C++ code colored by C++2HTML
应用层隐藏服务的项目 2006-03-28
HideService
 

// *****************************************************************************//
//
// 文件名: AgentHk.cpp
// 所属项目名称:
// 所属模块名称: AGENT Service Hook
// 所属项目版本: 2.0
// 文件用途 :
// 文件作者 : horse_b
// 创建日期 : 2004-11-30
//
// 文件修改说明:
// 文件修改人:
// 修改日期:
//
//
//
//********************************************************************************//
#include <stdio.h>#include <tchar.h> // Make program ansi AND unicode safe
#include <windows.h> // Most Windows functions
#include <commctrl.h> // Used for TreeView controls
#include <setupapi.h> // Used for SetupDiXxx functions
#include <basetsd.h>#include <cfgmgr32.h> // Used for CM_Xxxx functions
#include <regstr.h> // Extract Registry Strings
#include <devguid.h> //API HOOK方式 #define APIHOOK16

#ifdef APIHOOK16
#include "apihook16.h"#define CAPIHook CAPIHook16
#else#include "apihook32.h"#define CAPIHook CAPIHook32
#endif#pragma comment(lib, "setupapi.lib")#pragma comment(lib, "advapi32.lib") //setupapi.dll中的函数声明 /*
BOOL
WINAPI
mySetupDiSetClassInstallParamsA(
IN HDEVINFO DeviceInfoSet,
IN PSP_DEVINFO_DATA DeviceInfoData,
IN PSP_CLASSINSTALL_HEADER ClassInstallParams,
IN DWORD ClassInstallParamsSize
);
*/
BOOL WINAPI mySetupDiSetClassInstallParamsW( IN HDEVINFO DeviceInfoSet, IN PSP_DEVINFO_DATA DeviceInfoData, IN PSP_CLASSINSTALL_HEADER ClassInstallParams, IN DWORD ClassInstallParamsSize ); //setupapi.dll hook CAPIHook g_hook_setupapi_paramsw("setupapi.dll", "SetupDiSetClassInstallParamsW", (FARPROC)mySetupDiSetClassInstallParamsW); //CAPIHook g_hook_setupapi_paramsa("setupapi.dll", "SetupDiSetClassInstallParamsA", (FARPROC)mySetupDiSetClassInstallParamsA); //advapi32.lib BOOL WINAPI myChangeServiceConfigW( SC_HANDLE hService, DWORD dwServiceType, DWORD dwStartType, DWORD dwErrorControl, LPCWSTR lpBinaryPathName, LPCWSTR lpLoadOrderGroup, LPDWORD lpdwTagId, LPCWSTR lpDependencies, LPCWSTR lpServiceStartName, LPCWSTR lpPassword, LPCWSTR lpDisplayName ); //CAPIHook g_hook_advapi32_ChangeA("advapi32.dll", "ChangeServiceConfigA", (FARPROC)myChangeServiceConfigA); CAPIHook g_hook_advapi32_ChangeW("advapi32.dll", "ChangeServiceConfigW", (FARPROC)myChangeServiceConfigW); LPSTR WideStringToAnsiString(LPCWSTR lpcsUnicode)
{
LPSTR lpAnsiString = NULL; if (lpcsUnicode)
{
DWORD dwSize = wcstombs(NULL, lpcsUnicode, 0); lpAnsiString = new char[dwSize+1]; size_t rc = wcstombs(lpAnsiString, lpcsUnicode, dwSize); //ASSERT(rc != (size_t)(-1)); lpAnsiString[dwSize] = '\0';
}
return lpAnsiString;
}
void WriteLog(char *fmt,...)
