监控进程创建代码,C代码库,德仔网

代码语言

代码分类

【C】监控进程创建

作者:戏子行者 / 发布于2013/3/18/ 658


	#include <windows.h>
	#include <stdio.h>

	void __declspec(naked) __stdcall jmp_back()
	{
	__asm{
	 int 3
	 int 3
	 int 3
	 int 3
	 int 3
	 int 3
	 int 3
	 int 3
	 int 3
	 int 3
	 int 3
	 int 3
	 int 3
	 int 3
	}
	}

	BOOL (WINAPI * Real_CreateProcessInternalW)(HANDLE hToken,
	LPCWSTR lpApplicationName,
	LPWSTR lpCommandLine,
	LPSECURITY_ATTRIBUTES lpProcessAttributes,
	LPSECURITY_ATTRIBUTES lpThreadAttributes,
	BOOL bInheritHandles,
	DWORD dwCreationFlags,
	LPVOID lpEnvironment,
	LPCWSTR lpCurrentDirectory,
	LPSTARTUPINFOW lpStartupInfo,
	LPPROCESS_INFORMATION lpProcessInformation,
	PHANDLE hNewToken);

	
	BOOL __stdcall Detour_CreateProcessInternalW(HANDLE hToken,
	LPCWSTR lpApplicationName,
	LPWSTR lpCommandLine,
	LPSECURITY_ATTRIBUTES lpProcessAttributes,
	LPSECURITY_ATTRIBUTES lpThreadAttributes,
	BOOL bInheritHandles,
	DWORD dwCreationFlags,
	LPVOID lpEnvironment,
	LPCWSTR lpCurrentDirectory,
	LPSTARTUPINFOW lpStartupInfo,
	LPPROCESS_INFORMATION lpProcessInformation,
	PHANDLE hNewToken)
	{
	PROCESS_INFORMATION pi;
	BOOL ret;
	__asm
	{
	 push hNewToken
	 lea eax,[pi]
	 push eax
	 push lpStartupInfo
	 push lpCurrentDirectory
	 push lpEnvironment
	 push dwCreationFlags
	 push bInheritHandles
	 push lpThreadAttributes
	 push lpProcessAttributes
	 push lpCommandLine
	 push lpApplicationName
	 push hToken
	 call offset jmp_back
	 mov ret,eax
	}
	if(ret)
	{
	 if(lpProcessInformation)
	 {
	 memcpy(lpProcessInformation,&pi,sizeof(PROCESS_INFORMATION));
	 }
	 printf("HOOK_CreateProcessInternalW try Inject New Process : %d ",pi.dwProcessId);
	 //NewInject(pi.dwProcessId,(LPTHREAD_START_ROUTINE)InjectMain);
	}
	return ret;
	}

	void SetHook(DWORD pf_Func,DWORD pf_Detour)
	{
	DWORD old_protect;
	DWORD jmp_addr;
	VirtualProtect((void *)pf_Func,10,PAGE_EXECUTE_READWRITE,&old_protect);
	VirtualProtect((void *)jmp_back,10,PAGE_EXECUTE_READWRITE,&old_protect);
	__asm
	{
	 mov eax,DWORD ptr[pf_Detour]
	 sub eax,DWORD ptr[pf_Func]
	 sub eax,5
	 mov jmp_addr,eax
	 mov eax,DWORD ptr[pf_Func]
	 mov ecx,offset jmp_back
	 push ebx
	 mov bl,BYTE ptr[eax] //备份原函数的前 5 个字节
	 mov BYTE ptr[ecx],bl
	 mov ebx,DWORD ptr[eax+1]
	 mov DWORD ptr[ecx+1],ebx
	 mov BYTE ptr[eax],0xE9
	 inc eax
	 mov ebx,jmp_addr
	 mov DWORD ptr[eax],ebx
	 mov eax,DWORD ptr[pf_Func]
	 add eax,5
	 mov ebx,offset jmp_back
	 add ebx,5
	 sub eax,ebx
	 sub eax,5
	 mov BYTE ptr[ecx+5],0xE9
	 mov DWORD ptr[ecx+6],eax
	 pop ebx
	}
	}

	int main(int argc, char* argv[])
	{
	STARTUPINFO si={0};
	PROCESS_INFORMATION pi;
	HMODULE hKernel32 = LoadLibraryA("Kernel32.dll");
	Real_CreateProcessInternalW =(BOOL (__stdcall *)(HANDLE,
	 LPCWSTR,LPWSTR,
	 LPSECURITY_ATTRIBUTES,
	 LPSECURITY_ATTRIBUTES,
	 BOOL,
	 DWORD,
	 LPVOID,
	 LPCWSTR,
	 LPSTARTUPINFOW,
	 LPPROCESS_INFORMATION,
	 PHANDLE))GetProcAddress(hKernel32,"CreateProcessInternalW");
	if(Real_CreateProcessInternalW)
	{
	 SetHook((DWORD)Real_CreateProcessInternalW,(DWORD)Detour_CreateProcessInternalW);
	 OutputDebugStringA("try Hook CreateProcessInternalW");
	}

	si.cb = sizeof(STARTUPINFO);
	printf("%d",CreateProcess(NULL,"CMD.EXE",NULL,NULL,FALSE,0,NULL,NULL,&si,&pi));
	OutputDebugStringA("Go Out");
	return 0;
	}

评论列表

本站所提供的代码，版权归原作者所有，若有侵犯作者版权，请与我们联系，我们将立即删除或修改。谢谢!
本站所有代码发布及提供者。

试试其它关键字

　监控进程　

同语言下

可能有用的

戏子行者贡献的其它代码(5)