#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <tchar.h>
/*
 * 8-byte stub that main() writes over the CreateFileW entry point:
 *   B8 imm32   mov eax, imm32   (imm32 is overwritten by main() with the
 *                                address of MyCreateFile; 0x00400000 is only
 *                                a placeholder)
 *   FF E0      jmp eax
 *   00         padding
 * The stub carries a 32-bit absolute address, so it is only meaningful in a
 * 32-bit process.
 */
BYTE NewBytes[8] = { 0xB8, 0x00, 0x00, 0x40, 0x00, 0xFF, 0xE0, 0x00 };

/* Genuine first 8 bytes of CreateFileW, captured by main() before patching and
 * restored by MyCreateFile whenever the real function has to be called. */
BYTE OldBytes[8] = { 0 };

/* Address of kernel32!CreateFileW, resolved by main(). */
FARPROC CreateFile_Addr;
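/*
 * Replacement for kernel32!CreateFileW, reached through the 8-byte
 * "mov eax, imm32; jmp eax" stub that main() writes over the real entry point.
 *
 * Parameters and return value are those of CreateFileW. The hooked export is
 * CreateFileW, so lpFileName is always a wide string regardless of whether
 * UNICODE is defined; the parameter is therefore typed LPCWSTR (identical to
 * LPCTSTR in a UNICODE build) and the genuine function is called as
 * CreateFileW explicitly.
 *
 * The real function is reached by temporarily restoring its original bytes
 * (OldBytes) and re-applying the stub (NewBytes) afterwards. Limitations of
 * this demo design:
 *  - not thread-safe: another thread entering CreateFileW while the bytes are
 *    restored bypasses the hook, and a thread executing the patched prologue
 *    while it is being rewritten will fault;
 *  - while the stub is in place every CreateFileW call in the process lands
 *    here again, so nothing that might call CreateFileW may run before the
 *    restore below.
 * GetLastError() on return reflects the CreateFileW call, not the bookkeeping
 * done around it.
 */
HANDLE WINAPI MyCreateFile(
    __in LPCWSTR lpFileName,
    __in DWORD dwDesiredAccess,
    __in DWORD dwShareMode,
    __in LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    __in DWORD dwCreationDisposition,
    __in DWORD dwFlagsAndAttributes,
    __in HANDLE hTemplateFile
    )
{
    /* GetCurrentProcess() is the pseudo-handle the original passed as
     * INVALID_HANDLE_VALUE; spelling it out documents the intent. */
    HANDLE hProcess = GetCurrentProcess();
    HANDLE hFile = INVALID_HANDLE_VALUE;
    DWORD lastError;

    /* Put the genuine prologue back before doing anything else: until this
     * succeeds, any CreateFileW call (including from MessageBox/printf below)
     * re-enters this function. */
    if (!WriteProcessMemory(hProcess, (void *)CreateFile_Addr, OldBytes,
                            sizeof OldBytes, NULL)) {
        /* The real function is unreachable; fail the way CreateFileW fails,
         * leaving WriteProcessMemory's last-error code for the caller. */
        return INVALID_HANDLE_VALUE;
    }

    MessageBox(0, TEXT("MyCreateFile"), 0, 0);
    /* lpFileName is not guaranteed non-NULL by the caller; don't pass NULL to
     * printf. */
    printf("lpFileName is %ls\n", lpFileName ? lpFileName : L"(null)");

    /* Call the genuine function now that its first bytes are intact. */
    hFile = CreateFileW(lpFileName, dwDesiredAccess, dwShareMode,
                        lpSecurityAttributes, dwCreationDisposition,
                        dwFlagsAndAttributes, hTemplateFile);
    /* The calls below may overwrite the last-error code CreateFileW set;
     * callers expect GetLastError() to describe the CreateFileW result. */
    lastError = GetLastError();

    /* Re-arm the hook. A failure here leaves CreateFileW unhooked for the
     * rest of the process lifetime, so report it instead of hiding it. */
    if (!WriteProcessMemory(hProcess, (void *)CreateFile_Addr, NewBytes,
                            sizeof NewBytes, NULL)) {
        printf("WriteProcessMemory (re-hook) error %lu\n", GetLastError());
    }

    SetLastError(lastError);
    return hFile;
}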
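/* Print `label is ` followed by each byte as two hex digits, so bytes below
 * 0x10 are not ambiguous in the output. */
static void print_bytes(const char *label, const BYTE *bytes, size_t n)
{
    size_t i;

    printf("%s is ", label);
    for (i = 0; i < n; i++) {
        printf("%02x", bytes[i]);
    }
    printf("\n");
}

/*
 * Demo driver: installs an in-process inline hook on kernel32!CreateFileW,
 * then launches notepad via ShellExecuteEx so that any CreateFileW call
 * ShellExecuteEx makes from *this* process passes through MyCreateFile.
 * Only this process's mapping of kernel32 is patched; notepad runs in its own
 * process and is not affected. The patch is removed again before returning.
 *
 * The stub in NewBytes is "mov eax, imm32; jmp eax", which can only hold a
 * 32-bit address, so the program refuses to run as a 64-bit build instead of
 * silently truncating the pointer.
 *
 * Returns 0 on success and 1 on any setup failure; on failure nothing is
 * left patched.
 */
int main(void)
{
    HANDLE hProcess = GetCurrentProcess();
    HMODULE hModule_Kernel32;
    DWORD target;
    /* Zero-initialise so the members not set below (lpIDList, lpClass,
     * hkeyClass, dwHotKey, hIcon, hProcess) are NULL/0 as the API expects. */
    SHELLEXECUTEINFO ShExecInfo = { 0 };
    TCHAR pszParseName[MAX_PATH] = TEXT("C:\\Windows\\System32\\notepad.exe");
    int rc = 0;

    if (sizeof(void *) != sizeof(DWORD)) {
        printf("this hook stub is 32-bit only\n");
        return 1;
    }

    /* kernel32 is already mapped in every process; this only yields its
     * module handle. */
    hModule_Kernel32 = LoadLibrary(TEXT("Kernel32.dll"));
    if (hModule_Kernel32 == NULL) {
        printf("LoadLibrary error %lu\n", GetLastError());
        return 1;
    }
    CreateFile_Addr = GetProcAddress(hModule_Kernel32, "CreateFileW");
    if (CreateFile_Addr == NULL) {
        printf("GetProcAddress error %lu\n", GetLastError());
        return 1;
    }
    /* %p rather than %x: %x with a pointer argument is undefined and would
     * truncate on a 64-bit build. */
    printf("CreateFileW_Addr is %p\n", (void *)CreateFile_Addr);
    printf("MyCreateFile Addr is %p\n", (void *)MyCreateFile);

    /* Save the genuine first 8 bytes so MyCreateFile can restore them and so
     * they can be put back before exit. */
    if (!ReadProcessMemory(hProcess, CreateFile_Addr, OldBytes,
                           sizeof OldBytes, NULL)) {
        printf("ReadProcessMemory error %lu\n", GetLastError());
        return 1;
    }
    print_bytes("OldBytes", OldBytes, sizeof OldBytes);

    /* Fill the stub's imm32 with the address of MyCreateFile. memcpy rather
     * than a DWORD store through the BYTE array: the target is unaligned and
     * the aliasing is not defined. */
    target = (DWORD)(DWORD_PTR)MyCreateFile;
    memcpy(NewBytes + 1, &target, sizeof target);
    print_bytes("NewBytes", NewBytes, sizeof NewBytes);

    /* Install the hook. From here on every CreateFileW call in this process
     * goes through MyCreateFile. */
    if (!WriteProcessMemory(hProcess, CreateFile_Addr, NewBytes,
                            sizeof NewBytes, NULL)) {
        printf("WriteProcessMemory error %lu\n", GetLastError());
        return 1;
    }

    /* Exercise the hook. A direct CreateFileW call from here would be the
     * simplest trigger; ShellExecuteEx runs in this process too, so whatever
     * CreateFileW calls it makes on the way to starting notepad are
     * intercepted as well. */
    ShExecInfo.cbSize = sizeof(SHELLEXECUTEINFO);
    ShExecInfo.fMask = SEE_MASK_WAITFORINPUTIDLE | SEE_MASK_NOCLOSEPROCESS;
    ShExecInfo.lpFile = pszParseName;
    ShExecInfo.nShow = SW_SHOWNORMAL;
    if (!ShellExecuteEx(&ShExecInfo)) {
        printf("ShellExecuteEx error %lu\n", GetLastError());
        rc = 1;
    } else if (ShExecInfo.hProcess != NULL) {
        /* hProcess is only valid with SEE_MASK_NOCLOSEPROCESS and a
         * successful launch; never wait on an unset handle. */
        WaitForSingleObject(ShExecInfo.hProcess, INFINITE);
        CloseHandle(ShExecInfo.hProcess);
    }

    /* Undo the patch so kernel32's image is left as it was found, whatever
     * happened above. */
    if (!WriteProcessMemory(hProcess, CreateFile_Addr, OldBytes,
                            sizeof OldBytes, NULL)) {
        printf("WriteProcessMemory (unhook) error %lu\n", GetLastError());
        rc = 1;
    }
    return rc;
}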