Подскажите, пожалуйста, по перехвату данной API: везде лазил, но нигде нормального ответа так и не встретил (Builder 5).
Есть код dll
#include <windows.h>
#include <imagehlp.h>
#include <stdio.h>
/* base + offset, returned as a pointer of the requested type.  The arithmetic
 * is done on DWORD_PTR, so this form is width-correct on 64-bit as well (the
 * rest of the file mostly uses plain DWORD casts instead of this macro). */
#define MakePtr(cast, base, offset) (cast)((DWORD_PTR)(base) + (DWORD_PTR)(offset))

/* Function-pointer type used to call the real CreateProcessW.
 * NOTE(review): the parameters are declared with the TCHAR-based types
 * (LPCTSTR/PTSTR).  At run time the W entry point receives UTF-16 strings, so
 * this typedef only matches when the build defines UNICODE -- confirm the
 * project's character-set setting. */
typedef BOOL (WINAPI *PFNCreateProcessW)(
    LPCTSTR pszApplicationName,
    PTSTR pszCommandLine,
    LPSECURITY_ATTRIBUTES psaProcess,
    LPSECURITY_ATTRIBUTES psaThiead,
    BOOL bInheritHandles,
    DWORD fdwCreate,
    LPVOID pvEnvironment,
    LPCTSTR pszCurDir,
    LPSTARTUPINFO psiStartInfo,
    LPPROCESS_INFORMATION ppiProcInfo
);
/* Address of the real kernel32!CreateProcessW.  Filled in by DllEntryPoint on
 * attach; NewCreateProcessW forwards through it and detach writes it back. */
PFNCreateProcessW OldCreateProcessW;

/* Same shape as above, used for the ANSI entry point CreateProcessA. */
typedef BOOL (WINAPI *PFNCreateProcessA)(
    LPCTSTR pszApplicationName,
    PTSTR pszCommandLine,
    LPSECURITY_ATTRIBUTES psaProcess,
    LPSECURITY_ATTRIBUTES psaThiead,
    BOOL bInheritHandles,
    DWORD fdwCreate,
    LPVOID pvEnvironment,
    LPCTSTR pszCurDir,
    LPSTARTUPINFO psiStartInfo,
    LPPROCESS_INFORMATION ppiProcInfo
);
/* Address of the real kernel32!CreateProcessA, filled in by DllEntryPoint. */
PFNCreateProcessA OldCreateProcessA;
/*
 * Store the pointer value lpvSrc into the slot at lpvDest after temporarily
 * making that page writable.
 *
 * Despite the name and the dwSize parameter this is not a memcpy: exactly one
 * LONG is written (via InterlockedExchange), holding the numeric value of
 * lpvSrc itself.  dwSize is only handed to VirtualProtect.
 *
 * Returns S_OK when the page could be made writable and the store happened;
 * otherwise HRESULT_FROM_WIN32(GetLastError()).
 *
 * NOTE(review): LONG is 32 bits, so on a 64-bit build only the low half of the
 * pointer would be stored.  The result of the VirtualProtect that restores the
 * old protection is not checked, and after the __except handler GetLastError()
 * need not describe the fault that was caught.
 */
HRESULT WriteProtectedMemory(LPVOID lpvDest, LPVOID lpvSrc, DWORD dwSize) {
    DWORD dwOldProtect = 0;
    __try {
        /* The callers target a slot in a loaded image's import table, which is
         * typically not writable: lift the protection only around one atomic
         * store and put it back immediately. */
        if( VirtualProtect(lpvDest, dwSize, PAGE_READWRITE, &dwOldProtect) ) {
            InterlockedExchange((LONG*)lpvDest, (LONG)lpvSrc);
            VirtualProtect(lpvDest, dwSize, dwOldProtect, &dwOldProtect);
            return S_OK;
        }
    }
    __except( EXCEPTION_EXECUTE_HANDLER ) {
        /* Any access violation is swallowed and reported through the error
         * return below. */
    }
    return HRESULT_FROM_WIN32(GetLastError());
}
/*
 * Walk the import directory of the loaded image hModule and overwrite every
 * IAT slot that imports pchFuncTarget (compared case-sensitively) from
 * pchDllTarget (compared case-insensitively) with lpvMineFunc.
 *
 * Returns FALSE only when the DOS/NT signatures do not match or the image has
 * no import directory.  Returns TRUE otherwise -- also when no slot matched or
 * a write failed, because WriteProtectedMemory's result is discarded.
 *
 * NOTE(review): the address arithmetic casts the module base to DWORD, which
 * truncates on 64-bit; MakePtr (defined above) is used only for the NT
 * headers.  The PDWORD thunk pointers likewise assume a 32-bit image.  No
 * check bounds the RVAs against the image size, and a descriptor with
 * OriginalFirstThunk == 0 would make pdwINTO point at the image base.
 */
BOOL HookImportsOfImage(HMODULE hModule, PCHAR pchDllTarget, PCHAR pchFuncTarget, LPVOID lpvMineFunc) {
    PIMAGE_DOS_HEADER pDosHeader;
    PIMAGE_NT_HEADERS pNTHeaders;
    PIMAGE_IMPORT_DESCRIPTOR pImpDesc;
    PIMAGE_IMPORT_BY_NAME pImageImpByName;
    DWORD dwImportsStartRVA;
    PDWORD pdwIAT, pdwINTO;
    int iCount, iIndex;
    PCHAR pchDllName = NULL;
    /* An HMODULE is the image base, i.e. the DOS header. */
    pDosHeader = (PIMAGE_DOS_HEADER)hModule;
    pNTHeaders = MakePtr(PIMAGE_NT_HEADERS, hModule, pDosHeader->e_lfanew);
    /* Sanity-check both headers before trusting any RVA from them. */
    if( pNTHeaders->Signature != IMAGE_NT_SIGNATURE || pDosHeader->e_magic != IMAGE_DOS_SIGNATURE )
        return FALSE;
    dwImportsStartRVA = pNTHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if( !dwImportsStartRVA )
        return FALSE;
    pImpDesc = (PIMAGE_IMPORT_DESCRIPTOR)(dwImportsStartRVA+(DWORD)pDosHeader);
    /* One descriptor per imported DLL; the array is terminated by an all-zero
     * entry, detected here through Characteristics == 0. */
    for( iCount = 0; pImpDesc[iCount].Characteristics != 0; iCount++ ) {
        pchDllName = (PCHAR)(pImpDesc[iCount].Name + (DWORD)pDosHeader);
        /* FirstThunk = IAT (patched by the loader to live addresses);
         * OriginalFirstThunk = INT (still holds the name/ordinal hints). */
        pdwIAT = (PDWORD)(((DWORD)pDosHeader) + (DWORD)pImpDesc[iCount].FirstThunk);
        pdwINTO = (PDWORD)(((DWORD)pDosHeader) + (DWORD)pImpDesc[iCount].OriginalFirstThunk);
        /* Both thunk arrays end with a zero entry. */
        for( iIndex = 0; pdwIAT[iIndex] != 0; iIndex++ ) {
            /* Imports by ordinal carry no name to compare against; skip them. */
            if( (pdwIAT[iIndex] & IMAGE_ORDINAL_FLAG) != IMAGE_ORDINAL_FLAG ) {
                pImageImpByName = (PIMAGE_IMPORT_BY_NAME)(pdwINTO[iIndex] + ((DWORD)pDosHeader));
                if( (stricmp(pchDllName, pchDllTarget) == 0 ) && (strcmp((PCHAR)(pImageImpByName->Name), pchFuncTarget) == 0) ) {
                    /* Replace the live IAT entry; the return value is not checked. */
                    WriteProtectedMemory((LPVOID)&pdwIAT[iIndex], (LPVOID)lpvMineFunc, sizeof(LPVOID));
                }
            }
        }
    }
    return TRUE;
}
/*
 * Replacement for CreateProcessW that DllEntryPoint installs into the host's
 * IAT.  Forwards to the saved original with CREATE_SUSPENDED forced on, shows
 * two MessageBoxA dialogs (one on entry, one with the application name,
 * command line and PID), then resumes the new primary thread and returns the
 * original's result.
