应用层隐藏服务的项目 2006-03-28
HideService
　

// *****************************************************************************//
//
// 文件名: AgentHk.cpp
// 所属项目名称：
// 所属模块名称： AGENT Service Hook
// 所属项目版本： 2.0
// 文件用途 :
// 文件作者 : horse_b
// 创建日期 : 2004-11-30
//
// 文件修改说明：
// 文件修改人：
// 修改日期：
//
//
//
//********************************************************************************//
#include <stdio.h>#include <tchar.h> // Make program ansi AND unicode safe
#include <windows.h> // Most Windows functions
#include <commctrl.h> // Used for TreeView controls
#include <setupapi.h> // Used for SetupDiXxx functions
#include <basetsd.h>#include <cfgmgr32.h> // Used for CM_Xxxx functions
#include <regstr.h> // Extract Registry Strings
#include <devguid.h>


//API HOOK方式
#define APIHOOK16

#ifdef APIHOOK16
#include "apihook16.h"#define CAPIHook CAPIHook16
#else#include "apihook32.h"#define CAPIHook CAPIHook32
#endif#pragma comment(lib, "setupapi.lib")#pragma comment(lib, "advapi32.lib")

//setupapi.dll中的函数声明
/*
BOOL
WINAPI
mySetupDiSetClassInstallParamsA(
IN HDEVINFO DeviceInfoSet,
IN PSP_DEVINFO_DATA DeviceInfoData,
IN PSP_CLASSINSTALL_HEADER ClassInstallParams,
IN DWORD ClassInstallParamsSize
);
*/

BOOL
WINAPI
mySetupDiSetClassInstallParamsW(
IN HDEVINFO DeviceInfoSet,
IN PSP_DEVINFO_DATA DeviceInfoData,
IN PSP_CLASSINSTALL_HEADER ClassInstallParams,
IN DWORD ClassInstallParamsSize
);


//setupapi.dll hook
CAPIHook g_hook_setupapi_paramsw("setupapi.dll", "SetupDiSetClassInstallParamsW", (FARPROC)mySetupDiSetClassInstallParamsW);
//CAPIHook g_hook_setupapi_paramsa("setupapi.dll", "SetupDiSetClassInstallParamsA", (FARPROC)mySetupDiSetClassInstallParamsA);

//advapi32.lib
BOOL
WINAPI
myChangeServiceConfigW(
SC_HANDLE hService,
DWORD dwServiceType,
DWORD dwStartType,
DWORD dwErrorControl,
LPCWSTR lpBinaryPathName,
LPCWSTR lpLoadOrderGroup,
LPDWORD lpdwTagId,
LPCWSTR lpDependencies,
LPCWSTR lpServiceStartName,
LPCWSTR lpPassword,
LPCWSTR lpDisplayName
);

 

//CAPIHook g_hook_advapi32_ChangeA("advapi32.dll", "ChangeServiceConfigA", (FARPROC)myChangeServiceConfigA);
CAPIHook g_hook_advapi32_ChangeW("advapi32.dll", "ChangeServiceConfigW", (FARPROC)myChangeServiceConfigW);

LPSTR WideStringToAnsiString(LPCWSTR lpcsUnicode)
{
LPSTR lpAnsiString = NULL;

if (lpcsUnicode)
{
DWORD dwSize = wcstombs(NULL, lpcsUnicode, 0);
lpAnsiString = new char[dwSize+1];
size_t rc = wcstombs(lpAnsiString, lpcsUnicode, dwSize);
//ASSERT(rc != (size_t)(-1));
lpAnsiString[dwSize] = '\0';
}

return lpAnsiString;
}

void WriteLog(char *fmt,...)
{
/*
FILE *fp;
va_list args;
char modname[200];

if((fp =fopen("c:\\hooksetupapi.log", "a")) !=NULL)
{
va_start(args,fmt);

