105 lines
4.0 KiB
C
105 lines
4.0 KiB
C
|
|
|||
|
|
#include "MyFake.h"
|
|||
|
|
#include "ntos.h"
|
|||
|
|
|
|||
|
|
|
|||
|
|
typedef NTSTATUS(__stdcall *pfnNtQueryInformationProcess) (HANDLE ProcessHandle, ULONG ProcessInformationClass,
|
|||
|
|
PVOID ProcessInformation, UINT32 ProcessInformationLength, UINT32* ReturnLength);
|
|||
|
|
|
|||
|
|
typedef NTSTATUS(__stdcall *pfnNtReadVirtualMemory) (HANDLE ProcessHandle, PVOID BaseAddress,
|
|||
|
|
PVOID BufferData, UINT64 BufferLength, PUINT64 ReturnLength);
|
|||
|
|
|
|||
|
|
typedef NTSTATUS(__stdcall *pfnNtWriteVirtualMemory) (HANDLE ProcessHandle, PVOID BaseAddress,
|
|||
|
|
PVOID BufferData, UINT64 BufferLength, PUINT64 ReturnLength);
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
void ShowError(TCHAR *lpszText)
|
|||
|
|
{
|
|||
|
|
TCHAR szErr[MAX_PATH] = {0};
|
|||
|
|
wsprintf(szErr, L"%ls Error!\n Error Code Is:\n", lpszText, GetLastError());
|
|||
|
|
MessageBox(NULL, szErr, NULL, MB_OK);
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
BOOL FakeCurrentProcess(TCHAR *szPath, TCHAR *lpszCmd)
|
|||
|
|
{
|
|||
|
|
PPEB peb = NtCurrentPeb();
|
|||
|
|
|
|||
|
|
// <20><EFBFBD>
|
|||
|
|
RtlInitUnicodeString(&peb->ProcessParameters->CommandLine, lpszCmd);
|
|||
|
|
RtlInitUnicodeString(&peb->ProcessParameters->ImagePathName, szPath);
|
|||
|
|
TCHAR *lpszTemp = wcsrchr(szPath, L'\\');
|
|||
|
|
lpszTemp[0] = L'\0';
|
|||
|
|
lpszTemp[1] = L'\0';
|
|||
|
|
RtlInitUnicodeString(&peb->ProcessParameters->CurrentDirectory.DosPath, szPath);
|
|||
|
|
|
|||
|
|
return TRUE;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
BOOL FakeOtherProcess(DWORD dwPID, TCHAR *lpszPath, TCHAR *lpszCmd)
|
|||
|
|
{
|
|||
|
|
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
|
|||
|
|
if (NULL == hProcess)
|
|||
|
|
{
|
|||
|
|
ShowError(L"OpenProcess");
|
|||
|
|
return FALSE;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
pfnNtQueryInformationProcess NtQueryInformationProcess = (pfnNtQueryInformationProcess)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtQueryInformationProcess");
|
|||
|
|
if (NULL == NtQueryInformationProcess)
|
|||
|
|
{
|
|||
|
|
ShowError(L"GetProcAddress");
|
|||
|
|
return FALSE;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
PROCESS_BASIC_INFORMATION pbi = {0};
|
|||
|
|
NTSTATUS status = NtQueryInformationProcess(hProcess, 0, &pbi, sizeof(pbi), NULL);
|
|||
|
|
if (!NT_SUCCESS(status))
|
|||
|
|
{
|
|||
|
|
ShowError(L"NtWow64QueryInformationProcess64");
|
|||
|
|
return FALSE;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
/*
|
|||
|
|
ע<EFBFBD><EFBFBD><EFBFBD>ڶ<EFBFBD>д<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>̵<EFBFBD>ʱ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>ע<EFBFBD><EFBFBD>Ҫʹ<EFBFBD><EFBFBD>ReadProcessMemory/WriteProcessMemory<EFBFBD><EFBFBD><EFBFBD>в<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
ÿ<EFBFBD><EFBFBD>ָ<EFBFBD><EFBFBD>ָ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ݶ<EFBFBD><EFBFBD><EFBFBD>Ҫ<EFBFBD><EFBFBD>ȡ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ϊָ<EFBFBD><EFBFBD>ֻ<EFBFBD><EFBFBD>ָ<EFBFBD><EFBFBD><EFBFBD>̵ĵ<EFBFBD>ַ<EFBFBD>ռ䣬<EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ҫ<EFBFBD><EFBFBD>ȡ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>̿ռ䡣
|
|||
|
|
Ҫ<EFBFBD><EFBFBD>Ȼһֱ<EFBFBD><EFBFBD>ʾλ<EFBFBD>÷<EFBFBD><EFBFBD>ʴ<EFBFBD><EFBFBD><EFBFBD>!
