C language ----- hijacking the system 03

1. Recap

  In the previous section (02) we covered the hijacking principle and function pointers; below we apply them to hijack the system.

2. Tools

  vs2017

  Detours

3. How does Windows create a process?

  (1) The process-creation function

BOOL CreateProcessW(
    LPCWSTR lpApplicationName,                  // name of the executable (may be NULL)
    LPWSTR lpCommandLine,                       // command line (must be a writable buffer)
    LPSECURITY_ATTRIBUTES lpProcessAttributes,  // security attributes of the new process
    LPSECURITY_ATTRIBUTES lpThreadAttributes,   // security attributes of its main thread
    BOOL bInheritHandles,                       // whether inheritable handles are passed on
    DWORD dwCreationFlags,                      // creation flags
    LPVOID lpEnvironment,                       // pointer to the environment block
    LPCWSTR lpCurrentDirectory,                 // current directory of the new process
    LPSTARTUPINFOW lpStartupInfo,               // startup information for the process
    LPPROCESS_INFORMATION lpProcessInformation  // receives the process and thread handles and ids
);

  (2) Which parameters do we need?

    wchar_t str[100]: the command to run, for example notepad or mspaint; this is the second parameter

    STARTUPINFO si: startup information for the process; this is the second-to-last parameter

    PROCESS_INFORMATION pi: the process identifiers; this is the last parameter

    All the others are NULL (or 0)

  (3) Complete program code

#include <Windows.h>
#include <stdio.h>
#include <stdlib.h>

int main() {
    STARTUPINFOW si = { sizeof(si) };   // startup information for the new process
    si.dwFlags = STARTF_USESHOWWINDOW;  // tell CreateProcess to honour wShowWindow
    si.wShowWindow = SW_SHOWNORMAL;     // show the window (SW_SHOWNORMAL == 1)
    PROCESS_INFORMATION pi = { 0 };     // receives the process and thread handles
    wchar_t str[100] = L"notepad";      // command line; CreateProcessW needs a writable buffer
    if (!CreateProcessW(NULL, str, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) {
        printf("CreateProcessW failed: %lu\n", GetLastError());
        return 1;
    }
    CloseHandle(pi.hThread);   // release the handles we received
    CloseHandle(pi.hProcess);
    return 0;
}

  (4) Explanation of the principle

  Why wchar_t rather than char?

    A Chinese character occupies two bytes while an English character occupies one. For compatibility, Windows provides wide-character (W) versions of its functions; passing the command line as wchar_t lets you enter Chinese characters directly, without garbling.

4. Hijacking system process creation

  (1) Review of the hijacking principle from last time

void (*Pold)(parameters) = System;   // pointer that keeps the original function
void Pnew(parameters) {              // replacement function
  ...
}
void Hook() {                        // redirect calls from Pold to Pnew
    ...
}

 (2) Applying the system() hook to CreateProcessW

 Step 1: Create a function pointer to the original

BOOL (WINAPI *poldcreateprocess)(
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation
    ) = CreateProcessW; // the wide-character version handles Chinese text correctly

 Step 2: Create the replacement function

// WINAPI (__stdcall) must match the original, otherwise the stack is corrupted on x86
BOOL WINAPI NEWCreateProcessW(
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation
)
{
    MessageBoxA(0, "劫持系统", "点有用吗???", 0);
    return 0; // report failure to the caller; the real process is never created
}

 Step 3: Perform the hijack

void Hook()
{
    DetourRestoreAfterWith();               // restore state left by a previous detour
    DetourTransactionBegin();               // begin the transaction
    DetourUpdateThread(GetCurrentThread()); // enlist the current thread
    DetourAttach((void **)&poldcreateprocess, NEWCreateProcessW); // redirect CreateProcessW
    DetourTransactionCommit();              // takes effect immediately
}

 Step 4: Write the DLL export function

__declspec(dllexport) void Go()
{
    Hook();
}

 Step 5: Switch from Debug mode to Release mode, then Build Solution

Complete source code

#include <stdio.h>
#include <stdlib.h>
#include <Windows.h>
#include "detours.h"
#pragma comment(lib, "detours.lib")

BOOL (WINAPI *poldcreateprocess)(
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation
    ) = CreateProcessW; // wide-character process creation

// WINAPI (__stdcall) must match the original's calling convention
BOOL WINAPI NEWCreateProcessW(
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation
)
{
    MessageBoxA(0, "hijack", "point helpful???", 0);
    return 0; // report failure; the requested process is never created
}

void Hook()
{
    DetourRestoreAfterWith();               // restore state left by a previous detour
    DetourTransactionBegin();               // begin the transaction
    DetourUpdateThread(GetCurrentThread()); // enlist the current thread
    DetourAttach((void **)&poldcreateprocess, NEWCreateProcessW); // redirect CreateProcessW
    DetourTransactionCommit();              // takes effect immediately
}

__declspec(dllexport) void Go()
{
    Hook();
}
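A defender-side check, added here and not part of the original post: Detours installs the hook above by overwriting the first bytes of CreateProcessW with a jump, so an entry point that begins with a jump, or whose bytes differ from the copy of the DLL on disk, reveals the hook. The byte arrays and the load address are constructed samples (not the real CreateProcessW prologue); reading the live bytes out of kernel32 is left to the caller.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Outcome of inspecting the first bytes of a function's entry point. */
typedef struct {
    int hooked;        /* 1 if the prologue starts with a Detours-style jump */
    uint64_t target;   /* where that jump leads (0 if not hooked) */
} hook_check;

/* Detours overwrites the entry point with a near jump: E9 rel32 on x86 and x64
   (to the detour or to a nearby trampoline); x64 trampolines also use FF 25 disp32
   (RIP-relative indirect jump). A clean prologue does not start with either. */
hook_check check_prologue(uint64_t func_addr, const unsigned char *code, size_t len) {
    hook_check r = {0, 0};
    int32_t disp;
    if (len >= 5 && code[0] == 0xE9) {
        memcpy(&disp, code + 1, 4);
        r.hooked = 1;
        r.target = func_addr + 5 + (int64_t)disp;   /* rel32 is relative to the next instruction */
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        memcpy(&disp, code + 2, 4);
        r.hooked = 1;
        r.target = func_addr + 6 + (int64_t)disp;   /* x64: address of the pointer slot */
    }
    return r;
}

/* Second signal: the live prologue should match the bytes read from the DLL on disk. */
int prologue_differs(const unsigned char *live, const unsigned char *ref, size_t n) {
    return memcmp(live, ref, n) != 0;
}

/* Constructed sample bytes (not the real CreateProcessW prologue). */
const unsigned char clean_prologue[]  = {0x48,0x89,0x5C,0x24,0x08,0x57,0x48,0x83,0xEC,0x20};
const unsigned char hooked_prologue[] = {0xE9,0xFB,0x0F,0x00,0x00,0x57,0x48,0x83,0xEC,0x20};
const uint64_t sample_addr = 0x7FF600001000ULL;   /* constructed load address of the function */

int main(void) {
    hook_check r = check_prologue(sample_addr, hooked_prologue, sizeof hooked_prologue);
    printf("hooked=%d target=0x%llx differs=%d\n", r.hooked,
           (unsigned long long)r.target,
           prologue_differs(hooked_prologue, clean_prologue, 5));
    return 0;
}
```

A jump target that lies outside the module that exports the function (here kernel32) is the usual sign that a foreign DLL has been attached.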

5. DLL injection

  Open the DLL injection tool, log in to QQ, refresh the process list in the injection tool and select the QQ process.

  Locate the DLL you built, enter the exported function name Go, click inject, then try to open Qzone from QQ: the hooked CreateProcessW shows the message box and the process is not started.

  If you choose explorer.exe instead and inject into it, nothing can be opened afterwards.

Source: www.cnblogs.com/mofei1999/p/11768785.html