Part 5: Hooking Task Manager — the second injection method

Source: Internet
Author: User

Complete code of the injector EXE:

// Injector EXE: loads ApiHook.dll into this process and calls its exported
// Starthook() so the DLL can register the message hook described in the DLL
// listing.
// NOTE(review): this listing was extracted from a web page with line breaks
// and letter case mangled (e.g. "Hmodule hmodule", "= =null"); tokens are
// kept verbatim below and only the comments were rewritten, so read it as
// pseudocode rather than compilable source.
#include "stdafx.h"
// Signature of the DLL's Starthook export (the trailing ',' is an extraction artifact).
typedef BOOL (*starthook) (),
int apientry WinMain (hinstance hinstance, hinstance hprevinstance, LPSTR lpcmdline, int ncmdshow)
{
    // Load the hook DLL by a relative name.
    // NOTE(review): which file is loaded depends on the loader's DLL search
    // order, not on a fixed path — worth pinning to an absolute path.
    Hmodule hmodule=loadlibrary ("ApiHook.dll");
    if (hmodule= =null) {return 0;}
    // Resolve the Starthook export by name.
    Starthook newstarthook= (starthook) GetProcAddress (hmodule, "Starthook");
    if (newstarthook==null) { return 0;}
    // Ask the DLL to install its hook. See the DLL's Starthook for what the
    // return value actually reflects (it does not check SetWindowsHookEx).
    BOOL Bret=newstarthook ();
    if (BRet) {MessageBox (NULL, "Hook installation succeeded", "Sethook", 0);}
    Else{messagebox (NULL, "Hook installation Failed", "Sethook", 0); return 0;}
    // Never exits: keeps this process (and so the installing thread) resident,
    // presumably so the hook stays registered.
    for (;;) {Sleep (10000);}
    return 0;
}

  

Complete code of the DLL:

// ApiHook.cpp : Defines the entry point for the DLL application.
//
// Hooks OpenProcess through the import address table (IAT) of the main
// module of whichever process this DLL is loaded into: OpenProcess on the
// PID of "SetHook.exe" then returns 0 (no handle), everything else is passed
// through to the original. Starthook() registers a WH_GETMESSAGE hook with
// this DLL as the hook module, which is what gets the DLL loaded into other
// processes (the "injection" of the page title) and runs DllMain there.
//
// Defensive reading: an IAT patch of this kind is visible by comparing each
// IAT slot with the address the exporting module's export table gives for
// that function (nothing here touches the export table); the message hook is
// visible as an image load of this DLL in processes it does not belong to.
//
// NOTE(review): the listing is extraction-mangled (line breaks lost, letter
// case folded, HTML entities such as "&AMP;"/"&GT;" left in, some braces and
// semicolons missing). Tokens are kept verbatim below and only the comments
// were rewritten; treat it as pseudocode.
#include "stdafx.h"
#include <tlhelp32.h>
#include <stdio.h>

dword* lpaddr;                       // address of the IAT slot last visited by Apihook(); read in DllMain() on detach
PROC Oldproc = (PROC) openprocess;   // original OpenProcess: pass-through target and restore value
HINSTANCE g_hinstance = NULL;        // this DLL's module handle (set in DllMain), passed to SetWindowsHookEx
Hhook G_hhook = NULL;                // handle of the installed WH_GETMESSAGE hook, NULL when none
typedef HANDLE (__stdcall *openprocess) (Dword,bool,dword); // OpenProcess signature used to call Oldproc

// Return the PID of the first running process whose image name equals
// processname (case-insensitive compare), 0 (FALSE) if none matches or the
// snapshot could not be taken.
// NOTE(review): the "found" path returns from inside the loop, so the
// snapshot handle is only closed when the loop runs to the end.
DWORD GetProcessID (char *processname)
{
    PROCESSENTRY32 pe32;
    pe32.dwsize=sizeof (PE32);
    // Snapshot of all processes in the system
    handle Hprocesssnap=createtoolhelp32snapshot (th32cs_snapprocess,0);
    if (Hprocesssnap==invalid_handle_value) {return FALSE ;}
    // Walk the enumeration starting from the first process
    bool Bprocess=process32first (HPROCESSSNAP,&AMP;PE32),
    while (bprocess) {
        // Compare this entry's image name with the name to protect
        if ( STRICMP (pe32.szexefile,processname) ==0) {
            // Match: return this process's ID
            return pe32.th32processid;
        }
        Bprocess=process32next (HPROCESSSNAP,&AMP;PE32);
    }
    CloseHandle (HPROCESSSNAP);
    // Not found
    return 0;
}

// Replacement for OpenProcess. If dwprocessid is the PID of "SetHook.exe" the
// call fails with 0 (no handle); any other PID is forwarded to the original
// OpenProcess via Oldproc. Every call pays for a full process snapshot in
// GetProcessID().
HANDLE __stdcall Myopenprocess (DWORD dwdesiredaccess, BOOL bInheritHandle, DWORD dwprocessid)
{
    // Look up the ID of the process to protect and compare it with the request
    IF ( GetProcessID ("SetHook.exe") ==dwprocessid) return 0;
    // Otherwise execute the real OpenProcess and return its result
    return (OPENProcess) (Oldproc) (dwDesiredAccess, bInheritHandle, dwprocessid);
}