|
|||
|
|
*/
|
|||
|
|
// <20><>ȡ<EFBFBD><C8A1><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>̵<EFBFBD>ַ<EFBFBD>ռ<EFBFBD>ָ<EFBFBD><D6B8>ָ<EFBFBD><D6B8><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:PEB, RTL_USER_PROCESS_PARAMETERS
|
|||
|
|
PEB peb = {0};
|
|||
|
|
ReadProcessMemory(hProcess, pbi.PebBaseAddress, &peb, sizeof(peb), NULL);
|
|||
|
|
RTL_USER_PROCESS_PARAMETERS Param = {0};
|
|||
|
|
ReadProcessMemory(hProcess, peb.ProcessParameters, &Param, sizeof(Param), NULL);
|
|||
|
|
|
|||
|
|
// <20><>ʾ
|
|||
|
|
// TCHAR szCmd[MAX_PATH] = { 0 }, szName[MAX_PATH] = { 0 }, szDirec[MAX_PATH] = { 0 };
|
|||
|
|
// ReadProcessMemory(hProcess, Param.CommandLine.Buffer, szCmd, MAX_PATH, NULL);
|
|||
|
|
// ReadProcessMemory(hProcess, Param.ImagePathName.Buffer, szName, MAX_PATH, NULL);
|
|||
|
|
// ReadProcessMemory(hProcess, Param.CurrentDirectory.DosPath.Buffer, szDirec, MAX_PATH, NULL);
|
|||
|
|
// MessageBox(NULL,szCmd, L"CMD", MB_OK);
|
|||
|
|
// MessageBox(NULL, szName, L"FullName", MB_OK);
|
|||
|
|
// MessageBox(NULL, szDirec, L"Direc", MB_OK);
|
|||
|
|
|
|||
|
|
// <20><EFBFBD>
|
|||
|
|
WriteProcessMemory(hProcess, Param.CommandLine.Buffer, lpszCmd, (2 + 2 * wcslen(lpszCmd)), NULL);
|
|||
|
|
Param.CommandLine.Length = (2 + 2 * wcslen(lpszCmd));
|
|||
|
|
WriteProcessMemory(hProcess, Param.ImagePathName.Buffer, lpszPath, (2 + 2 * wcslen(lpszPath)), NULL);
|
|||
|
|
Param.ImagePathName.Length = (2 + 2 * wcslen(lpszPath));
|
|||
|
|
TCHAR szPath[MAX_PATH] = {0};
|
|||
|
|
wcscpy_s(szPath, _countof(szPath), lpszPath);
|
|||
|
|
wchar_t *lpszTemp = wcsrchr(szPath, L'\\');
|
|||
|
|
lpszTemp[0] = L'\0';
|
|||
|
|
lpszTemp[1] = L'\0';
|
|||
|
|
WriteProcessMemory(hProcess, Param.CurrentDirectory.DosPath.Buffer, szPath, (2 + 2 * wcslen(szPath)), NULL);
|
|||
|
|
Param.CurrentDirectory.DosPath.Length = (2 + 2 * wcslen(szPath));
|
|||
|
|
|
|||
|
|
// <20><>ʾ
|
|||
|
|
// ReadProcessMemory(hProcess, Param.CommandLine.Buffer, szCmd, MAX_PATH, NULL);
|
|||
|
|
// ReadProcessMemory(hProcess, Param.ImagePathName.Buffer, szName, MAX_PATH, NULL);
|
|||
|
|
// ReadProcessMemory(hProcess, Param.CurrentDirectory.DosPath.Buffer, szDirec, MAX_PATH, NULL);
|
|||
|
|
// MessageBox(NULL, szCmd, L"CMD", MB_OK);
|
|||
|
|
// MessageBox(NULL, szName, L"FullName", MB_OK);
|
|||
|
|
// MessageBox(NULL, szDirec, L"Direc", MB_OK);
|
|||
|
|
|
|||
|
|
return TRUE;
|
|||
|
|
}
|