Common WinAPI function finishing
original play tear you posted on 2019-09-04 20:06:55 reading number 101 collection
launched
before the blog wrote a lot about Windows programming, a hacker in the Windows environment must be familiar with the underlying API programming. In order to give readers a more comprehensive understanding and facilitate future use API query method used by hackers for the Windows API, especially those commonly used API to organize in accordance with the following seven major classification, we want to help learning.
First, the process
to create a process:
CreateProcess ( "C: \\ Windows \\ notepad.exe", 0,0,0,0,0,0,0, & Si, & PI);
WinExec ( "notepad", SW_SHOW);
ShellExecute (0, "Open", "notepad", "c: \\ a.txt", "", SW_SHOW);
ShellExecuteEx (& SEI);
traversal process:
CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS, 0);
Process32First (hSnap, & PE32);
Process32Next (hsnap, & pe32);
termination of the process:
ExitProcess (0);
the TerminateProcess (hProc, 0);
open process:
OpenProcess (PROCESS_ALL_ACCESS, 0, pid);
GetCurrentProcesssId ();
get the process executable path:
the GetModuleFileName (NULL, buf, len);
GetProcessImageFileName (hproc, buf, len);
traversal process module information:
CreateToolhelp32Snapshot (TH32CS_SNAPMODILE, pid);
Module32First (hSnap, & mdl32);
Module32Next ( hsnap, & mdl2);
Gets the handle module:
the GetModuleHandle ( "Kernel32.dll");
obtaining module functions address:
GetProcessAddr (hmdl, "the MessageBox");
dynamically loading DLL:
the LoadLibrary ( "User32.dll");
unload DLL:
FreeLibrary (hDll);
acquiring process command line parameters:
GetCommandLine ();
offset 4 bytes of a byte address for the address of any command-line process GetCommandLine function address.
Remote data reading and writing process:
ReadProcessMemory (hproc, BaseAddr, buf, len, & size);
WriteProcessMemory (hproc, BaseAddr, buf, len, & size);
application memory:
The VirtualAlloc (0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE,);
VirtualAllocEx (hproc, 0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE,);
modify memory attributes:
the VirtualProtect (addr, size, PAGE_EXECUTE_READWRITE,, & oldAddr);
VirtualProtectEx (hproc, addr, size, PAGE_EXECUTE_READWRITE,, & oldAddr );
the release of memory:
VirtualFree (addr, size, MEM_RELEASE);
VirtualFreeEx (hproc, addr, size, MEM_RELEASE);
acquisition system version (Win NT / 2K / XP <0x80000000):
getVersion ();
read and write process priority:
SetPriorityClass (hproc, Normal);
getPriority (hproc);
SetProcessPriorityBoost (hproc, to true);
GetProcessPriorityBoost (hproc, pBool);
Second, the thread
creates a thread (CreateThread thread function calls strtok, rand, etc. need to use _endthread () to release memory) :
the CreateThread (0,0, startAddr, & para, 0, & TID);
the _beginthread (startAddr, 0,0);
the _beginthreadex (0,0, startAddr, 0,0, & TID);
the CreateRemoteThread (hproc, 0,0, FUNC, & para, 0, & TID);
acquisition thread ID:
The GetCurrentThreadId ();
Close thread handle (reducing kernel objects using a number of times, prevent memory leaks):
the CloseHandle (hThread);
suspend the active threads (maintenance pauses):
SuspendThread (hThread);
ResumeThread (hThread);
obtaining a thread exit code:
GetExitCode (hThread, & code );
waiting thread exits (thread trusted state or a timeout):
WaitForSignleObject (htread, 1000);
the WaitForMultipleObjects (NUM, Handles, to true, of INFINITE);
traversing thread:
the CreateToolhelp32Snapshot (TH32CS_SNAPTHREAD, 0);
Thread32First (hSnap, & mdl32);
