<title>Hijack system process prohibit open any process (5)</title> The Windows process-creation function:
This function is hijacked by code injected into the explorer.exe process.
Now test by injecting into Evernote:
#include<stdio.h>#include<windows.h>#include<string.h>#include"Detours.h"#pragma Comment (Lib ,"Detours.lib" )
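/*
 * Pointer through which the real CreateProcessW can still be reached.
 * It starts out addressing the API itself; DetourAttach() in Hook() rewrites
 * it so that, once the hook is installed, it addresses the Detours trampoline
 * into the unpatched code. The replacement function on this page never calls
 * through it, so nothing routed through the hooked import reaches the API.
 */
BOOL (WINAPI *OLDCREATEPROCESSW)(
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation) = CreateProcessW;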
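/*
 * Replacement for CreateProcessW, installed by Hook().
 *
 * Every parameter is ignored: the function shows a message box and returns
 * FALSE without forwarding to the original through OLDCREATEPROCESSW, so any
 * caller in this process that goes through the hooked entry gets a failure
 * and no process is created.
 *
 * Educational notes:
 *  - This is a user-mode patch of one entry point inside one process. It is
 *    not a security boundary: other processes, and code that does not pass
 *    through the patched entry, are unaffected.
 *  - Inline patches of this kind are exactly what hook-scanning / integrity
 *    tools look for (the patched API's code bytes no longer match the image).
 *  - No last-error code is set before returning FALSE, so a caller that
 *    queries GetLastError() sees whatever value was previously set.
 */
BOOL WINAPI NEWCREATEPROCESSW(
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation)
{
    MessageBoxA(0, "The system process has been hijacked!", "System Warning", 0);
    return FALSE;
}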
void Hook (){
Detourrestoreafterwith (); //Return to its original state,Detourtransactionbegin (); //Intercept startDetourupdatethread (GetCurrentThread ()); //Refresh current threadDetourattach (( void * *) &OLDCREATEPROCESSW, NEWCREATEPROCESSW); //Implement function interceptiondetourtransactioncommit (); //interception takes effect
}
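/*
 * Remove the CreateProcessW detour installed by Hook(), so later calls in
 * this process reach the real API again.
 *
 * As in Hook(), the LONG returned by DetourTransactionCommit() is discarded,
 * so a failed detach goes unnoticed.
 */
void unhook(void)
{
    DetourTransactionBegin();                   // Intercept start
    DetourUpdateThread(GetCurrentThread());     // Refresh current thread
    DetourDetach((void **)&OLDCREATEPROCESSW, NEWCREATEPROCESSW); // Undo Intercept function
    DetourTransactionCommit();                  // the detach takes effect
}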
/*
 * Exported entry point; how and by what it is invoked is not shown on this
 * page. It announces itself with a message box, calls Hook() repeatedly in a
 * loop with a Sleep() between iterations, and finally removes the hook with
 * unhook().
 *
 * NOTE(review): the loop bound after `<` and the argument of Sleep() were
 * lost when this page was rendered ("while (i++ <)" and "Sleep (+)"), and the
 * quoting of the MessageBox string arguments is garbled; the line below is
 * kept verbatim and does not compile as written.
 * NOTE(review): every iteration calls Hook(), which attaches the same detour
 * again through a pointer DetourAttach() has already rewritten; whether
 * Detours tolerates that is not established here -- confirm before relying
 * on this loop.
 * NOTE(review): `_declspec` and `messageboxa` look case-mangled; the usual
 * Win32 spellings are `__declspec(dllexport)` and `MessageBoxA`.
 */
_declspec(dllexport ) void Go () {messageboxa (0, "System process hijacking succeeded!" " , "System Information" , 0); int i = 0; while (i++ <) {Hook ();Sleep (+); }unhook ();}
Hijacking success:
When you open the Help guide: