#include <windows.h>
#include <winioctl.h>   // USN_PAGE_SIZE (0x1000), used below as the page size
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include "InlineHookEngine.h"
#include "LDasm.h"

typedef HANDLE(WINAPI* OpenProcessProc)(
    _In_ DWORD dwDesiredAccess,
    _In_ BOOL  bInheritHandle,
    _In_ DWORD dwProcessId);

// Entry stub that the patched OpenProcess jumps to; defined outside this file.
EXTERN_C HANDLE Hook(_In_ DWORD dwDesiredAccess, _In_ BOOL bInheritHandle, _In_ DWORD dwProcessId);

// Replacement implementation: logs the call and returns a NULL handle.
EXTERN_C HANDLE NewOpenProcess(_In_ DWORD dwDesiredAccess, _In_ BOOL bInheritHandle, _In_ DWORD dwProcessId)
{
    printf("-------------------------------------\r\n");
    return 0;
}

// Copy of the original function bytes that the patch overwrites.
char* oldCode;

// Length in bytes of the single instruction at psrc, decoded with LDasm.
uint32_t GetAsmLength(PVOID psrc)
{
    ldasm_data ld = { 0 };
    uint32_t len = ldasm(psrc, &ld, is_x64);
    return len;
}

// Smallest instruction-aligned offset >= needOffsetNum, so that overwriting the
// first needOffsetNum bytes of funcAddress never cuts an instruction in half.
UINT GetFuncOffset(PVOID funcAddress, UINT needOffsetNum, UINT currentNum = 0)
{
    PVOID newfuncAddress = (PVOID)((UINT64)funcAddress + currentNum);
    currentNum += GetAsmLength(newfuncAddress);
    if (currentNum >= needOffsetNum) {
        return currentNum;
    }
    return GetFuncOffset(funcAddress, needOffsetNum, currentNum);
}

EXTERN_C int main()
{
    HMODULE hModule = GetModuleHandleA("kernelbase.dll");
    PVOID64 funAddress = (PVOID64)GetProcAddress(hModule, "OpenProcess");
    if (funAddress == NULL) {
        return 0;
    }

    // The patch is a 6-byte "jmp qword ptr [rip-14]"; round up to whole instructions.
    UINT offset = GetFuncOffset(funAddress, 6);
    oldCode = (char*)malloc(offset);
    memcpy(oldCode, funAddress, offset);
    ULONG64 originalFuncLastAddress = (ULONG64)funAddress + offset;

    // Bytes written starting at funAddress - 8:
    //   8 bytes : absolute address of Hook
    //   6 bytes : FF 25 F2 FF FF FF = jmp qword ptr [rip-14], i.e. jmp [funAddress-8]
    // The 8 bytes preceding the function are assumed to be unused padding.
    unsigned char shellCode[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0xFF,0x25,0xF2,0xFF,0xFF,0xFF };
    *(PULONG64)shellCode = (ULONG64)Hook;

    PVOID64 hookFunAddress = (PVOID64)((ULONG64)funAddress - 8);
    ULONG oldProtect;
    if (VirtualProtect(hookFunAddress, USN_PAGE_SIZE, PAGE_EXECUTE_READWRITE, &oldProtect)) {
        memcpy(hookFunAddress, shellCode, sizeof(shellCode));
        VirtualProtect(hookFunAddress, USN_PAGE_SIZE, oldProtect, &oldProtect);
    } else {
        return 0;
    }

    // Trampoline for reaching the original: the saved prologue bytes followed by
    // FF 25 00 00 00 00 <addr> = jmp qword ptr [rip+0] to the first untouched instruction.
    // The saved bytes are copied verbatim, so this only works when they contain no
    // RIP-relative or relative-branch instructions.
    unsigned char CallOrginalFuncShellCode[] = { 0xFF,0x25,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
    PVOID CallOrginalFunc = VirtualAlloc(NULL, USN_PAGE_SIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (CallOrginalFunc == NULL) {
        return 0;
    }
    memcpy(CallOrginalFunc, oldCode, offset);
    *(PULONG64)&CallOrginalFuncShellCode[6] = originalFuncLastAddress;
    memcpy((PVOID)((ULONG64)CallOrginalFunc + offset), CallOrginalFuncShellCode, sizeof(CallOrginalFuncShellCode));

    // Patched path: goes through Hook / NewOpenProcess.
    HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 10840);
    printf("句柄为 %llx\r\n", (unsigned long long)handle);

    // Unpatched path: the original function reached through the trampoline.
    auto OrginalFunc = (OpenProcessProc)CallOrginalFunc;
    handle = OrginalFunc(PROCESS_ALL_ACCESS, FALSE, 10840);
    printf("句柄为 %llx\r\n", (unsigned long long)handle);
    return 0;
}