本文共计1025个字,预计阅读时长3.8分钟。
LPVOID AddressOfCreateProcess=NULL; BYTE OriCode[3]={0x0,0x0,0x0}; BYTE NewCode[3]={0x90,0xc3,0x90}; void HookCreateProcess(HANDLE hProc) { SIZE_T dwRet=0,i=0; AddressOfCreateProcess=(LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"NtCreateUserProcess"); printf("AddressOfCreateProcess: 0x%x\n",(LONGLONG)AddressOfCreateProcess); ReadProcessMemory(hProc,AddressOfCreateProcess,OriCode,3,&dwRet); WriteProcessMemory(hProc,AddressOfCreateProcess,NewCode,3,&dwRet); return; } void UnHookCreateProcess(HANDLE hProc) { SIZE_T dwRet=0; WriteProcessMemory(hProc,AddressOfCreateProcess,OriCode,3,&dwRet); return; } void HookAllProcess() { HANDLE hp=0; int pids[200],procsnum=0; GetAllProcessA(pids,&procsnum); for(int i=0;i<procsnum;i++) { printf("%d\n",pids); hp=OpenProcess(PROCESS_ALL_ACCESS,0,pids); HookCreateProcess(hp); CloseHandle(hp); } getchar(); for(int i=0;i<procsnum;i++) { printf("%d\n",pids); hp=OpenProcess(PROCESS_ALL_ACCESS,0,pids); UnHookCreateProcess(hp); CloseHandle(hp); } return; }
void HookCreateProcess(HANDLE hProc) { SIZE_T dwRet=0,i=0; AddressOfCreateProcess=(LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"NtCreateUserProcess"); printf("AddressOfCreateProcess: 0x%x\n",(LONGLONG)AddressOfCreateProcess); ReadProcessMemory(hProc,AddressOfCreateProcess,OriCode,3,&dwRet); WriteProcessMemory(hProc,AddressOfCreateProcess,NewCode,3,&dwRet); return; }
void UnHookCreateProcess(HANDLE hProc) { SIZE_T dwRet=0; WriteProcessMemory(hProc,AddressOfCreateProcess,OriCode,3,&dwRet); return; }
void HookAllProcess() { HANDLE hp=0; int pids[200],procsnum=0; GetAllProcessA(pids,&procsnum); for(int i=0;i<procsnum;i++) { printf("%d\n",pids); hp=OpenProcess(PROCESS_ALL_ACCESS,0,pids); HookCreateProcess(hp); CloseHandle(hp); } getchar(); for(int i=0;i<procsnum;i++) { printf("%d\n",pids); hp=OpenProcess(PROCESS_ALL_ACCESS,0,pids); UnHookCreateProcess(hp); CloseHandle(hp); } return; }
暂无评论
您需要登录后才可以回帖
立即登录 立即注册
Ring3全局禁止进程创建(x64)
请登录您的账号,开始你的旅途
没有帐号?用户注册
