1. 首頁
  2. 問答
  3. Windows命令掛鉤不工作

Windows命令掛鉤不工作

2016-08-21 208 views
1

我想掛鉤cmd.exe下的CreateProcess。 我設法注入DLL的CMD過程,但注入後的DLL進程分離消息接收,我無法鉤住createprocess函數調用。 我正在使用easyhook。 我的代碼:Windows命令掛鉤不工作

#include <windows.h> 
#include <Shlwapi.h> 
#include <tchar.h> 
#include <stdio.h> 
#include <strsafe.h> 
#include <easyhook.h> 

BOOL WINAPI myCreateProcess(
_In_opt_ LPCTSTR    lpApplicationName, 
_Inout_opt_ LPTSTR    lpCommandLine, 
_In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, 
_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, 
_In_  BOOL     bInheritHandles, 
_In_  DWORD     dwCreationFlags, 
_In_opt_ LPVOID    lpEnvironment, 
_In_opt_ LPCTSTR    lpCurrentDirectory, 
_In_  LPSTARTUPINFO   lpStartupInfo, 
_Out_  LPPROCESS_INFORMATION lpProcessInformation 
){ 
OutputDebugString(L"\n !!!!!! In CreateProcess HOOK\n !!!!!!!!"); 
return CreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCommandLine, lpStartupInfo, lpProcessInformation); 
} 
BOOL APIENTRY DllMain(HMODULE hModule, 
DWORD ul_reason_for_call, 
LPVOID lpReserved 
) 
{ 
BOOL bErrorFlag = FALSE; 
DWORD dwBytesToWrite = (DWORD)strlen(DataBuffer); 
DWORD dwBytesWritten = 0; 
switch (ul_reason_for_call) 
{ 
case DLL_PROCESS_ATTACH: 
{ 


    HOOK_TRACE_INFO hHook = { NULL }; // keep track of our hook 

    // Install the hook 

    NTSTATUS result = LhInstallHook(
     GetProcAddress(GetModuleHandle(TEXT("kernel32")), "CreateProcessW"), 
     myCreateProcess, 
     NULL, 
     &hHook); 
    if (FAILED(result)) 
    { 
     OutputDebugString(L"!!!!!!!!!!!FAIL!!!!!!!!"); 
     return 1; 
    } 

    ULONG ACLEntries[1] = { 0 }; 
    LhSetInclusiveACL(ACLEntries, 1, &hHook); 
    OutputDebugString(L"!!!!!!!!!!!!Injection Succeed!!!!!!!!!!!!"); 
    break; 
} 
case DLL_THREAD_ATTACH:{ 
    OutputDebugString(L"!!!!!!!!!!!!dll thread attach!!!!!!!!!!!!"); 
    break; 
} 
case DLL_THREAD_DETACH: 
{ 
     OutputDebugString(L"!!!!!!!!!!!!dll thread Detach!!!!!!!!!!!!"); 
    break; 
} 

case DLL_PROCESS_DETACH: 
{ 
      OutputDebugString(L"!!!!!!!!!!!!dll process Detach!!!!!!!!!!!!"); 
    break; 
} 
} 
}

我收到「成功注入」消息和「DLL進程分離」的消息之後。 有什麼想法?

來源

2016-08-21 Omega Doe

回答

1

嘗試改變:

LhSetInclusiveACL(ACLEntries, 1, &hHook);

到:

LhSetExclusiveACL(ACLEntries, 1, &hHook);

來源

2016-08-22 16:12:29

相關問題

 相關問題