 *
 * NOTE(review): several things in the body do not do what the comments say:
 *  - `SaveFlags && CREATE_SUSPENDED` is a logical AND, true whenever SaveFlags
 *    is nonzero, so the thread would be resumed only when the caller passed no
 *    flags at all; a bit test (`&`) was presumably meant.  Here it does not
 *    even get that far: CREATE_SUSPENDED is OR-ed in before SaveFlags is
 *    captured, so SaveFlags is always nonzero and ResumeThread never runs.
 *  - sprintf into a 256-byte stack buffer is unbounded, and the command line
 *    is caller-controlled and can be longer than that.  Both string arguments
 *    may legitimately be NULL per the CreateProcess contract, and in the W
 *    entry point they are UTF-16 at run time, which "%s" does not format
 *    correctly.  Any of these can fault inside the hooked process.
 *  - nResult is not checked before pinfo->dwProcessId is read.
 *  - pinfo_last and psi are unused.
 */
BOOL __stdcall NewCreateProcessW(
    LPCTSTR lpApplicationName,
    LPTSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCTSTR lpCurrentDirectory,
    LPSTARTUPINFO lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation )
{
    MessageBoxA(0,"wewqe","CreateProcessW",0);
    PROCESS_INFORMATION *pinfo, *pinfo_last;
    LPSTARTUPINFO psi;
    /* First of two identical OR-ins; this one happens before SaveFlags is
     * taken, so the "did the caller ask for it" test below can never be false. */
    dwCreationFlags |= CREATE_SUSPENDED;
    char sbuf [256]="";
    DWORD SaveFlags = dwCreationFlags;
    dwCreationFlags |= CREATE_SUSPENDED;
    /* Forward to the real kernel32 entry point saved in DllEntryPoint. */
    BOOL nResult=((PFNCreateProcessW)OldCreateProcessW)
    (lpApplicationName,lpCommandLine,lpProcessAttributes,lpThreadAttributes,\
    bInheritHandles,dwCreationFlags,lpEnvironment,lpCurrentDirectory,lpStartupInfo,lpProcessInformation);
    pinfo = (PROCESS_INFORMATION *)lpProcessInformation;
    sprintf(sbuf,"AppName: %s\nCmdLine: %s\ndwProcessId :%d",lpApplicationName,lpCommandLine,pinfo->dwProcessId);
    MessageBoxA(0,sbuf,"CreateProcessW",0);// nothing happens (author's observation)
    /* Intended: resume the thread only if the caller did not itself request
     * CREATE_SUSPENDED.  See the note above on why this condition is wrong. */
    if (! (SaveFlags && CREATE_SUSPENDED) )
        ResumeThread(lpProcessInformation->hThread);
    return(nResult);
}
/*
 * Replacement for CreateProcessA that DllEntryPoint installs into the host's
 * IAT.  Forwards to the saved original with CREATE_SUSPENDED forced on, shows
 * two MessageBoxA dialogs (one on entry, one with the application name,
 * command line and PID), then resumes the new primary thread and returns the
 * original's result.
 *
 * NOTE(review):
 *  - `SaveFlags && CREATE_SUSPENDED` is a logical AND, true whenever SaveFlags
 *    is nonzero, so the child is resumed only when the caller passed no
 *    creation flags at all; a bit test (`&`) was presumably meant.
 *  - sprintf into a 256-byte stack buffer is unbounded, and the command line
 *    is caller-controlled and can be longer than that.  Both string arguments
 *    may legitimately be NULL per the CreateProcess contract, which "%s"
 *    does not handle.  Either can fault inside the hooked process.
 *  - nResult is not checked before pinfo->dwProcessId is read.
 *  - The second dialog's title string says "CreateProcessW" (copied from the
 *    W hook); left untouched here because it is a runtime string.
 *  - pinfo_last and psi are unused.
