Windows 回調監控 <二>


在之前的文章Windows 回調監控 <一> 總結了關於CreateProcessNotify,CreateProcessNotifyEx和LoadImageNotify一些用法,之後產生了一個思路,既然在進程建立的時候載入.exe檔案會執行我們的回呼函數,那麼如果在我們回呼函數之中對記憶體中的.exe檔案的匯入表增加一個項,這樣進程會不會載入我們事先準備好的.dll檔案,如果成功載入我們的dll話,就注入成功了。  

/*
 * Windows kernel driver listing from the article (LoadImage.h followed by
 * LoadImage.c, shown back-to-back).  It registers a load-image notify routine
 * and, when a process whose image name contains "cc.exe" maps its own
 * executable, rewrites that image's in-memory import directory so that an
 * extra descriptor naming "test.dll" appears first.  Rewriting mapped PE
 * headers from kernel mode, together with clearing CR0.WP below, is the kind
 * of tampering that image-load telemetry and in-memory integrity checks are
 * designed to surface.
 */

/* ---- LoadImage.h ---- */
#pragma once
#include <ntifs.h>
#include <ntimage.h>
#include <WINDEF.H>

/* Clear / restore the CR0.WP bit (definitions below).  Both use the
 * file-scope Irql global to carry the saved IRQL between the two calls. */
VOID WPOFF();
VOID WPON();

/* DriverUnload callback: unregisters the load-image notify routine. */
VOID UnloadDriver(PDRIVER_OBJECT DriverObject);

/* PLOAD_IMAGE_NOTIFY_ROUTINE callback registered in DriverEntry. */
VOID LoadImageNotifyRoutine(PUNICODE_STRING FullImageName,HANDLE  ProcessId,PIMAGE_INFO  ImageInfor);

/* Not declared by the WDK headers; declared by hand so the driver links
 * against the kernel export.  NOTE(review): presumably returns the short
 * ImageFileName field of EPROCESS rather than a full path — confirm its
 * length limit before relying on a substring match on it. */
extern CHAR*  PsGetProcessImageFileName(PEPROCESS EProcess);

/* Converts a UNICODE_STRING to an ANSI C string in szDest (unbounded copy;
 * see the definition at the end of the file). */
VOID UnicodeToChar(PUNICODE_STRING uniSource, CHAR *szDest);

/* ---- LoadImage.c ---- */
#include "LoadImage.h"

/* Original import descriptor array of the patched image; written in the
 * callback, never read back anywhere in this file. */
PIMAGE_IMPORT_DESCRIPTOR g_OldImportDesc;
/* IRQL saved by WPOFF() and restored by WPON().  A single global with no
 * lock: callbacks running concurrently on other CPUs would overwrite it. */
KIRQL Irql;
/* EPROCESS of the process whose image headers were patched, and its id. */
PEPROCESS g_TargetProcess;
HANDLE    g_TargetProcessId;

/*
 * Driver entry point.  Installs UnloadDriver and registers
 * LoadImageNotifyRoutine.  RegisterPath is unused.
 *
 * The return value of PsSetLoadImageNotifyRoutine is not checked, so a
 * registration failure still reports STATUS_SUCCESS, and UnloadDriver later
 * tries to remove a routine that was never installed.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath)
{
    DbgPrint("驅動載入\r\n");
    DriverObject->DriverUnload = UnloadDriver;
    PsSetLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)LoadImageNotifyRoutine);
    return STATUS_SUCCESS;
}

/* Unload: unregister the notify routine (return value not checked). */
VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
{
    PsRemoveLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)LoadImageNotifyRoutine);
    DbgPrint("驅動卸載\r\n");
}

/*
 * Load-image notify callback.  Acts only when both the owning process name
 * and the image being mapped contain "cc.exe"; it then patches the mapped
 * image's import directory in place (see inline comments).
 *
 * Reference accounting: PsLookupProcessByProcessId takes ONE reference on
 * TatgetProcess, so every exit path must release exactly one.  The failure
 * paths inside the inner block call ObDereferenceObject twice before
 * returning, and the normal path releases once after the __try block and
 * once more at the end of the function — both release it twice.  The handle
 * obtained from ObOpenObjectByPointer is never closed (there is no ZwClose).
 *
 * Unused locals: DriverEntryAddress, apcState, bAttached (left over from the
 * commented-out KeStackAttachProcess variant).
 */
VOID LoadImageNotifyRoutine(PUNICODE_STRING FullImageName,HANDLE  ProcessId,PIMAGE_INFO  ImageInfor)
{
    NTSTATUS Status;
    PVOID DriverEntryAddress = NULL;
    /* UnicodeToChar() fills this with an unbounded strcpy(); an image path
     * of 260 or more bytes overruns this kernel stack buffer. */
    char szFullImageName[260]={0};
    PEPROCESS TatgetProcess = NULL;
    KAPC_STATE apcState;
    BOOLEAN       bAttached =FALSE;
    HANDLE    hProcess;