GetModuleFileName(NULL, modname, sizeof(modname));
fprintf(fp, ":%s:", modname);
vfprintf(fp, fmt, args);
fprintf(fp, "\n");
fclose(fp);

va_end(args);
}
*/

}

BOOL
WINAPI
mySetupDiSetClassInstallParamsW(
IN HDEVINFO DeviceInfoSet,
IN PSP_DEVINFO_DATA DeviceInfoData,
IN PSP_CLASSINSTALL_HEADER ClassInstallParams,
IN DWORD ClassInstallParamsSize
)
{
BOOL ret = FALSE;#ifdef APIHOOK16
g_hook_setupapi_paramsw.Hook(FALSE);
//g_hook_setupapi_paramsa.Hook(FALSE);
g_hook_advapi32_ChangeW.Hook(FALSE);#endif
if((InlineIsEqualGUID(DeviceInfoData->ClassGuid,GUID_DEVCLASS_NET)) ||
(InlineIsEqualGUID(DeviceInfoData->ClassGuid,GUID_DEVCLASS_PCMCIA)) ||
(InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_CDROM)) ||
(InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_PORTS)) ||
(InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_USB)) ||
(InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_PRINTER)) ||
(InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_1394)) ||
(InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_MODEM)) ||
(InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_FLOPPYDISK)) ||
(InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_INFRARED)) ||
(InlineIsEqualGUID(DeviceInfoData->ClassGuid , GUID_DEVCLASS_SCSIADAPTER)) ||
(InlineIsEqualGUID(DeviceInfoData->ClassGuid, GUID_DEVCLASS_DISKDRIVE))
)
{

WriteLog("SetupDiCallClassInstaller hook\n");
SP_PROPCHANGE_PARAMS PropChangeParams = {sizeof(SP_CLASSINSTALL_HEADER)};

PropChangeParams.ClassInstallHeader.InstallFunction = DIF_DETECT;
PropChangeParams.Scope = DICS_FLAG_GLOBAL;
PropChangeParams.StateChange = 0x0;

//ClassInstallParams->InstallFunction = DIF_DETECT;
ret = SetupDiSetClassInstallParamsW(DeviceInfoSet,DeviceInfoData,
(SP_CLASSINSTALL_HEADER *)&PropChangeParams,
sizeof(PropChangeParams));#ifdef APIHOOK16
g_hook_setupapi_paramsw.Hook(TRUE);
//g_hook_setupapi_paramsa.Hook(TRUE);
g_hook_advapi32_ChangeW.Hook(TRUE);#endif

return ret;
}

ret = SetupDiSetClassInstallParamsW(DeviceInfoSet,DeviceInfoData,
ClassInstallParams,
ClassInstallParamsSize);#ifdef APIHOOK16
g_hook_setupapi_paramsw.Hook(TRUE);
//g_hook_setupapi_paramsa.Hook(TRUE);
g_hook_advapi32_ChangeW.Hook(TRUE);#endif

 

return ret;
}


BOOL
WINAPI
myChangeServiceConfigW(
SC_HANDLE hService,
DWORD dwServiceType,
DWORD dwStartType,
DWORD dwErrorControl,
LPCWSTR lpBinaryPathName,
LPCWSTR lpLoadOrderGroup,
LPDWORD lpdwTagId,
LPCWSTR lpDependencies,
LPCWSTR lpServiceStartName,
LPCWSTR lpPassword,
LPCWSTR lpDisplayName
)
{
BOOL ret = FALSE;#ifdef APIHOOK16
// g_hook_advapi32_ChangeA.Hook(FALSE);
g_hook_advapi32_ChangeW.Hook(FALSE);
g_hook_setupapi_paramsw.Hook(FALSE);#endif

