WinXP下监视进程的创建

本文主要是介绍WinXP下监视进程的创建，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

在winxp下进程的创建无非是使用System,Winexec,ShellExecute,CreateProcess等库函数和系统API.但是为了实现对进程创建的监视,我们一般都是拦截这些api,这样工作量会很大.而实际上这些函数最终都会调用ntdll.dll所导出的ZwCreateProcessEx函数,由他填入服务索引号,并软中断进入内核模式.只要Hook了该函数就能有效地从用户层监视进程的创建.但是有人会说,在2000和Xp下不是有NtCreateProcess和ZwCreateProcess么,实际上今天晚上我自己动手试了下,上述这两者,首先他们是一个函数,其次,在Xp下创建进程的时候,根本不会使用到他们...

 首先看下ZwCreateProcessEx的定义(参考win2k/xp native api refernce):

typedef NTSTATUS (*NTCREATEPROCESSEX)(
   OUT PHANDLE ProcessHandle,
   IN ACCESS_MASK DesiredAccess,
   IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
   IN HANDLE ParentProcess,
   IN BOOLEAN InheritObjectTable,
   IN HANDLE SectionHandle OPTIONAL,
   IN HANDLE DebugPort OPTIONAL,
   IN HANDLE ExceptionPort OPTIONAL,
   IN HANDLE Unknown ); 

我们需要的只是拦截他,目前暂时具体参数的功能就不谈了,具体实现方式就不说了,在前面的<用户层下拦截API的原理与实现>中已经讲得很清楚拉.如果你忘记了,具体见:http://redcoder.blog.sohu.com/2183228.html下面是这次实验的代码,拦截了ZwCreateProcessEx函数:

编译环境:WinXp Sp2 + vc6.0

代码：
--------------------------------------------------------------------------------

#include <stdio.h>
#include <windows.h>

#define STATUS_SUCCESS  0
#define HOOKFUCTIONSIZE 10240      //定义拦截函数体的大小，以字节为单位，且以4kb为基本单位
#define HOOKEDAPIPARAMNUMINBYTE 36 //定义被拦截的api的函数的参数的大小，以字节为单位

typedef unsigned long NTSTATUS;
typedef unsigned long SYSTEM_INformATION_CLASS;

typedef struct _RemoteParam{
LPVOID          lpFunAddr;
LPVOID          lpWriteProcessMemory;
unsigned char   szOldCode[12];
unsigned char   szNewCode[12];
LPVOID          lpMessageBox;
}RemoteParam, * PRemoteParam;

typedef BOOL (__stdcall * PFN_WRITEPROCESSMEMORY)(HANDLE, LPVOID, LPCVOID, SIZE_T, SIZE_T*);
typedef int  (__stdcall * PFN_MESSAGEBOX)(HWND, LPCTSTR, LPCTSTR, DWORD);

typedef
NTSTATUS
(__stdcall * PFN_ZWCREATEPROCESSEX)(
PHANDLE,
ACCESS_MASK,
LPVOID,
HANDLE,
BOOLEAN,
HANDLE,
HANDLE,
HANDLE,
HANDLE
);

VOID HookApi(LPVOID lParam)
{
RemoteParam* Rpm = (RemoteParam*)lParam;
PFN_ZWCREATEPROCESSEX pfnZwCreateprocessEx = (PFN_ZWCREATEPROCESSEX)Rpm->lpFunAddr;
PFN_WRITEPROCESSMEMORY pfnWriteProcessMemory = (PFN_WRITEPROCESSMEMORY)Rpm->lpWriteProcessMemory;
PFN_MESSAGEBOX pfnMessageBox = (PFN_MESSAGEBOX)Rpm->lpMessageBox;

char sztest[8] = {'h', 'e', 'l', 'l', 'o', '.', '.', '/0'};
  

PHANDLE ProcessHandle = NULL;
ACCESS_MASK DesiredAccess = 0;
LPVOID ObjectAttributes = NULL;
HANDLE InheritFromProcessHandle = NULL;
BOOLEAN InheritHandles = TRUE;
HANDLE SectionHandle = NULL;
HANDLE DebugPort = NULL;
HANDLE ExceptionPort = NULL;
HANDLE reserv = NULL;

NTSTATUS Retvalue = STATUS_SUCCESS; //定义要拦截的api的默认返回植
DWORD NextIpAddr = 0;
DWORD dwParamaAddr = 0;

DWORD temp1 = 0;

