内核态 APC 注入 DLL（仅 x86 驱动代码；win7 下有问题）
2014-03-04 01:00
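/*
 * Kernel-mode user-APC DLL injection (x86 only: pointers travel as ULONG and
 * the stub is 32-bit MSVC inline asm).
 *
 * InjectDllByAPC maps a tiny stub (APCMdlCode..APCMdlCodeEnd) and the DLL
 * path into the target process, then queues a user-mode APC on the target
 * thread that runs the stub, which calls LdrLoadDll inside that process.
 *
 * File-scope state used here is declared elsewhere in this file:
 *   pMDLApcCode, pMDLApcData   MDLs describing the stub and the path buffer
 *   pAPCData                   fixed-size buffer that receives the DLL path
 *   unicodeLengthInfo          path length handed to the stub
 *   pMappedCode, pMappedData   user-mode addresses of stub/path in the target
 *   pKAPC                      the queued APC object
 */

/*
 * Kernel routine of the injected APC. Runs in the target thread before the
 * user-mode normal routine (the stub) executes. It only releases the KAPC
 * object; the MDL mappings must not be torn down here because the stub has
 * not run yet. The parameter pKAPC deliberately shadows the file-scope pKAPC.
 */
void APCKernelRoutine(PKAPC pKAPC, PKNORMAL_ROUTINE pUserAPC, PVOID pContext, PVOID pSysArg1, PVOID pSysArg2)
{
    DbgPrint("APCKernelRoutine Entered\n");
    ExFreePool(pKAPC);
}

/*
 * Undo whichever user-mode mappings were created in TargetProcess.
 * MmUnmapLockedPages for a UserMode mapping has to run in the context of the
 * process that owns the mapping, hence the attach/detach around it.
 */
static void UnmapApcPagesInTarget(PEPROCESS TargetProcess)
{
    KAPC_STATE ApcState;

    KeStackAttachProcess((PKPROCESS)TargetProcess, &ApcState);
    if (pMappedCode != NULL) {
        MmUnmapLockedPages(pMappedCode, pMDLApcCode);
        pMappedCode = NULL;
    }
    if (pMappedData != NULL) {
        MmUnmapLockedPages(pMappedData, pMDLApcData);
        pMappedData = NULL;
    }
    KeUnstackDetachProcess(&ApcState);
}

/*
 * Unlock (only if the lock succeeded) and free both MDLs. No user-mode
 * mapping may still be outstanding on them when this is called.
 */
static void ReleaseApcMdls(BOOLEAN codeLocked, BOOLEAN dataLocked)
{
    if (pMDLApcCode != NULL) {
        if (codeLocked) {
            MmUnlockPages(pMDLApcCode);
        }
        IoFreeMdl(pMDLApcCode);
        pMDLApcCode = NULL;
    }
    if (pMDLApcData != NULL) {
        if (dataLocked) {
            MmUnlockPages(pMDLApcData);
        }
        IoFreeMdl(pMDLApcData);
        pMDLApcData = NULL;
    }
}

/*
 * Queue a user-mode APC on thread TargetTid of process TargetPid that loads
 * the DLL named by usDllPath via LdrLoadDll at LdrMethodAddress (the address
 * of ntdll!LdrLoadDll as seen from the target process).
 *
 * Returns STATUS_SUCCESS once the APC is queued. On any failure every
 * resource acquired so far (object references, user mappings, locked MDLs,
 * the KAPC) is released and an NTSTATUS error is returned. On success the
 * mappings and MDLs are intentionally left alive (see the comment before the
 * return) because the stub has not executed yet.
 *
 * Changes versus the earlier revision: lookups, allocations, probes and
 * KeInsertQueueApc are now checked; the thread is verified to belong to the
 * process; the DLL path is bounds-checked against pAPCData; and the MDLs are
 * no longer unlocked/freed while the user-mode mapping is still in use.
 */
NTSTATUS InjectDllByAPC(ULONG TargetPid, ULONG TargetTid, PUNICODE_STRING usDllPath, ULONG LdrMethodAddress)
{
    NTSTATUS status = STATUS_SUCCESS;
    ULONG size;
    PKTHREAD TargetThread = NULL;
    PEPROCESS TargetProcess = NULL;
    KAPC_STATE ApcState;
    BOOLEAN codeLocked = FALSE;
    BOOLEAN dataLocked = FALSE;
    ULONG arg1 = 0;
    ULONG arg2 = 0;
    ULONG arg3 = 0;

    DbgPrint("Inside InjectDllByAPC...\n");

    if (usDllPath == NULL || usDllPath->Buffer == NULL || LdrMethodAddress == 0) {
        return STATUS_INVALID_PARAMETER;
    }
    /* pAPCData is treated as a fixed-size array (sizeof is used for the zeroing
     * and the MDL length below). Reject a path that would overflow it, keeping
     * one WCHAR so the zeroing leaves a terminator. NOTE(review): confirm that
     * pAPCData is declared as an array and not as a pointer. */
    if (usDllPath->Length > sizeof(pAPCData) - sizeof(WCHAR)) {
        return STATUS_BUFFER_TOO_SMALL;
    }

    pMappedCode = NULL;
    pMappedData = NULL;
    pMDLApcData = NULL;

    /* The stub is copied byte-for-byte: size it from the two marker functions. */
    size = (ULONG)((unsigned char *)APCMdlCodeEnd - (unsigned char *)APCMdlCode);
    DbgPrint("Allocating MDL (1)...\n");
    pMDLApcCode = IoAllocateMdl(APCMdlCode, size, FALSE, FALSE, NULL);
    if (!pMDLApcCode) {
        return STATUS_UNSUCCESSFUL;
    }
    /* MmProbeAndLockPages reports failure by raising, not by a return value. */
    __try {
        MmProbeAndLockPages(pMDLApcCode, KernelMode, IoWriteAccess);
        codeLocked = TRUE;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        status = GetExceptionCode();
    }
    if (!NT_SUCCESS(status)) {
        goto cleanup;
    }

    RtlZeroMemory(pAPCData, sizeof(pAPCData));
    memcpy((char *)pAPCData, usDllPath->Buffer, usDllPath->Length);
    /* The stub truncates this argument to USHORT and uses it as Length, so pass
     * Length directly rather than type-punning the UNICODE_STRING header as a
     * ULONG (which packed Length and MaximumLength together). */
    unicodeLengthInfo = usDllPath->Length;

    pMDLApcData = IoAllocateMdl(pAPCData, sizeof(pAPCData), FALSE, FALSE, NULL);
    if (!pMDLApcData) {
        status = STATUS_UNSUCCESSFUL;
        goto cleanup;
    }
    __try {
        MmProbeAndLockPages(pMDLApcData, KernelMode, IoWriteAccess);
        dataLocked = TRUE;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        status = GetExceptionCode();
    }
    if (!NT_SUCCESS(status)) {
        goto cleanup;
    }

    /* Both lookups take a reference that is dropped on every exit path. */
    status = PsLookupProcessByProcessId((HANDLE)TargetPid, &TargetProcess);
    if (!NT_SUCCESS(status)) {
        TargetProcess = NULL;
        goto cleanup;
    }
    DbgPrint("Pid: %d, PEPROCESS: 0X%X\n", TargetPid, TargetProcess);

    status = PsLookupThreadByThreadId((HANDLE)TargetTid, (PETHREAD *)&TargetThread);
    if (!NT_SUCCESS(status)) {
        TargetThread = NULL;
        goto cleanup;
    }
    DbgPrint("Tid: %d, PKTHREAD: 0X%X\n", TargetTid, TargetThread);

    /* Pid and Tid arrive independently from the caller. If the thread is not
     * part of TargetProcess, the user-mode mapping below would be created in
     * the wrong address space and the APC would jump to an unmapped address in
     * the thread's real process. */
    if (IoThreadToProcess((PETHREAD)TargetThread) != TargetProcess) {
        status = STATUS_INVALID_PARAMETER;
        goto cleanup;
    }

    /* Map the stub and the path into the target's user address space. The
     * UserMode flavour of MmMapLockedPagesSpecifyCache may raise or return NULL
     * on failure, so both are handled. */
    KeStackAttachProcess((PKPROCESS)TargetProcess, &ApcState);
    __try {
        pMappedCode = (PVOID *)MmMapLockedPagesSpecifyCache(pMDLApcCode, UserMode, MmCached, NULL, FALSE, NormalPagePriority);
        pMappedData = (PVOID *)MmMapLockedPagesSpecifyCache(pMDLApcData, UserMode, MmCached, NULL, FALSE, NormalPagePriority);
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        status = GetExceptionCode();
    }
    KeUnstackDetachProcess(&ApcState);
    if (NT_SUCCESS(status) && (pMappedCode == NULL || pMappedData == NULL)) {
        status = STATUS_UNSUCCESSFUL;
    }
    if (!NT_SUCCESS(status)) {
        goto cleanup;
    }

    /* Arguments as the stub sees them: NormalContext, SystemArgument1/2. */
    arg1 = (ULONG)LdrMethodAddress;
    arg2 = (ULONG)pMappedData;
    arg3 = (ULONG)unicodeLengthInfo;

    pKAPC = (PKAPC)ExAllocatePool(NonPagedPool, sizeof(KAPC));
    if (!pKAPC) {
        status = STATUS_INSUFFICIENT_RESOURCES;
        goto cleanup;
    }
    RtlZeroMemory(pKAPC, sizeof(KAPC));
    /* NormalRoutine is the stub at its user-mode address. RundownRoutine is
     * NULL, so if the thread exits before delivery the KAPC is not freed. */
    KeInitializeApc(pKAPC, TargetThread, OriginalApcEnvironment,
                    (PKKERNEL_ROUTINE)APCKernelRoutine, NULL,
                    (PKNORMAL_ROUTINE)pMappedCode, UserMode, (PVOID)arg1);
    if (!KeInsertQueueApc(pKAPC, (PVOID)arg2, (PVOID)arg3, 0)) {
        /* Queue refused (e.g. thread terminating): the kernel routine will never
         * run, so the KAPC has to be freed here. */
        ExFreePool(pKAPC);
        pKAPC = NULL;
        status = STATUS_UNSUCCESSFUL;
        goto cleanup;
    }

    /* Force delivery by setting KTHREAD.ApcState.UserApcPending directly. The
     * field offset is undocumented and build-specific:
     *   0x4a  XP, 2K3 RTM
     *   0x3e  2K3 SP1, SP2
     *   0x4e  Vista
     *   0x56  Win 7 (the only one applied here)
     * NOTE(review): this should be gated on the running OS version (e.g. via
     * RtlGetVersion) and refused on unknown builds; a wrong offset writes into
     * a neighbouring KTHREAD field. */
    *((unsigned char *)TargetThread + 0x56) = 1;

    /* Success. The APC has not executed yet, so the user-mode mappings and the
     * MDLs backing them (pMappedCode/pMappedData, pMDLApcCode/pMDLApcData) are
     * left alive on purpose. They must be released later, after the stub has
     * run: MmUnmapLockedPages in the target's process context, then
     * MmUnlockPages and IoFreeMdl. Tearing them down here raced the stub. */
    ObDereferenceObject(TargetThread);
    ObDereferenceObject(TargetProcess);
    return STATUS_SUCCESS;

cleanup:
    if (TargetProcess != NULL && (pMappedCode != NULL || pMappedData != NULL)) {
        UnmapApcPagesInTarget(TargetProcess);
    }
    ReleaseApcMdls(codeLocked, dataLocked);
    if (TargetThread != NULL) {
        ObDereferenceObject(TargetThread);
    }
    if (TargetProcess != NULL) {
        ObDereferenceObject(TargetProcess);
    }
    return status;
}

/*
 * Position-independent stub executed in the target as the APC's NormalRoutine
 * (NormalContext, SystemArgument1, SystemArgument2):
 *   lpLdrLoadDll      address of ntdll!LdrLoadDll inside the target
 *   pwsDllPath        user-mode address of the DLL path (WCHAR)
 *   pwsDllPathLength  byte length of the path; only the low 16 bits are used
 *
 * The bytes from APCMdlCode up to APCMdlCodeEnd are copied as-is, so this
 * body may only reference its own locals and arguments: no driver globals,
 * no imports, no absolute addresses. NOTE(review): this also assumes the
 * compiler lays the two functions out contiguously and emits no /GS cookie
 * check or incremental-linking thunk; verify the build settings, otherwise
 * the copied bytes call back into driver addresses from user mode.
 */
void APCMdlCode(PVOID lpLdrLoadDll, PVOID pwsDllPath, PVOID pwsDllPathLength)
{
    UNICODE_STRING usDllName;
    ULONG DllCharacteristics = 0;
    PVOID DllHandle = 0;

    usDllName.Length = (USHORT)pwsDllPathLength;
    usDllName.MaximumLength = usDllName.Length + 2;
    usDllName.Buffer = (WCHAR *)pwsDllPath;

    /* LdrLoadDll(PathToFile = NULL, &DllCharacteristics, &usDllName, &DllHandle):
     * stdcall, arguments pushed right-to-left, callee pops them. pushad/popad
     * preserve the interrupted context's registers. */
    __asm {
        pushad
        lea eax, DllHandle
        push eax
        lea eax, usDllName
        push eax
        lea eax, DllCharacteristics
        push eax
        push 0
        call [lpLdrLoadDll]
        nop
        nop
        popad
    }
}

/* End-of-stub marker; only its address is used to size the copy. */
void APCMdlCodeEnd()
{
}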