LPSTR lpDisplay;

lpDisplay = WideStringToAnsiString(lpDisplayName);
//if(lpDisplayName == NULL)
//{
// WriteLog("ChangeServiceConfigW hook :Display name is null:\n");
// goto XLOOP;
//}

if(strstr(lpDisplay ,"Cns Agent") != NULL)
{

WriteLog("ChangeServiceConfigW hook :Cns Agent:no_change:\n");


ret = ChangeServiceConfigW(
hService,
dwServiceType,
SERVICE_AUTO_START,
dwErrorControl,
lpBinaryPathName,
lpLoadOrderGroup,
lpdwTagId,
lpDependencies,
lpServiceStartName,
lpPassword,
lpDisplayName);#ifdef APIHOOK16
// g_hook_advapi32_ChangeA.Hook(TRUE);
g_hook_advapi32_ChangeW.Hook(TRUE);
g_hook_setupapi_paramsw.Hook(TRUE);#endif

delete []lpDisplay;
return ret;

}
else if(strstr(lpDisplay ,"HookNdis") != NULL)
{

WriteLog("ChangeServiceConfigW hook :HookNdis:no_change:\n");

if( dwStartType != SERVICE_AUTO_START)
ret = ChangeServiceConfigW(
hService,
dwServiceType,
SERVICE_SYSTEM_START,
dwErrorControl,
lpBinaryPathName,
lpLoadOrderGroup,
lpdwTagId,
lpDependencies,
lpServiceStartName,
lpPassword,
lpDisplayName);
else
ret = ChangeServiceConfigW(
hService,
dwServiceType,
SERVICE_AUTO_START,
dwErrorControl,
lpBinaryPathName,
lpLoadOrderGroup,
lpdwTagId,
lpDependencies,
lpServiceStartName,
lpPassword,
lpDisplayName);#ifdef APIHOOK16
// g_hook_advapi32_ChangeA.Hook(TRUE);
g_hook_advapi32_ChangeW.Hook(TRUE);
g_hook_setupapi_paramsw.Hook(TRUE);#endif
delete []lpDisplay;
return ret;

}

else if(strstr(lpDisplay ,"Hooktdi") != NULL)
{

WriteLog("ChangeServiceConfigW hook :Hooktdi:no_change:\n");

if( dwStartType != SERVICE_AUTO_START)
ret = ChangeServiceConfigW(
hService,
dwServiceType,
SERVICE_SYSTEM_START,
dwErrorControl,
lpBinaryPathName,
lpLoadOrderGroup,
lpdwTagId,
lpDependencies,
lpServiceStartName,
lpPassword,
lpDisplayName);
else
ret = ChangeServiceConfigW(
hService,
dwServiceType,
SERVICE_AUTO_START,
dwErrorControl,
lpBinaryPathName,
lpLoadOrderGroup,
lpdwTagId,
lpDependencies,
lpServiceStartName,
lpPassword,
lpDisplayName);#ifdef APIHOOK16
// g_hook_advapi32_ChangeA.Hook(TRUE);
g_hook_advapi32_ChangeW.Hook(TRUE);
g_hook_setupapi_paramsw.Hook(TRUE);#endif
delete []lpDisplay;
return ret;

}

else if(strstr(lpDisplay ,"Hideprocess") != NULL)
{

WriteLog("ChangeServiceConfigW hook :Hideprocess:no_change:\n");

if( dwStartType != SERVICE_AUTO_START)
ret = ChangeServiceConfigW(
hService,
dwServiceType,
SERVICE_SYSTEM_START,
dwErrorControl,
lpBinaryPathName,
lpLoadOrderGroup,
lpdwTagId,
lpDependencies,
lpServiceStartName,
lpPassword,
lpDisplayName);
else
ret = ChangeServiceConfigW(
hService,
dwServiceType,
SERVICE_AUTO_START,
dwErrorControl,
lpBinaryPathName,
lpLoadOrderGroup,
lpdwTagId,
lpDependencies,
lpServiceStartName,
lpPassword,
lpDisplayName);#ifdef APIHOOK16
// g_hook_advapi32_ChangeA.Hook(TRUE);
g_hook_advapi32_ChangeW.Hook(TRUE);
g_hook_setupapi_paramsw.Hook(TRUE);#endif
delete []lpDisplay;
return ret;