Thread32Next ( hsnap, & mdl2);
acquisition thread entry function:
ZwQueryInfomationThread (hThread, ThreadQuerySetWin32StartAddress, & buf,. 4, NULL);
Open Thread:
to OpenThread (THREAD_ALL_ACCESS, to false, & TID);
obtaining thread function address belongs to the module:
GetMappedFileName (hproc, addr, buf, 256);
read thread priority:
the SetThreadPriority (hThread, Normal);
GetThreadPriority (hThread);
SetThreadPriorityBoost ( hproc, to true);
GetThreadPriorityBoost (hproc, pBool);
terminate the thread:
the ExitThread (. 5);
the TerminateThread (hThread,. 5);
thread synchronization critical section object:
InitializeCriticalSection (& CS);
the EnterCriticalSection (& CS);
LeaveCriticalSection (& CS);
DeleteCriticalSection ( & cs);
thread synchronization event kernel object:
OpenEvent (EVENT_ALL_ACCESS, false, name);
CreateEvent (NULL, false, to true, NULL);
WaitForSingleObject (hevnt, INFINITE);
SetEvent (hevnt);
ResetEvent (hevnt);
Thread synchronization mutex kernel object:
CreateMutex (NULL, false, NULL);
WaitForSingleObject (hMutex, INFINITE);
ReleaseMutex (hMutex);
OpenMutex (MUTEX_ALL_ACCESS, false, name);
Third, the registry
Create keys:
RegCreateKeyEx (HKEY_CURRENT_USER, "TestNewKey ", 0,0, REG_OPTION_VOLATILE, KEY_ALL_ACCESS, 0, & subkey, & state);
open key:
the RegCreateKeyEx (the HKEY_CURRENT_USER," Control Panel ", 0, KEY_ALL_ACCESS, & subkey);
Close key:
the RegCloseKey (HKEY);
traversal keys:
the RegEnumKeyEx (hsubkey , index, KeyName, & nameSize, 0,0,0, & Time);
FileTimeToSystemTime (& Time, & systime);
RegQueryInfo (hsubkey, 0,0,0, & COUNT, 0,0,0,0,0,0,0);
delete key:
RegDeleteKeyEx (hmainkey, subkeyName);
create value:
RegSetValueEx (hsubkey, "the Test", 0, REG_WORD, (BYTE *) & value,4);
Traversal value:
RegEnumValue (hsubkey, index, name, & nameSize, 0, & of the type, valuebuf, valueLen);
RegQueryValueEx (hsubkey, name, 0, of the type, buf, & size);
delete the value:
RegDeleteValue (hsubkey, ValueName);
Fourth, file
create / open file:
CreateFile ( "a.txt", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
set the file pointer:
SetFilePointer (hFile, 0, NULL, FILE_END);
read and write files:
ReadFile (hFile , buf, len, & size, 0);
the WriteFile (hFile, buf, len, & size, 0);
force files written to disk, clear the file cache buffer:
FlushFileuffers (hFile);
[solution] lock file area:
the lockFile (hFile , 0,0,100,0);
UnlockFile (hFile, 0,0,100,0);
copy the file:
the CopyFile (src, des, to true);
CopyFileEx (src, des, FUNC, & para, false, the COPY_FILE_FAIL_IF_EXISTS);
Move files:
MoveFile (src, des);
the MoveFileEx (src, des, false);
MoveFileWithProgress (src, des, Fun, & para, MOVEFILE_COPY_ALLOWED);
delete file:
DeleteFile (filename);
acquisition file type (FILE_TYPE_PIPE):
GetFileType (hFile );
Get file size:
the GetFileSize (hFile, & High);
get the file attributes (e.g. FILE_ATTRIBUTE_DIRECTORY for & calculation):
the GetFileAttributes (hFile);
traverse the file:
the FindFirstFile (nameMode, & WFD);
the FindNextFile (hFile, & WFD);
Create pipeline:
CreatePipe (& hRead, & hWrite, & sa, 0);
create a memory-mapped file:
CreateFile ( "d: \\ a.txt", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, "myMap");
to load memory-mapped files:
MapViewOfFile (hmap, FILE_MAP_ALL_ACCESS, 0,0,0);
open the memory mapped file:
OpenFileMapping (FILE_AMP_ALL_ACCESS, false, "myMap ");
unload memory-mapped files:
the UnmapViewOfFile (BaseAddr);
mandatory write memory-mapped files to disk:
FlushViewOfFile (BaseAddr, len);
create a folder (you can only create one):
