1 //////////////////////////////////////////////////////////////////////
2 附录:一个拦截CreateFile函数的简单实现
3 //////////////////////////////////////////////////////////////////////
4 #include <stdio.h>
5 #include <windows.h>
6 #include <Psapi.h>
7
8 #pragma comment(lib, "psapi.lib")
9
10 typedef struct _RemoteParam {
11 DWORD dwCreateFile;
12 DWORD dwMessageBox;
13 DWORD dwGetCurrentProcess;
14 DWORD dwWriteProcessMemory;
15 unsigned char szOldCode[10];
16 DWORD FunAddr;
17 } RemoteParam, * PRemoteParam;
18
19 typedef HANDLE (__stdcall * PFN_CREATEFILE)(LPCTSTR,DWORD,DWORD,LPSECURITY_ATTRIBUTES,DWORD,DWORD,HANDLE);
20 typedef int (__stdcall * PFN_MESSAGEBOX)(HWND, LPCTSTR, LPCTSTR, DWORD);
21 typedef BOOL (__stdcall * PFN_WRITEPROCESSMEMORY)(HANDLE,LPVOID,LPCVOID,SIZE_T,SIZE_T*);
22 typedef HANDLE (__stdcall * PFN_GETCURRENTPROCESS)(void);
23
24 #define PROCESSNUM 128
25 #define MYMESSAGEBOX "MessageBoxW"
26 #define MYCREATEFILE "CreateFileW"
27
28 void HookCreateFile(LPVOID lParam)
29 {
30
31 RemoteParam* pRP = (RemoteParam*)lParam;
32
33
34 DWORD NextIpAddr = 0;
35 DWORD dwParamaAddr = 0;
36
37 HANDLE RetFpHdl = INVALID_HANDLE_value;
38 LPCTSTR lpFileName;
39 DWORD dwDesiredAccess;
40 DWORD dwShareMode;
41 LPSECURITY_ATTRIBUTES lpSecurityAttributes;
42 DWORD dwCreationDisposition;
43 DWORD dwFlagsAndAttributes;
44 HANDLE hTemplateFile;
45 PFN_CREATEFILE pfnCreatefile = (PFN_CREATEFILE)pRP->dwCreateFile;
46
47
48 __asm
49 {
50 MOV EAX,[EBP+8]
51 MOV [dwParamaAddr], EAX
52 MOV EAX,[EBP+12]
53 MOV [NextIpAddr], EAX
54 MOV EAX,[EBP+16]
55 MOV [lpFileName], EAX
56 MOV EAX,[EBP+20]
57 MOV [dwDesiredAccess],EAX
58 MOV EAX,[EBP+24]
59 MOV [dwShareMode],EAX
60 MOV EAX,[EBP+28]
61 MOV [lpSecurityAttributes],EAX
62 MOV EAX,[EBP+32]
63 MOV [dwCreationDisposition],EAX
64 MOV EAX,[EBP+36]
65 MOV [dwFlagsAndAttributes],EAX
66 MOV EAX,[EBP+40]
67 MOV [hTemplateFile],EAX
68 }
69
70 PFN_MESSAGEBOX pfnMessageBox = (PFN_MESSAGEBOX)pRP->dwMessageBox;
71 int allowFlag = pfnMessageBox(NULL, lpFileName, NULL, MB_ICONINformATION | MB_YESNO);
72
73 if(allowFlag == IDYES)
74 {
75 unsigned char szNewCode[10];
76 int PramaAddr = (int)dwParamaAddr;
77 szNewCode[4] = PramaAddr>>24;
78 szNewCode[3] = (PramaAddr<<8)>>24;
79 szNewCode[2] = (PramaAddr<<16)>>24;
80 szNewCode[1] = (PramaAddr<<24)>>24;
81 szNewCode[0] = 0x68;
82
83 int funaddr = (int)pRP->FunAddr - (int)pfnCreatefile - 10 ;
84 szNewCode[9] = funaddr>>24;
85 szNewCode[8] = (funaddr<<8)>>24;
86 szNewCode[7] = (funaddr<<16)>>24;
87 szNewCode[6] = (funaddr<<24)>>24;
88 szNewCode[5] = 0xE8;
89
90
91 PFN_GETCURRENTPROCESS pfnGetCurrentProcess = (PFN_GETCURRENTPROCESS)pRP->dwGetCurrentProcess;
92 PFN_WRITEPROCESSMEMORY pfnWriteProcessMemory = (PFN_WRITEPROCESSMEMORY)pRP->dwWriteProcessMemory;
93 pfnWriteProcessMemory(pfnGetCurrentProcess(),
94 (LPVOID)pfnCreatefile,
95 (LPCVOID)pRP->szOldCode,
96 10,
97 NULL);
98
99 RetFpHdl = pfnCreatefile(lpFileName,
100 dwDesiredAccess,