 */
BOOL __stdcall NewCreateProcessA(
    LPCTSTR lpApplicationName,
    LPTSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCTSTR lpCurrentDirectory,
    LPSTARTUPINFO lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation )
{
    MessageBoxA(0,"wewqe","CreateProcessA",0);
    PROCESS_INFORMATION *pinfo, *pinfo_last;
    LPSTARTUPINFO psi;
    char sbuf [256]="";
    /* Remember the caller's flags before forcing CREATE_SUSPENDED. */
    DWORD SaveFlags = dwCreationFlags;
    dwCreationFlags |= CREATE_SUSPENDED;
    /* Forward to the real kernel32 entry point saved in DllEntryPoint. */
    BOOL nResult=((PFNCreateProcessA)OldCreateProcessA)
    (lpApplicationName,lpCommandLine,lpProcessAttributes,lpThreadAttributes,\
    bInheritHandles,dwCreationFlags,lpEnvironment,lpCurrentDirectory,lpStartupInfo,lpProcessInformation);
    pinfo = (PROCESS_INFORMATION *)lpProcessInformation;
    sprintf(sbuf,"AppName: %s\nCmdLine: %s\ndwProcessId :%d",lpApplicationName,lpCommandLine,pinfo->dwProcessId);
    MessageBoxA(0,sbuf,"CreateProcessW",0); // nothing happens (author's observation)
    /* Intended: resume the thread only if the caller did not itself request
     * CREATE_SUSPENDED.  See the note above on why this condition is wrong. */
    if (! (SaveFlags && CREATE_SUSPENDED) )
        ResumeThread(lpProcessInformation->hThread);
    return(nResult);
}
#pragma argsused /* Builder: silence unused-parameter warnings for hinst/lpReserved */
/*
 * DLL entry point (C++ Builder's name for DllMain).  On DLL_PROCESS_ATTACH it
 * resolves the real kernel32 CreateProcessW/A and patches the host
 * executable's own import table (GetModuleHandle(NULL)) so those two imports
 * point at the New* replacements; on DLL_PROCESS_DETACH it writes the saved
 * originals back.  Always returns 1 (success).
 *
 * NOTE(review): both GetProcAddress results are used unchecked -- if either
 * is NULL the matching hook later forwards through a null function pointer.
 * HookImportsOfImage's return values are ignored, so a failed patch is silent.
 * Only the main module's import table is touched; the same imports in other
 * modules of the process are not affected.  As with any DllMain, this runs
 * under the loader lock.
 */
int WINAPI DllEntryPoint(HINSTANCE hinst, unsigned long reason, void* lpReserved)
{
    if(reason==DLL_PROCESS_ATTACH)
    {
        /* Save the originals first: the hooks forward through them. */
        OldCreateProcessW =(PFNCreateProcessW)GetProcAddress(GetModuleHandle("kernel32.dll"), "CreateProcessW");
        OldCreateProcessA= (PFNCreateProcessA)GetProcAddress(GetModuleHandle("kernel32.dll"), "CreateProcessA");
        HookImportsOfImage(GetModuleHandle(NULL), "kernel32.dll", "CreateProcessW", (LPVOID)NewCreateProcessW);
        HookImportsOfImage(GetModuleHandle(NULL), "kernel32.dll", "CreateProcessA", (LPVOID)NewCreateProcessA);
    }
    else if (reason == DLL_PROCESS_DETACH)
    {
        /* Restore the IAT slots to the saved originals. */
        HookImportsOfImage(GetModuleHandle(NULL), "kernel32.dll", "CreateProcessW", (LPVOID)OldCreateProcessW);
        HookImportsOfImage(GetModuleHandle(NULL), "kernel32.dll", "CreateProcessA", (LPVOID)OldCreateProcessA);
    }
    return 1;
}
Пытаюсь заинжектиться в explorer.exe через удалённые потоки:
/*
 * Enable (fEnable != 0) or disable SeDebugPrivilege on the current process
 * token.  Returns TRUE when the token could be opened and AdjustTokenPrivileges
 * left GetLastError() == ERROR_SUCCESS; FALSE otherwise.
 *
 * NOTE(review): LookupPrivilegeValue's return value is not checked.
