
APC注入DLL(win7下有问题)

/*
 * APCKernelRoutine - kernel-mode half of the APC queued by InjectDllByAPC.
 *
 * Runs in the context of the target thread when the APC is delivered and
 * releases the KAPC block that InjectDllByAPC obtained from ExAllocatePool.
 * The remaining parameters are not examined.
 *
 * NOTE(review): the WDK's KKERNEL_ROUTINE type declares the last four
 * parameters as pointer-to-pointer (PKNORMAL_ROUTINE *, PVOID *, ...); the
 * (PKKERNEL_ROUTINE) cast at the KeInitializeApc call site hides that
 * mismatch.  It is harmless here only because those values are unused.
 */
void APCKernelRoutine(PKAPC pKAPC,
				 PKNORMAL_ROUTINE pUserAPC,
				 PVOID pContext,
				 PVOID pSysArg1,
				 PVOID pSysArg2)
{
	DbgPrint("APCKernelRoutine Entered\n");
	/* pKAPC is the block allocated with ExAllocatePool(NonPagedPool, sizeof(KAPC)). */
	ExFreePool(pKAPC);
}
/*
 * InjectDllByAPC - queue a user-mode APC on thread TargetTid of process
 * TargetPid that executes the APCMdlCode stub with usDllPath as its input.
 *
 * Parameters:
 *   TargetPid        - id of the process whose address space receives the
 *                      stub and data mappings
 *   TargetTid        - id of the thread the APC is queued on
 *   usDllPath        - string copied into the shared data buffer (pAPCData)
 *   LdrMethodAddress - user-mode address handed to the stub as its first
 *                      argument; the stub calls through it (see APCMdlCode)
 *
 * Returns STATUS_UNSUCCESSFUL when either IoAllocateMdl call fails, otherwise
 * STATUS_SUCCESS.  STATUS_SUCCESS only means the queueing path was walked:
 * none of the lookup, map, allocate or KeInsertQueueApc results are checked.
 *
 * Globals written here but declared outside this listing: pMDLApcCode,
 * pMDLApcData, pAPCData, unicodeLengthInfo, pMappedCode, pMappedData, pKAPC.
 *
 * Review notes on defects visible in this listing (code left unchanged):
 *   - the early return after the second IoAllocateMdl failure leaves the
 *     first MDL locked and allocated;
 *   - PsLookupProcessByProcessId / PsLookupThreadByThreadId statuses are
 *     ignored, so TargetProcess / TargetThread may be uninitialized when they
 *     are attached to, used for the APC and passed to ObDereferenceObject;
 *   - ExAllocatePool may return NULL, and RtlZeroMemory / KeInitializeApc
 *     would then fault;
 *   - the byte store at a hard-coded KTHREAD offset near the end is
 *     version-specific and unsupported (the page title itself reports that
 *     it misbehaves on Win7).
 */
NTSTATUS InjectDllByAPC(ULONG TargetPid, ULONG TargetTid, PUNICODE_STRING usDllPath, ULONG LdrMethodAddress)
{
	ULONG size;
	PKTHREAD TargetThread;
	PEPROCESS TargetProcess;
	KAPC_STATE ApcState;
	ULONG arg1 = 0;
	ULONG arg2 = 0;
	ULONG arg3 = 0;
	DbgPrint("Inside InjectDllByAPC...\n");
	/* Stub size is the distance between two function addresses.  This assumes
	 * the linker emits APCMdlCodeEnd immediately after APCMdlCode with nothing
	 * in between -- TODO confirm; function reordering or padding breaks it. */
	size = (unsigned char*)APCMdlCodeEnd - (unsigned char*)APCMdlCode;
	DbgPrint("Allocating MDL (1)...\n");
	pMDLApcCode = IoAllocateMdl(APCMdlCode, size, FALSE, FALSE, NULL);
	if (!pMDLApcCode)
	{
		return(STATUS_UNSUCCESSFUL);
	}
	/* NOTE(review): MmProbeAndLockPages reports failure by raising an
	 * exception rather than returning a status; there is no __try here. */
	MmProbeAndLockPages(pMDLApcCode, KernelMode, IoWriteAccess);
	/* sizeof(pAPCData) is taken on the global, whose declaration is not in
	 * this listing: if it is an array this is the buffer size, if it is a
	 * pointer it is only the pointer size -- verify.  The memcpy below copies
	 * usDllPath->Length bytes without comparing against that size. */
	RtlZeroMemory(pAPCData, sizeof( pAPCData));
	memcpy( (char*) pAPCData, usDllPath->Buffer, usDllPath->Length);
	/* Packs the two leading USHORT fields of UNICODE_STRING (Length,
	 * MaximumLength) into one ULONG; the stub truncates it back to Length. */
	unicodeLengthInfo = *(ULONG*) usDllPath;
	pMDLApcData = IoAllocateMdl (pAPCData, sizeof(pAPCData), FALSE,FALSE,NULL);
	if (!pMDLApcData)
	{
		/* NOTE(review): pMDLApcCode is still locked and allocated here. */
		return STATUS_UNSUCCESSFUL;
	}
	MmProbeAndLockPages(pMDLApcData, KernelMode, IoWriteAccess);
	/* Both lookups return NTSTATUS and leave the out-pointer unset on failure;
	 * neither status is checked. */
	PsLookupProcessByProcessId((HANDLE)TargetPid, &TargetProcess);
	DbgPrint("Pid: %d, PEPROCESS: 0X%X\n", TargetPid, TargetProcess);
	PsLookupThreadByThreadId ((PVOID) TargetTid, &TargetThread);
	DbgPrint("Tid: %d, PKTHREAD: 0X%X\n", TargetTid, TargetThread);
	/* Temporarily switch to the target's address space so the UserMode
	 * mappings below land in that process. */
	KeStackAttachProcess((PKPROCESS) TargetProcess, &ApcState);
	/* Mapping results are not checked; with AccessMode == UserMode the
	 * documented failure behaviour is an exception -- confirm. */
	pMappedCode = (PVOID*) MmMapLockedPagesSpecifyCache(pMDLApcCode, UserMode, MmCached, NULL, FALSE, NormalPagePriority);
	pMappedData = (PVOID*) MmMapLockedPagesSpecifyCache(pMDLApcData, UserMode, MmCached, NULL, FALSE, NormalPagePriority);
	KeUnstackDetachProcess (&ApcState);
	/* Arguments delivered to the stub: NormalContext = arg1,
	 * SystemArgument1 = arg2, SystemArgument2 = arg3. */
	arg1 = (ULONG) LdrMethodAddress;
	arg2 = (ULONG) pMappedData;
	arg3 = (ULONG) unicodeLengthInfo;
	/* Allocation result unchecked; freed later by APCKernelRoutine. */
	pKAPC = (PKAPC) ExAllocatePool( NonPagedPool, sizeof(KAPC) );
	RtlZeroMemory(pKAPC, sizeof(KAPC));
	KeInitializeApc(pKAPC, TargetThread, OriginalApcEnvironment,
			   (PKKERNEL_ROUTINE)APCKernelRoutine, NULL,
			   (PKNORMAL_ROUTINE) pMappedCode,
			   UserMode, (PVOID)arg1);
	/* Return value (FALSE if the APC could not be queued) is ignored. */
	KeInsertQueueApc(pKAPC, (PVOID)arg2, (PVOID)arg3, 0);