__asm
{
 MOV EAX, [EBP + 12]
 MOV [NextIpAddr], EAX
 MOV EAX, [EBP + 16]
 MOV [ProcessHandle], EAX
 MOV EAX, [EBP + 20]
 MOV [DesiredAccess], EAX
 MOV EAX, [EBP + 24]
 MOV [ObjectAttributes], EAX
 MOV EAX, [EBP + 28]
 MOV [InheritFromProcessHandle], EAX
 MOV EAX, [EBP + 32]
 MOV [temp1], EAX
 MOV EAX, [EBP + 36]
 MOV [SectionHandle], EAX 
 MOV EAX, [EBP + 40]
 MOV [DebugPort], EAX
 MOV EAX, [EBP + 44]
 MOV [ExceptionPort], EAX
 MOV EAX, [EBP + 48]
 MOV [reserv], EAX 
}

InheritHandles = (BOOLEAN)temp1;

//这里可以做你的事情了，比如我只想弹出一个对话框,其实也可以在让api完成之后再做些东西
   pfnMessageBox(NULL, sztest, sztest, 0);  

pfnWriteProcessMemory((HANDLE)0XFFFFFFFF, Rpm->lpFunAddr, (LPCVOID)Rpm->szOldCode, 12, NULL);
//让api真正执行,这里换成你要拦截的api
Retvalue = pfnZwCreateprocessEx(ProcessHandle,
                             DesiredAccess,
           ObjectAttributes,
           InheritFromProcessHandle,
           InheritHandles,
           SectionHandle,
           DebugPort,
           ExceptionPort,
           reserv);

//再次恢复对他的拦截
pfnWriteProcessMemory((HANDLE)0XFFFFFFFF, Rpm->lpFunAddr, (LPCVOID)Rpm->szNewCode, 12, NULL);

 
  DWORD dwStackSize = 12 + HOOKEDAPIPARAMNUMINBYTE;
 
  //这里对拦截函数堆栈的恢复，必须放在最后
  __asm
  {
   POP EDI     //注意如果你编译生成的debug版本的程序则需要把这
   POP ESI     //三个注释去掉
   POP EBX
   MOV ECX, [dwStackSize]
   MOV EDX, [NextIpAddr]
   MOV EAX, [Retvalue]
   MOV ESP, EBP
   POP EBP
   ADD ESP, ECX //12 + HOOKEDAPIPARAMNUMINBYTE  //恢复堆栈
   PUSH EDX
   RET
  }
}

//
//************************************************************************
//模块名字：AdjustProcessPrivileges(LPCSTR)
//模块功能：修改调用进程的权限
//返回数值：成功返回TRUE，失败返回FALSE
//参数可以为下列值：
// #define SE_BACKUP_NAME        TEXT("SeBackupPrivilege")
// #define SE_RESTORE_NAME       TEXT("SeRestorePrivilege")
// #define SE_SHUTDOWN_NAME      TEXT("SeShutdownPrivilege")
// #define SE_DEBUG_NAME         TEXT("SeDebugPrivilege")
//

BOOL AdjustProcessPrivileges(LPCSTR lpPrivilegesName)
{
HANDLE hToken;
TOKEN_PRIVILEGES tkp;
if(!OpenProcessToken((HANDLE)0XFFFFFFFF,
 TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
 return FALSE;
}

if(!LookupPrivilegeValue(NULL, lpPrivilegesName, &tkp.Privileges[0].Luid))
{
 CloseHandle(hToken);
 return FALSE;
}

tkp.PrivilegeCount = 1;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

if(!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
{
 CloseHandle(hToken);
 return FALSE;
}

CloseHandle(hToken);
return TRUE;
}

int SetHook(DWORD dwPid, LPCTSTR lpApiName, LPCTSTR lpExportDllName, LPVOID lpHookFunAddr)
{
if(!AdjustProcessPrivileges(SE_DEBUG_NAME))
{
 printf("-----AdjustProcessPrivileges error../n");
 return -1;
}
printf("1:AdjustProcessPrivileges ok/n");

//获取要拦截的api的地址
HMODULE hExportDll = LoadLibrary(lpExportDllName);
if(hExportDll == NULL)
{
 printf("-----LoadLibrary error../n");
 return -1;
}

LPVOID lpApiAddr = GetProcAddress(hExportDll, lpApiName);
if(lpApiAddr == NULL)
{
 printf("-----GetProcAddress %s error../n", lpApiName);
 FreeLibrary(hExportDll);
 return -1;
}

//打开进程句柄
HANDLE hTargetProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                                       FALSE, dwPid);
if(hTargetProcess == NULL)
{
 printf("-----OpenProcess %d error../n", dwPid);
 FreeLibrary(hExportDll);
 return -1;
}