}

else if(strstr(lpDisplay ,"ZzFilesensor") != NULL)
{

WriteLog("ChangeServiceConfigW hook :ZzFilesensor:no_change:\n");

if( dwStartType != SERVICE_AUTO_START)
ret = ChangeServiceConfigW(
hService,
dwServiceType,
SERVICE_SYSTEM_START,
dwErrorControl,
lpBinaryPathName,
lpLoadOrderGroup,
lpdwTagId,
lpDependencies,
lpServiceStartName,
lpPassword,
lpDisplayName);
else
ret = ChangeServiceConfigW(
hService,
dwServiceType,
SERVICE_AUTO_START,
dwErrorControl,
lpBinaryPathName,
lpLoadOrderGroup,
lpdwTagId,
lpDependencies,
lpServiceStartName,
lpPassword,
lpDisplayName);#ifdef APIHOOK16
// g_hook_advapi32_ChangeA.Hook(TRUE);
g_hook_advapi32_ChangeW.Hook(TRUE);
g_hook_setupapi_paramsw.Hook(TRUE);#endif
delete []lpDisplay;
return ret;

}

else if(strstr(lpDisplay ,"Zzregsensor") != NULL)
{

WriteLog("ChangeServiceConfigW hook :Zzregsensor:no_change:\n");

if( dwStartType != SERVICE_AUTO_START)
ret = ChangeServiceConfigW(
hService,
dwServiceType,
SERVICE_SYSTEM_START,
dwErrorControl,
lpBinaryPathName,
lpLoadOrderGroup,
lpdwTagId,
lpDependencies,
lpServiceStartName,
lpPassword,
lpDisplayName);
else
ret = ChangeServiceConfigW(
hService,
dwServiceType,
SERVICE_AUTO_START,
dwErrorControl,
lpBinaryPathName,
lpLoadOrderGroup,
lpdwTagId,
lpDependencies,
lpServiceStartName,
lpPassword,
lpDisplayName);#ifdef APIHOOK16
// g_hook_advapi32_ChangeA.Hook(TRUE);
g_hook_advapi32_ChangeW.Hook(TRUE);
g_hook_setupapi_paramsw.Hook(TRUE);#endif
delete []lpDisplay;
return ret;

}

XLOOP:

WriteLog("ChangeServiceConfigW hook \n");

ret = ChangeServiceConfigW(
hService,
dwServiceType,
dwStartType,
dwErrorControl,
lpBinaryPathName,
lpLoadOrderGroup,
lpdwTagId,
lpDependencies,
lpServiceStartName,
lpPassword,
lpDisplayName);#ifdef APIHOOK16
// g_hook_advapi32_ChangeA.Hook(TRUE);
g_hook_advapi32_ChangeW.Hook(TRUE);
g_hook_setupapi_paramsw.Hook(TRUE);#endif
delete []lpDisplay;
return ret;

}


void HookAll(BOOL bHook)
{#ifdef APIHOOK16
// g_hook_advapi32_ChangeA.Hook(bHook);
g_hook_advapi32_ChangeW.Hook(bHook);

g_hook_setupapi_paramsw.Hook(bHook);
// g_hook_setupapi_paramsa.Hook(bHook);
#endif
}

extern "C" int APIENTRY
DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
switch (dwReason) {
case DLL_PROCESS_ATTACH:
HookAll(TRUE);
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
HookAll(FALSE);
break;
}
return 1;
}
　

　

　

// *****************************************************************************//
//
// 文件名: main.CPP
// 所属项目名称：
// 所属模块名称： AGENT Service Hook MMC.EXE
// 所属项目版本： 2.0
// 文件用途 :
// 文件作者 : horse_b
// 创建日期 : 2004-11-15
//
// 文件修改说明：
// 文件修改人：
// 修改日期：
//
//
//
//********************************************************************************//
#include <windows.h>#include <stdio.h>#include <malloc.h> // For alloca
#include <TlHelp32.h> // For enum process
#define DEFAULT_LIB "AgentHk.DLL"

char g_szExeName[MAX_PATH] = {0};

BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
return TRUE;
}


BOOL WINAPI InjectLib(DWORD dwProcessId, PCSTR pszDllInject)
{
HANDLE hProcess = NULL, hThread = NULL;
char *pszDllInjectRemote = NULL;
char szLine[MAX_PATH] = {0};
BOOL bOk = FALSE;

__try {
// Get a handle for the target process.
hProcess = OpenProcess(
PROCESS_QUERY_INFORMATION | // Required by Alpha
PROCESS_CREATE_THREAD | // For CreateRemoteThread
PROCESS_VM_OPERATION | // For VirtualAllocEx/VirtualFreeEx
PROCESS_VM_WRITE, // For WriteProcessMemory
FALSE, dwProcessId);
if (hProcess == NULL) {
__leave;
}

// Calculate the number of bytes needed for the DLL's pathname
int cch = 1 + strlen(pszDllInject);
int cb = cch * sizeof(char);

// Allocate space in the remote process for the pathname
pszDllInjectRemote = (char *)
VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
if (pszDllInjectRemote == NULL) {
__leave;
}

// Copy the DLL's pathname to the remote process's address space
if (!WriteProcessMemory(hProcess, pszDllInjectRemote,
(PVOID) pszDllInject, cb, NULL)) {
__leave;
}

// Get the real address of LoadLibraryA in Kernel32.dll
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA");
if (pfnThreadRtn == NULL) {
__leave;
}

// Create a remote thread that calls LoadLibraryA(DLLPathname)
hThread = CreateRemoteThread(hProcess, NULL, 0,
pfnThreadRtn, pszDllInjectRemote, 0, NULL);
if (hThread == NULL) {
__leave;
}

// Wait for the remote thread to terminate
WaitForSingleObject(hThread, INFINITE);

bOk = TRUE; // Everything executed successfully
}
__finally { // Now, we can clean everthing up

// Free the remote memory that contained the DLL's pathname
if (pszDllInjectRemote != NULL)
VirtualFreeEx(hProcess, pszDllInjectRemote, 0, MEM_RELEASE);

if (hThread != NULL)
CloseHandle(hThread);

if (hProcess != NULL)
CloseHandle(hProcess);
}

return(bOk);
}

BOOL WINAPI EjectLib(DWORD dwProcessId, PCSTR pszDllInject)
{
BOOL bOk = FALSE; // Assume that the function fails
HANDLE hthSnapshot = NULL;
HANDLE hProcess = NULL, hThread = NULL;

__try {
// Grab a new snapshot of the process
hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
if (hthSnapshot == NULL) __leave;

// Get the HMODULE of the desired library
MODULEENTRY32 me = { sizeof(me) };
BOOL bFound = FALSE;
BOOL bMoreMods = Module32First(hthSnapshot, &me);
for (; bMoreMods; bMoreMods = Module32Next(hthSnapshot, &me)) {
bFound = (stricmp(me.szModule, pszDllInject) == 0) ||
(stricmp(me.szExePath, pszDllInject) == 0);
if (bFound) break;
}
if (!bFound) __leave;

// Get a handle for the target process.
hProcess = OpenProcess(
PROCESS_QUERY_INFORMATION | // Required by Alpha
PROCESS_CREATE_THREAD |
PROCESS_VM_OPERATION, // For CreateRemoteThread
FALSE, dwProcessId);
if (hProcess == NULL) __leave;

// Get the real address of FreeLibrary in Kernel32.dll
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle("Kernel32"), "FreeLibrary");
if (pfnThreadRtn == NULL) __leave;

// Create a remote thread that calls FreeLibraryA(HANDLE)
hThread = CreateRemoteThread(hProcess, NULL, 0,
pfnThreadRtn, me.modBaseAddr, 0, NULL);
if (hThread == NULL) __leave;

// Wait for the remote thread to terminate
WaitForSingleObject(hThread, INFINITE);

bOk = TRUE; // Everything executed successfully
}
__finally { // Now we can clean everything up

if (hthSnapshot != NULL)
CloseHandle(hthSnapshot);

if (hThread != NULL)
CloseHandle(hThread);

if (hProcess != NULL)
CloseHandle(hProcess);
}

return(bOk);
}

int WINAPI InjectLibAll(char *pszDllInject)
{
HANDLE hthSnapshot = NULL;
HANDLE hProcess = NULL, hThread = NULL;
int nRtn = 0;