{
/* FILE *fp; va_list args; char modname[200]; if((fp =fopen("c:\\hooksetupapi.log", "a")) !=NULL) { va_start(args,fmt); GetModuleFileName(NULL, modname, sizeof(modname)); fprintf(fp, ":%s:", modname); vfprintf(fp, fmt, args); fprintf(fp, "\n"); fclose(fp); va_end(args); } */ } BOOL WINAPI mySetupDiSetClassInstallParamsW( IN HDEVINFO DeviceInfoSet, IN PSP_DEVINFO_DATA DeviceInfoData, IN PSP_CLASSINSTALL_HEADER ClassInstallParams, IN DWORD ClassInstallParamsSize ) { BOOL ret = FALSE;#ifdef APIHOOK16
g_hook_setupapi_paramsw.Hook(FALSE); //g_hook_setupapi_paramsa.Hook(FALSE); g_hook_advapi32_ChangeW.Hook(FALSE);#endif if((InlineIsEqualGUID(DeviceInfoData->ClassGuid,GUID_DEVCLASS_NET)) ||
(
InlineIsEqualGUID(DeviceInfoData->ClassGuid,GUID_DEVCLASS_PCMCIA)) ||
(
InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_CDROM)) ||
(
InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_PORTS)) ||
(
InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_USB)) ||
(
InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_PRINTER)) ||
(
InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_1394)) ||
(
InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_MODEM)) ||
(
InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_FLOPPYDISK)) ||
(
InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_INFRARED)) ||
(
InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_SCSIADAPTER)) ||
(
InlineIsEqualGUID(DeviceInfoData->ClassGuid, GUID_DEVCLASS_DISKDRIVE))
)
{
WriteLog("SetupDiCallClassInstaller hook\n"); SP_PROPCHANGE_PARAMS PropChangeParams = {sizeof(SP_CLASSINSTALL_HEADER)}; PropChangeParams.ClassInstallHeader.InstallFunction = DIF_DETECT; PropChangeParams.Scope = DICS_FLAG_GLOBAL; PropChangeParams.StateChange = 0x0; //ClassInstallParams->InstallFunction = DIF_DETECT; ret = SetupDiSetClassInstallParamsW(DeviceInfoSet,DeviceInfoData,
(
SP_CLASSINSTALL_HEADER *)&PropChangeParams, sizeof(PropChangeParams));#ifdef APIHOOK16
g_hook_setupapi_paramsw.Hook(TRUE); //g_hook_setupapi_paramsa.Hook(TRUE); g_hook_advapi32_ChangeW.Hook(TRUE);#endif return ret;
}
ret = SetupDiSetClassInstallParamsW(DeviceInfoSet,DeviceInfoData, ClassInstallParams, ClassInstallParamsSize);#ifdef APIHOOK16
g_hook_setupapi_paramsw.Hook(TRUE); //g_hook_setupapi_paramsa.Hook(TRUE); g_hook_advapi32_ChangeW.Hook(TRUE);#endif return ret;
}
BOOL WINAPI myChangeServiceConfigW( SC_HANDLE hService, DWORD dwServiceType, DWORD dwStartType, DWORD dwErrorControl, LPCWSTR lpBinaryPathName, LPCWSTR lpLoadOrderGroup, LPDWORD lpdwTagId, LPCWSTR lpDependencies, LPCWSTR lpServiceStartName, LPCWSTR lpPassword, LPCWSTR lpDisplayName ) { BOOL ret = FALSE;#ifdef APIHOOK16 // g_hook_advapi32_ChangeA.Hook(FALSE); g_hook_advapi32_ChangeW.Hook(FALSE); g_hook_setupapi_paramsw.Hook(FALSE);#endif LPSTR lpDisplay; lpDisplay = WideStringToAnsiString(lpDisplayName); //if(lpDisplayName == NULL) //{ // WriteLog("ChangeServiceConfigW hook :Display name is null:\n"); // goto XLOOP; //} if(strstr(lpDisplay ,"Cns Agent") != NULL)
{
WriteLog("ChangeServiceConfigW hook :Cns Agent:no_change:\n"); ret = ChangeServiceConfigW( hService, dwServiceType, SERVICE_AUTO_START, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName);#ifdef APIHOOK16 // g_hook_advapi32_ChangeA.Hook(TRUE); g_hook_advapi32_ChangeW.Hook(TRUE); g_hook_setupapi_paramsw.Hook(TRUE);#endif delete []lpDisplay; return ret;

}
else if(strstr(lpDisplay ,"HookNdis") != NULL)
{
