1. Review
In the previous two sections we covered the hooking principle and function pointers, and hooked the C runtime function system(). Below we hook Windows process creation itself.
2. Tools
vs2017
Detours
3. How does Windows create a process?
(1) The process-creation function
BOOL CreateProcessW(
    LPCWSTR               lpApplicationName,    // path of the executable, or NULL to take it from the command line
    LPWSTR                lpCommandLine,        // command line; must be a writable buffer, the function may modify it
    LPSECURITY_ATTRIBUTES lpProcessAttributes,  // security attributes / inheritability of the new process handle
    LPSECURITY_ATTRIBUTES lpThreadAttributes,   // security attributes / inheritability of the main thread handle
    BOOL                  bInheritHandles,      // whether the caller's inheritable handles are inherited
    DWORD                 dwCreationFlags,      // creation flags, e.g. CREATE_NEW_CONSOLE, CREATE_SUSPENDED
    LPVOID                lpEnvironment,        // environment block, or NULL to inherit the caller's
    LPCWSTR               lpCurrentDirectory,   // current directory of the new process, or NULL to inherit
    LPSTARTUPINFOW        lpStartupInfo,        // startup information (window state, standard handles, ...)
    LPPROCESS_INFORMATION lpProcessInformation  // receives the process and thread handles and IDs
);
(2) Which parameters do we actually need?
wchar_t str[100];  the command line to run, e.g. notepad or mspaint; this is the second parameter, lpCommandLine
STARTUPINFOW si;  startup information for the new process; this is the second-to-last parameter, lpStartupInfo
PROCESS_INFORMATION pi;  receives the handles and IDs of the new process and its main thread; this is the last parameter, lpProcessInformation
All other parameters can be NULL (bInheritHandles FALSE; dwCreationFlags 0 or a flag such as CREATE_NEW_CONSOLE).
(3) Complete program code
#include <Windows.h>
#include <stdio.h>
#include <stdlib.h>

int main()
{
    STARTUPINFOW si = { sizeof(si) };        // startup information; cb must be set to the structure size
    si.dwFlags = STARTF_USESHOWWINDOW;       // tells CreateProcess to honour wShowWindow
    si.wShowWindow = SW_SHOWNORMAL;          // show the window normally (SW_SHOWNORMAL == 1)
    PROCESS_INFORMATION pi = { 0 };          // receives the new process and thread handles and IDs
    wchar_t str[100] = L"notepad";           // command line; a writable array, as CreateProcessW may modify it

    if (!CreateProcessW(NULL, str, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
    {
        printf("CreateProcessW failed, error %lu\n", GetLastError());
        return 1;
    }
    CloseHandle(pi.hThread);                 // we do not need the handles; close them so they are not leaked
    CloseHandle(pi.hProcess);
    return 0;
}
(4) Explanation
Why wchar_t rather than char?
In the ANSI code pages used on Chinese systems a Chinese character occupies two bytes while an English letter occupies one, so mixing them in a char string is fragile. Windows therefore provides wide-character (W) versions of its API functions that take UTF-16 wchar_t strings; a command line containing Chinese characters can be passed to CreateProcessW directly without becoming garbled.
4. Hooking system process creation
(1) Review of the hooking pattern from last time
void (*Pold)(parameter) = system;   // function pointer that holds the original function
void Pnew(parameter) { ... }        // replacement with the same signature as the original
void Hook() { ... }                 // Detours transaction that redirects Pold to Pnew
(2) Switching the target from system() to CreateProcessW
Step 1: Declare a function pointer that holds the original
BOOL (WINAPI *poldcreateprocess)(
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation
) = CreateProcessW;   // wide-character version: the correct choice for Chinese paths and command lines
Step 2: Write the replacement function
BOOL WINAPI NEWCreateProcessW(   // same parameters and the same WINAPI (__stdcall) calling convention as the original
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation
)
{
    MessageBoxA(0, "Hijacked the system", "Does clicking help???", 0);
    return FALSE;   // report failure to the caller; no process is created
}
Step 3: Install the hook
void Hook()
{
    DetourRestoreAfterWith();                  // restore the import table if this DLL was loaded via DetourCreateProcessWithDll; harmless otherwise
    DetourTransactionBegin();                  // start a transaction
    DetourUpdateThread(GetCurrentThread());    // enlist the current thread so its instruction pointer is fixed up on commit
    DetourAttach((void **)&poldcreateprocess, NEWCreateProcessW);   // redirect CreateProcessW to NEWCreateProcessW
    DetourTransactionCommit();                 // apply the patch; it takes effect immediately
}
Step 4: Export a function the injector can call
extern "C" __declspec(dllexport) void Go() { Hook(); }   // extern "C" keeps the export name unmangled in a C++ source file, so the injector can find "Go"
Step 5: Switch the configuration from Debug to Release and Build Solution. A Debug build links against the debug CRT DLLs, which the target process usually cannot load, and the DLL must be built for the same architecture (x86 or x64) as the process it is injected into.
Complete source code
#include <stdio.h>
#include <stdlib.h>
#include <Windows.h>
#include "detours.h"
#pragma comment(lib, "detours.lib")

// Pointer that holds the original CreateProcessW; after DetourAttach it points at the trampoline
BOOL (WINAPI *poldcreateprocess)(
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation
) = CreateProcessW;   // wide-character version of process creation

// Replacement: same parameters and the same WINAPI (__stdcall) calling convention as the original
BOOL WINAPI NEWCreateProcessW(
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation
)
{
    MessageBoxA(0, "Hijacked the system", "Does clicking help???", 0);
    return FALSE;   // report failure to the caller; no process is created
}

void Hook()
{
    DetourRestoreAfterWith();                  // restore the import table if loaded via DetourCreateProcessWithDll; harmless otherwise
    DetourTransactionBegin();                  // start a transaction
    DetourUpdateThread(GetCurrentThread());    // enlist the current thread so its instruction pointer is fixed up on commit
    DetourAttach((void **)&poldcreateprocess, NEWCreateProcessW);   // redirect CreateProcessW to NEWCreateProcessW
    DetourTransactionCommit();                 // apply the patch; it takes effect immediately
}

extern "C" __declspec(dllexport) void Go()   // unmangled export so the injector can look up "Go" by name
{
    Hook();
}
5. DLL injection
Open the DLL injection tool, log in to QQ, then refresh the process list in the injector and select the QQ process.
Browse to the DLL you built, enter Go as the function to call, and click Inject. Then open QQ Zone (QQ空间) from QQ: QQ tries to launch the browser through CreateProcessW, the hooked function shows the message box, and nothing is opened.
If instead you inject into explorer.exe, nothing launched from Explorer will open afterwards: every call Explorer makes to CreateProcessW now goes to NEWCreateProcessW, which shows the message box and returns FALSE.