	//KETHREAD.ApcState.UserApcPending = 1
	//*((unsigned char *)TargetThread + 0x4a) = 1; //XP, 2K3 RTM
	//*((unsigned char *)TargetThread + 0x3e) = 1; //2K3 SP1, SP2
	//*((unsigned char *)TargetThread + 0x4e) = 1; //Vista
	/* NOTE(review): raw write into an undocumented, build-specific KTHREAD
	 * offset; wrong on any other build and bypasses the kernel's own APC
	 * accounting. */
	*((unsigned char *)TargetThread + 0x56) = 1; //Win 7
	/* NOTE(review): both MDLs are unlocked and freed here, before the queued
	 * APC has necessarily run.  Whether the UserMode mappings created above
	 * remain valid afterwards is not established by this listing -- confirm
	 * against the MmUnlockPages / MmUnmapLockedPages contract. */
	if (pMDLApcCode)
	{
		MmUnlockPages(pMDLApcCode);
		IoFreeMdl(pMDLApcCode);
	}
	if (pMDLApcData)
	{
		MmUnlockPages(pMDLApcData);
		IoFreeMdl(pMDLApcData);
	}
	/* Drops the references taken by the two Ps lookups (if they succeeded). */
	ObDereferenceObject(TargetProcess);
	ObDereferenceObject(TargetThread);
	return STATUS_SUCCESS;
}
/*
 * APCMdlCode - user-mode stub copied (via MDL mapping) into the target
 * process and run as the APC's normal routine.
 *
 * Receives the three values InjectDllByAPC queued:
 *   lpLdrLoadDll     - NormalContext: address the stub calls through
 *   pwsDllPath       - SystemArgument1: mapped copy of the DLL path buffer
 *   pwsDllPathLength - SystemArgument2: the packed Length/MaximumLength
 *                      ULONG; only the low USHORT (Length) is used
 *
 * It builds a UNICODE_STRING over pwsDllPath and, in the inline asm, pushes
 * &DllHandle, &usDllName, &DllCharacteristics and 0 in that order -- i.e. a
 * right-to-left argument list (0, &DllCharacteristics, &usDllName,
 * &DllHandle) for the callee.  No stack adjustment follows the call, so a
 * callee-cleans (stdcall) target is assumed -- TODO confirm.
 *
 * NOTE(review): the function body must be position independent and free of
 * references to the driver image, because it is executed out of a copy.
 * Compiler-inserted helpers (stack checks, CRT calls) would break that;
 * this is not verifiable from the listing.  __asm with pushad/popad is
 * MSVC x86 (32-bit) only.
 */
void APCMdlCode(PVOID lpLdrLoadDll, PVOID pwsDllPath, PVOID pwsDllPathLength)
{
	UNICODE_STRING usDllName;
	ULONG DllCharacteristics = 0;
	PVOID DllHandle = 0;

	/* Truncation to USHORT recovers the Length field from the packed ULONG. */
	usDllName.Length = (USHORT) pwsDllPathLength;
	usDllName.MaximumLength = usDllName.Length + 2;
	usDllName.Buffer = (WCHAR*) pwsDllPath;
	__asm
	{
		pushad
		lea eax, DllHandle
		push eax
		lea eax, usDllName
		push eax
		lea eax, DllCharacteristics
		push eax
		push 0
		call [lpLdrLoadDll]
		nop
		nop
		popad
	}
}
/*
 * APCMdlCodeEnd - empty marker function; InjectDllByAPC subtracts its
 * address from APCMdlCode's to size the stub.  Only meaningful if the linker
 * keeps it directly after APCMdlCode (see the note there).
 */
void APCMdlCodeEnd()
{
}