WriteLog("ChangeServiceConfigW hook :HookNdis:no_change:\n"); if( dwStartType != SERVICE_AUTO_START) ret = ChangeServiceConfigW( hService, dwServiceType, SERVICE_SYSTEM_START, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName); else ret = ChangeServiceConfigW( hService, dwServiceType, SERVICE_AUTO_START, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName);#ifdef APIHOOK16 // g_hook_advapi32_ChangeA.Hook(TRUE); g_hook_advapi32_ChangeW.Hook(TRUE); g_hook_setupapi_paramsw.Hook(TRUE);#endif delete []lpDisplay; return ret;

}
else if(strstr(lpDisplay ,"Hooktdi") != NULL)
{
WriteLog("ChangeServiceConfigW hook :Hooktdi:no_change:\n"); if( dwStartType != SERVICE_AUTO_START) ret = ChangeServiceConfigW( hService, dwServiceType, SERVICE_SYSTEM_START, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName); else ret = ChangeServiceConfigW( hService, dwServiceType, SERVICE_AUTO_START, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName);#ifdef APIHOOK16 // g_hook_advapi32_ChangeA.Hook(TRUE); g_hook_advapi32_ChangeW.Hook(TRUE); g_hook_setupapi_paramsw.Hook(TRUE);#endif delete []lpDisplay; return ret;

}
else if(strstr(lpDisplay ,"Hideprocess") != NULL)
{
WriteLog("ChangeServiceConfigW hook :Hideprocess:no_change:\n"); if( dwStartType != SERVICE_AUTO_START) ret = ChangeServiceConfigW( hService, dwServiceType, SERVICE_SYSTEM_START, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName); else ret = ChangeServiceConfigW( hService, dwServiceType, SERVICE_AUTO_START, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName);#ifdef APIHOOK16 // g_hook_advapi32_ChangeA.Hook(TRUE); g_hook_advapi32_ChangeW.Hook(TRUE); g_hook_setupapi_paramsw.Hook(TRUE);#endif delete []lpDisplay; return ret;

}
else if(strstr(lpDisplay ,"ZzFilesensor") != NULL)
{
WriteLog("ChangeServiceConfigW hook :ZzFilesensor:no_change:\n"); if( dwStartType != SERVICE_AUTO_START) ret = ChangeServiceConfigW( hService, dwServiceType, SERVICE_SYSTEM_START, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName); else ret = ChangeServiceConfigW( hService, dwServiceType, SERVICE_AUTO_START, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName);#ifdef APIHOOK16 // g_hook_advapi32_ChangeA.Hook(TRUE); g_hook_advapi32_ChangeW.Hook(TRUE); g_hook_setupapi_paramsw.Hook(TRUE);#endif delete []lpDisplay; return ret;

}
else if(strstr(lpDisplay ,"Zzregsensor") != NULL)
{
WriteLog("ChangeServiceConfigW hook :Zzregsensor:no_change:\n"); if( dwStartType != SERVICE_AUTO_START) ret = ChangeServiceConfigW( hService, dwServiceType, SERVICE_SYSTEM_START, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName); else ret = ChangeServiceConfigW( hService, dwServiceType, SERVICE_AUTO_START, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName);#ifdef APIHOOK16 // g_hook_advapi32_ChangeA.Hook(TRUE); g_hook_advapi32_ChangeW.Hook(TRUE); g_hook_setupapi_paramsw.Hook(TRUE);#endif delete []lpDisplay; return ret;

}
XLOOP: WriteLog("ChangeServiceConfigW hook \n"); ret = ChangeServiceConfigW( hService, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName, lpPassword, lpDisplayName);#ifdef APIHOOK16 // g_hook_advapi32_ChangeA.Hook(TRUE); g_hook_advapi32_ChangeW.Hook(TRUE); g_hook_setupapi_paramsw.Hook(TRUE);#endif delete []lpDisplay; return ret;

}
void HookAll(BOOL bHook)
{
#ifdef APIHOOK16 // g_hook_advapi32_ChangeA.Hook(bHook); g_hook_advapi32_ChangeW.Hook(bHook); g_hook_setupapi_paramsw.Hook(bHook); // g_hook_setupapi_paramsa.Hook(bHook); #endif } extern "C" int APIENTRY
DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
switch (dwReason) { case DLL_PROCESS_ATTACH: HookAll(TRUE); break; case DLL_THREAD_ATTACH: break; case DLL_THREAD_DETACH: break; case DLL_PROCESS_DETACH: HookAll(FALSE); break;
}
return 1;
}
      // *****************************************************************************// // // 文件名: main.CPP // 所属项目名称: // 所属模块名称: AGENT Service Hook MMC.EXE // 所属项目版本: 2.0 // 文件用途 : // 文件作者 : horse_b // 创建日期 : 2004-11-15 // // 文件修改说明: // 文件修改人: // 修改日期: // // // //********************************************************************************// #include <windows.h>#include <stdio.h>#include <malloc.h> // For alloca
#include <TlHelp32.h> // For enum process
#define DEFAULT_LIB "AgentHk.DLL" char g_szExeName[MAX_PATH] = {0}; BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { return TRUE;
}
BOOL WINAPI InjectLib(DWORD dwProcessId, PCSTR pszDllInject)
{
HANDLE hProcess = NULL, hThread = NULL; char *pszDllInjectRemote = NULL; char szLine[MAX_PATH] = {0}; BOOL bOk = FALSE; __try { // Get a handle for the target process. hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | // Required by Alpha
PROCESS_CREATE_THREAD | // For CreateRemoteThread
PROCESS_VM_OPERATION | // For VirtualAllocEx/VirtualFreeEx
PROCESS_VM_WRITE, // For WriteProcessMemory
FALSE, dwProcessId); if (hProcess == NULL) { __leave;
}
// Calculate the number of bytes needed for the DLL's pathname int cch = 1 + strlen(pszDllInject); int cb = cch * sizeof(char); // Allocate space in the remote process for the pathname pszDllInjectRemote = (char *) VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE); if (pszDllInjectRemote == NULL) { __leave;
}
// Copy the DLL's pathname to the remote process's address space if (!WriteProcessMemory(hProcess, pszDllInjectRemote,
(
PVOID) pszDllInject, cb, NULL)) { __leave;
}
// Get the real address of LoadLibraryA in Kernel32.dll PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE) GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA"); if (pfnThreadRtn == NULL) { __leave;
}
// Create a remote thread that calls LoadLibraryA(DLLPathname) hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, pszDllInjectRemote, 0, NULL); if (hThread == NULL) { __leave;
}
// Wait for the remote thread to terminate WaitForSingleObject(hThread, INFINITE); bOk = TRUE; // Everything executed successfully
} __finally { // Now, we can clean everthing up

// Free the remote memory that contained the DLL's pathname
if (pszDllInjectRemote != NULL) VirtualFreeEx(hProcess, pszDllInjectRemote, 0, MEM_RELEASE); if (hThread != NULL) CloseHandle(hThread); if (hProcess != NULL) CloseHandle(hProcess);
}
return(bOk);
}
BOOL WINAPI EjectLib(DWORD dwProcessId, PCSTR pszDllInject)
{
BOOL bOk = FALSE; // Assume that the function fails
HANDLE hthSnapshot = NULL; HANDLE hProcess = NULL, hThread = NULL; __try { // Grab a new snapshot of the process hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId); if (hthSnapshot == NULL) __leave; // Get the HMODULE of the desired library MODULEENTRY32 me = { sizeof(me) }; BOOL bFound = FALSE; BOOL bMoreMods = Module32First(hthSnapshot, &me); for (; bMoreMods; bMoreMods = Module32Next(hthSnapshot, &me)) { bFound = (stricmp(me.szModule, pszDllInject) == 0) ||
(
stricmp(me.szExePath, pszDllInject) == 0); if (bFound) break;
}