CreateDirectory ( "D: \\ A", NULL);
CreateDirectory ( "C: \\ A", "D: \\ b", NULL);
delete folders (can only delete empty folders):
RemoveDirectory ( "C: \ \ a ");
detector logical drive:
GetLogicalDrives ();
GetLogicalDriveStrings (len, buf);
for drive type (DRIVE_CDROM):
the GetDriveType (" D: \\ ");
5, the network
open network resource enumeration process (winnetwk.h , Mpr.lib):
WNetOpenEnum (RESOURCE_GLOBAL, RESOURCETYPE_ANY, 0, NULL, hNET);
enumerate network resources:
WNetEnumResource (hNET, & COUNT, pNetRsc, & size);
closed network resource enumeration process:
WNetCloseEnum (hNET);
open close WinSocket library:
WSAStartup (Version, & WSA);
WSACleanup ();
create socket:
socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
Bind IP sockets and ports:
the bind (our sock, & addr, len);
listening TCP connection:
the listen (our sock , 10);
receiving a TCP connection request:
Accept (our sock, & addr, & len);
client connection:
connect (our sock, & addr, len);
sends TCP:
send (our sock, buf, len, 0);
received TCP data:
recv (sock, buf, len, 0);
sending UDP data:
the sendto (our sock, buf, len, 0, & addr, len);
receive UDP:
recvfrom (our sock, buf, len, 0, & addr, & len);
six service
open service control Manager SCM:
OpenSCManager (NULL, NULL, SC_MANAGER_ALL_ACCESS);
create a service:
CreateService (mgr, "MyService", "MyService", SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, SERVICE_AUTO_START, SERVICE_ERROR_IGNORE, path, NULL, NULL, NULL, NULL, NULL);
open service targets:
the OpenService (MGR, "MyService", SERVICE_START);
start service :
the StartService (Serv, 0, NULL);
query service status:
QueryServiceStatus (Serv, & state);
Close service handle:
CloseServiceHandle (HDL);
connected to the SCM:
the StartServiceCtrlDispatcher (DispatchTable);
registration service control function:
RegisterServiceCtrlHandler ( "MyServicer", ServiceCtrl);
set the service status:
SetServiceStatus (the HSS, & ServiceStatus);
control services:
ControlService (Serv, a SERVICE_CONTROL_STOP, & state);
remove the service:
DeleteService (Serv);
traversal service:
EnumServicesStatus (hscm, SERVICE_WIN32 | SERVICE_DRIVER, SERVICE_STATE_ALL, & srvSts, len, & size, & count, NULL);
Query service configuration:
QueryServiceConfig (hserv, & srvcfg, size, & size);
VII message
to send a message:
SendMessage (HWND_BROADCAST, the WM_LBUTTONDOWN, 0, 0);
receiving a message:
the GetMessage (& MSG, NULL, 0,0);
delivery message:
the PostMessage (HWND_BROADCAST, the WM_LBUTTONDOWN, 0,0);
Get message:
PeekMessage (& MSG, NULL, 0,0);
conversion message:
TranslateMessage ( & msg);
distribution message:
the DispatchMessage (& msg);
wait message:
WaitMessage ();
sending an exit message:
the PostQuitMessage (0);
installation message hook:
the SetWindowsHookEx (the WH_KEYBOARD, KeyboardProc, 0, TID);
uninstall message hook:
the UnhookWindowsHookEx (HHK) ;
These are the most commonly used API functions of a number of related technologies currently on contact, this is certainly not the most complete, but bloggers are exhumed from a copies of the information, but also hope that readers will add a lot of mutual progress!
----------------
Disclaimer: This article is CSDN blogger "tear you play 'original article, follow the CC 4.0 BY-SA copyright agreement, reproduced, please attach the original source and link this statement.
Original link: https: //blog.csdn.net/H888001/article/details/100546290
Common WinAPI function finishing ------------ reprint
Guess you like
Origin www.cnblogs.com/bedfly/p/12154064.html
Recommended
Ranking