101 dwShareMode,
102 lpSecurityAttributes,
103 dwCreationDisposition,
104 dwFlagsAndAttributes,
105 hTemplateFile);
106 pfnWriteProcessMemory(pfnGetCurrentProcess(),
107 (LPVOID)pfnCreatefile,
108 (LPCVOID)szNewCode,
109 10,
110 NULL);
111 }
112
113
114 __asm
115 {POP EDI
116 POP ESI
117 POP EBX
118 MOV EDX, [NextIpAddr]
119 MOV EAX, [RetFpHdl]
120 MOV ESP, EBP
121 POP EBP
122 ADD ESP, 28H
123 PUSH EDX
124 RET
125 }
126
127
128 }
129
130
131
132 BOOL AdjustProcessPrivileges(LPCSTR szPrivilegesName)
133 {
134 HANDLE hToken;
135 TOKEN_PRIVILEGES tkp;
136
137 if(!OpenProcessToken(GetCurrentProcess(),
138 TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
139 {
140 return FALSE;
141 }
142
143 if(!LookupPrivilegeValue(NULL,szPrivilegesName,
144 &tkp.Privileges[0].Luid))
145 {
146 CloseHandle(hToken);
147 return FALSE;
148 }
149
150 tkp.PrivilegeCount = 1;
151 tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
152
153 if(!AdjustTokenPrivileges(hToken,FALSE,&tkp,sizeof(tkp),NULL,NULL))
154 {
155 CloseHandle(hToken);
156 return FALSE;
157 }
158
159 CloseHandle(hToken);
160 return TRUE;
161 }
162
163
164 void printProcessNameByPid( DWORD ProcessId )
165 {
166 HANDLE pHd;
167 HMODULE pHmod;
168 char ProcessName[MAX_PATH] = "unknown";
169 DWORD cbNeeded;
170 pHd = OpenProcess( PROCESS_QUERY_INformATION |PROCESS_VM_READ, FALSE, ProcessId );
171 if(pHd == NULL)
172 return;
173
174 if(!EnumProcessModules( pHd, &pHmod, sizeof(pHmod), &cbNeeded))
175 return;
176 if(!GetModuleFileNameEx( pHd, pHmod, ProcessName, MAX_PATH))
177 return;
178
179 printf( "%dt%sn", ProcessId, ProcessName);
180 CloseHandle( pHd );
181 return;
182 }
183
184
185 int main(void)
186 {
187
188 if(!AdjustProcessPrivileges(SE_DEBUG_NAME))
189 {
190 printf("AdjustProcessPrivileges Error!n");
191 return -1;
192 }
193
194 DWORD Pids[PROCESSNUM];
195 DWORD dwProcessNum = 0;
196 if(!EnumProcesses(Pids, sizeof(Pids), &dwProcessNum))
197 {
198 printf("EnumProcess Error!n");
199 return -1;
200 }
201
202 for( DWORD num = 0; num < (dwProcessNum / sizeof(DWORD)); num++)
203 printProcessNameByPid(Pids[num]);
204
205 printf("nAll %d processes running. n", dwProcessNum / sizeof(DWORD));
206
207 DWORD dwPid = 0;
208 printf("n请输入要拦截的进程id:");
209 scanf("%d", &dwPid);
210
211 HANDLE hTargetProcess = OpenProcess(PROCESS_VM_OPERATION|PROCESS_VM_WRITE|PROCESS_VM_READ, FALSE, dwPid);
212 if(hTargetProcess == NULL)
213 {
214 printf("OpenProcess Error!n");
215 return -1;
216 }
217
218 DWORD dwFunAddr = (DWORD)VirtualAllocEx(hTargetProcess, NULL, 8192,
219 MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
220
221 if((LPVOID)dwFunAddr == NULL)
222 {
223 printf("申请线程内存失败!n");
224 CloseHandle(hTargetProcess);
225 return -1;
226 }
227
228 DWORD dwPramaAddr = (DWORD)VirtualAllocEx(hTargetProcess, NULL, sizeof(RemoteParam),
229 MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
230
231 if((LPVOID)dwPramaAddr == NULL)
232 {