    /* Adds one reference to TatgetProcess on success. */
    Status  = PsLookupProcessByProcessId(ProcessId,&TatgetProcess);
    if (!NT_SUCCESS(Status))
    {
        return ;
    }

    if (strstr(PsGetProcessImageFileName(TatgetProcess),"cc.exe")) /* the current process is cc.exe */
    {
        UnicodeToChar(FullImageName,szFullImageName);
        if (strstr(szFullImageName,"cc.exe"))  /* the image being loaded is cc.exe */
        {
            g_TargetProcessId = ProcessId;
            /* Kernel handle with GENERIC_ALL on the process; never closed. */
            Status = ObOpenObjectByPointer(TatgetProcess,
                 OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
                 NULL,
                 GENERIC_ALL,
                 *PsProcessType,
                 KernelMode,
                 &hProcess
                );
            if (!NT_SUCCESS(Status))
            {
                ObDereferenceObject(TatgetProcess);
                return;
            }
            g_TargetProcess = TatgetProcess;

            /* Any exception raised while touching the headers is swallowed by
             * the empty __except block below, so a partially patched header
             * is left in place with no diagnostic. */
            __try
            {
                //KeStackAttachProcess(TatgetProcess,&apcState);
                if (MmIsAddressValid(ImageInfor->ImageBase))
                {
                    PIMAGE_DOS_HEADER pDos;
                    PIMAGE_NT_HEADERS pHeader = NULL;
                    PIMAGE_IMPORT_DESCRIPTOR  pImportDesc;
                    //ZwUnmapViewOfSection(hProcess,ImageInfor->ImageBase);
                    ULONG nImportDllCount;
                    PVOID ulImageBase = ImageInfor->ImageBase;
                    ULONG nNewImportSize;
                    ULONG nNewDllNameSize = 0x20;
                    PIMAGE_IMPORT_DESCRIPTOR lpNewImportDesc = NULL;
                    PVOID lpDllName = NULL;
                    IMAGE_IMPORT_DESCRIPTOR Add_ImportDesc;
                    PIMAGE_THUNK_DATA        lpNewThunkData = NULL;
                    ULONG nNewThunkDataSize = 0x20;
                    PIMAGE_IMPORT_BY_NAME lpImportApi = NULL;
                    ULONG nNewImportApiSize  = 0x20;

                    /* Walk DOS header -> NT headers -> import directory.
                     * The (ULONG) casts on pointers are only meaningful in a
                     * 32-bit (x86) build; they truncate addresses on x64. */
                    pDos =(PIMAGE_DOS_HEADER) ulImageBase;
                    pHeader = (PIMAGE_NT_HEADERS)((ULONG)ulImageBase+(ULONG)pDos->e_lfanew);
                    pImportDesc  = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG)pHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress
                         + (ULONG)ulImageBase);
                    /* number of import table entries */
                    nImportDllCount = pHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size / sizeof(IMAGE_IMPORT_DESCRIPTOR);
                    g_OldImportDesc = pImportDesc; /* the original import table */
                    nNewImportSize = sizeof(IMAGE_IMPORT_DESCRIPTOR)*(nImportDllCount+1); /* plus our own entry */

                    /* Four RWX commits in the user process (PAGE_EXECUTE_READWRITE
                     * from kernel mode is itself a common detection signal).
                     * This first one goes through the NtCurrentProcess()
                     * pseudo-handle while the failure paths release it through
                     * hProcess — consistent only because the callback appears
                     * to run in the target process's own context. */
                    Status = ZwAllocateVirtualMemory(NtCurrentProcess(), &lpNewImportDesc, 0, &nNewImportSize,
                        MEM_COMMIT, PAGE_EXECUTE_READWRITE);
                    if (!NT_SUCCESS(Status))
                    {
                        /* NOTE(review): the single reference from PsLookupProcessByProcessId
                         * is released twice here. */
                        ObDereferenceObject(TatgetProcess);
                        ObDereferenceObject(TatgetProcess);
                        return;
                    }
                    RtlZeroMemory(lpNewImportDesc,nNewImportSize);
                    Status = ZwAllocateVirtualMemory(hProcess, &lpDllName, 0, &nNewDllNameSize,
                        MEM_COMMIT, PAGE_EXECUTE_READWRITE);
                    if (!NT_SUCCESS(Status))
                    {
                        ZwFreeVirtualMemory(hProcess,&lpNewImportDesc,0,MEM_RELEASE);
                        ObDereferenceObject(TatgetProcess);
                        ObDereferenceObject(TatgetProcess);
                        return;
                    }
                    RtlZeroMemory(lpDllName,nNewDllNameSize);
                    /* ThunkData */
                    Status = ZwAllocateVirtualMemory(hProcess, &lpNewThunkData, 0, &nNewThunkDataSize,
                        MEM_COMMIT, PAGE_EXECUTE_READWRITE);
                    if (!NT_SUCCESS(Status))
                    {
                        ZwFreeVirtualMemory(hProcess,&lpNewImportDesc,0,MEM_RELEASE);
                        ZwFreeVirtualMemory(hProcess,&lpDllName,0,MEM_RELEASE);
                        ObDereferenceObject(TatgetProcess);
                        ObDereferenceObject(TatgetProcess);
                        return;
                    }
                    RtlZeroMemory(lpNewThunkData,nNewThunkDataSize);

