rapking 发表于 2014-7-28 09:20:44

MFC/VC++进程自我保护(通过远程线程注入或HOOK)

目标是让进程本身无法被结束,或者被结束后立即重启。请知道的朋友指点一下;写过的同学能否把代码贴出来参考,谢谢。(注:下面回帖的做法是向任务管理器注入 DLL 并做 inline hook,这与恶意软件的手法相同,杀软通常会拦截;示例按 32 位地址写死,在 64 位进程上不适用。)

fjx16852318 发表于 2014-7-28 09:21:01

// DLL code: injected into the target process. Note it only hooks user32!MessageBoxW
// as a demonstration of the hook mechanism; it does not itself block process termination.
#include <windows.h>

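// Five-byte patch buffers for the inline hook: pNew holds the JMP rel32 stub
// written over the API entry, pOld the original bytes restored by HookApiOff.
// They must be 5-byte arrays; as single chars the 5-byte writes below overflow.
char pNew[5] = {0};
char pOld[5] = {0};

// Module that exports the hooked API (LoadLibrary'd once per HookApiOn call).
HMODULE hModu = NULL;
// Address of the hooked export. Stored as DWORD, so 32-bit builds only: on x64
// the pointer cast in HookApiOn truncates the address.
DWORD dwOldApi = 0;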

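/*
 * Install an inline (E9 / JMP rel32) hook on pDllName!pApiName that diverts
 * calls to pFunc. The 5 bytes being overwritten are saved in pOld so that
 * HookApiOff can restore them.
 *
 * Leaves the target untouched (and dwOldApi == 0, so HookApiOff is a no-op)
 * if the module or export cannot be resolved or the page cannot be unprotected.
 *
 * Limitations inherited from the design:
 *  - 32-bit only: addresses and the displacement are DWORD.
 *  - The overwritten bytes are not relocated, so pFunc must call HookApiOff
 *    before invoking the original and HookApiOn afterwards (see my_MessageBoxW).
 *  - Not thread-safe: the globals are shared and the patch is not atomic.
 *  - Each call bumps the module's reference count via LoadLibrary and never
 *    releases it (harmless for user32, which never unloads).
 */
void HookApiOn(char* pDllName, char* pApiName,FARPROC pFunc)
{
    DWORD dwOld = 0;
    DWORD dwTmp = 0;
    SIZE_T flag = 0;

    hModu = LoadLibrary(pDllName);
    if (hModu == NULL)
        return;

    FARPROC pApi = GetProcAddress(hModu, pApiName);
    if (pApi == NULL)
        return;
    dwOldApi = (DWORD)pApi;

    // Keep the page executable while it is writable. With DEP enabled,
    // PAGE_READWRITE would fault any thread that calls the API during the
    // patch window.
    if (!VirtualProtect((LPVOID)dwOldApi, 5, PAGE_EXECUTE_READWRITE, &dwOld))
    {
        dwOldApi = 0;
        return;
    }

    // E9 rel32: the displacement is relative to the end of the 5-byte JMP.
    DWORD dd = (DWORD)pFunc - dwOldApi - 5;
    pNew[0] = (char)0xE9;
    pNew[1] = (char)(dd & 0xFF);          // little-endian displacement
    pNew[2] = (char)((dd >> 8) & 0xFF);
    pNew[3] = (char)((dd >> 16) & 0xFF);
    pNew[4] = (char)((dd >> 24) & 0xFF);

    // Save the original bytes first, then write the stub.
    ReadProcessMemory(GetCurrentProcess(), (LPVOID)dwOldApi, pOld, 5, &flag);
    WriteProcessMemory(GetCurrentProcess(), (LPVOID)dwOldApi, pNew, 5, &flag);

    // lpflOldProtect must point at a valid DWORD; with NULL the call fails and
    // the page would be left writable.
    VirtualProtect((LPVOID)dwOldApi, 5, dwOld, &dwTmp);
    FlushInstructionCache(GetCurrentProcess(), (LPVOID)dwOldApi, 5);
}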

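/*
 * Remove the hook installed by HookApiOn by writing the saved 5 bytes (pOld)
 * back over the API entry. Does nothing when no hook is installed.
 */
void HookApiOff()
{
    if (dwOldApi == 0)
        return;

    DWORD dwOld = 0;
    DWORD dwTmp = 0;
    SIZE_T flag = 0;

    // Stay executable during the write (see HookApiOn).
    if (!VirtualProtect((LPVOID)dwOldApi, 5, PAGE_EXECUTE_READWRITE, &dwOld))
        return;

    WriteProcessMemory(GetCurrentProcess(), (LPVOID)dwOldApi, pOld, 5, &flag);

    // Restore the original protection; VirtualProtect requires a non-NULL
    // lpflOldProtect or it fails.
    VirtualProtect((LPVOID)dwOldApi, 5, dwOld, &dwTmp);
    FlushInstructionCache(GetCurrentProcess(), (LPVOID)dwOldApi, 5);
}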

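/*
 * Replacement for MessageBoxW installed by InstallAllHook.
 *
 * Must match MessageBoxW's ABI exactly — int return, stdcall (WINAPI). The
 * original was declared void, so the hooked caller received whatever happened
 * to be in EAX as the "button pressed" result.
 *
 * Temporarily unhooks so the prompt and the forwarded call reach the real
 * MessageBoxW, then re-hooks. Returns the real call's result when the user
 * allows it, IDCANCEL when the call is blocked.
 *
 * Not thread-safe: while the hook is off, other threads call the unhooked
 * API, and HookApiOn/HookApiOff share unguarded globals.
 */
int WINAPI my_MessageBoxW( HWND hWnd ,LPCWSTR lpText,LPCWSTR lpCaption,UINT uType)
{
    int ret = IDCANCEL;

    HookApiOff();
    // Both calls below reach the real MessageBoxW only because the hook is off.
    if(IDNO == MessageBoxW(NULL,L"程序非法调用了MessageBoxW函数,是否阻止?",L"提示",MB_YESNO))
      ret = MessageBoxW(hWnd,lpText,lpCaption,uType);
    HookApiOn("user32.dll","MessageBoxW",(FARPROC)my_MessageBoxW);

    return ret;
}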

/*
 * Install every hook this DLL provides. Currently that is just
 * user32!MessageBoxW -> my_MessageBoxW.
 */
void InstallAllHook()
{
    FARPROC replacement = (FARPROC)my_MessageBoxW;
    HookApiOn("user32.dll", "MessageBoxW", replacement);
}

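/*
 * DLL entry point: installs the hooks on process attach and removes them on
 * detach, so a later MessageBoxW call does not jump into unmapped memory once
 * the DLL is gone. The listing above was missing the closing brace.
 *
 * NOTE(review): HookApiOn calls LoadLibrary, which is documented as unsafe
 * from DllMain (the loader lock is held). It happens to work here because
 * user32.dll is already loaded in the target; a safer design installs the
 * hooks from the remote thread after LoadLibrary returns.
 */
BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                       )
{
    (void)hModule;
    (void)lpReserved;

    switch(ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
      InstallAllHook();
      break;
    case DLL_PROCESS_DETACH:
      HookApiOff();
      break;
    default:
      break;
    }

    return TRUE;
}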

// .exe: the injector. Here the target is Task Manager. The injector and the
// target must be the same bitness (addresses are passed as DWORD / LoadLibraryA
// is resolved from the injector's own kernel32).
#include <windows.h>
#include <stdio.h>

// Absolute ANSI path of the hook DLL. It is copied into the target and handed
// to LoadLibraryA there, so it must be readable from the target process.
// Hard-coded to this build's output directory — TODO make it configurable.
#define Dll_Name "F:\\workspqce\\Jmp_Hook\\Debug\\jmp_dll.dll"

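/*
 * Enable SeDebugPrivilege on the current process token so OpenProcess can
 * open a protected target such as Task Manager.
 *
 * AdjustTokenPrivileges only enables a privilege the token already holds, so
 * this needs an elevated/administrator process. It returns non-zero even when
 * nothing was assigned (GetLastError() == ERROR_NOT_ALL_ASSIGNED), hence the
 * explicit ERROR_SUCCESS check. The token handle is always closed.
 *
 * Returns TRUE only if the privilege is now enabled.
 */
BOOL EnablePrivilege()
{
    HANDLE hToken = NULL;
    BOOL ok = FALSE;

    if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken))
      return FALSE;

    TOKEN_PRIVILEGES tkp = {0};
    if(LookupPrivilegeValue( NULL,SE_DEBUG_NAME,&tkp.Privileges[0].Luid ))
    {
      tkp.PrivilegeCount=1;
      tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;

      if(AdjustTokenPrivileges( hToken,FALSE,&tkp,sizeof tkp,NULL,NULL ))
        ok = (GetLastError()==ERROR_SUCCESS);
    }

    CloseHandle(hToken);   // the original leaked this handle
    return ok;
}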

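/*
 * Load Dll_Name into process dwProcessId: allocate the path in the target,
 * write it, and run LoadLibraryA on it from a remote thread.
 *
 * Opens the process with only the rights injection needs rather than
 * PROCESS_ALL_ACCESS. Every handle and the remote allocation are released on
 * all paths (the original leaked hProcess/hRemote and passed a non-zero size
 * to VirtualFreeEx(MEM_RELEASE), which makes that call fail).
 *
 * Returns TRUE only if the remote thread finished and its exit code — the
 * HMODULE LoadLibraryA returned — is non-zero. Same-bitness only: the
 * LoadLibraryA address is taken from this process's kernel32.
 */
BOOL InjectDll(DWORD dwProcessId)
{
    BOOL ok = FALSE;
    HANDLE hProcess = NULL;
    HANDLE hRemote = NULL;
    LPVOID pszDllName = NULL;
    PTHREAD_START_ROUTINE tsr = NULL;
    DWORD dwExit = 0;
    SIZE_T cbPath = strlen(Dll_Name) + 1;   // include the terminating NUL

    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                           FALSE, dwProcessId);
    if(!hProcess)
      return FALSE;

    pszDllName = VirtualAllocEx(hProcess,NULL,cbPath,MEM_COMMIT,PAGE_READWRITE);
    if(!pszDllName)
      goto cleanup;

    // Write the NUL too instead of relying on the fresh page being zeroed.
    if(!WriteProcessMemory(hProcess,pszDllName,Dll_Name,cbPath,NULL))
      goto cleanup;

    tsr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),"LoadLibraryA");
    if(!tsr)
      goto cleanup;

    hRemote = CreateRemoteThread(hProcess,NULL,0,tsr,pszDllName,0,NULL);
    if(!hRemote)
      goto cleanup;

    WaitForSingleObject(hRemote,INFINITE);

    // The thread's exit code is LoadLibraryA's return value: 0 means it failed.
    if(GetExitCodeThread(hRemote,&dwExit) && dwExit != 0)
      ok = TRUE;

cleanup:
    if(hRemote)
      CloseHandle(hRemote);
    if(pszDllName)
      VirtualFreeEx(hProcess,pszDllName,0,MEM_RELEASE);   // size must be 0 with MEM_RELEASE
    CloseHandle(hProcess);
    return ok;
}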

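/*
 * Locate Task Manager by window title, enable SeDebugPrivilege and inject the
 * hook DLL into it. Each step is checked; the original silently injected into
 * PID 0 when the window was not found. The window title is the localized
 * (Chinese) one, so this only matches on a Chinese-language Windows.
 */
int main()
{
    DWORD dwProcessId = 0;

    HWND hWindow = FindWindow(NULL,"Windows 任务管理器");
    if(hWindow == NULL)
    {
      printf("Task Manager window not found\n");
      return 1;
    }
    if(GetWindowThreadProcessId(hWindow,&dwProcessId) == 0 || dwProcessId == 0)
    {
      printf("could not resolve the owning process\n");
      return 1;
    }

    if(!EnablePrivilege())
    {
      printf("SeDebugPrivilege not available (run elevated)\n");
      return 1;
    }
    if(!InjectDll(dwProcessId))
    {
      printf("injection failed, error %lu\n", GetLastError());
      return 1;
    }
    return 0;
}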