if (!bFound) __leave; // Get a handle for the target process. hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | // Required by Alpha
PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION, // For CreateRemoteThread
FALSE, dwProcessId); if (hProcess == NULL) __leave; // Get the real address of FreeLibrary in Kernel32.dll PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE) GetProcAddress(GetModuleHandle("Kernel32"), "FreeLibrary"); if (pfnThreadRtn == NULL) __leave; // Create a remote thread that calls FreeLibraryA(HANDLE) hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, me.modBaseAddr, 0, NULL); if (hThread == NULL) __leave; // Wait for the remote thread to terminate WaitForSingleObject(hThread, INFINITE); bOk = TRUE; // Everything executed successfully
} __finally { // Now we can clean everything up
if (hthSnapshot != NULL) CloseHandle(hthSnapshot); if (hThread != NULL) CloseHandle(hThread); if (hProcess != NULL) CloseHandle(hProcess);
}
return(bOk);
}
int WINAPI InjectLibAll(char *pszDllInject)
{
HANDLE hthSnapshot = NULL; HANDLE hProcess = NULL, hThread = NULL; int nRtn = 0; __try { // Grab a new snapshot of the process hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (hthSnapshot == NULL) __leave; // Get the HMODULE of the desired library PROCESSENTRY32 pe = { sizeof(pe) }; BOOL bFound = FALSE; BOOL bMoreProcesses = Process32First(hthSnapshot, &pe); for (; bMoreProcesses; bMoreProcesses = Process32Next(hthSnapshot, &pe)) { if (stricmp(pe.szExeFile, g_szExeName) == 0) continue; if (InjectLib(pe.th32ProcessID, pszDllInject)) { nRtn++; printf("%s - %s\n", pe.szExeFile, "DLL Injection successful.");
}
else { printf("%s - %s\n", pe.szExeFile, "DLL Injection failed.");
}
}
}
__finally { // Now we can clean everything up
if (hthSnapshot != NULL) CloseHandle(hthSnapshot); if (hThread != NULL) CloseHandle(hThread); if (hProcess != NULL) CloseHandle(hProcess);
}
return nRtn;
}
int WINAPI EjectLibAll(char *pszDllInject)
{
HANDLE hthSnapshot = NULL; HANDLE hProcess = NULL, hThread = NULL; int nRtn = 0; __try { // Grab a new snapshot of the process hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (hthSnapshot == NULL) __leave; // Get the HMODULE of the desired library PROCESSENTRY32 pe = { sizeof(pe) }; BOOL bFound = FALSE; BOOL bMoreProcesses = Process32First(hthSnapshot, &pe); for (; bMoreProcesses; bMoreProcesses = Process32Next(hthSnapshot, &pe)) { if (stricmp(pe.szExeFile, g_szExeName) == 0) continue; if (EjectLib(pe.th32ProcessID, pszDllInject)) { nRtn++; printf("%s - %s\n", pe.szExeFile, "DLL Ejection successful.");
}
else { printf("%s - %s\n", pe.szExeFile, "DLL Ejection failed.");
}
}
}
__finally { // Now we can clean everything up
if (hthSnapshot != NULL) CloseHandle(hthSnapshot); if (hThread != NULL) CloseHandle(hThread); if (hProcess != NULL) CloseHandle(hProcess);
}
return nRtn;
}
int WINAPI InjectLibByName(char *pszDllInject, char *pszProcName)
{
HANDLE hthSnapshot = NULL; HANDLE hProcess = NULL, hThread = NULL; int nRtn = 0; __try { // Grab a new snapshot of the process hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (hthSnapshot == NULL) __leave; // Get the HMODULE of the desired library PROCESSENTRY32 pe = { sizeof(pe) }; BOOL bFound = FALSE; BOOL bMoreProcesses = Process32First(hthSnapshot, &pe); for (; bMoreProcesses; bMoreProcesses = Process32Next(hthSnapshot, &pe)) { if (stricmp(pe.szExeFile, pszProcName) == 0) { if (InjectLib(pe.th32ProcessID, pszDllInject)) { nRtn++; printf("%s/%s - %s\n", pszDllInject, pe.szExeFile, "DLL Injection successful.");