 * AdjustTokenPrivileges can return success while setting
 * ERROR_NOT_ALL_ASSIGNED when the token does not hold the privilege (it is
 * present only for administrative tokens); that case is reported as FALSE
 * here, but the reason is not surfaced to the caller.  Enabling
 * SeDebugPrivilege grants access to other users' processes and is a
 * high-signal event for auditing.
 */
BOOL EnableDebugPrivilege(BOOL fEnable) {
    BOOL fOk = FALSE; // Assume function fails
    HANDLE hToken;
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES,
        &hToken)) {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
        tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED : 0;
        AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
        /* Success is inferred from GetLastError(), not from the return value. */
        fOk = (GetLastError() == ERROR_SUCCESS);
        CloseHandle(hToken);
    }
    return(fOk);
}
//---------------------------------------------------------------------------
/*
 * Load the DLL whose path is lpString into process dwProcessId: the path is
 * copied into that process and a remote thread is started at
 * kernel32!LoadLibraryA with the copied path as its argument.
 * Returns true when the remote thread was created and has finished; false at
 * the first failing step.
 *
 * NOTE(review):
 *  - hProcess is never closed on any path; the remote allocation is not freed
 *    and the handle not closed on the WriteProcessMemory / GetProcAddress /
 *    CreateRemoteThread failure paths; EnableDebugPrivilege(false) runs only
 *    on the success path.
 *  - cb is sized as cch * sizeof(WCHAR) although the thread routine is the
 *    ANSI LoadLibraryA.  If TCHAR is char in this build (the caller below
 *    passes a narrow literal), WriteProcessMemory reads twice the string's
 *    length from lpString, i.e. past the end of the source buffer.
 *  - The remote thread's exit code (LoadLibraryA's result) is not read, so
 *    "true" does not mean the DLL actually loaded.
 *  - PROCESS_ALL_ACCESS requests far more than these calls use; least
 *    privilege would ask only for the rights actually needed.
 */
bool IngectDll(DWORD dwProcessId,LPCTSTR lpString)
{
    EnableDebugPrivilege(true);
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcessId);
    if (hProcess==NULL) return false;
    /* Byte count is computed for wide characters even though the string is
     * consumed by LoadLibraryA -- see the note above. */
    int cch = 1 + lstrlen(lpString);
    int cb = cch * sizeof(WCHAR);
    LPVOID memory=VirtualAllocEx(hProcess, NULL,cb, MEM_COMMIT, PAGE_READWRITE);
    if (memory==NULL) return false;
    if (!WriteProcessMemory(hProcess,memory,(PVOID)lpString,cb,NULL)) return false;
    /* kernel32 is mapped at the same address in every process, so the local
     * address of LoadLibraryA is used as the remote thread start. */
    LPTHREAD_START_ROUTINE pfnThreadRtn =(LPTHREAD_START_ROUTINE)\
    GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
    if (pfnThreadRtn==NULL) return false;
    HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,pfnThreadRtn,memory,0,NULL);
    if (hThread==NULL) return false;
    WaitForSingleObject(hThread, INFINITE);
    VirtualFreeEx(hProcess,memory, 0, MEM_RELEASE);
    CloseHandle(hThread);
    EnableDebugPrivilege(false);
    return true;
}
/*
 * VCL button handler: reads a process id from Edit1, calls IngectDll with the
 * hard-coded path "C:\\Project1.dll" and reports the result via ShowMessage.
 * NOTE(review): StrToInt presumably raises an exception on non-numeric text
 * rather than returning an error -- confirm; the DLL path is hard-coded.
 */
void __fastcall TForm1::Button3Click(TObject *Sender)
{
    if (IngectDll(StrToInt(Edit1->Text),"C:\\Project1.dll"))
    {
        ShowMessage("GOOD");
    }
    else {ShowMessage("NO GOOD");}
}
Но вот
MessageBoxA(0,sbuf,"CreateProcessW",0);
из dll ничего не показывает — не подскажете, почему?
В procexp.exe вижу, что моя библиотека подгружается в explorer.exe.
Смотрю через RootkitUnhooker:
[1048]explorer.exe-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x004010D8 [Project1.dll]
Hook вроде есть, но почему-то не работает.
Заранее премного благодарен.