请问如何根据进程的路径进行判断，然后如果是那个路径就注入。
例如 我有个EXE是在c:\test\inject\1.exe
那么我该怎么写 来判断那个进程是在"c:\test\inject\"这个目录 然后如果是的话那么就注入?

解决方案 »

  1.   

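    有2个知识点
    获取进程路径
    注入DLL
    获取路径
    #include <stdio.h>
    #include <windows.h>
    #include "PSAPI.H"
    #pragma comment( lib, "PSAPI.LIB" )

    BOOL EnablePrivilege(HANDLE hToken, LPCSTR szPrivName);

    /*
     * Lists every process the caller can open, printing its image path and PID.
     * SeDebugPrivilege is enabled first so that processes of other users can be
     * queried; that only succeeds from an elevated (administrator) token, and the
     * privilege is not needed to inspect the caller's own processes.
     *
     * Returns 0 on success, 1 when the token/privilege/enumeration step fails.
     */
    int main(void)
    {
        DWORD processid[1024];
        DWORD needed = 0, processcount = 0, i;
        char path[MAX_PATH];
        char shortpath[MAX_PATH];
        HANDLE hToken = NULL;

        printf("ShowProcessPath 2.0 with [Process Status API]\n\n");

        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        {
            printf("OpenProcessToken failed: %lu\n", GetLastError());
            return 1;
        }
        if (!EnablePrivilege(hToken, SE_DEBUG_NAME))
        {
            printf("EnablePrivilege(SE_DEBUG_NAME) failed: %lu\n", GetLastError());
            CloseHandle(hToken);
            return 1;
        }
        CloseHandle(hToken);  /* the token is not needed once the privilege is set */

        if (!EnumProcesses(processid, sizeof(processid), &needed))
        {
            printf("EnumProcesses failed: %lu\n", GetLastError());
            return 1;
        }
        /* EnumProcesses cannot signal a short buffer; a completely filled one
         * means the list may have been truncated. */
        if (needed == sizeof(processid))
        {
            printf("Warning: more than %u processes, list may be truncated\n",
                   (unsigned)(sizeof(processid) / sizeof(processid[0])));
        }
        processcount = needed / sizeof(DWORD);

        for (i = 0; i < processcount; i++)
        {
            /* one handle per iteration, closed before the next one is opened
             * (the original closed only the last handle, leaking the rest) */
            HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                          FALSE, processid[i]);
            HMODULE hModule = NULL;

            if (!hProcess)
            {
                printf("Failed!!!\n");
                continue;
            }

            /* Both calls are checked so a path left over from the previous
             * iteration is never printed for the wrong PID. */
            path[0] = '\0';
            if (EnumProcessModules(hProcess, &hModule, sizeof(hModule), &needed) &&
                GetModuleFileNameEx(hProcess, hModule, path, sizeof(path)) != 0)
            {
                /* Use the 8.3 form only when the conversion fully succeeded;
                 * otherwise fall back to the long path, which is still valid. */
                DWORD n = GetShortPathName(path, shortpath, sizeof(shortpath));
                const char *shown = (n > 0 && n < sizeof(shortpath)) ? shortpath : path;
                printf("%s --- %lu\n", shown, processid[i]);
            }
            else
            {
                printf("PID %lu --- path unavailable (%lu)\n", processid[i], GetLastError());
            }

            /* An HMODULE is a module base address, not a kernel handle, so it is
             * never passed to CloseHandle. */
            CloseHandle(hProcess);
        }

        printf("\nProcess Count:%lu\n\n", processcount);
        return 0;
    }

    /*
     * Enables one named privilege on hToken (opened with TOKEN_ADJUST_PRIVILEGES).
     *
     * Returns TRUE only when the privilege was actually granted: AdjustTokenPrivileges
     * returns TRUE even when it could assign nothing and reports that through
     * GetLastError (ERROR_NOT_ALL_ASSIGNED), so the last-error check is required.
     * A non-elevated token does not hold SeDebugPrivilege and will fail here.
     */
    BOOL EnablePrivilege(HANDLE hToken, LPCSTR szPrivName)
    {
        TOKEN_PRIVILEGES tkp;

        if (!LookupPrivilegeValue(NULL, szPrivName, &tkp.Privileges[0].Luid))
        {
            return FALSE;
        }
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL))
        {
            return FALSE;
        }
        return GetLastError() == ERROR_SUCCESS;
    }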
    注入有很多方法,最简单用钩子
    SetWindowsHookEx (WH_GETMESSAGE,proc,GetModuleHandle (NULL),ThreadId);
      

  2.   

    遍历进程,获得进程路径GetModuleFileNameEx,获得前面的文件夹,然后对比,提权,注入