This code hooks the API to create a process running as the System user.
Because of the character limit I have only pasted the main code; if you want the complete code you can download it from my blog.
The address is: http://blog.csdn.net/chenhui530/archive/2007/12/13/1932599.aspx

' Native process-creation routines from ntdll. The hook callbacks below call these originals
' once the hook has been temporarily switched off.
Private Declare Function NtCreateProcessEx Lib "NTDLL.DLL" (ByRef ProcessHandle As Long, ByVal AccessMask As Long, ByVal ObjectAttributes As Long, ByVal hParentProcess As Long, ByVal InheritHandles As Long, ByVal hSection As Long, ByVal hDebugPort As Long, ByVal hExceptionPort As Long, ByVal reserv As Long) As Long
Private Declare Function NtCreateProcess Lib "NTDLL.DLL" (ByRef ProcessHandle As Long, ByVal AccessMask As Long, ByVal ObjectAttributes As Long, ByVal hParentProcess As Long, ByVal InheritHandles As Long, ByVal hSection As Long, ByVal hDebugPort As Long, ByVal hExceptionPort As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcId As Long) As Long

Private Const PROCESS_QUERY_INFORMATION As Long = (&H400)
Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Private Const SYNCHRONIZE As Long = &H100000
Private Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)

Private Type OBJECT_ATTRIBUTES
    Length As Long
    RootDirectory As Long
    ObjectName As Long
    Attributes As Long
    SecurityDescriptor As Long
    SecurityQualityOfService As Long
End Type

' Hook bookkeeping objects (clsHookInfo is defined in the full download) and the two handles used
' by the callbacks: glngProcess (this process) and glngSystemHandle (a handle to a System process).
Public gclsHookNtCreateProcessEx As clsHookInfo
Public gclsHookNtCreateProcess As clsHookInfo
Public glngProcess As Long
Public glngSystemHandle As Long

Public Function NtCreateProcessExCallback(ByRef ProcessHandle As Long, ByVal AccessMask As Long, ByVal ObjectAttributes As Long, ByVal hParentProcess As Long, ByVal InheritHandles As Long, ByVal hSection As Long, ByVal hDebugPort As Long, ByVal hExceptionPort As Long, ByVal reserv As Long) As Long
    Dim hReturn As Long
    ' Temporarily remove the hook so the call below reaches the real NtCreateProcessEx.
    gclsHookNtCreateProcessEx.HookStatus False
    ' The caller's hParentProcess is discarded and glngSystemHandle is passed as the parent instead,
    ' so the new process is created under that parent's (System) token.
    hReturn = NtCreateProcessEx(ProcessHandle, AccessMask, ObjectAttributes, glngSystemHandle, InheritHandles, hSection, hDebugPort, hExceptionPort, reserv)
    ' Re-install the hook before returning.
    gclsHookNtCreateProcessEx.HookStatus True
    NtCreateProcessExCallback = hReturn
End Function

Public Function NtCreateProcessCallback(ByRef ProcessHandle As Long, ByVal AccessMask As Long, ByVal ObjectAttributes As Long, ByVal hParentProcess As Long, ByVal InheritHandles As Long, ByVal hSection As Long, ByVal hDebugPort As Long, ByVal hExceptionPort As Long) As Long
    Dim hReturn As Long
    ' Same pattern as above for the older NtCreateProcess entry point.
    gclsHookNtCreateProcess.HookStatus False
    hReturn = NtCreateProcess(ProcessHandle, AccessMask, ObjectAttributes, glngSystemHandle, InheritHandles, hSection, hDebugPort, hExceptionPort)
    gclsHookNtCreateProcess.HookStatus True
    NtCreateProcessCallback = hReturn
End Function

' Helper used to obtain a procedure's address (VB6 AddressOf can only be passed as an argument).
Public Function GetFunAddr(lngFunAddr As Long) As Long
    GetFunAddr = lngFunAddr
End Function
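The hooked callbacks above hand a System process handle to NtCreateProcess(Ex) in place of the caller's own hParentProcess, so the child reports a parent that never actually spawned it. The following added example (not from the original post or its author) shows the detection check a defender would run over process-start telemetry for exactly that mismatch. It assumes a telemetry source that records both the parent the new process will report and the PID of the process that actually issued the create call (the kernel's process-creation callback exposes both); the record fields and the sample records are constructed for illustration.

```python
"""Detect parent-handle swapping in constructed process-start records (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ProcStart:
    pid: int
    ppid: int          # parent the new process reports (the hParentProcess handle's PID)
    creator_pid: int   # process that actually issued NtCreateProcess(Ex)
    user: str          # account the new process runs as
    creator_user: str  # account of the creating process
    image: str


def _is_system(account: str) -> bool:
    # Assumption: the telemetry renders the local System account as "...\\SYSTEM".
    return account.upper().endswith("\\SYSTEM")


def flag_spoofed_parent(events: Iterable[ProcStart]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for records where the reported parent is not the creator,
    or where a non-System creator produced a System child (token inherited from the
    substituted parent handle)."""
    findings: List[Tuple[int, str]] = []
    for e in events:
        reasons = []
        if e.ppid != e.creator_pid:
            reasons.append(f"parent {e.ppid} differs from creator {e.creator_pid}")
        if _is_system(e.user) and not _is_system(e.creator_user):
            reasons.append(f"runs as {e.user} but created by {e.creator_user}")
        if reasons:
            findings.append((e.pid, f"{e.image}: " + "; ".join(reasons)))
    return findings


# Constructed sample: one ordinary spawn, and one whose parent handle was swapped to a
# System process (PID 620 here is an invented placeholder) by a hook like the one above.
SAMPLE = [
    ProcStart(4100, 3000, 3000, "DESK\\alice", "DESK\\alice", "notepad.exe"),
    ProcStart(4200, 620, 3000, "NT AUTHORITY\\SYSTEM", "DESK\\alice", "cmd.exe"),
]

if __name__ == "__main__":
    for pid, reason in flag_spoofed_parent(SAMPLE):
        print(pid, reason)
```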
The problem is in NtCreateProcessExCallback, at:
gclsHookNtCreateProcessEx.HookStatus False
Then I stepped through it again, and it seems to loop endlessly executing NtCreateProcessExCallback; at that point the contents of mbytOldCode(5) and mbytNewCode(5) are exactly identical! It looks like the following was not executed the first time the program exited:
Private Sub Class_Terminate()
    HookStatus False
    ' CloseHandle mhProcess
End Sub
But in:
Private Sub Form_Unload(Cancel As Integer)
    CloseHandle glngSystemHandle
    CloseHandle glngProcess
    Set gclsHookNtCreateProcess = Nothing
    Set gclsHookNtCreateProcessEx = Nothing
End Sub
I already do Set gclsHookNtCreateProcess = Nothing.
Could it be that under the IDE, Set <class variable> = Nothing does not run Class_Terminate??
I wonder whether the original poster noticed this problem!
Remote threads are the least stable and the most easily intercepted; if that is the case, it would be better to use the token-replacement method instead.

to zzyong00:
The code is indeed a little unstable, and because of the constraints it cannot be changed.