- #include <windows.h>
- #include <stdio.h>
- // Trampoline placeholder for the hook installed by SetHook. Naked: no
- // prologue/epilogue is emitted, so the function body is exactly the fourteen
- // int 3 (0xCC) bytes below. SetHook later overwrites the first 10 of them with
- // the 5 bytes displaced from the hooked function followed by a jmp to
- // hooked+5, which is how Detour_CreateProcessInternalW reaches the original
- // by `call offset jmp_back`. Until SetHook has patched it, calling jmp_back
- // simply hits a breakpoint.
- // The stub never returns by itself: after the patched jmp, control is inside
- // the original function, whose own stdcall `ret` pops the 12 arguments the
- // detour pushed. Because code is written into this function at run time, its
- // page is made PAGE_EXECUTE_READWRITE in SetHook (and never restored).
- void __declspec(naked) __stdcall jmp_back()
- {
- __asm{
- int 3 // 14 x 0xCC; bytes 0..9 are rewritten by SetHook, the rest stay as a trap
- int 3
- int 3
- int 3
- int 3
- int 3
- int 3
- int 3
- int 3
- int 3
- int 3
- int 3
- int 3
- int 3
- }
- }
- // Address of the hooked export, filled in by main() from GetProcAddress.
- // It is only ever used as the hook target handed to SetHook; calls to the
- // original routine go through the jmp_back trampoline, never through this
- // pointer. The parameter list is the 12-argument form of the undocumented
- // kernel32!CreateProcessInternalW: the CreateProcessW parameters with a
- // leading hToken and a trailing hNewToken. NOTE(review): being undocumented,
- // this signature is not guaranteed across Windows versions; nothing here
- // validates it.
- BOOL (WINAPI * Real_CreateProcessInternalW)(HANDLE hToken,
- LPCWSTR lpApplicationName,
- LPWSTR lpCommandLine,
- LPSECURITY_ATTRIBUTES lpProcessAttributes,
- LPSECURITY_ATTRIBUTES lpThreadAttributes,
- BOOL bInheritHandles,
- DWORD dwCreationFlags,
- LPVOID lpEnvironment,
- LPCWSTR lpCurrentDirectory,
- LPSTARTUPINFOW lpStartupInfo,
- LPPROCESS_INFORMATION lpProcessInformation,
- PHANDLE hNewToken);
- // Detour that executes in place of kernel32!CreateProcessInternalW once
- // SetHook has patched the export. It must be __stdcall with the same 12
- // parameters, because the jmp written over the original lands here with the
- // caller's stack frame untouched.
- //
- // Flow: re-push all arguments right-to-left and call the jmp_back trampoline
- // (displaced prologue + jmp into the original), but pass a local
- // PROCESS_INFORMATION instead of the caller's pointer so the new PID is
- // available here. On success the local copy is written back to the caller
- // (when it supplied a buffer) and the PID is printed; the follow-up action on
- // the child process is left commented out.
- //
- // NOTE(review): if the original succeeds and lpProcessInformation is NULL,
- // pi.hProcess / pi.hThread are never closed -- handle leak. If the original
- // fails, `pi` is left uninitialised but is not read, so that path is fine.
- // NOTE(review): "%d" with a DWORD works on 32-bit Windows, but "%lu" is the
- // matching specifier; the message also ends without a newline.
- BOOL __stdcall Detour_CreateProcessInternalW(HANDLE hToken,
- LPCWSTR lpApplicationName,
- LPWSTR lpCommandLine,
- LPSECURITY_ATTRIBUTES lpProcessAttributes,
- LPSECURITY_ATTRIBUTES lpThreadAttributes,
- BOOL bInheritHandles,
- DWORD dwCreationFlags,
- LPVOID lpEnvironment,
- LPCWSTR lpCurrentDirectory,
- LPSTARTUPINFOW lpStartupInfo,
- LPPROCESS_INFORMATION lpProcessInformation,
- PHANDLE hNewToken)
- {
- PROCESS_INFORMATION pi; // receives the child's handles/IDs instead of the caller's buffer
- BOOL ret;
- __asm
- {
- push hNewToken // stdcall: arguments are pushed right-to-left
- lea eax,[pi]
- push eax // &pi stands in for lpProcessInformation
- push lpStartupInfo
- push lpCurrentDirectory
- push lpEnvironment
- push dwCreationFlags
- push bInheritHandles
- push lpThreadAttributes
- push lpProcessAttributes
- push lpCommandLine
- push lpApplicationName
- push hToken
- call offset jmp_back // runs the original; its stdcall ret pops all 12 arguments
- mov ret,eax // BOOL result of the original call
- }
- if(ret)
- {
- if(lpProcessInformation)
- {
- // Hand the real result back to the caller.
- memcpy(lpProcessInformation,&pi,sizeof(PROCESS_INFORMATION));
- }
- printf("HOOK_CreateProcessInternalW try Inject New Process : %d ",pi.dwProcessId);
- //NewInject(pi.dwProcessId,(LPTHREAD_START_ROUTINE)InjectMain);
- }
- return ret;
- }
- // Installs a 5-byte relative-jmp inline hook: the first 5 bytes of pf_Func
- // are saved into jmp_back, a `jmp pf_Func+5` is appended there so jmp_back
- // becomes a trampoline to the original, and then pf_Func is overwritten with
- // `jmp pf_Detour`. Addresses are passed as DWORD and the displacements are
- // rel32, so this is 32-bit x86 / MSVC inline-asm only.
- //
- // NOTE(review): the 5 displaced bytes are copied blindly. That is only
- // correct if they form whole, position-independent instructions (true for the
- // hot-patchable `mov edi,edi / push ebp / mov ebp,esp` prologue, which is
- // presumably what the author relied on); nothing here checks it.
- // NOTE(review): both VirtualProtect results are ignored, the second call
- // overwrites old_protect, and the original protections are never restored,
- // so the hooked code page and jmp_back stay PAGE_EXECUTE_READWRITE. From a
- // detection standpoint, an RWX image page whose bytes no longer match the
- // module on disk is the classic indicator of this kind of hook.
- // NOTE(review): the patch is not atomic; another thread executing pf_Func
- // while the bytes are being written can observe a half-written instruction.
- void SetHook(DWORD pf_Func,DWORD pf_Detour)
- {
- DWORD old_protect; // written twice, never used to restore protection
- DWORD jmp_addr; // rel32 displacement for the jmp placed at pf_Func
- VirtualProtect((void *)pf_Func,10,PAGE_EXECUTE_READWRITE,&old_protect);
- VirtualProtect((void *)jmp_back,10,PAGE_EXECUTE_READWRITE,&old_protect);
- __asm
- {
- // jmp_addr = pf_Detour - pf_Func - 5 (rel32 is relative to the end of the 5-byte jmp)
- mov eax,DWORD ptr[pf_Detour]
- sub eax,DWORD ptr[pf_Func]
- sub eax,5
- mov jmp_addr,eax
- mov eax,DWORD ptr[pf_Func]
- mov ecx,offset jmp_back
- push ebx // ebx is callee-saved; preserve it around the scratch use below
- mov bl,BYTE ptr[eax] // back up the first 5 bytes of the original function
- mov BYTE ptr[ecx],bl
- mov ebx,DWORD ptr[eax+1]
- mov DWORD ptr[ecx+1],ebx
- // Overwrite the target: E9 <rel32>  (jmp pf_Detour)
- mov BYTE ptr[eax],0xE9
- inc eax
- mov ebx,jmp_addr
- mov DWORD ptr[eax],ebx
- // eax = (pf_Func+5) - (jmp_back+5) - 5: rel32 from the end of the jmp at jmp_back+5 back to pf_Func+5
- mov eax,DWORD ptr[pf_Func]
- add eax,5
- mov ebx,offset jmp_back
- add ebx,5
- sub eax,ebx
- sub eax,5
- // jmp_back+5: E9 <rel32>  (jmp pf_Func+5), completing the trampoline
- mov BYTE ptr[ecx+5],0xE9
- mov DWORD ptr[ecx+6],eax
- pop ebx
- }
- }
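- // Demo driver: resolves the undocumented kernel32!CreateProcessInternalW
- // export, hooks it inside this process, then spawns CMD.EXE so the hook
- // fires on the way through CreateProcess. If the export cannot be resolved
- // the hook is skipped silently and the child is started unhooked.
- // Returns 0 unconditionally; argc/argv are unused.
- int main(int argc, char* argv[])
- {
- STARTUPINFO si={0};
- PROCESS_INFORMATION pi={0};
- BOOL created;
- HMODULE hKernel32;
- (void)argc;
- (void)argv;
- // kernel32 is already mapped in every process; LoadLibraryA just yields its
- // handle. Guard it anyway: GetProcAddress on a NULL module is not defined.
- hKernel32 = LoadLibraryA("Kernel32.dll");
- if(hKernel32)
- {
- // The cast assumes the 12-parameter signature declared above; the export
- // is undocumented, so this is version-dependent.
- Real_CreateProcessInternalW =(BOOL (__stdcall *)(HANDLE,
- LPCWSTR,LPWSTR,
- LPSECURITY_ATTRIBUTES,
- LPSECURITY_ATTRIBUTES,
- BOOL,
- DWORD,
- LPVOID,
- LPCWSTR,
- LPSTARTUPINFOW,
- LPPROCESS_INFORMATION,
- PHANDLE))GetProcAddress(hKernel32,"CreateProcessInternalW");
- }
- if(Real_CreateProcessInternalW)
- {
- SetHook((DWORD)Real_CreateProcessInternalW,(DWORD)Detour_CreateProcessInternalW);
- OutputDebugStringA("try Hook CreateProcessInternalW");
- }
- si.cb = sizeof(STARTUPINFO);
- // CreateProcess(A) is routed through CreateProcessInternalW, i.e. through the hook.
- created = CreateProcess(NULL,"CMD.EXE",NULL,NULL,FALSE,0,NULL,NULL,&si,&pi);
- printf("%d",created);
- if(created)
- {
- // The child keeps running on its own; just release our handles to it.
- CloseHandle(pi.hThread);
- CloseHandle(pi.hProcess);
- }
- OutputDebugStringA("Go Out");
- return 0;
- }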
- // This snippet is from http://www.codesnippet.cn/detail/101220137878.html
Source: http://www.codesnippet.cn/detail/101220137878.html