE 6.0, coredll.dll already contained this function.


QueryAPISetID
Looks up the ID of an API set by name; provided by coredll.dll.
Syntax
int QueryAPISetID(
  char *pName
);

Parameters
pName
[in] Name of the API set.

Return Value
ID of the API set.


GetAPIAddress
Gets the address of a particular method of a particular API set; provided by coredll.dll.
FARPROC GetAPIAddress(
  int setId,
  int iMethod
);

Parameters
setId
[in] ID of the API set.

iMethod
[in] Index of the method within the API set.

Return Value
Address of that method.


GetProcessIndexFromID
Computes the process index (that is, which slot the process occupies) from the process ID; provided by coredll.dll.
Syntax
DWORD GetProcessIndexFromID(
  HANDLE hProc
);

Parameters
hProc
[in] Handle to the process. Why is this a process handle rather than a process ID? Very simple: in CE, the process handle is the process ID!

Return Value
The process index.

posted on 2009-07-16 16:37 by Sandy, category: Windows Mobile
