ProcessFake/FakeProcess/FakeProcessDll/MyFake.c


#include "MyFake.h"
#include "ntos.h"
/* Prototypes for ntdll exports that are resolved at run time with
 * GetProcAddress rather than linked against an import library.
 * Only pfnNtQueryInformationProcess is referenced in this file
 * (by FakeOtherProcess). */
typedef NTSTATUS(__stdcall *pfnNtQueryInformationProcess) (HANDLE ProcessHandle, ULONG ProcessInformationClass,
PVOID ProcessInformation, UINT32 ProcessInformationLength, UINT32* ReturnLength);
/* Declared but not used in this file; FakeOtherProcess reads with
 * ReadProcessMemory instead. */
typedef NTSTATUS(__stdcall *pfnNtReadVirtualMemory) (HANDLE ProcessHandle, PVOID BaseAddress,
PVOID BufferData, UINT64 BufferLength, PUINT64 ReturnLength);
/* Declared but not used in this file; FakeOtherProcess writes with
 * WriteProcessMemory instead. */
typedef NTSTATUS(__stdcall *pfnNtWriteVirtualMemory) (HANDLE ProcessHandle, PVOID BaseAddress,
PVOID BufferData, UINT64 BufferLength, PUINT64 ReturnLength);
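/*
 * Report a failed call in a modal message box together with the thread's
 * last Win32 error code.
 *
 * lpszText: NUL-terminated wide string naming the call that failed
 *           (NULL is tolerated and shown as "(unknown)").
 *
 * GetLastError() is read first, before any other call in this function
 * could disturb it, so the code shown is the one left by the caller's
 * failing call. The format string carries a %lu placeholder for that code
 * and the output is bounded to the size of szErr.
 */
void ShowError(TCHAR *lpszText)
{
    DWORD dwErr = GetLastError();
    TCHAR szErr[MAX_PATH] = {0};

    swprintf_s(szErr, _countof(szErr), L"%ls Error!\n Error Code Is: %lu\n",
               lpszText != NULL ? lpszText : L"(unknown)", (unsigned long)dwErr);
    MessageBox(NULL, szErr, NULL, MB_OK);
}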
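/*
 * Point the current process's own RTL_USER_PROCESS_PARAMETERS strings at
 * new values.
 *
 * szPath:  NUL-terminated wide image path; its directory part (everything
 *          before the last backslash) becomes CurrentDirectory.DosPath.
 * lpszCmd: NUL-terminated wide command line.
 *
 * Returns FALSE when an argument is NULL, when szPath does not fit in
 * MAX_PATH characters, or when it contains no backslash; TRUE otherwise.
 *
 * RtlInitUnicodeString stores a pointer, not a copy: after this call the
 * PEB's CommandLine and ImagePathName refer to lpszCmd and szPath, so the
 * caller must keep both buffers alive and unchanged. The directory string
 * lives in function-static storage for the same reason, and szPath itself
 * is left untouched (truncating it in place would also truncate the
 * ImagePathName that points at it).
 *
 * NOTE(review): only this user-mode copy of the parameters changes; the
 * kernel's own record of the image path is not affected, which is what
 * inspection tooling can compare against.
 */
BOOL FakeCurrentProcess(TCHAR *szPath, TCHAR *lpszCmd)
{
    /* Static so the pointer installed in the PEB stays valid after return. */
    static TCHAR s_szDir[MAX_PATH];
    TCHAR *lpszSlash = NULL;
    PPEB peb = NULL;

    if (szPath == NULL || lpszCmd == NULL) {
        return FALSE;
    }
    /* wcscpy_s returns non-zero (and may invoke the invalid-parameter
     * handler) when szPath does not fit. */
    if (wcscpy_s(s_szDir, _countof(s_szDir), szPath) != 0) {
        return FALSE;
    }
    lpszSlash = wcsrchr(s_szDir, L'\\');
    if (lpszSlash == NULL) {
        return FALSE;
    }
    *lpszSlash = L'\0';

    peb = NtCurrentPeb();
    RtlInitUnicodeString(&peb->ProcessParameters->CommandLine, lpszCmd);
    RtlInitUnicodeString(&peb->ProcessParameters->ImagePathName, szPath);
    RtlInitUnicodeString(&peb->ProcessParameters->CurrentDirectory.DosPath, s_szDir);
    return TRUE;
}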
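/*
 * Copy lpszNew (including its terminator) into the target-side buffer that
 * pus describes, refusing to write past the capacity the target allocated
 * for it (MaximumLength). On success pus->Length is updated on the local
 * copy only, with the terminator counted as before.
 *
 * Returns FALSE (with the last error set where WriteProcessMemory did not
 * set it) when the buffer is missing, too small, or the write is short.
 */
static BOOL WriteRemoteString(HANDLE hProcess, UNICODE_STRING *pus, const TCHAR *lpszNew)
{
    SIZE_T cbNew = (wcslen(lpszNew) + 1) * sizeof(WCHAR);
    SIZE_T cbDone = 0;

    if (pus->Buffer == NULL || cbNew > pus->MaximumLength) {
        SetLastError(ERROR_INSUFFICIENT_BUFFER);
        return FALSE;
    }
    if (!WriteProcessMemory(hProcess, pus->Buffer, lpszNew, cbNew, &cbDone) || cbDone != cbNew) {
        return FALSE;
    }
    pus->Length = (USHORT)cbNew;
    return TRUE;
}

/*
 * Rewrite the command line, image path and current-directory strings held
 * in another process's RTL_USER_PROCESS_PARAMETERS.
 *
 * dwPID:    id of the target process.
 * lpszPath: NUL-terminated wide path; its directory part (everything before
 *           the last backslash) becomes the new CurrentDirectory.DosPath.
 * lpszCmd:  NUL-terminated wide command line.
 *
 * Returns TRUE when every read and write succeeded, FALSE otherwise; the
 * failing call is reported through ShowError. The process handle is closed
 * on every return path.
 *
 * Every pointer obtained from the target (pbi.PebBaseAddress,
 * peb.ProcessParameters, the UNICODE_STRING Buffer members) is an address
 * in the target's address space, so each level is copied into local
 * storage with ReadProcessMemory before it is dereferenced; touching those
 * pointers directly faults in this process.
 *
 * The directory string is derived and validated before anything is written,
 * so a bad path leaves the target untouched. Each string is written only
 * into the buffer the target already owns and never beyond its
 * MaximumLength, so an over-long argument fails cleanly instead of
 * corrupting the target's heap. Length fields are adjusted on the local
 * copy `Param` only.
 */
BOOL FakeOtherProcess(DWORD dwPID, TCHAR *lpszPath, TCHAR *lpszCmd)
{
    BOOL bResult = FALSE;
    HANDLE hProcess = NULL;
    pfnNtQueryInformationProcess NtQueryInformationProcess = NULL;
    PROCESS_BASIC_INFORMATION pbi = {0};
    PEB peb = {0};
    RTL_USER_PROCESS_PARAMETERS Param = {0};
    TCHAR szDir[MAX_PATH] = {0};
    TCHAR *lpszSlash = NULL;
    SIZE_T cbRead = 0;
    NTSTATUS status;

    if (lpszPath == NULL || lpszCmd == NULL) {
        return FALSE;
    }

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
    if (hProcess == NULL) {
        ShowError(L"OpenProcess");
        return FALSE;
    }

    NtQueryInformationProcess = (pfnNtQueryInformationProcess)GetProcAddress(
        GetModuleHandle(L"ntdll.dll"), "NtQueryInformationProcess");
    if (NtQueryInformationProcess == NULL) {
        ShowError(L"GetProcAddress");
        goto cleanup;
    }

    /* Information class 0 (ProcessBasicInformation) yields PebBaseAddress. */
    status = NtQueryInformationProcess(hProcess, 0, &pbi, sizeof(pbi), NULL);
    if (!NT_SUCCESS(status)) {
        /* NT functions do not set the Win32 last error; the code ShowError
         * displays here is whatever was left by an earlier call. */
        ShowError(L"NtQueryInformationProcess");
        goto cleanup;
    }

    /* Fetch the target's PEB, then the RTL_USER_PROCESS_PARAMETERS it points to. */
    if (!ReadProcessMemory(hProcess, pbi.PebBaseAddress, &peb, sizeof(peb), &cbRead)
        || cbRead != sizeof(peb)) {
        ShowError(L"ReadProcessMemory(PEB)");
        goto cleanup;
    }
    if (!ReadProcessMemory(hProcess, peb.ProcessParameters, &Param, sizeof(Param), &cbRead)
        || cbRead != sizeof(Param)) {
        ShowError(L"ReadProcessMemory(ProcessParameters)");
        goto cleanup;
    }

    /* Directory = lpszPath cut at its last backslash, built in a local copy
     * so the caller's buffer is not modified. */
    if (wcscpy_s(szDir, _countof(szDir), lpszPath) != 0) {
        SetLastError(ERROR_INSUFFICIENT_BUFFER);
        ShowError(L"wcscpy_s");
        goto cleanup;
    }
    lpszSlash = wcsrchr(szDir, L'\\');
    if (lpszSlash == NULL) {
        SetLastError(ERROR_BAD_PATHNAME);
        ShowError(L"wcsrchr");
        goto cleanup;
    }
    *lpszSlash = L'\0';

    if (!WriteRemoteString(hProcess, &Param.CommandLine, lpszCmd)) {
        ShowError(L"WriteProcessMemory(CommandLine)");
        goto cleanup;
    }
    if (!WriteRemoteString(hProcess, &Param.ImagePathName, lpszPath)) {
        ShowError(L"WriteProcessMemory(ImagePathName)");
        goto cleanup;
    }
    if (!WriteRemoteString(hProcess, &Param.CurrentDirectory.DosPath, szDir)) {
        ShowError(L"WriteProcessMemory(CurrentDirectory)");
        goto cleanup;
    }

    bResult = TRUE;

cleanup:
    CloseHandle(hProcess);
    return bResult;
}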