//申请拦截函数内存空间
LPVOID lpFunAddr = VirtualAllocEx(hTargetProcess, NULL, HOOKFUCTIONSIZE,
                                     MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if(lpFunAddr == NULL)
{
 printf("-----VirtualAllocEx for remotefuction error../n");
 FreeLibrary(hExportDll);
 CloseHandle(hTargetProcess);
 return -1;
}

//申请远程参数空间
LPVOID lpParamaAddr = VirtualAllocEx(hTargetProcess, NULL, sizeof(RemoteParam),
                                        MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if(lpParamaAddr == NULL)
{
 printf("-----VirtualAllocEx for remoteparam error../n");
 FreeLibrary(hExportDll);
 VirtualFreeEx(hTargetProcess, lpFunAddr, 0, MEM_RELEASE);
 CloseHandle(hTargetProcess);
 return -1;
}

printf("2:Alloc remote memory for the hook fuction and param ok/n");

//设置远程参数，下一步要把参数写入要拦截的远程进程地址空间
RemoteParam RParam;
ZeroMemory(&RParam, sizeof(RParam));

unsigned char oldcode[12];
unsigned char newcode[12];
DWORD dwError = 0;
if(!ReadProcessMemory((HANDLE)0XFFFFFFFF,
 lpApiAddr,
 oldcode,
 12,
 &dwError))
{
 printf("-----ReadProcessMemory from lpApiName error../n");
 FreeLibrary(hExportDll);
 VirtualFreeEx(hTargetProcess, lpFunAddr, 0, MEM_RELEASE);
 VirtualFreeEx(hTargetProcess, lpParamaAddr, 0, MEM_RELEASE);
 CloseHandle(hTargetProcess);
 return -1;
}
//生成跳转指令，这将覆盖要拦截的api的前十个字节
int praadd = (int)lpParamaAddr;
int threadadd = (int)lpFunAddr;
newcode[4] = praadd>>24;
newcode[3] = (praadd<<8)>>24;
newcode[2] = (praadd<<16)>>24;
newcode[1] = (praadd<<24)>>24;
newcode[0] = 0x68;  //PUSH lpParamaAddr

int offsetaddr = threadadd - (int)lpApiAddr - 10 ;
newcode[9] = offsetaddr>>24;
newcode[8] = (offsetaddr<<8)>>24;
newcode[7] = (offsetaddr<<16)>>24;
newcode[6] = (offsetaddr<<24)>>24;
newcode[5] = 0xE8;  //CALL lpFunAddr

newcode[10] = 0x90;
newcode[11] = 0x90;

for(int j = 0; j < 12; j++)
{
 RParam.szOldCode[j] = oldcode[j];
 RParam.szNewCode[j] = newcode[j];
}
RParam.lpFunAddr = lpApiAddr;

HMODULE hKernel32 = LoadLibrary("Kernel32.dll");
if(hKernel32 == NULL)
{
 printf("-----LoadLibrary Kernel32.dll error../n");
 FreeLibrary(hExportDll);
 VirtualFreeEx(hTargetProcess, lpFunAddr, 0, MEM_RELEASE);
 VirtualFreeEx(hTargetProcess, lpParamaAddr, 0, MEM_RELEASE);
 CloseHandle(hTargetProcess);
 return -1;
}

RParam.lpWriteProcessMemory = GetProcAddress(hKernel32, "WriteProcessMemory");
if(RParam.lpWriteProcessMemory == NULL)
{
 printf("-----GetProcAddress WriteProcessMemory from Kernel32.dll error../n");
 FreeLibrary(hExportDll);
 VirtualFreeEx(hTargetProcess, lpFunAddr, 0, MEM_RELEASE);
 VirtualFreeEx(hTargetProcess, lpParamaAddr, 0, MEM_RELEASE);
 CloseHandle(hTargetProcess);
 FreeLibrary(hKernel32);
 return -1;
}

//以上皆为必须，下面可以为自己的拦截函数中所需要用的一些变量以及系统api放到参数中去
HMODULE hUser32 = LoadLibrary("User32.dll");
if(hUser32 == NULL)
{
 printf("-----LoadLibrary User32.dll error../n");
 FreeLibrary(hExportDll);
 VirtualFreeEx(hTargetProcess, lpFunAddr, 0, MEM_RELEASE);
 VirtualFreeEx(hTargetProcess, lpParamaAddr, 0, MEM_RELEASE);
 CloseHandle(hTargetProcess);
 FreeLibrary(hKernel32);
 return -1;
}