                    /* IMAGE_IMPORT_BY_NAME */
                    Status = ZwAllocateVirtualMemory(hProcess, &lpImportApi, 0, &nNewImportApiSize,
                        MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE);
                    if (!NT_SUCCESS(Status))
                    {
                        ZwFreeVirtualMemory(hProcess,&lpNewImportDesc,0,MEM_RELEASE);
                        ZwFreeVirtualMemory(hProcess,&lpDllName,0,MEM_RELEASE);
                        ZwFreeVirtualMemory(hProcess,&lpNewThunkData,0,MEM_RELEASE);
                        ObDereferenceObject(TatgetProcess);
                        ObDereferenceObject(TatgetProcess);
                        return;
                    }
                    RtlZeroMemory(lpImportApi,nNewImportApiSize);

                    /* Copy the original import table after one free slot. */
                    RtlCopyMemory(lpNewImportDesc+1,pImportDesc,sizeof(IMAGE_IMPORT_DESCRIPTOR)*nImportDllCount);
                    lpImportApi->Hint = 0;
                    /* Copies 0x20 bytes out of an 8-byte string literal: the
                     * copy reads past the end of the literal. */
                    RtlCopyMemory(lpImportApi->Name,"DllMain",0x20);
                    lpNewThunkData->u1.AddressOfData = (ULONG)lpImportApi-(ULONG)ulImageBase;

                    /* Fill in the new descriptor; all fields are image-relative. */
                    Add_ImportDesc.OriginalFirstThunk = (ULONG)lpNewThunkData-(ULONG)ulImageBase;
                    Add_ImportDesc.TimeDateStamp = 0;
                    Add_ImportDesc.ForwarderChain = 0;
                    /* Same over-read as above: 0x20 bytes from a 9-byte literal. */
                    RtlCopyMemory(lpDllName,"test.dll",0x20);
                    Add_ImportDesc.Name = (ULONG)lpDllName-(ULONG)ulImageBase;
                    Add_ImportDesc.FirstThunk = Add_ImportDesc.OriginalFirstThunk;

                    RtlCopyMemory(lpNewImportDesc,&Add_ImportDesc,sizeof(IMAGE_IMPORT_DESCRIPTOR));

                    /* Repoint the header's import directory at the new array.
                     * WPOFF()/WPON() bracket the write because the mapped
                     * header page is read-only. */
                    WPOFF(); /* modify the Descriptor */
                    pHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size += sizeof(IMAGE_IMPORT_DESCRIPTOR);
                    pHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = (ULONG_PTR)lpNewImportDesc - (ULONG_PTR)ulImageBase;
                    WPON();
                }
                //KeUnstackDetachProcess(&apcState);
            }__except(EXCEPTION_EXECUTE_HANDLER){
            }
            /* First release on the normal path; the one at function end is
             * the second release of the same single reference. */
            ObDereferenceObject(TatgetProcess);
        }
    }
    ObDereferenceObject(TatgetProcess);
}

/*
 * Clears CR0.WP (bit 16) after raising to DPC level so kernel-mode writes to
 * read-only pages succeed.  The effect is per-CPU and not tied to any
 * process, and the saved IRQL lives in the shared Irql global.  Clearing WP
 * from a driver is a classic rootkit primitive and a high-confidence
 * indicator for kernel integrity monitoring.
 */
VOID WPOFF()
{
    ULONG_PTR cr0 = 0;
    Irql = KeRaiseIrqlToDpcLevel();
    cr0 =__readcr0();
    cr0 &= 0xfffffffffffeffff;   /* mask out bit 16 (WP) */
    __writecr0(cr0);
}

/* Sets CR0.WP back and lowers to the IRQL saved by WPOFF(). */
VOID WPON()
{
    ULONG_PTR cr0=__readcr0();
    cr0 |= 0x10000;              /* bit 16 (WP) */
    __writecr0(cr0);
    KeLowerIrql(Irql);
}

/*
 * Converts uniSource to ANSI and copies it into szDest.
 *
 * The NTSTATUS from RtlUnicodeStringToAnsiString is ignored, so on failure
 * ansiTemp.Buffer is uninitialized when strcpy() reads it.  strcpy() has no
 * bound and the only caller passes a 260-byte stack buffer, so a longer
 * converted path overruns the kernel stack.
 */
VOID UnicodeToChar(PUNICODE_STRING uniSource, CHAR *szDest)
{
    ANSI_STRING ansiTemp;
    RtlUnicodeStringToAnsiString(&ansiTemp,uniSource,TRUE);
    strcpy(szDest,ansiTemp.Buffer);
    RtlFreeAnsiString(&ansiTemp);
}

然而卻並沒有什麼卵用,注入成功了,但是不知道為啥,最後顯示程式初始化錯誤。

希望有懂的大俠指點一下。

