#include <Windows.h>
// DLL entry point, called by the loader on attach/detach notifications.
// Signature note: the documented prototype is BOOL WINAPI DllMain(HINSTANCE, DWORD, LPVOID);
// this one returns DWORD, which has the same width on 32-bit x86 but is not the declared type.
// Only DLL_PROCESS_ATTACH does any work (shows a message box); DLL_THREAD_ATTACH /
// DLL_THREAD_DETACH are not matched by the switch and fall to the final return TRUE.
// hModule and lpReserved are unused. The loader holds its internal lock while DllMain
// runs and the DllMain documentation lists calls that are not safe from here; confirm
// that a blocking UI call such as MessageBox is acceptable for this use.
DWORD APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
{
switch( ul_reason_for_call )
{
case DLL_PROCESS_ATTACH:
// hInstance = (HINSTANCE) hModule;
MessageBox( 0, "HOHOHOOHOHOHO!", "DLLHOOK", MB_OK );
return TRUE; // attach reported as successful after the box is dismissed
case DLL_PROCESS_DETACH:
break; // nothing to clean up
}
return TRUE;
}
После инъекции dll в процесс сама dll не запускается
На Windows 7 x64:
1) CreateRemoteThread( ... ) - error code 5 - Access is denied.
2) CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) -
error code 1300 - Not all privileges or groups referenced are assigned to the caller.
На Windows 7 x32:
2) CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) -
error code 1300 - Not all privileges or groups referenced are assigned to the caller.
Вот он код:
#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>
#include <shlwapi.h>
#include <iostream>
#include <conio.h>
using namespace std; // file-scope using-directive; cout/endl below rely on it
#pragma comment (lib, "Shlwapi.lib") // StrStrI() in GetPid() lives in Shlwapi
// Access mask naming the rights the cross-process calls in InjectDLL() need.
// It is defined but not referenced anywhere in this listing: InjectDLL() opens
// the target with PROCESS_ALL_ACCESS instead, which is a much broader request.
#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)
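// Returns true when the running OS is NT-based.
// GetVersion() sets the high-order bit of its result on the Windows 9x/Me family,
// so any value below 0x80000000 indicates an NT kernel. That bit is the only part
// of the result this function uses; the major/minor version bytes that the
// original computed were never read, so they are not extracted any more.
// Note: GetVersion() is deprecated on newer Windows releases and its reported
// version can depend on the application manifest; this check is only meaningful
// as an NT-vs-9x distinction.
bool IsWindowsNT()
{
    const DWORD version = GetVersion();
    return version < 0x80000000;
}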
// Attempts to make process ProcessID load DLL_NAME by allocating memory in the
// target, writing the path there and starting a remote thread at this process's
// LoadLibraryA address. This OpenProcess + VirtualAllocEx + WriteProcessMemory +
// CreateRemoteThread sequence is a well-known injection pattern that endpoint
// monitoring commonly alerts on.
// Return value: false only when ProcessID is 0. Otherwise true is returned even
// if every call below failed, because none of their results is checked, so callers
// cannot tell whether anything happened. errorType is written after each call
// and never read, so the error codes are discarded. buf is unused.
// DLL_NAME is passed to strlen() without a NULL check.
BOOL InjectDLL(DWORD ProcessID,char* DLL_NAME)
{
HANDLE Proc;
DWORD errorType;
char buf[50]={0};
LPVOID RemoteString, LoadLibAddy;
if(!ProcessID)
return false;
// PROCESS_ALL_ACCESS is requested although CREATE_THREAD_ACCESS above names the
// rights actually used. NULL on failure — not checked; the calls below then run
// with an invalid handle.
Proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);
errorType = GetLastError();
// Resolved in this process's kernel32; NULL on failure — not checked.
LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
errorType = GetLastError();
// NULL on failure — not checked.
RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(DLL_NAME), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
errorType = GetLastError();
// Return value ignored.
WriteProcessMemory(Proc, (LPVOID)RemoteString, DLL_NAME,strlen(DLL_NAME), NULL);
errorType = GetLastError();
// The thread HANDLE this returns is dropped without CloseHandle (handle leak),
// and a NULL result (thread not created) is not detected.
CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL);
errorType = GetLastError();
CloseHandle(Proc); // runs even when OpenProcess returned NULL
return true;
}
// Returns the process id of the first process in a Toolhelp snapshot whose image
// name contains procName. StrStrI() is a case-insensitive *substring* search, so
// "note" would match "notepad.exe" as well; the first match in snapshot order wins.
// Returns 0 when nothing matched or the snapshot could not be created (the
// `return false` below converts to 0, indistinguishable from "not found").
// The snapshot handle thSnapshot is never passed to CloseHandle on either path
// (handle leak). error is assigned from GetLastError() after each call and never
// read; note that a GetLastError() read after a call that succeeded may return a
// stale code left by an earlier API call.
DWORD GetPid(char *procName)
{
DWORD error;
PROCESSENTRY32 pe;
HANDLE thSnapshot;
BOOL retval, ProcFound = false;
thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
error = GetLastError();
if(thSnapshot == INVALID_HANDLE_VALUE)
{
cout << "Error: unable to create toolhelp snapshot" << endl;
// MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL);
return false; // 0 as a DWORD
}
pe.dwSize = sizeof(PROCESSENTRY32); // required before Process32First
error = GetLastError();
retval = Process32First(thSnapshot, &pe);
error = GetLastError();
while(retval)
{
if(StrStrI(pe.szExeFile, procName) )
{
ProcFound = true;
break;
}
retval = Process32Next(thSnapshot,&pe);
pe.dwSize = sizeof(PROCESSENTRY32);
}
if (!ProcFound) return 0; // snapshot handle still open here
return pe.th32ProcessID; // and here
}
// Finds a window by className/windowName, obtains the id of the process that owns
// it, then reads 4 bytes from *that process* at an address computed by the inline
// asm below and returns them as a "thread id".
// The asm takes fs:[0x18] (on 32-bit Windows this looks like the calling thread's
// TEB self-pointer) plus 36, i.e. an address inside this process's own TEB; reading
// the same numeric address in the target's address space has no defined meaning
// — TODO confirm what was intended. The process id that GetWindowThreadProcessId()
// produces (processId) is only used to open the handle, never returned, yet
// LoadDll() passes this function's result to InjectDLL() as a process id.
// The `_asm` block is 32-bit MSVC syntax and does not build for x64.
// Unchecked: FindWindow may return NULL; OpenProcess may return NULL; the
// ReadProcessMemory result is ignored, so threadID can be returned uninitialized.
// error is written after each call and never read.
DWORD GetTargetThreadIdFromWindow(char *className, char *windowName)
{
DWORD error;
HWND targetWnd;
HANDLE hProcess;
unsigned long processId, pTID, threadID;
targetWnd = FindWindow(className, windowName);
error = GetLastError();
GetWindowThreadProcessId(targetWnd, &processId); // return value (thread id) discarded
_asm {
mov eax, fs:[0x18]
add eax, 36
mov [pTID], eax
}
hProcess = OpenProcess(PROCESS_VM_READ, false, processId);
error = GetLastError();
ReadProcessMemory(hProcess, (const void *)pTID, &threadID, 4, NULL);
error = GetLastError();
CloseHandle(hProcess); // runs even when OpenProcess returned NULL
return threadID;
}
// Overload that locates the target by window name. procName and buf are unused.
// ProcID receives whatever GetTargetThreadIdFromWindow() read out of the target's
// memory — not the process id from GetWindowThreadProcessId() — and is then handed
// to InjectDLL() as a process id. InjectDLL() returns false only when ProcID is 0,
// so the "Injection successfull!" branch does not mean the DLL was loaded, and
// "Process located" is printed without the process having been located.
// Both branches block on _getch(); always returns true.
BOOL LoadDll(char *procName, char *dllName,char* windowName )
{
DWORD ProcID = 0;
char buf[50]={0};
ProcID = GetTargetThreadIdFromWindow( NULL, windowName );
if(!(InjectDLL(ProcID, dllName)))
{
cout << "Process located, but injection failed" << endl;
_getch();
}
else
{
cout << " Injection successfull!" << endl;
_getch();
}
// MessageBox(NULL, "Process located, but injection failed", "Loader", NULL);
return true;
}
// Overload that locates the target by image-name substring via GetPid().
// GetPid() returns 0 both for "not found" and for "snapshot failed", and that 0
// is the only value InjectDLL() rejects, so the failure branch (which calls
// exit(1) after a keypress) is reached only for those cases; every other outcome
// prints "Injection successfull!" regardless of whether the remote calls worked.
// The commented-out MessageBox sits between `}` and `else`; that is legal but easy
// to misread. Returns true when it returns at all.
BOOL LoadDll(char *procName, char *dllName)
{
DWORD ProcID = 0;
ProcID = GetPid(procName);
if(!(InjectDLL(ProcID, dllName)))
{
cout << "Process located, but injection failed" << endl;
_getch();
exit(1); // process terminates here; caller never sees a return value
} // MessageBox(NULL, "Process located, but injection failed", "Loader", NULL);
else
{
cout << " Injection successfull!" << endl;
_getch();
}
return true;
}
// Enables SE_DEBUG_NAME on the current process token.
// The lpszPriv parameter is accepted but ignored: LookupPrivilegeValue() below
// uses the SE_DEBUG_NAME constant directly, so the only call that behaves as its
// argument suggests is main()'s EnablePriv(SE_DEBUG_NAME).
// Failure handling: each failing step prints the error code, waits for a key and
// calls exit(1); nothing is reported back to the caller.
// Known gap: AdjustTokenPrivileges() returns nonzero even when the privilege was
// not actually enabled (the token does not hold it); the documented way to detect
// that is GetLastError() == ERROR_NOT_ALL_ASSIGNED after the call succeeds, which
// this function does not check, so the caller proceeds as if the privilege were on.
// The printf format strings read "%dn" here rather than "%d\n"; that looks like a
// backslash lost in the listing — verify against the real source.
// The /* ... */ block at the top is an earlier BOOL-returning version; dead text.
void EnablePriv(LPCSTR lpszPriv)
{
/* HANDLE hToken;
LUID luid;
TOKEN_PRIVILEGES tkprivs;
DWORD error;
ZeroMemory(&tkprivs, sizeof(tkprivs));
if(!OpenProcessToken(GetCurrentProcess(), (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY), &hToken)) return FALSE;
error = GetLastError();
if(!LookupPrivilegeValue(NULL, lpszPriv, &luid))
{
error = GetLastError();
CloseHandle(hToken);
return FALSE;
}
tkprivs.PrivilegeCount = 1;
tkprivs.Privileges[0].Luid = luid;
tkprivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
BOOL bRet = AdjustTokenPrivileges(hToken, FALSE, &tkprivs, sizeof(tkprivs), NULL, NULL);
error = GetLastError();
CloseHandle(hToken);
return bRet;*/
HANDLE hToken; /* process token */
TOKEN_PRIVILEGES tp; /* token privileges */
TOKEN_PRIVILEGES oldtp; /* old token privileges (room for exactly one entry) */
DWORD dwSize = sizeof (TOKEN_PRIVILEGES); /* in: size of oldtp; out: size needed */
LUID luid;
/* Enable SE_DEBUG_NAME on this process's token. (The original comment here
 * mentioned SE_SYSTEMTIME_NAME / SetSystemTime(); it was left over from the
 * sample this was adapted from and did not describe this code.)
 */
if (!OpenProcessToken (GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
&hToken))
{
printf ("OpenProcessToken() failed with code %dn", GetLastError());
_getch();
exit(1);
}
if (!LookupPrivilegeValue (NULL, SE_DEBUG_NAME, &luid)) /* lpszPriv is not used here */
{
printf ("LookupPrivilege() failed with code %dn", GetLastError());
CloseHandle (hToken);
_getch();
exit(1);
}
ZeroMemory (&tp, sizeof (tp));
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
/* Adjust Token privileges. A nonzero return does not prove the privilege was
 * enabled; ERROR_NOT_ALL_ASSIGNED is not checked after this call. */
if (!AdjustTokenPrivileges (hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES),
&oldtp, &dwSize))
{
printf ("AdjustTokenPrivileges() failed with code %dn", GetLastError());
CloseHandle (hToken);
_getch();
exit(1);
}
CloseHandle (hToken);
}
// Entry point: enables SE_DEBUG_NAME, then calls the GetPid()-based LoadDll()
// overload with a hard-coded process name and DLL path (nothing is taken from
// argv). Both string literals are bound to non-const char*; that conversion was
// deprecated in C++03 and removed in C++11, though some compilers still accept it
// with a warning. The DllName literal as shown has no path separators at all
// ("C:UsersPsycho..."); the backslashes were most likely lost when the listing
// was posted — verify against the real source before reading anything into it.
int main()
{
//Call
EnablePriv(SE_DEBUG_NAME);
char* ProcName = "notepad.exe"; // matched as a substring by GetPid()
char* DllName = "C:UsersPsychoDocumentsVisual Studio 2012ProjectsTestDebugMain.dll";
LoadDll( ProcName, DllName );
return 0;
}
#include <stdio.h>
#include <tlhelp32.h>
#include <shlwapi.h>
#include <iostream>
#include <conio.h>
using namespace std; // file-scope using-directive; cout/endl below rely on it
#pragma comment (lib, "Shlwapi.lib") // StrStrI() in GetPid() lives in Shlwapi
// Access mask naming the rights the cross-process calls in InjectDLL() need.
// It is defined but not referenced anywhere in this listing: InjectDLL() opens
// the target with PROCESS_ALL_ACCESS instead, which is a much broader request.
#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)
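// Returns true when the running OS is NT-based.
// GetVersion() sets the high-order bit of its result on the Windows 9x/Me family,
// so any value below 0x80000000 indicates an NT kernel. That bit is the only part
// of the result this function uses; the major/minor version bytes that the
// original computed were never read, so they are not extracted any more.
// Note: GetVersion() is deprecated on newer Windows releases and its reported
// version can depend on the application manifest; this check is only meaningful
// as an NT-vs-9x distinction.
bool IsWindowsNT()
{
    const DWORD version = GetVersion();
    return version < 0x80000000;
}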
// Attempts to make process ProcessID load DLL_NAME by allocating memory in the
// target, writing the path there and starting a remote thread at this process's
// LoadLibraryA address. This OpenProcess + VirtualAllocEx + WriteProcessMemory +
// CreateRemoteThread sequence is a well-known injection pattern that endpoint
// monitoring commonly alerts on.
// Return value: false only when ProcessID is 0. Otherwise true is returned even
// if every call below failed, because none of their results is checked, so callers
// cannot tell whether anything happened. errorType is written after each call
// and never read, so the error codes are discarded. buf is unused.
// DLL_NAME is passed to strlen() without a NULL check.
BOOL InjectDLL(DWORD ProcessID,char* DLL_NAME)
{
HANDLE Proc;
DWORD errorType;
char buf[50]={0};
LPVOID RemoteString, LoadLibAddy;
if(!ProcessID)
return false;
// PROCESS_ALL_ACCESS is requested although CREATE_THREAD_ACCESS above names the
// rights actually used. NULL on failure — not checked; the calls below then run
// with an invalid handle.
Proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);
errorType = GetLastError();
// Resolved in this process's kernel32; NULL on failure — not checked.
LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
errorType = GetLastError();
// NULL on failure — not checked.
RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(DLL_NAME), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
errorType = GetLastError();
// Return value ignored.
WriteProcessMemory(Proc, (LPVOID)RemoteString, DLL_NAME,strlen(DLL_NAME), NULL);
errorType = GetLastError();
// The thread HANDLE this returns is dropped without CloseHandle (handle leak),
// and a NULL result (thread not created) is not detected.
CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL);
errorType = GetLastError();
CloseHandle(Proc); // runs even when OpenProcess returned NULL
return true;
}
// Returns the process id of the first process in a Toolhelp snapshot whose image
// name contains procName. StrStrI() is a case-insensitive *substring* search, so
// "note" would match "notepad.exe" as well; the first match in snapshot order wins.
// Returns 0 when nothing matched or the snapshot could not be created (the
// `return false` below converts to 0, indistinguishable from "not found").
// The snapshot handle thSnapshot is never passed to CloseHandle on either path
// (handle leak). error is assigned from GetLastError() after each call and never
// read; note that a GetLastError() read after a call that succeeded may return a
// stale code left by an earlier API call.
DWORD GetPid(char *procName)
{
DWORD error;
PROCESSENTRY32 pe;
HANDLE thSnapshot;
BOOL retval, ProcFound = false;
thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
error = GetLastError();
if(thSnapshot == INVALID_HANDLE_VALUE)
{
cout << "Error: unable to create toolhelp snapshot" << endl;
// MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL);
return false; // 0 as a DWORD
}
pe.dwSize = sizeof(PROCESSENTRY32); // required before Process32First
error = GetLastError();
retval = Process32First(thSnapshot, &pe);
error = GetLastError();
while(retval)
{
if(StrStrI(pe.szExeFile, procName) )
{
ProcFound = true;
break;
}
retval = Process32Next(thSnapshot,&pe);
pe.dwSize = sizeof(PROCESSENTRY32);
}
if (!ProcFound) return 0; // snapshot handle still open here
return pe.th32ProcessID; // and here
}
// Finds a window by className/windowName, obtains the id of the process that owns
// it, then reads 4 bytes from *that process* at an address computed by the inline
// asm below and returns them as a "thread id".
// The asm takes fs:[0x18] (on 32-bit Windows this looks like the calling thread's
// TEB self-pointer) plus 36, i.e. an address inside this process's own TEB; reading
// the same numeric address in the target's address space has no defined meaning
// — TODO confirm what was intended. The process id that GetWindowThreadProcessId()
// produces (processId) is only used to open the handle, never returned, yet
// LoadDll() passes this function's result to InjectDLL() as a process id.
// The `_asm` block is 32-bit MSVC syntax and does not build for x64.
// Unchecked: FindWindow may return NULL; OpenProcess may return NULL; the
// ReadProcessMemory result is ignored, so threadID can be returned uninitialized.
// error is written after each call and never read.
DWORD GetTargetThreadIdFromWindow(char *className, char *windowName)
{
DWORD error;
HWND targetWnd;
HANDLE hProcess;
unsigned long processId, pTID, threadID;
targetWnd = FindWindow(className, windowName);
error = GetLastError();
GetWindowThreadProcessId(targetWnd, &processId); // return value (thread id) discarded
_asm {
mov eax, fs:[0x18]
add eax, 36
mov [pTID], eax
}
hProcess = OpenProcess(PROCESS_VM_READ, false, processId);
error = GetLastError();
ReadProcessMemory(hProcess, (const void *)pTID, &threadID, 4, NULL);
error = GetLastError();
CloseHandle(hProcess); // runs even when OpenProcess returned NULL
return threadID;
}
// Overload that locates the target by window name. procName and buf are unused.
// ProcID receives whatever GetTargetThreadIdFromWindow() read out of the target's
// memory — not the process id from GetWindowThreadProcessId() — and is then handed
// to InjectDLL() as a process id. InjectDLL() returns false only when ProcID is 0,
// so the "Injection successfull!" branch does not mean the DLL was loaded, and
// "Process located" is printed without the process having been located.
// Both branches block on _getch(); always returns true.
BOOL LoadDll(char *procName, char *dllName,char* windowName )
{
DWORD ProcID = 0;
char buf[50]={0};
ProcID = GetTargetThreadIdFromWindow( NULL, windowName );
if(!(InjectDLL(ProcID, dllName)))
{
cout << "Process located, but injection failed" << endl;
_getch();
}
else
{
cout << " Injection successfull!" << endl;
_getch();
}
// MessageBox(NULL, "Process located, but injection failed", "Loader", NULL);
return true;
}
// Overload that locates the target by image-name substring via GetPid().
// GetPid() returns 0 both for "not found" and for "snapshot failed", and that 0
// is the only value InjectDLL() rejects, so the failure branch (which calls
// exit(1) after a keypress) is reached only for those cases; every other outcome
// prints "Injection successfull!" regardless of whether the remote calls worked.
// The commented-out MessageBox sits between `}` and `else`; that is legal but easy
// to misread. Returns true when it returns at all.
BOOL LoadDll(char *procName, char *dllName)
{
DWORD ProcID = 0;
ProcID = GetPid(procName);
if(!(InjectDLL(ProcID, dllName)))
{
cout << "Process located, but injection failed" << endl;
_getch();
exit(1); // process terminates here; caller never sees a return value
} // MessageBox(NULL, "Process located, but injection failed", "Loader", NULL);
else
{
cout << " Injection successfull!" << endl;
_getch();
}
return true;
}
// Enables SE_DEBUG_NAME on the current process token.
// The lpszPriv parameter is accepted but ignored: LookupPrivilegeValue() below
// uses the SE_DEBUG_NAME constant directly, so the only call that behaves as its
// argument suggests is main()'s EnablePriv(SE_DEBUG_NAME).
// Failure handling: each failing step prints the error code, waits for a key and
// calls exit(1); nothing is reported back to the caller.
// Known gap: AdjustTokenPrivileges() returns nonzero even when the privilege was
// not actually enabled (the token does not hold it); the documented way to detect
// that is GetLastError() == ERROR_NOT_ALL_ASSIGNED after the call succeeds, which
// this function does not check, so the caller proceeds as if the privilege were on.
// The printf format strings read "%dn" here rather than "%d\n"; that looks like a
// backslash lost in the listing — verify against the real source.
// The /* ... */ block at the top is an earlier BOOL-returning version; dead text.
void EnablePriv(LPCSTR lpszPriv)
{
/* HANDLE hToken;
LUID luid;
TOKEN_PRIVILEGES tkprivs;
DWORD error;
ZeroMemory(&tkprivs, sizeof(tkprivs));
if(!OpenProcessToken(GetCurrentProcess(), (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY), &hToken)) return FALSE;
error = GetLastError();
if(!LookupPrivilegeValue(NULL, lpszPriv, &luid))
{
error = GetLastError();
CloseHandle(hToken);
return FALSE;
}
tkprivs.PrivilegeCount = 1;
tkprivs.Privileges[0].Luid = luid;
tkprivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
BOOL bRet = AdjustTokenPrivileges(hToken, FALSE, &tkprivs, sizeof(tkprivs), NULL, NULL);
error = GetLastError();
CloseHandle(hToken);
return bRet;*/
HANDLE hToken; /* process token */
TOKEN_PRIVILEGES tp; /* token privileges */
TOKEN_PRIVILEGES oldtp; /* old token privileges (room for exactly one entry) */
DWORD dwSize = sizeof (TOKEN_PRIVILEGES); /* in: size of oldtp; out: size needed */
LUID luid;
/* Enable SE_DEBUG_NAME on this process's token. (The original comment here
 * mentioned SE_SYSTEMTIME_NAME / SetSystemTime(); it was left over from the
 * sample this was adapted from and did not describe this code.)
 */
if (!OpenProcessToken (GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
&hToken))
{
printf ("OpenProcessToken() failed with code %dn", GetLastError());
_getch();
exit(1);
}
if (!LookupPrivilegeValue (NULL, SE_DEBUG_NAME, &luid)) /* lpszPriv is not used here */
{
printf ("LookupPrivilege() failed with code %dn", GetLastError());
CloseHandle (hToken);
_getch();
exit(1);
}
ZeroMemory (&tp, sizeof (tp));
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
/* Adjust Token privileges. A nonzero return does not prove the privilege was
 * enabled; ERROR_NOT_ALL_ASSIGNED is not checked after this call. */
if (!AdjustTokenPrivileges (hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES),
&oldtp, &dwSize))
{
printf ("AdjustTokenPrivileges() failed with code %dn", GetLastError());
CloseHandle (hToken);
_getch();
exit(1);
}
CloseHandle (hToken);
}
// Entry point: enables SE_DEBUG_NAME, then calls the GetPid()-based LoadDll()
// overload with a hard-coded process name and DLL path (nothing is taken from
// argv). Both string literals are bound to non-const char*; that conversion was
// deprecated in C++03 and removed in C++11, though some compilers still accept it
// with a warning. The DllName literal as shown has no path separators at all
// ("C:UsersPsycho..."); the backslashes were most likely lost when the listing
// was posted — verify against the real source before reading anything into it.
int main()
{
//Call
EnablePriv(SE_DEBUG_NAME);
char* ProcName = "notepad.exe"; // matched as a substring by GetPid()
char* DllName = "C:UsersPsychoDocumentsVisual Studio 2012ProjectsTestDebugMain.dll";
LoadDll( ProcName, DllName );
return 0;
}
Спасибо за ответ.