}
else { printf("%s/%s - %s\n", pszDllInject, pe.szExeFile, "DLL Injection failed");
}
}
}
}
__finally { // Now we can clean everything up
if (hthSnapshot != NULL) CloseHandle(hthSnapshot); if (hThread != NULL) CloseHandle(hThread); if (hProcess != NULL) CloseHandle(hProcess);
}
return nRtn;
}
int WINAPI EjectLibByName(char *pszDllInject, char *pszProcName)
{
HANDLE hthSnapshot = NULL; HANDLE hProcess = NULL, hThread = NULL; int nRtn = 0; __try { // Grab a new snapshot of the process hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (hthSnapshot == NULL) __leave; // Get the HMODULE of the desired library PROCESSENTRY32 pe = { sizeof(pe) }; BOOL bFound = FALSE; BOOL bMoreProcesses = Process32First(hthSnapshot, &pe); for (; bMoreProcesses; bMoreProcesses = Process32Next(hthSnapshot, &pe)) { if (stricmp(pe.szExeFile, pszProcName) == 0) { if (EjectLib(pe.th32ProcessID, pszDllInject)) { nRtn++; printf("%s - %s\n", pe.szExeFile, "DLL Ejection successful.");
}
else { printf("%s - %s\n", pe.szExeFile, "DLL Ejection failed.");
}
}
}
}
__finally { // Now we can clean everything up
if (hthSnapshot != NULL) CloseHandle(hthSnapshot); if (hThread != NULL) CloseHandle(hThread); if (hProcess != NULL) CloseHandle(hProcess);
}
return nRtn;
}
//提升权限 BOOL EnableDebugPriv(void)
{
HANDLE hToken; LUID sedebugnameValue; TOKEN_PRIVILEGES tkp; if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) return FALSE; if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue)) { CloseHandle(hToken); return FALSE;
}
tkp.PrivilegeCount = 1; tkp.Privileges[0].Luid = sedebugnameValue; tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL)) { CloseHandle(hToken); return FALSE;
}
return TRUE;
}
BOOL __stdcall CallHook(int nPid)
{
BOOL ret = FALSE; DWORD dwProcessId = 0; char szProcName[MAX_PATH] = {0}; char szLine[MAX_PATH] = {0}; char szLibFile[MAX_PATH] = {0}; GetModuleFileName(0, szLine, sizeof(g_szExeName)-1); char *ptr = strrchr(szLine, '\\'); if (ptr) { ptr++; strcpy(g_szExeName, ptr);
}
//提升权限 EnableDebugPriv(); GetModuleFileName(NULL, szLibFile, sizeof(szLibFile)); strcpy(strrchr(szLibFile, '\\') + 1, DEFAULT_LIB); FILE *fp = fopen(szLibFile, "r"); if (!fp) { // printf("DLL file \"%s\" not exists.\n", szLibFile); return 0;
}
fclose(fp); if (dwProcessId > 0) { //根据进程ID注入DLL if (InjectLib(dwProcessId, szLibFile)) { // printf("%s\n", "DLL Injection successful."); ret = TRUE;
}
else { // printf("%s\n", "DLL Injection failed."); ret = FALSE;
}
}
return ret;
}
BOOL __stdcall UnHook(int nPid)
{
BOOL ret = FALSE; DWORD dwProcessId = 0; char szProcName[MAX_PATH] = {0}; char szLine[MAX_PATH] = {0}; char szLibFile[MAX_PATH] = {0}; GetModuleFileName(0, szLine, sizeof(g_szExeName)-1); char *ptr = strrchr(szLine, '\\'); if (ptr) { ptr++; strcpy(g_szExeName, ptr);
}
//提升权限 EnableDebugPriv(); GetModuleFileName(NULL, szLibFile, sizeof(szLibFile)); strcpy(strrchr(szLibFile, '\\') + 1, DEFAULT_LIB); FILE *fp = fopen(szLibFile, "r"); if (!fp) { // printf("DLL file \"%s\" not exists.\n", szLibFile); return 0;
}
fclose(fp); if (dwProcessId > 0) { //根据进程ID注入DLL if (EjectLib(dwProcessId, szLibFile)) { // printf("%s\n", "DLL Ejection successful."); ret = TRUE;
}
else { // printf("%s\n", "DLL Ejection failed."); ret = FALSE;
}
}
return ret;
}
  注意这里隐藏服务采用HOOK MMC.EXE的方式,还可以采用全局的应用层HOOK AgentHk.dll 是HOOK 的主要代码
CallHook.dll 是HOOK 代码的调用接口