__try {
// Grab a new snapshot of the process
hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hthSnapshot == NULL) __leave;

// Get the HMODULE of the desired library
PROCESSENTRY32 pe = { sizeof(pe) };
BOOL bFound = FALSE;
BOOL bMoreProcesses = Process32First(hthSnapshot, &pe);
for (; bMoreProcesses; bMoreProcesses = Process32Next(hthSnapshot, &pe)) {
if (stricmp(pe.szExeFile, g_szExeName) == 0)
continue;
if (InjectLib(pe.th32ProcessID, pszDllInject)) {
nRtn++;
printf("%s - %s\n", pe.szExeFile, "DLL Injection successful.");
}
else {
printf("%s - %s\n", pe.szExeFile, "DLL Injection failed.");
}
}
}
__finally { // Now we can clean everything up

if (hthSnapshot != NULL)
CloseHandle(hthSnapshot);

if (hThread != NULL)
CloseHandle(hThread);

if (hProcess != NULL)
CloseHandle(hProcess);
}

return nRtn;
}

int WINAPI EjectLibAll(char *pszDllInject)
{
HANDLE hthSnapshot = NULL;
HANDLE hProcess = NULL, hThread = NULL;
int nRtn = 0;

__try {
// Grab a new snapshot of the process
hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hthSnapshot == NULL) __leave;

// Get the HMODULE of the desired library
PROCESSENTRY32 pe = { sizeof(pe) };
BOOL bFound = FALSE;
BOOL bMoreProcesses = Process32First(hthSnapshot, &pe);
for (; bMoreProcesses; bMoreProcesses = Process32Next(hthSnapshot, &pe)) {
if (stricmp(pe.szExeFile, g_szExeName) == 0)
continue;
if (EjectLib(pe.th32ProcessID, pszDllInject)) {
nRtn++;
printf("%s - %s\n", pe.szExeFile, "DLL Ejection successful.");
}
else {
printf("%s - %s\n", pe.szExeFile, "DLL Ejection failed.");
}
}
}
__finally { // Now we can clean everything up

if (hthSnapshot != NULL)
CloseHandle(hthSnapshot);

if (hThread != NULL)
CloseHandle(hThread);

if (hProcess != NULL)
CloseHandle(hProcess);
}

return nRtn;
}

int WINAPI InjectLibByName(char *pszDllInject, char *pszProcName)
{
HANDLE hthSnapshot = NULL;
HANDLE hProcess = NULL, hThread = NULL;
int nRtn = 0;

__try {
// Grab a new snapshot of the process
hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hthSnapshot == NULL) __leave;

// Get the HMODULE of the desired library
PROCESSENTRY32 pe = { sizeof(pe) };
BOOL bFound = FALSE;
BOOL bMoreProcesses = Process32First(hthSnapshot, &pe);
for (; bMoreProcesses; bMoreProcesses = Process32Next(hthSnapshot, &pe)) {
if (stricmp(pe.szExeFile, pszProcName) == 0) {
if (InjectLib(pe.th32ProcessID, pszDllInject)) {
nRtn++;
printf("%s/%s - %s\n", pszDllInject, pe.szExeFile, "DLL Injection successful.");
}
else {
printf("%s/%s - %s\n", pszDllInject, pe.szExeFile, "DLL Injection failed");
}
}
}
}
__finally { // Now we can clean everything up

if (hthSnapshot != NULL)
CloseHandle(hthSnapshot);

if (hThread != NULL)
CloseHandle(hThread);

if (hProcess != NULL)
CloseHandle(hProcess);
}

return nRtn;
}

int WINAPI EjectLibByName(char *pszDllInject, char *pszProcName)
{
HANDLE hthSnapshot = NULL;
HANDLE hProcess = NULL, hThread = NULL;
int nRtn = 0;

