#include "MyFake.h" #include "ntos.h" typedef NTSTATUS(__stdcall *pfnNtQueryInformationProcess) (HANDLE ProcessHandle, ULONG ProcessInformationClass, PVOID ProcessInformation, UINT32 ProcessInformationLength, UINT32* ReturnLength); typedef NTSTATUS(__stdcall *pfnNtReadVirtualMemory) (HANDLE ProcessHandle, PVOID BaseAddress, PVOID BufferData, UINT64 BufferLength, PUINT64 ReturnLength); typedef NTSTATUS(__stdcall *pfnNtWriteVirtualMemory) (HANDLE ProcessHandle, PVOID BaseAddress, PVOID BufferData, UINT64 BufferLength, PUINT64 ReturnLength); void ShowError(TCHAR *lpszText) { TCHAR szErr[MAX_PATH] = {0}; wsprintf(szErr, L"%ls Error!\n Error Code Is:\n", lpszText, GetLastError()); MessageBox(NULL, szErr, NULL, MB_OK); } BOOL FakeCurrentProcess(TCHAR *szPath, TCHAR *lpszCmd) { PPEB peb = NtCurrentPeb(); // 修改 RtlInitUnicodeString(&peb->ProcessParameters->CommandLine, lpszCmd); RtlInitUnicodeString(&peb->ProcessParameters->ImagePathName, szPath); TCHAR *lpszTemp = wcsrchr(szPath, L'\\'); lpszTemp[0] = L'\0'; lpszTemp[1] = L'\0'; RtlInitUnicodeString(&peb->ProcessParameters->CurrentDirectory.DosPath, szPath); return TRUE; } BOOL FakeOtherProcess(DWORD dwPID, TCHAR *lpszPath, TCHAR *lpszCmd) { HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID); if (NULL == hProcess) { ShowError(L"OpenProcess"); return FALSE; } pfnNtQueryInformationProcess NtQueryInformationProcess = (pfnNtQueryInformationProcess)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtQueryInformationProcess"); if (NULL == NtQueryInformationProcess) { ShowError(L"GetProcAddress"); return FALSE; } PROCESS_BASIC_INFORMATION pbi = {0}; NTSTATUS status = NtQueryInformationProcess(hProcess, 0, &pbi, sizeof(pbi), NULL); if (!NT_SUCCESS(status)) { ShowError(L"NtWow64QueryInformationProcess64"); return FALSE; } /* 注意在读写其他进程的时候,注意要使用ReadProcessMemory/WriteProcessMemory进行操作, 每个指针指向的内容都需要获取,因为指针只能指向本进程的地址空间,必须要读取到本进程空间。 要不然一直提示位置访问错误! */ // 获取其他进程地址空间指针指向的数据内容:PEB, RTL_USER_PROCESS_PARAMETERS PEB peb = {0}; ReadProcessMemory(hProcess, pbi.PebBaseAddress, &peb, sizeof(peb), NULL); RTL_USER_PROCESS_PARAMETERS Param = {0}; ReadProcessMemory(hProcess, peb.ProcessParameters, &Param, sizeof(Param), NULL); // 显示 // TCHAR szCmd[MAX_PATH] = { 0 }, szName[MAX_PATH] = { 0 }, szDirec[MAX_PATH] = { 0 }; // ReadProcessMemory(hProcess, Param.CommandLine.Buffer, szCmd, MAX_PATH, NULL); // ReadProcessMemory(hProcess, Param.ImagePathName.Buffer, szName, MAX_PATH, NULL); // ReadProcessMemory(hProcess, Param.CurrentDirectory.DosPath.Buffer, szDirec, MAX_PATH, NULL); // MessageBox(NULL,szCmd, L"CMD", MB_OK); // MessageBox(NULL, szName, L"FullName", MB_OK); // MessageBox(NULL, szDirec, L"Direc", MB_OK); // 修改 WriteProcessMemory(hProcess, Param.CommandLine.Buffer, lpszCmd, (2 + 2 * wcslen(lpszCmd)), NULL); Param.CommandLine.Length = (2 + 2 * wcslen(lpszCmd)); WriteProcessMemory(hProcess, Param.ImagePathName.Buffer, lpszPath, (2 + 2 * wcslen(lpszPath)), NULL); Param.ImagePathName.Length = (2 + 2 * wcslen(lpszPath)); TCHAR szPath[MAX_PATH] = {0}; wcscpy_s(szPath, _countof(szPath), lpszPath); wchar_t *lpszTemp = wcsrchr(szPath, L'\\'); lpszTemp[0] = L'\0'; lpszTemp[1] = L'\0'; WriteProcessMemory(hProcess, Param.CurrentDirectory.DosPath.Buffer, szPath, (2 + 2 * wcslen(szPath)), NULL); Param.CurrentDirectory.DosPath.Length = (2 + 2 * wcslen(szPath)); // 显示 // ReadProcessMemory(hProcess, Param.CommandLine.Buffer, szCmd, MAX_PATH, NULL); // ReadProcessMemory(hProcess, Param.ImagePathName.Buffer, szName, MAX_PATH, NULL); // ReadProcessMemory(hProcess, Param.CurrentDirectory.DosPath.Buffer, szDirec, MAX_PATH, NULL); // MessageBox(NULL, szCmd, L"CMD", MB_OK); // MessageBox(NULL, szName, L"FullName", MB_OK); // MessageBox(NULL, szDirec, L"Direc", MB_OK); return TRUE; }