233 printf("申请参数内存失败!n");
234 CloseHandle(hTargetProcess);
235 return -1;
236 }
237
238 printf("n线程内存地址:%.8xn"
239 "参数内存地址:%.8xn",
240 dwFunAddr, dwPramaAddr);
241 RemoteParam RParam;
242 ZeroMemory(&RParam, sizeof(RParam));
243 HMODULE hKernel32 = LoadLibrary("kernel32.dll");
244 HMODULE hUser32 = LoadLibrary("user32.dll");
245
246 RParam.dwCreateFile = (DWORD)GetProcAddress(hKernel32, MYCREATEFILE);
247 RParam.dwGetCurrentProcess = (DWORD)GetProcAddress(hKernel32, "GetCurrentProcess");
248 RParam.dwWriteProcessMemory = (DWORD)GetProcAddress(hKernel32, "WriteProcessMemory");
249 RParam.dwMessageBox = (DWORD)GetProcAddress(hUser32, MYMESSAGEBOX);
250
251 unsigned char oldcode[10];
252 unsigned char newcode[10];
253 int praadd = (int)dwPramaAddr;
254 int threadadd = (int)dwFunAddr;
255 newcode[4] = praadd>>24;
256 newcode[3] = (praadd<<8)>>24;
257 newcode[2] = (praadd<<16)>>24;
258 newcode[1] = (praadd<<24)>>24;
259 newcode[0] = 0x68;
260
261 int offsetaddr = threadadd - (int)RParam.dwCreateFile - 10 ;
262 newcode[9] = offsetaddr>>24;
263 newcode[8] = (offsetaddr<<8)>>24;
264 newcode[7] = (offsetaddr<<16)>>24;
265 newcode[6] = (offsetaddr<<24)>>24;
266 newcode[5] = 0xE8;
267
268 printf("NewCode:");
269 for(int j = 0; j < 10; j++)
270 printf("0x%.2x ",newcode[j]);
271 printf("nn");
272
273
274
275 if(!ReadProcessMemory(GetCurrentProcess(),
276 (LPCVOID)RParam.dwCreateFile,
277 oldcode,
278 10,
279 &dwPid))
280 {
281 printf("read error");
282 CloseHandle(hTargetProcess);
283 FreeLibrary(hKernel32);
284 return -1;
285 }
286
287 strcat((char*)RParam.szOldCode, (char*)oldcode);
288 RParam.FunAddr = dwFunAddr;
289
290 printf(
291 "RParam.dwCreate文件:%.8xn"
292 "RParam.dwMessageBox:%.8xn"
293 "RParam.dwGetCurrentProcess:%.8xn"
294 "RParam.dwWriteProcessMemory:%.8xn"
295 "RParam.FunAddr:%.8xn",
296 RParam.dwCreateFile,
297 RParam.dwMessageBox,
298 RParam.dwGetCurrentProcess,
299 RParam.dwWriteProcessMemory,
300 RParam.FunAddr);
301 printf("RParam.szOldCode:");
302 for( int i = 0; i< 10; i++)
303 printf("0x%.2x ", RParam.szOldCode);
304 printf("n");
305
306
307 if(!WriteProcessMemory(hTargetProcess, (LPVOID)dwFunAddr, (LPVOID)&HookCreateFile, 8192, &dwPid))
308 {
309 printf("WriteRemoteProcessesMemory Error!n");
310 CloseHandle(hTargetProcess);
311 FreeLibrary(hKernel32);
312 return -1;
313 }
314
315 if(!WriteProcessMemory(hTargetProcess, (LPVOID)dwPramaAddr, (LPVOID)&RParam, sizeof(RemoteParam), &dwPid))
316 {
317 printf("WriteRemoteProcessesMemory Error!n");
318 CloseHandle(hTargetProcess);
319 FreeLibrary(hKernel32);
320 return -1;
321 }
322
323 if(!WriteProcessMemory(hTargetProcess, (LPVOID)RParam.dwCreateFile, (LPVOID)newcode, 10, &dwPid))
324 {
325 printf("WriteRemoteProcessesMemory Error!n");
326 CloseHandle(hTargetProcess);
327 FreeLibrary(hKernel32);
328 return -1;
329 }
330
331 printf("nThat's all, good luck :)n");
332 CloseHandle(hTargetProcess);
333 FreeLibrary(hKernel32);
334 return 0;
335 }