
Detours使用

拦截文件创建

hook CreateFileA

#include <Windows.h>
#include <stdio.h>
#include <detours.h>
#pragma comment(lib,"detours.lib")

/* Signature of CreateFileA, so the trampoline pointer below reads cleanly. */
typedef HANDLE(WINAPI *CreateFileA_fn)(
    LPCSTR lpFileName,
    DWORD dwDesiredAccess,
    DWORD dwShareMode,
    LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    DWORD dwCreationDisposition,
    DWORD dwFlagsAndAttributes,
    HANDLE hTemplateFile);

/* Starts out as the real CreateFileA; hook() passes its address to
 * DetourAttach(), after which calling through it reaches the original code. */
CreateFileA_fn oldCreateFileA = CreateFileA;


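/*
 * Detour for CreateFileA.
 *
 * When lpFileName equals the hard-coded path below (case-insensitive
 * comparison via _strcmpi), the request is shown in a message box — which
 * blocks the calling thread until it is dismissed — and is then forwarded to
 * the original CreateFileA with an empty file name, which that API rejects, so
 * the caller sees a failed open instead of the real file. Every other request
 * is passed through untouched.
 *
 * Fix: callers of CreateFileA may hand us a NULL name, and _strcmpi() on NULL
 * triggers the CRT invalid-parameter handler; a hook must never take its host
 * down, so a NULL name now skips the comparison and lets the original API
 * report the proper error. The duplicated forwarding call is merged into one.
 *
 * Parameters and return value are those of CreateFileA; the original is
 * reached through oldCreateFileA (the Detours trampoline).
 */
HANDLE WINAPI MyCreateFileA(
    _In_ LPCSTR lpFileName,
    _In_ DWORD dwDesiredAccess,
    _In_ DWORD dwShareMode,
    _In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    _In_ DWORD dwCreationDisposition,
    _In_ DWORD dwFlagsAndAttributes,
    _In_opt_ HANDLE hTemplateFile
) {
    static const char kWatchedPath[] = "C:\\Users\\test\\Desktop\\testdemo.exe";

    if (lpFileName != NULL && _strcmpi(kWatchedPath, lpFileName) == 0) {
        char buf[1024] = { 0 };
        sprintf_s(buf, sizeof(buf), "拦截到创建文件请求:%s", lpFileName);
        MessageBoxA(0, buf, 0, 0);

        /* Substitute an empty name so the forwarded call fails for the caller. */
        lpFileName = "";
    }

    return oldCreateFileA(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
                          dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
}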
//挂钩
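/*
 * Install the CreateFileA detour.
 *
 * Runs one Detours transaction: begin, enlist the current thread, attach
 * MyCreateFileA in place of the function oldCreateFileA points to, commit.
 * Fix: the LONG results were ignored; each step is now checked and an attach
 * failure aborts the transaction explicitly so no half-applied patch remains.
 * hook() returns void, so a failed commit cannot be reported to the caller;
 * on failure Detours discards the pending patch and CreateFileA stays as it was.
 */
void hook() {
    if (DetourTransactionBegin() != NO_ERROR) {
        return;
    }
    DetourUpdateThread(GetCurrentThread());
    if (DetourAttach((void**)&oldCreateFileA, MyCreateFileA) != NO_ERROR) {
        DetourTransactionAbort();
        return;
    }
    DetourTransactionCommit();
}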
//脱钩
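/*
 * Remove the CreateFileA detour installed by hook().
 *
 * Bug fixed: this function called DetourAttach() a second time (a copy of
 * hook()), so the original CreateFileA was never restored. DetourDetach() is
 * the counterpart that undoes the attach. Return codes are checked the same
 * way as in hook().
 */
void unhook() {
    if (DetourTransactionBegin() != NO_ERROR) {
        return;
    }
    DetourUpdateThread(GetCurrentThread());
    if (DetourDetach((void**)&oldCreateFileA, MyCreateFileA) != NO_ERROR) {
        DetourTransactionAbort();
        return;
    }
    DetourTransactionCommit();
}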

//拦截创建的文件 CreateFileA
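/*
 * Demo driver: install the detour, then issue the exact CreateFileA request
 * the hook watches for so the interception can be observed.
 *
 * Fixes: main() now has the standard int return type, and the handle
 * CreateFileA returns is closed when the call succeeds (previously it leaked;
 * it does succeed whenever the detour did not take effect, since the file is
 * then really created). The detour stays installed until the process exits.
 *
 * Returns 0.
 */
int main(void) {
    hook();

    HANDLE h = CreateFileA("C:\\Users\\test\\Desktop\\testdemo.exe", GENERIC_ALL, 0, 0,
                           CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h != INVALID_HANDLE_VALUE) {
        CloseHandle(h);
    }

    return 0;
}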

hook防dll注入

hook LoadLibraryA和GetProcAddress

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include <Windows.h>
#include <stdio.h>
#include <detours.h>
#include <WtsApi32.h>
#pragma comment(lib,"WtsApi32.lib")
#pragma comment(lib,"detours.lib")

/* Signatures of the two loader APIs this DLL detours. */
typedef HMODULE(WINAPI *LoadLibraryA_fn)(LPCSTR lpLibFileName);
typedef FARPROC(WINAPI *GetProcAddress_fn)(HMODULE hModule, LPCSTR lpProcName);

/* Trampolines: initialised to the real functions; hook() hands their
 * addresses to DetourAttach(), after which they lead to the original code. */
LoadLibraryA_fn oldLoadLibraryA = LoadLibraryA;
GetProcAddress_fn oldGetProcAddress = GetProcAddress;


/*
 * Detour for LoadLibraryA.
 *
 * The requested module name is ignored; an empty name is forwarded to the
 * original API and its result returned. Because the check is unconditional,
 * every LoadLibraryA call in the host — including the host's own legitimate
 * loads — is answered this way, not only ones made by an injector.
 */
HMODULE WINAPI MyLoadLibraryA(LPCSTR lpLibFileName) {
    (void)lpLibFileName;  /* deliberately unused */
    HMODULE result = oldLoadLibraryA("");
    return result;
}

/*
 * Detour for GetProcAddress.
 *
 * Both arguments are ignored; the original API is asked for an empty export
 * name in a NULL module and whatever it returns is handed back. As with
 * MyLoadLibraryA this applies to every caller in the process, so any export
 * lookup the host itself performs through GetProcAddress is affected too.
 */
FARPROC WINAPI MyGetProcAddress(HMODULE hModule, LPCSTR lpProcName) {
    (void)hModule;     /* deliberately unused */
    (void)lpProcName;  /* deliberately unused */
    FARPROC result = oldGetProcAddress(0, "");
    return result;
}


//挂钩
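/*
 * Install the LoadLibraryA and GetProcAddress detours in one transaction.
 *
 * Fix: the LONG results of the Detours calls were ignored. Each step is now
 * checked; if either attach fails the transaction is aborted explicitly so
 * neither function is left half-patched (the second attach is skipped once
 * the first has failed). hook() returns void, so a failed commit is not
 * reported; Detours discards the pending patch in that case.
 */
void hook() {
    if (DetourTransactionBegin() != NO_ERROR) {
        return;
    }
    DetourUpdateThread(GetCurrentThread());
    if (DetourAttach((void**)&oldLoadLibraryA, MyLoadLibraryA) != NO_ERROR ||
        DetourAttach((void**)&oldGetProcAddress, MyGetProcAddress) != NO_ERROR) {
        DetourTransactionAbort();
        return;
    }
    DetourTransactionCommit();
}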
//脱钩
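/*
 * Remove the detours installed by hook().
 *
 * Bug fixed: this was a copy of hook() and called DetourAttach() again, so
 * LoadLibraryA and GetProcAddress were never restored on DLL_PROCESS_DETACH.
 * DetourDetach() undoes the attach. Return codes are checked as in hook().
 */
void unhook() {
    if (DetourTransactionBegin() != NO_ERROR) {
        return;
    }
    DetourUpdateThread(GetCurrentThread());
    if (DetourDetach((void**)&oldLoadLibraryA, MyLoadLibraryA) != NO_ERROR ||
        DetourDetach((void**)&oldGetProcAddress, MyGetProcAddress) != NO_ERROR) {
        DetourTransactionAbort();
        return;
    }
    DetourTransactionCommit();
}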

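/*
 * DLL entry point.
 *
 * On DLL_PROCESS_ATTACH a notification is posted to the active console session
 * through WTSSendMessageW and the detours are installed via hook(); on
 * DLL_PROCESS_DETACH they are removed via unhook(). The thread notifications
 * carry no work, so they are switched off with DisableThreadLibraryCalls().
 *
 * Fixes: WTSSendMessageW takes TitleLength/MessageLength in bytes of the wide
 * string; the old lstrlen((LPCSTR)wide) measured the UTF-16 text as a narrow
 * string and passed the wrong length. The strings are now mutable arrays, so
 * no const is cast away; the response slot is zero-initialised; and unhook()
 * is skipped when lpReserved is non-NULL on detach, which per the DllMain
 * contract means the process is terminating and the loader tears everything
 * down anyway.
 *
 * NOTE(review): WTSSendMessageW and the Detours transaction run here under the
 * loader lock — confirm this is acceptable for the target process.
 *
 * Returns TRUE so the load always proceeds.
 */
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    WCHAR title[] = L"title";
    WCHAR message[] = L"inject success";
    DWORD resp = 0;  /* a DWORD object, not a pointer: WTSSendMessageW writes into it */

    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        DisableThreadLibraryCalls(hModule);
        WTSSendMessageW(
            WTS_CURRENT_SERVER_HANDLE,
            WTSGetActiveConsoleSessionId(),
            title, (DWORD)(lstrlenW(title) * sizeof(WCHAR)),
            message, (DWORD)(lstrlenW(message) * sizeof(WCHAR)),
            0, 0, &resp, FALSE);
        hook();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        if (lpReserved == NULL) {
            unhook();
        }
        break;
    default:
        break;
    }
    return TRUE;
}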

进程监控

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include <Windows.h>
#include <stdio.h>
#include <detours.h>
#include <WtsApi32.h>
#pragma comment(lib,"WtsApi32.lib")
#pragma comment(lib,"detours.lib")

/* Signatures of the two process-creation APIs this DLL detours. */
typedef BOOL(WINAPI *CreateProcessA_fn)(
    LPCSTR lpApplicationName,
    LPSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCSTR lpCurrentDirectory,
    LPSTARTUPINFOA lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation);

typedef BOOL(WINAPI *CreateProcessW_fn)(
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation);

/* Trampolines: start as the real functions; hook() hands their addresses to
 * DetourAttach(). The names are kept because the other functions in this file
 * use them, but note that an identifier beginning with an underscore followed
 * by an uppercase letter is reserved for the implementation in C and C++. */
CreateProcessA_fn _CreateProcessA = CreateProcessA;
CreateProcessW_fn _CreateProcessW = CreateProcessW;



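/*
 * Detour for CreateProcessA: forwards the call unchanged to the original API,
 * then reports the new process to the active console session.
 *
 * Fixes: (1) the ANSI lpApplicationName was cast to LPWSTR and handed to the
 * wide WTSSendMessageW, so the notification body was mis-decoded; it is now
 * converted with MultiByteToWideChar(CP_ACP) — the code page CreateProcessA
 * interprets its strings in. (2) lpApplicationName may legitimately be NULL
 * (the program is then named in lpCommandLine), so the text shown falls back
 * to the command line. (3) The original call's last-error value is saved
 * across the notification so a caller whose CreateProcessA failed still sees
 * the right GetLastError(). (4) Lengths are passed in bytes, as
 * WTSSendMessageW expects, and the return type is BOOL rather than int.
 *
 * The notification is posted with bWait = FALSE, so it does not block the
 * creating thread. Parameters and return value are those of CreateProcessA.
 */
BOOL WINAPI MyCreateProcessA(
    LPCSTR lpApplicationName,
    LPSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCSTR lpCurrentDirectory,
    LPSTARTUPINFOA lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation
) {
    BOOL ret = _CreateProcessA(lpApplicationName,
                               lpCommandLine,
                               lpProcessAttributes,
                               lpThreadAttributes,
                               bInheritHandles,
                               dwCreationFlags,
                               lpEnvironment,
                               lpCurrentDirectory,
                               lpStartupInfo,
                               lpProcessInformation);
    DWORD lastError = GetLastError();

    /* Something printable: application name, else command line, else a marker. */
    LPCSTR shown = lpApplicationName;
    if (shown == NULL) {
        shown = (lpCommandLine != NULL) ? lpCommandLine : "(no application name)";
    }

    /* Convert the ANSI text for the wide API; on failure (including a text
     * longer than the buffer) an empty body is shown rather than garbage. */
    WCHAR wide[1024] = { 0 };
    if (MultiByteToWideChar(CP_ACP, 0, shown, -1, wide,
                            (int)(sizeof(wide) / sizeof(wide[0]))) == 0) {
        wide[0] = L'\0';
    }

    WCHAR title[] = L"新进程创建提示";
    DWORD resp = 0;  /* a DWORD object, not a pointer: WTSSendMessageW writes into it */
    WTSSendMessageW(
        WTS_CURRENT_SERVER_HANDLE,
        WTSGetActiveConsoleSessionId(),
        title, (DWORD)(lstrlenW(title) * sizeof(WCHAR)),
        wide, (DWORD)(lstrlenW(wide) * sizeof(WCHAR)),
        0, 0, &resp, FALSE);

    SetLastError(lastError);
    return ret;
}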


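/*
 * Detour for CreateProcessW: forwards the call unchanged to the original API,
 * then reports the new process to the active console session.
 *
 * Fixes: (1) lstrlen((LPCSTR)lpApplicationName) measured a UTF-16 string as
 * narrow text and produced the wrong length; WTSSendMessageW wants the length
 * in bytes, now lstrlenW() * sizeof(WCHAR). (2) lpApplicationName may
 * legitimately be NULL (the program is then named in lpCommandLine), so the
 * text shown falls back to the command line. (3) The original call's
 * last-error value is saved across the notification so a caller whose
 * CreateProcessW failed still sees the right GetLastError(). (4) The return
 * type is BOOL rather than int.
 *
 * The notification is posted with bWait = FALSE, so it does not block the
 * creating thread. Parameters and return value are those of CreateProcessW.
 */
BOOL WINAPI MyCreateProcessW(
    _In_opt_ LPCWSTR lpApplicationName,
    _Inout_opt_ LPWSTR lpCommandLine,
    _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,
    _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
    _In_ BOOL bInheritHandles,
    _In_ DWORD dwCreationFlags,
    _In_opt_ LPVOID lpEnvironment,
    _In_opt_ LPCWSTR lpCurrentDirectory,
    _In_ LPSTARTUPINFOW lpStartupInfo,
    _Out_ LPPROCESS_INFORMATION lpProcessInformation
) {
    BOOL ret = _CreateProcessW(
        lpApplicationName,
        lpCommandLine,
        lpProcessAttributes,
        lpThreadAttributes,
        bInheritHandles,
        dwCreationFlags,
        lpEnvironment,
        lpCurrentDirectory,
        lpStartupInfo,
        lpProcessInformation
    );
    DWORD lastError = GetLastError();

    /* Something printable: application name, else command line, else a marker. */
    LPCWSTR shown = lpApplicationName;
    if (shown == NULL) {
        shown = (lpCommandLine != NULL) ? lpCommandLine : L"(no application name)";
    }

    WCHAR title[] = L"新进程创建提示";
    DWORD resp = 0;  /* a DWORD object, not a pointer: WTSSendMessageW writes into it */
    /* pMessage is declared LPWSTR, hence the const cast; the text is only read. */
    WTSSendMessageW(
        WTS_CURRENT_SERVER_HANDLE,
        WTSGetActiveConsoleSessionId(),
        title, (DWORD)(lstrlenW(title) * sizeof(WCHAR)),
        (LPWSTR)shown, (DWORD)(lstrlenW(shown) * sizeof(WCHAR)),
        0, 0, &resp, FALSE);

    SetLastError(lastError);
    return ret;
}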



//挂钩
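/*
 * Install the CreateProcessA and CreateProcessW detours in one transaction.
 *
 * Fix: the LONG results of the Detours calls were ignored. Each step is now
 * checked; if either attach fails the transaction is aborted explicitly so
 * neither function is left half-patched (the second attach is skipped once
 * the first has failed). hook() returns void, so a failed commit is not
 * reported; Detours discards the pending patch in that case.
 */
void hook() {
    if (DetourTransactionBegin() != NO_ERROR) {
        return;
    }
    DetourUpdateThread(GetCurrentThread());
    if (DetourAttach((void**)&_CreateProcessA, MyCreateProcessA) != NO_ERROR ||
        DetourAttach((void**)&_CreateProcessW, MyCreateProcessW) != NO_ERROR) {
        DetourTransactionAbort();
        return;
    }
    DetourTransactionCommit();
}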
//脱钩
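/*
 * Remove the detours installed by hook().
 *
 * Bug fixed: this was a copy of hook() and called DetourAttach() again, so
 * CreateProcessA/W were never restored on DLL_PROCESS_DETACH. DetourDetach()
 * undoes the attach. Return codes are checked as in hook().
 */
void unhook() {
    if (DetourTransactionBegin() != NO_ERROR) {
        return;
    }
    DetourUpdateThread(GetCurrentThread());
    if (DetourDetach((void**)&_CreateProcessA, MyCreateProcessA) != NO_ERROR ||
        DetourDetach((void**)&_CreateProcessW, MyCreateProcessW) != NO_ERROR) {
        DetourTransactionAbort();
        return;
    }
    DetourTransactionCommit();
}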


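/*
 * DLL entry point.
 *
 * On DLL_PROCESS_ATTACH a notification is posted to the active console session
 * through WTSSendMessageW and the detours are installed via hook(); on
 * DLL_PROCESS_DETACH they are removed via unhook(). The thread notifications
 * carry no work, so they are switched off with DisableThreadLibraryCalls().
 *
 * Fixes: WTSSendMessageW takes TitleLength/MessageLength in bytes of the wide
 * string; the old lstrlen(LPCSTR(wide)) measured the UTF-16 text as a narrow
 * string and passed the wrong length. The strings are now mutable arrays, so
 * no const is cast away; the response slot is zero-initialised; and unhook()
 * is skipped when lpReserved is non-NULL on detach, which per the DllMain
 * contract means the process is terminating and the loader tears everything
 * down anyway.
 *
 * NOTE(review): WTSSendMessageW and the Detours transaction run here under the
 * loader lock — confirm this is acceptable for the target process.
 *
 * Returns TRUE so the load always proceeds.
 */
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    WCHAR title[] = L"提示";
    WCHAR message[] = L"注入成功";
    DWORD resp = 0;  /* a DWORD object, not a pointer: WTSSendMessageW writes into it */

    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        DisableThreadLibraryCalls(hModule);
        WTSSendMessageW(
            WTS_CURRENT_SERVER_HANDLE,
            WTSGetActiveConsoleSessionId(),
            title, (DWORD)(lstrlenW(title) * sizeof(WCHAR)),
            message, (DWORD)(lstrlenW(message) * sizeof(WCHAR)),
            0, 0, &resp, FALSE);
        hook();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        if (lpReserved == NULL) {
            unhook();
        }
        break;
    default:
        break;
    }
    return TRUE;
}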

防止任务管理器结束某进程

调用TerminateProcess 结束进程

hook住OpenProcess，那么任务管理器在调用TerminateProcess时找不到相关句柄，就无法结束任务

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include <Windows.h>
#include <stdio.h>
#include <detours.h>
#include <WtsApi32.h>
#pragma comment(lib,"WtsApi32.lib")
#pragma comment(lib,"detours.lib")


/* Signature of OpenProcess, so the trampoline pointer below reads cleanly. */
typedef HANDLE(WINAPI *OpenProcess_fn)(
    _In_ DWORD dwDesiredAccess,
    _In_ BOOL bInheritHandle,
    _In_ DWORD dwProcessId);

/* Starts out as the real OpenProcess; hook() hands its address to
 * DetourAttach(). The name is kept because the other functions use it, but
 * an identifier starting with an underscore and an uppercase letter is
 * reserved for the implementation in C and C++. */
OpenProcess_fn _OpenProcess = OpenProcess;

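/*
 * Detour for OpenProcess.
 *
 * Looks for an untitled Notepad window; when one exists, an extra
 * OpenProcess probe with process id 0 is issued first. The caller's own
 * request is then forwarded unchanged and its handle returned — as written,
 * nothing is withheld from the caller. Whether the probe can ever succeed is
 * not established here.
 *
 * Fix: the probe's return value was discarded, which is a leaked handle per
 * call whenever it does succeed; it is closed now. FindWindowW() and the probe
 * run before the forwarded call, so the caller still observes the last-error
 * value set by the real OpenProcess. FindWindowW() runs on every OpenProcess
 * in the host, which is a cost to keep in mind for busy callers.
 *
 * Parameters and return value are those of OpenProcess.
 */
HANDLE WINAPI MyOpenProcess(
    _In_ DWORD dwDesiredAccess,
    _In_ BOOL bInheritHandle,
    _In_ DWORD dwProcessId
) {
    HWND hwnd = FindWindowW(L"Notepad", L"无标题 - 记事本");

    if (hwnd != NULL) {
        HANDLE probe = _OpenProcess(dwDesiredAccess, bInheritHandle, 0);
        if (probe != NULL) {
            CloseHandle(probe);
        }
    }

    return _OpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
}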


//挂钩
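/*
 * Install the OpenProcess detour.
 *
 * Fix: the LONG results of the Detours calls were ignored. Each step is now
 * checked and an attach failure aborts the transaction explicitly so no
 * half-applied patch remains. hook() returns void, so a failed commit is not
 * reported; Detours discards the pending patch in that case.
 */
void hook() {
    if (DetourTransactionBegin() != NO_ERROR) {
        return;
    }
    DetourUpdateThread(GetCurrentThread());
    if (DetourAttach((void**)&_OpenProcess, MyOpenProcess) != NO_ERROR) {
        DetourTransactionAbort();
        return;
    }
    DetourTransactionCommit();
}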
//脱钩
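/*
 * Remove the OpenProcess detour installed by hook().
 *
 * Bug fixed: this was a copy of hook() and called DetourAttach() again, so
 * OpenProcess was never restored on DLL_PROCESS_DETACH. DetourDetach() undoes
 * the attach. Return codes are checked as in hook().
 */
void unhook() {
    if (DetourTransactionBegin() != NO_ERROR) {
        return;
    }
    DetourUpdateThread(GetCurrentThread());
    if (DetourDetach((void**)&_OpenProcess, MyOpenProcess) != NO_ERROR) {
        DetourTransactionAbort();
        return;
    }
    DetourTransactionCommit();
}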

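/*
 * DLL entry point.
 *
 * On DLL_PROCESS_ATTACH a notification is posted to the active console session
 * through WTSSendMessageW and the OpenProcess detour is installed via hook();
 * on DLL_PROCESS_DETACH it is removed via unhook(). The thread notifications
 * carry no work, so they are switched off with DisableThreadLibraryCalls().
 *
 * Fixes: WTSSendMessageW takes TitleLength/MessageLength in bytes, while
 * lstrlen(LPCWSTR(...)) yielded a character count; the lengths are now
 * lstrlenW() * sizeof(WCHAR). The strings are mutable arrays, so no const is
 * cast away; the response slot is zero-initialised; and unhook() is skipped
 * when lpReserved is non-NULL on detach, which per the DllMain contract means
 * the process is terminating and the loader tears everything down anyway.
 *
 * NOTE(review): WTSSendMessageW and the Detours transaction run here under the
 * loader lock — confirm this is acceptable for the target process.
 *
 * Returns TRUE so the load always proceeds.
 */
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    WCHAR title[] = L"提示";
    WCHAR message[] = L"注入成功";
    DWORD resp = 0;  /* a DWORD object, not a pointer: WTSSendMessageW writes into it */

    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        DisableThreadLibraryCalls(hModule);
        WTSSendMessageW(
            WTS_CURRENT_SERVER_HANDLE,
            WTSGetActiveConsoleSessionId(),
            title, (DWORD)(lstrlenW(title) * sizeof(WCHAR)),
            message, (DWORD)(lstrlenW(message) * sizeof(WCHAR)),
            0, 0, &resp, FALSE);
        hook();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        if (lpReserved == NULL) {
            unhook();
        }
        break;
    default:
        break;
    }
    return TRUE;
}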

将dll注入到任务管理器中，然后在任务管理器下强制关闭新建的记事本，会无法关闭
