EXE injection program complete code:
#include "stdafx.h"
#include <tlhelp32.h>
#include <stdio.h>
int Enabledebugpriv (const char * name)
{
HANDLE Htoken;
token_privileges tp;
LUID LUID;
//Open process Token Ring
if (! OpenProcessToken (GetCurrentProcess (),
token_adjust_privileges| Token_query,
&htoken))
{
printf ("OpenProcessToken error\n");
return 1;
}
//Get process local unique ID
if (! Lookupprivilegevalue (null,name,&luid))
{
printf ("Lookupprivilege error!\n");
}
TP. Privilegecount = 1;
TP. Privileges[0]. Attributes =se_privilege_enabled;
TP. Privileges[0]. Luid = Luid;
//Adjust process permissions
if (! AdjustTokenPrivileges (Htoken,0,&tp,sizeof (token_privileges), null,null))
{
printf ("AdjustTokenPrivileges error!\n");
return 1;
}
return 0;
}
BOOL injectdll (const char *dllfullpath, const DWORD DWREMOTEPROCESSID)
{
HANDLE hremoteprocess;
Get Debug permissions
if (Enabledebugpriv (se_debug_name))
{
printf ("Add privilege Error");
return FALSE;
}
Open Target Process
if ((Hremoteprocess=openprocess (PROCESS_ALL_ACCESS,FALSE,DWREMOTEPROCESSID)) ==null)
{
printf ("OpenProcess error\n");
return FALSE;
}
Char *pszlibfileremote;
The path where the DLL file name is requested
Pszlibfileremote= (char *) VirtualAllocEx (hremoteprocess,
NULL, Lstrlen (Dllfullpath) +1,
Mem_commit, Page_readwrite);
if (pszlibfileremote==null)
{
printf ("VirtualAllocEx error\n");
return FALSE;
}
Writes the full path of the DLL to memory,
if (WriteProcessMemory (hremoteprocess,
Pszlibfileremote, (void *) Dllfullpath,lstrlen (dllfullpath) +1,null) = = 0)
{
printf ("WriteProcessMemory error\n");
return FALSE;
}
Get LoadLibraryA function Address
Pthread_start_routine pfnstartaddr= (Pthread_start_routine)
GetProcAddress (GetModuleHandle (TEXT ("Kernel32")), "LoadLibraryA");
if (pfnstartaddr = = NULL)
{
printf ("GetProcAddress error\n");
return FALSE;
}
HANDLE Hremotethread;
Starting a remote thread
if (Hremotethread = CreateRemoteThread (hremoteprocess,null,0,
pfnstartaddr,pszlibfileremote,0,null)) ==null)
{
printf ("CreateRemoteThread error\n");
return FALSE;
}
return TRUE;
}
DWORD GetProcessID (char *processname)
{
PROCESSENTRY32 pe32;
Pe32.dwsize=sizeof (PE32);
//Get all process snapshots within the system
HANDLE hprocesssnap=createtoolhelp32snapshot (th32cs_snapprocess,0);
if (Hprocesssnap==invalid_handle_value)
{
printf ("CreateToolhelp32Snapshot error");
return 0;
}
//The first process in the enumeration list
BOOL Bprocess=process32first (hprocesssnap,&pe32);
while (bprocess)
{
//compares the process name found with the process name we are looking for, returns the process ID
if (strcmp (STRUPR (Pe32.szexefile), STRUPR (ProcessName) ) ==0)
return pe32.th32processid;
Continue to find
Bprocess=process32next (hprocesssnap,&pe32);
}
CloseHandle (HPROCESSSNAP);
return 0;
}
int Apientry WinMain (hinstance hinstance,
HInstance hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
Char selfpath[256];
Char syspath[256];
GetCurrentDirectory (256,selfpath);
strcat (Selfpath, "\\SimpleHook.dll");
GetSystemDirectory (syspath,256);
strcat (Syspath, "\\SimpleHook.dll");
CopyFile (Selfpath,syspath,false);
DWORD pid=getprocessid ("Taskmgr.exe");
Injectdll ("SimpleHook.dll", Pid);
return 0;
}
DLL Program complete code:
SimpleHook.cpp:Defines the entry point for the DLL application.
//
#include "stdafx.h"
dword* lpaddr;
PROC Oldproc;
BOOL __stdcall myterminateprocess (HANDLE hprocess,uint uexitcode)
{
MessageBox (NULL, "Can't finish the process", "API HOOK", 0);
return 0;
}
int Apihook (char *dllname,//dll file name
PROC oldfunaddr,//The function address to hook
PROC newfunaddr//we made enough. function address
)
{
Get the base address of the function process module, that is, with our last class
LPVOID Lpbase=mapviewoffile (hmap,file_map_read,0,0,0); Returns a memory file mapping handle
Hmodule lpbase = GetModuleHandle (NULL);
Image_dos_header *dosheader;
Image_nt_headers *ntheader;
Image_import_by_name *importname;
Position to DOS header
Dosheader= (image_dos_header*) lpbase;
Positioning to PE head
Ntheader= (image_nt_headers32*) ((byte*) lpbase+dosheader->e_lfanew);
Navigate to Import Table
Image_import_descriptor *pimportdesc= (image_import_descriptor*) (byte*) lpbase+ntheader-> Optionalheader.datadirectory[image_directory_entry_import]. virtualaddress);
Looping through an array of image_import_descriptor mechanisms
while (Pimportdesc->firstthunk)
{
Get DLL file name
char* pszdllname = (char*) ((byte*) lpbase + pimportdesc->name);
Compare the resulting DLL file name with the same DLL as the hook function
if (Lstrcmpia (pszdllname, DllName) = = 0)
{
Break
}
pimportdesc++;
}
Navigate to the Image_thunk_data that the Firstthunk parameter points to, at which point the structure is already the function entry address.
image_thunk_data* Pthunk = (image_thunk_data*)
((byte*) lpbase + pimportdesc->firstthunk);
Traverse this part of the IAT table
while (PTHUNK->U1. Function)
{
Lpaddr = (dword*) & (PTHUNK->U1. function);//Get the address of the entry point for the API functions we want to hook in the IAT table
Compare function addresses are the same
if (*lpaddr = = (DWORD) oldfunaddr)
{
DWORD Dwoldprotect;
Modifying memory inclusion Properties
VirtualProtect (lpaddr, sizeof (DWORD), Page_readwrite, &dwoldprotect);
The entry point address of the API function is changed to the address of the function we constructed.
WriteProcessMemory (GetCurrentProcess (), lpaddr, &newfunaddr, sizeof (DWORD), NULL);
}
pthunk++;
}
return 0;
}
BOOL apientry DllMain (HANDLE hmodule,
DWORD Ul_reason_for_call,
LPVOID lpreserved
)
{
Switch (Ul_reason_for_call)
{
Case Dll_process_attach:
Get TerminateProcess function Address
Oldproc = (PROC) terminateprocess;
Positioning, modifying the IAT table
Apihook ("Kernel32.dll", Oldproc, (PROC) myterminateprocess);
Break
Case Dll_process_detach:
Restore the entry point address of an API function in the IAT table
WriteProcessMemory (GetCurrentProcess (), lpaddr, &oldproc, sizeof (DWORD), NULL);
Break
}
return TRUE;
}
4th: HOOK Task Manager cannot end process