返回列表 发帖
默数悲伤 该用户已被删除
楼主 跳转到 » 倒序看帖
打印
tT
默数悲伤发表于 2006-9-4 21:24 | 只看该作者

[原创]winxp下监视进程的创建

在winxp下进程的创建无非是使用System,Winexec,ShellExecute,CreateProcess等库函数和系统API.但是为了实现对进程创建的监视,我们一般都是拦截这些api,这样工作量会很大.而实际上这些函数最终都会调用ntdll.dll所导出的ZwCreateProcessEx函数,由他填入服务索引号,并软中断进入内核模式.只要Hook了该函数就能有效地从用户层监视进程的创建.但是有人会说,在2000和Xp下不是有NtCreateProcess和ZwCreateProcess么,实际上今天晚上我自己动手试了下,上述这两者,首先他们是一个函数,其次,在Xp下创建进程的时候,根本不会使用到他们... 首先看下ZwCreateProcessEx的定义(参考win2k/xp native api refernce): typedef NTSTATUS (*NTCREATEPROCESSEX)( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN HANDLE ParentProcess, IN BOOLEAN InheritObjectTable, IN HANDLE SectionHandle OPTIONAL, IN HANDLE DebugPort OPTIONAL, IN HANDLE ExceptionPort OPTIONAL, IN HANDLE Unknown ); 我们需要的只是拦截他,目前暂时具体参数的功能就不谈了,具体实现方式就不说了,在前面的<用户层下拦截API的原理与实现>中已经讲得很清楚拉.如果你忘记了,具体见:http://redcoder.blog.sohu.com/2183228.html下面是这次实验的代码,拦截了ZwCreateProcessEx函数: 编译环境:WinXp Sp2 + vc6.0
  1. &#35;include <stdio.h>
  2. &#35;include <windows.h>
  3. &#35;define STATUS_SUCCESS 0
  4. &#35;define HOOKFUCTIONSIZE 10240 //定义拦截函数体的大小,以字节为单位,且以4kb为基本单位
  5. &#35;define HOOKEDAPIPARAMNUMINBYTE 36 //定义被拦截的api的函数的参数的大小,以字节为单位
  6. typedef unsigned long NTSTATUS;
  7. typedef unsigned long SYSTEM_INFORMATION_CLASS;
  8. typedef struct _RemoteParam{
  9. LPVOID lpFunAddr;
  10. LPVOID lpWriteProcessMemory;
  11. unsigned char szOldCode[12];
  12. unsigned char szNewCode[12];
  13. LPVOID lpMessageBox;
  14. }RemoteParam, * PRemoteParam;
  15. typedef BOOL (__stdcall * PFN_WRITEPROCESSMEMORY)(HANDLE, LPVOID, LPCVOID, SIZE_T, SIZE_T*);
  16. typedef int (__stdcall * PFN_MESSAGEBOX)(HWND, LPCTSTR, LPCTSTR, DWORD);
  17. typedef
  18. NTSTATUS
  19. (__stdcall * PFN_ZWCREATEPROCESSEX)(
  20. PHANDLE,
  21. ACCESS_MASK,
  22. LPVOID,
  23. HANDLE,
  24. BOOLEAN,
  25. HANDLE,
  26. HANDLE,
  27. HANDLE,
  28. HANDLE
  29. );
  30. VOID HookApi(LPVOID lParam)
  31. {
  32. RemoteParam* Rpm = (RemoteParam*)lParam;
  33. PFN_ZWCREATEPROCESSEX pfnZwCreateprocessEx = (PFN_ZWCREATEPROCESSEX)Rpm->lpFunAddr;
  34. PFN_WRITEPROCESSMEMORY pfnWriteProcessMemory = (PFN_WRITEPROCESSMEMORY)Rpm->lpWriteProcessMemory;
  35. PFN_MESSAGEBOX pfnMessageBox = (PFN_MESSAGEBOX)Rpm->lpMessageBox;
  36. char sztest[8] = {';h';, ';e';, ';l';, ';l';, ';o';, ';.';, ';.';, ';\0';};
  39. PHANDLE ProcessHandle = NULL;
  40. ACCESS_MASK DesiredAccess = 0;
  41. LPVOID ObjectAttributes = NULL;
  42. HANDLE InheritFromProcessHandle = NULL;
  43. BOOLEAN InheritHandles = TRUE;
  44. HANDLE SectionHandle = NULL;
  45. HANDLE DebugPort = NULL;
  46. HANDLE ExceptionPort = NULL;
  47. HANDLE reserv = NULL;
  49. NTSTATUS Retvalue = STATUS_SUCCESS; //定义要拦截的api的默认返回植
  50. DWORD NextIpAddr = 0;
  51. DWORD dwParamaAddr = 0;
  52. DWORD temp1 = 0;
  54. __asm
  55. {
  56. MOV EAX, [EBP + 12]
  57. MOV [NextIpAddr], EAX
  58. MOV EAX, [EBP + 16]
  59. MOV [ProcessHandle], EAX
  60. MOV EAX, [EBP + 20]
  61. MOV [DesiredAccess], EAX
  62. MOV EAX, [EBP + 24]
  63. MOV [ObjectAttributes], EAX
  64. MOV EAX, [EBP + 28]
  65. MOV [InheritFromProcessHandle], EAX
  66. MOV EAX, [EBP + 32]
  67. MOV [temp1], EAX
  68. MOV EAX, [EBP + 36]
  69. MOV [SectionHandle], EAX
  70. MOV EAX, [EBP + 40]
  71. MOV [DebugPort], EAX
  72. MOV EAX, [EBP + 44]
  73. MOV [ExceptionPort], EAX
  74. MOV EAX, [EBP + 48]
  75. MOV [reserv], EAX
  76. }
  77. InheritHandles = (BOOLEAN)temp1;
  79. //这里可以做你的事情了,比如我只想弹出一个对话框,其实也可以在让api完成之后再做些东西
  80. pfnMessageBox(NULL, sztest, sztest, 0);
  81. pfnWriteProcessMemory((HANDLE)0XFFFFFFFF, Rpm->lpFunAddr, (LPCVOID)Rpm->szOldCode, 12, NULL);
  82. //让api真正执行,这里换成你要拦截的api
  83. Retvalue = pfnZwCreateprocessEx(ProcessHandle,
  84. DesiredAccess,
  85. ObjectAttributes,
  86. InheritFromProcessHandle,
  87. InheritHandles,
  88. SectionHandle,
  89. DebugPort,
  90. ExceptionPort,
  91. reserv);
  93. //再次恢复对他的拦截
  94. pfnWriteProcessMemory((HANDLE)0XFFFFFFFF, Rpm->lpFunAddr, (LPCVOID)Rpm->szNewCode, 12, NULL);
  96. DWORD dwStackSize = 12 + HOOKEDAPIPARAMNUMINBYTE;
  98. //这里对拦截函数堆栈的恢复,必须放在最后
  99. __asm
  100. {
  101. POP EDI //注意如果你编译生成的debug版本的程序则需要把这
  102. POP ESI //三个注释去掉
  103. POP EBX
  104. MOV ECX, [dwStackSize]
  105. MOV EDX, [NextIpAddr]
  106. MOV EAX, [Retvalue]
  107. MOV ESP, EBP
  108. POP EBP
  109. ADD ESP, ECX //12 + HOOKEDAPIPARAMNUMINBYTE //恢复堆栈
  110. PUSH EDX
  111. RET
  112. }
  113. }
  115. //////////////////////////////////////////////////////////////////////////
  116. //************************************************************************
  117. //模块名字:AdjustProcessPrivileges(LPCSTR)
  118. //模块功能:修改调用进程的权限
  119. //返回数值:成功返回TRUE,失败返回FALSE
  120. //参数可以为下列值:
  121. // &#35;define SE_BACKUP_NAME TEXT("SeBackupPrivilege")
  122. // &#35;define SE_RESTORE_NAME TEXT("SeRestorePrivilege")
  123. // &#35;define SE_SHUTDOWN_NAME TEXT("SeShutdownPrivilege")
  124. // &#35;define SE_DEBUG_NAME TEXT("SeDebugPrivilege")
  125. //////////////////////////////////////////////////////////////////////////
  126. BOOL AdjustProcessPrivileges(LPCSTR lpPrivilegesName)
  127. {
  128. HANDLE hToken;
  129. TOKEN_PRIVILEGES tkp;
  130. if(!OpenProcessToken((HANDLE)0XFFFFFFFF,
  131. TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
  132. {
  133. return FALSE;
  134. }
  135. if(!LookupPrivilegeV&#97;lue(NULL, lpPrivilegesName, &tkp.Privileges[0].Luid))
  136. {
  137. CloseHandle(hToken);
  138. return FALSE;
  139. }
  141. tkp.PrivilegeCount = 1;
  142. tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
  143. if(!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
  144. {
  145. CloseHandle(hToken);
  146. return FALSE;
  147. }
  148. CloseHandle(hToken);
  149. return TRUE;
  150. }
