本文详细介绍利用窗口子类化隐藏系统图标
#include <Windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <conio.h>
BOOL EnablePrivilege(char *PrviName)
{
HANDLE hToken;
TOKEN_PRIVILEGES Newtp;
BOOL bRet=FALSE;
OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken);
if(LookupPrivilegeValue(NULL,PrviName,&Newtp.Privileges[0].Luid))
{
Newtp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
Newtp.PrivilegeCount=1;
if(AdjustTokenPrivileges(hToken,FALSE,&Newtp,sizeof(Newtp),NULL,NULL))
bRet=TRUE;
}
CloseHandle(hToken);
return bRet;
}
DWORD Process2PID(LPCTSTR lpszProcess)
{
HANDLE hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
PROCESSENTRY32 pe;
DWORD dwRet=0;
pe.dwSize=sizeof(PROCESSENTRY32);
if(hSnap)
{
Process32First(hSnap,&pe);
do {
if(!lstrcmpi(lpszProcess,pe.szExeFile))
{
dwRet=pe.th32ProcessID;
break;
}
} while(Process32Next(hSnap,&pe));
CloseHandle(hSnap);
}
return dwRet;
}
BOOL InjectDLL(DWORD dwPid,LPCTSTR lpszDll)
{
if(!EnablePrivilege(SE_DEBUG_NAME))
return FALSE;
BOOL bRet=FALSE;
HANDLE hProcess=
OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,dwPid);
LPVOID pAddr=VirtualAllocEx(hProcess,NULL,MAX_PATH,MEM_COMMIT,PAGE_READWRITE);
WriteProcessMemory(hProcess,pAddr,lpszDll,lstrlen(lpszDll)+1,NULL);
LPTHREAD_START_ROUTINE pfnLoadLibrary=
(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
bRet=(BOOL)CreateRemoteThread(hProcess,NULL,1024,pfnLoadLibrary,pAddr,0,NULL);
CloseHandle(hProcess);
return bRet;
}
int main(int argc,char **argv)
{
printf("Inject DLL to explorer.exe %s\n",
InjectDLL(Process2PID(argv[1]),argv[2])?"successful":"failed");
getch();
return 0;
}将两个分别编译好后用下面的命令行:
injectDLL explorer.exe d:\wjj\explorer\debug\explorer.dlld:\wjj\explorer\debug\explorer.dll一定要用绝对路径,那是我用的工作目录,你可以把explorer.dll放在其它任意地方
我更喜欢用中规中矩的"窗口子类化"来称乎这种技术,当然也可以叫它"窗口劫持",来北京没有多长时间,发现这里的人都喜欢用很多很大气的词,平台,架构,理念......,听起来的确有点烦.
作者:Kruglinski 责编:豆豆技术应用
正在加载评论...