// Patch the IAT of the current process's main module (GetModuleHandle(NULL)):
// every slot in the dllname import block that holds oldfunaddr is overwritten
// with newfunaddr. Only this one module's IAT is touched. Always returns 0.
// NOTE(review): if no descriptor's name matches dllname the loop ends on the
// terminating (zero) descriptor and the thunk walk starts at firstthunk 0;
// the VirtualProtect/WriteProcessMemory results are not checked and the old
// page protection is never restored; lpaddr is reassigned on every
// iteration, so after the loop it points at the last slot walked, not
// necessarily the patched one.
int Apihook (char *dllname,        // dll file name
             PROC oldfunaddr,      // the function address to hook
             PROC newfunaddr       // the address of the replacement function
             )
{
    // Base address of the process's main module
    hmodule LPBA SE = GetModuleHandle (NULL);
    Image_dos_header *dosheader;
    image_nt_headers *ntheader;
    image_import_by_name *ImportName ;   // declared but never used
    // DOS header sits at the module base
    dosheader= (image_dos_header*) lpbase;
    // PE (NT) headers follow at e_lfanew
    ntheader= (image_nt_headers32*) ((byte*) lpbase+dosheader- >e_lfanew);
    // Import table from the optional header's data directory
    Image_import_descriptor *pimportdesc= (image_import_descriptor*) ((byte*) lpBase+ntHeader- >optionalheader.datadirectory[image_directory_entry_import]. virtualaddress);
    // Walk the IMAGE_IMPORT_DESCRIPTOR array looking for the dllname entry
    while (Pimportdesc->firstthunk) {
        // Name of the imported DLL
        char* Pszdllname = ( char*) ((byte*) lpbase + pimportdesc->name);
        // Stop at the DLL that exports the function being hooked
        if (Lstrcmpia (pszdllname, DllName) = = 0) {break;}
        pimportdesc++;
    }
    // FirstThunk points at the IMAGE_THUNK_DATA array holding the resolved
    // function addresses, i.e. the IAT proper (an opening '(' is missing
    // in the extraction)
    image_thunk_data* Pthunk = (image_thunk_data*) (byte*) Lpbase + pimportdesc->firstthunk);
    // Traverse this DLL's IAT entries
    while (pthunk->u1. Function) {
        lpaddr = (dword*) & (PTHUNK-&GT;U1. function);
        // Is this the slot holding the function to hook?
        if (*LPADDR = = (DWORD) oldfunaddr) {
            DWORD dwoldprotect;
            // Make the IAT page writable
            VirtualProtect (lpaddr, sizeof ( DWORD), Page_readwrite, &dwoldprotect);
            // Overwrite the slot with the address of the replacement function
            WriteProcessMemory (GetCurrentProcess (), LPADDR, &newfunaddr, sizeof (DWORD), NULL);
        }
        pthunk++;
    }
    return 0;
}

// WH_GETMESSAGE hook procedure. Does no work of its own; it exists so that
// SetWindowsHookEx has a procedure in this DLL to register, which is what
// causes the DLL to be mapped into the hooked processes.
LRESULT CALLBACK HookProc (int nCode, WPARAM WPARAM, LPARAM LPARAM)
{
    // Pass the message on to the next hook in the chain
    return CallNextHookEx (G_hhook, NCode, WParam, LParam);
}

// Exported entry called by the injector EXE. Installs a WH_GETMESSAGE hook
// with this DLL as the hook module and NULL as the thread id. Returns FALSE
// only when a hook is already installed; it returns TRUE without checking
// SetWindowsHookEx's result, so G_hhook may still be NULL afterwards.
BOOL Starthook ()
{
    if (g_hhook!=null) return false;
    // Install the hook
    G_hhook = SetWindowsHookEx (Wh_getmessage, HookProc, g_hinstance , NULL);
    return TRUE;
}

// DLL entry point. On process attach: patch OpenProcess in that process's
// main-module IAT. On process detach: write Oldproc back into the slot that
// lpaddr refers to (see the Apihook note on what that slot is) and remove the
// message hook if this copy of the DLL installed one.
// NOTE(review): the closing brace of the switch is missing in the extraction
// and the WriteProcessMemory/Apihook results are not checked.
bool apientry DllMain (HANDLE hmodule, DWORD Ul_reason_for_call, LPVOID LP Reserved)
{
    g_hinstance = (hinstance) hmodule;
    switch (ul_reason_for_call) {
    case dll_process_attach:
        // When the DLL is loaded, hook the OpenProcess function
        Apihook ("kernel32.dll", Oldproc, (PROC) myopenprocess)
        break;
    case dll_process_detach:
        // When the DLL is unloaded, restore the OpenProcess function
        WriteProcessMemory (getcurrentpRocess (), lpaddr, &oldproc, sizeof (DWORD), null),
        if (g_hhook! = NULL) UnhookWindowsHookEx (G_hhook);
    return TRUE;
}

  