  152. int SetHook(DWORD dwPid, LPCTSTR lpApiName, LPCTSTR lpExportDllName, LPVOID lpHookFunAddr)
  153. {
  154. if(!AdjustProcessPrivileges(SE_DEBUG_NAME))
  155. {
  156. printf("-----AdjustProcessPrivileges error..\n");
  157. return -1;
  158. }
  159. printf("1:AdjustProcessPrivileges ok\n");
  161. //获取要拦截的api的地址
  162. HMODULE hExportDll = LoadLibrary(lpExportDllName);
  163. if(hExportDll == NULL)
  164. {
  165. printf("-----LoadLibrary error..\n");
  166. return -1;
  167. }
  169. LPVOID lpApiAddr = GetProcAddress(hExportDll, lpApiName);
  170. if(lpApiAddr == NULL)
  171. {
  172. printf("-----GetProcAddress %s error..\n", lpApiName);
  173. FreeLibrary(hExportDll);
  174. return -1;
  175. }
  177. //打开进程句柄
  178. HANDLE hTargetProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
  179. FALSE, dwPid);
  180. if(hTargetProcess == NULL)
  181. {
  182. printf("-----OpenProcess %d error..\n", dwPid);
  183. FreeLibrary(hExportDll);
  184. return -1;
  185. }
  187. //申请拦截函数内存空间
  188. LPVOID lpFunAddr = VirtualAllocEx(hTargetProcess, NULL, HOOKFUCTIONSIZE,
  189. MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  190. if(lpFunAddr == NULL)
  191. {
  192. printf("-----VirtualAllocEx for remotefuction error..\n");
  193. FreeLibrary(hExportDll);
  194. CloseHandle(hTargetProcess);
  195. return -1;
  196. }
  198. //申请远程参数空间
  199. LPVOID lpParamaAddr = VirtualAllocEx(hTargetProcess, NULL, sizeof(RemoteParam),
  200. MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  201. if(lpParamaAddr == NULL)
  202. {
  203. printf("-----VirtualAllocEx for remoteparam error..\n");
  204. FreeLibrary(hExportDll);
  205. VirtualFreeEx(hTargetProcess, lpFunAddr, 0, MEM_RELEASE);
  206. CloseHandle(hTargetProcess);
  207. return -1;
  208. }
  209. printf("2:Alloc remote memory for the hook fuction and param ok\n");
  212. //设置远程参数,下一步要把参数写入要拦截的远程进程地址空间
  213. RemoteParam RParam;
  214. ZeroMemory(&RParam, sizeof(RParam));
  216. unsigned char oldcode[12];
  217. unsigned char newcode[12];
  218. DWORD dwError = 0;
  219. if(!ReadProcessMemory((HANDLE)0XFFFFFFFF,
  220. lpApiAddr,
  221. oldcode,
  222. 12,
  223. &dwError))
  224. {
  225. printf("-----ReadProcessMemory from lpApiName error..\n");
  226. FreeLibrary(hExportDll);
  227. VirtualFreeEx(hTargetProcess, lpFunAddr, 0, MEM_RELEASE);
  228. VirtualFreeEx(hTargetProcess, lpParamaAddr, 0, MEM_RELEASE);
  229. CloseHandle(hTargetProcess);
  230. return -1;
  231. }
  232. //生成跳转指令,这将覆盖要拦截的api的前十个字节
  233. int praadd = (int)lpParamaAddr;
  234. int threadadd = (int)lpFunAddr;
  235. newcode[4] = praadd>>24;
  236. newcode[3] = (praadd<<8)>>24;
  237. newcode[2] = (praadd<<16)>>24;
  238. newcode[1] = (praadd<<24)>>24;
  239. newcode[0] = 0x68; //PUSH lpParamaAddr
  240. int offsetaddr = threadadd - (int)lpApiAddr - 10 ;
  241. newcode[9] = offsetaddr>>24;