RParam.lpMessageBox = GetProcAddress(hUser32, "MessageBoxA");
if(RParam.lpMessageBox == NULL)
{
 printf("-----GetProcAddress MessageBoxA from User32.dll error../n");
 FreeLibrary(hExportDll);
 VirtualFreeEx(hTargetProcess, lpFunAddr, 0, MEM_RELEASE);
 VirtualFreeEx(hTargetProcess, lpParamaAddr, 0, MEM_RELEASE);
 CloseHandle(hTargetProcess);
 FreeLibrary(hKernel32);
 FreeLibrary(hUser32);
 return -1;
}

FreeLibrary(hUser32);
printf("3:Generate remoteparam ok/n");

//下面为必须部分
//把参数写入要拦截的远程进程地址空间
if(!WriteProcessMemory(hTargetProcess, lpParamaAddr, (LPVOID)&RParam, sizeof(RParam), &dwError))
{
 printf("-----WriteProcessMemory for remoteparam error../n");
 FreeLibrary(hExportDll);
 VirtualFreeEx(hTargetProcess, lpFunAddr, 0, MEM_RELEASE);
 VirtualFreeEx(hTargetProcess, lpParamaAddr, 0, MEM_RELEASE);
 CloseHandle(hTargetProcess);
 FreeLibrary(hKernel32);
 return -1;
}
printf("4:WriteProcessMemory for remoteparam ok/n");
//把拦截函数体写入目标进程地址空间
if(!WriteProcessMemory(hTargetProcess, lpFunAddr, lpHookFunAddr, HOOKFUCTIONSIZE, &dwError))
{
 printf("-----WriteProcessMemory for remotefuction error../n");
 FreeLibrary(hExportDll);
 VirtualFreeEx(hTargetProcess, lpFunAddr, 0, MEM_RELEASE);
 VirtualFreeEx(hTargetProcess, lpParamaAddr, 0, MEM_RELEASE);
 CloseHandle(hTargetProcess);
 FreeLibrary(hKernel32);
 return -1;
}
printf("5:WriteProcessMemory for remotefuction ok/n");
//把新的跳转指令写入要拦截的目标进程的要拦截的api的函数的前十字节
if(!WriteProcessMemory(hTargetProcess, lpApiAddr , (LPVOID)newcode, 12, &dwError))
{
 printf("-----Modify remote api error../n");
 FreeLibrary(hExportDll);
 VirtualFreeEx(hTargetProcess, lpFunAddr, 0, MEM_RELEASE);
 VirtualFreeEx(hTargetProcess, lpParamaAddr, 0, MEM_RELEASE);
 CloseHandle(hTargetProcess);
 FreeLibrary(hKernel32);
 return -1;
}
   printf("6:Modify remote api %s ok/n", lpApiName);

//show..
printf("---------------------------------------------------------------------------/n"
    "You hava hooked pid: %d ,and the infomation of this hooking are as follows:/n"
    "API name: %s/n"
    "API addr: 0x%.8x/n"
    "Module name: %s/n"
    "Module addr: 0x%.8x/n"
    "Remote parama addr: 0x%.8x/n"
    "Remote thread addr: 0x%.8x/n"
    "RemoteParam.lpFunAddr: 0x%.8x/n"
    "RemoteParam.lpWriteProcessMemory: 0x%.8x/n"
    "RemoteParam.lpMessageBox: 0x%.8x/n",
    dwPid,
    lpApiName,
          lpApiAddr,
    lpExportDllName,
    hExportDll,
    lpParamaAddr,
    lpFunAddr,
    RParam.lpFunAddr,
    RParam.lpWriteProcessMemory,
    RParam.lpMessageBox);

printf("RemoteParam.szOldCode: ");
for(int i = 0; i < 12; i++)
{
 printf("0x%x ", RParam.szOldCode[i]);
}

printf("/nRemoteParam.szNewCode: ");
for(i = 0; i < 12; i++)
{
 printf("0x%x ", RParam.szNewCode[i]);
}

printf("/nThat's all, good luck ^_^/n");
Sleep(10000);

//收工，清理资源
FreeLibrary(hExportDll);
CloseHandle(hTargetProcess);
FreeLibrary(hKernel32);
return 0;
}

int main(void)
{//注意这里第一个参数是你要选择监视的进程的ID,我这里是选的我的explorer.exe
SetHook(1564, "NtCreateProcessEx", "ntdll.dll", &HookApi);
 

 

引自： http://www.hacker.cn/Get/xtaq/0691410230498975.shtml
 

这篇关于WinXP下监视进程的创建的文章就介绍到这儿，希望我们推荐的文章对编程师们有所帮助！

---