__try {
// Grab a new snapshot of the process
hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hthSnapshot == NULL) __leave;

// Get the HMODULE of the desired library
PROCESSENTRY32 pe = { sizeof(pe) };
BOOL bFound = FALSE;
BOOL bMoreProcesses = Process32First(hthSnapshot, &pe);
for (; bMoreProcesses; bMoreProcesses = Process32Next(hthSnapshot, &pe)) {
if (stricmp(pe.szExeFile, pszProcName) == 0) {
if (EjectLib(pe.th32ProcessID, pszDllInject)) {
nRtn++;
printf("%s - %s\n", pe.szExeFile, "DLL Ejection successful.");
}
else {
printf("%s - %s\n", pe.szExeFile, "DLL Ejection failed.");
}
}
}
}
__finally { // Now we can clean everything up

if (hthSnapshot != NULL)
CloseHandle(hthSnapshot);

if (hThread != NULL)
CloseHandle(hThread);

if (hProcess != NULL)
CloseHandle(hProcess);
}

return nRtn;
}

//提升权限
BOOL EnableDebugPriv(void)
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;

if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
return FALSE;
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue)) {
CloseHandle(hToken);
return FALSE;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL)) {
CloseHandle(hToken);
return FALSE;
}

return TRUE;
}

BOOL __stdcall CallHook(int nPid)
{
BOOL ret = FALSE;
DWORD dwProcessId = 0;
char szProcName[MAX_PATH] = {0};
char szLine[MAX_PATH] = {0};
char szLibFile[MAX_PATH] = {0};

GetModuleFileName(0, szLine, sizeof(g_szExeName)-1);
char *ptr = strrchr(szLine, '\\');
if (ptr) {
ptr++;
strcpy(g_szExeName, ptr);
}

//提升权限
EnableDebugPriv();

GetModuleFileName(NULL, szLibFile, sizeof(szLibFile));
strcpy(strrchr(szLibFile, '\\') + 1, DEFAULT_LIB);


FILE *fp = fopen(szLibFile, "r");
if (!fp) {
// printf("DLL file \"%s\" not exists.\n", szLibFile);
return 0;
}
fclose(fp);

if (dwProcessId > 0) {
//根据进程ID注入DLL
if (InjectLib(dwProcessId, szLibFile)) {
// printf("%s\n", "DLL Injection successful.");
ret = TRUE;
}
else {
// printf("%s\n", "DLL Injection failed.");
ret = FALSE;
}
}


return ret;
}

BOOL __stdcall UnHook(int nPid)
{

BOOL ret = FALSE;
DWORD dwProcessId = 0;
char szProcName[MAX_PATH] = {0};
char szLine[MAX_PATH] = {0};
char szLibFile[MAX_PATH] = {0};

GetModuleFileName(0, szLine, sizeof(g_szExeName)-1);
char *ptr = strrchr(szLine, '\\');
if (ptr) {
ptr++;
strcpy(g_szExeName, ptr);
}

//提升权限
EnableDebugPriv();

GetModuleFileName(NULL, szLibFile, sizeof(szLibFile));
strcpy(strrchr(szLibFile, '\\') + 1, DEFAULT_LIB);


FILE *fp = fopen(szLibFile, "r");
if (!fp) {
// printf("DLL file \"%s\" not exists.\n", szLibFile);
return 0;
}
fclose(fp);

if (dwProcessId > 0) {
//根据进程ID注入DLL
if (EjectLib(dwProcessId, szLibFile)) {
// printf("%s\n", "DLL Ejection successful.");
ret = TRUE;
}
else {
// printf("%s\n", "DLL Ejection failed.");
ret = FALSE;
}
}

return ret;
}
　
 
注意这里隐藏服务采用ＨＯＯＫ　ＭＭＣ．ＥＸＥ的方式，还可以采用全局的应用层ＨＯＯＫ
AgentHk.dll 是ＨＯＯＫ　的主要代码
CallHook.dll　是ＨＯＯＫ　代码的调用接口