  242. newcode[8] = (offsetaddr<<8)>>24;
  243. newcode[7] = (offsetaddr<<16)>>24;
  244. newcode[6] = (offsetaddr<<24)>>24;
  245. newcode[5] = 0xE8; //CALL lpFunAddr
  246. newcode[10] = 0x90;
  247. newcode[11] = 0x90;
  249. for(int j = 0; j < 12; j++)
  250. {
  251. RParam.szOldCode[j] = oldcode[j];
  252. RParam.szNewCode[j] = newcode[j];
  253. }
  254. RParam.lpFunAddr = lpApiAddr;
  256. HMODULE hKernel32 = LoadLibrary("Kernel32.dll");
  257. if(hKernel32 == NULL)
  258. {
  259. printf("-----LoadLibrary Kernel32.dll error..\n");
  260. FreeLibrary(hExportDll);
  261. VirtualFreeEx(hTargetProcess, lpFunAddr, 0, MEM_RELEASE);
  262. VirtualFreeEx(hTargetProcess, lpParamaAddr, 0, MEM_RELEASE);
  263. CloseHandle(hTargetProcess);
  264. return -1;
  265. }
  267. RParam.lpWriteProcessMemory = GetProcAddress(hKernel32, "WriteProcessMemory");
  268. if(RParam.lpWriteProcessMemory == NULL)
  269. {
  270. printf("-----GetProcAddress WriteProcessMemory from Kernel32.dll error..\n");
  271. FreeLibrary(hExportDll);
  272. VirtualFreeEx(hTargetProcess, lpFunAddr, 0, MEM_RELEASE);
  273. VirtualFreeEx(hTargetProcess, lpParamaAddr, 0, MEM_RELEASE);
  274. CloseHandle(hTargetProcess);
  275. FreeLibrary(hKernel32);
  276. return -1;
  277. }
  279. //以上皆为必须,下面可以为自己的拦截函数中所需要用的一些变量以及系统api放到参数中去
  280. HMODULE hUser32 = LoadLibrary("User32.dll");
  281. if(hUser32 == NULL)
  282. {
  283. printf("-----LoadLibrary User32.dll error..\n");
  284. FreeLibrary(hExportDll);
  285. VirtualFreeEx(hTargetProcess, lpFunAddr, 0, MEM_RELEASE);
  286. VirtualFreeEx(hTargetProcess, lpParamaAddr, 0, MEM_RELEASE);
  287. CloseHandle(hTargetProcess);
  288. FreeLibrary(hKernel32);
  289. return -1;
  290. }
  292. RParam.lpMessageBox = GetProcAddress(hUser32, "MessageBoxA");
  293. if(RParam.lpMessageBox == NULL)
  294. {
  295. printf("-----GetProcAddress MessageBoxA from User32.dll error..\n");
  296. FreeLibrary(hExportDll);
  297. VirtualFreeEx(hTargetProcess, lpFunAddr, 0, MEM_RELEASE);
  298. VirtualFreeEx(hTargetProcess, lpParamaAddr, 0, MEM_RELEASE);
  299. CloseHandle(hTargetProcess);
  300. FreeLibrary(hKernel32);
  301. FreeLibrary(hUser32);
  302. return -1;
  303. }
  305. FreeLibrary(hUser32);
  306. printf("3:Generate remoteparam ok\n");
  308. //下面为必须部分
  309. //把参数写入要拦截的远程进程地址空间
  310. if(!WriteProcessMemory(hTargetProcess, lpParamaAddr, (LPVOID)&RParam, sizeof(RParam), &dwError))
  311. {
  312. printf("-----WriteProcessMemory for remoteparam error..\n");
  313. FreeLibrary(hExportDll);
  314. VirtualFreeEx(hTargetProcess, lpFunAddr, 0, MEM_RELEASE);
  315. VirtualFreeEx(hTargetProcess, lpParamaAddr, 0, MEM_RELEASE);
  316. CloseHandle(hTargetProcess);
  317. FreeLibrary(hKernel32);
  318. return -1;
  319. }
  320. printf("4:WriteProcessMemory for remoteparam ok\n");
  321. //把拦截函数体写入目标进程地址空间
  322. if(!WriteProcessMemory(hTargetProcess, lpFunAddr, lpHookFunAddr, HOOKFUCTIONSIZE, &dwError))
  323. {
  324. printf("-----WriteProcessMemory for remotefuction error..\n");
  325. FreeLibrary(hExportDll);
  326. VirtualFreeEx(hTargetProcess, lpFunAddr, 0, MEM_RELEASE);
  327. VirtualFreeEx(hTargetProcess, lpParamaAddr, 0, MEM_RELEASE);
  328. CloseHandle(hTargetProcess);
  329. FreeLibrary(hKernel32);
  330. return -1;
  331. }
  332. printf("5:WriteProcessMemory for remotefuction ok\n");
  333. //把新的跳转指令写入要拦截的目标进程的要拦截的api的函数的前十字节
  334. if(!WriteProcessMemory(hTargetProcess, lpApiAddr , (LPVOID)newcode, 12, &dwError))
  335. {
  336. printf("-----Modify remote api error..\n");
  337. FreeLibrary(hExportDll);
  338. VirtualFreeEx(hTargetProcess, lpFunAddr, 0, MEM_RELEASE);
  339. VirtualFreeEx(hTargetProcess, lpParamaAddr, 0, MEM_RELEASE);
  340. CloseHandle(hTargetProcess);
  341. FreeLibrary(hKernel32);
  342. return -1;
  343. }
  344. printf("6:Modify remote api %s ok\n", lpApiName);
  345. //show..
  346. printf("---------------------------------------------------------------------------\n"
  347. "You hava hooked pid: %d ,and the infomation of this hooking are as follows:\n"
  348. "API name: %s\n"
  349. "API addr: 0x%.8x\n"
  350. "Module name: %s\n"
  351. "Module addr: 0x%.8x\n"
  352. "Remote parama addr: 0x%.8x\n"
  353. "Remote thread addr: 0x%.8x\n"
  354. "RemoteParam.lpFunAddr: 0x%.8x\n"
  355. "RemoteParam.lpWriteProcessMemory: 0x%.8x\n"
  356. "RemoteParam.lpMessageBox: 0x%.8x\n",
  357. dwPid,
  358. lpApiName,
  359. lpApiAddr,
  360. lpExportDllName,
  361. hExportDll,
  362. lpParamaAddr,
  363. lpFunAddr,
  364. RParam.lpFunAddr,
  365. RParam.lpWriteProcessMemory,
  366. RParam.lpMessageBox);
  368. printf("RemoteParam.szOldCode: ");
  369. for(int i = 0; i < 12; i++)
  370. {
  371. printf("0x%x ", RParam.szOldCode[i]);
  372. }
  373. printf("\nRemoteParam.szNewCode: ");
  374. for(i = 0; i < 12; i++)
  375. {
  376. printf("0x%x ", RParam.szNewCode[i]);
  377. }
  378. printf("\nThat';s all, good luck ^_^\n");
  379. Sleep(10000);
  381. //收工,清理资源
  382. FreeLibrary(hExportDll);
  383. CloseHandle(hTargetProcess);
  384. FreeLibrary(hKernel32);
  385. return 0;
  386. }
  388. int main(void)
  389. {//注意这里第一个参数是你要选择监视的进程的ID,我这里是选的我的explorer.exe
  390. SetHook(1564, "NtCreateProcessEx", "ntdll.dll", &HookApi);
  391. return 0;
  392. }
复制代码
最后当你的文件夹或者其他地方双击鼠标来运行一个程序的时候,首先会弹出一个hello窗口,点ok,该程序才会运行.
收藏 分享

☆一往情深☆ 该用户已被删除
沙发
☆一往情深☆发表于 2006-9-6 16:21 | 只看该作者

[原创]winxp下监视进程的创建

看得似懂非懂啊,我的VC编程真是要命,还得在学啊.

TOP

shadow3 该用户已被删除
板凳
shadow3发表于 2006-9-14 03:19 | 只看该作者

[原创]winxp下监视进程的创建

不错,其实操作系统提供给了我们在进程创建的时候进程回调操作的机会,看一下DDK里的
NTSTATUS
  PsSetCreateProcessNotifyRoutine(
    IN PCREATE_PROCESS_NOTIFY_ROUTINE  NotifyRoutine,
    IN BOOLEAN  Remove
    );

TOP

返回列表 回复 发帖