Timothy's Space » Process http://www.xiaozhou.net 君看一叶舟,出没风波里 Tue, 07 Feb 2012 04:28:04 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 一份进程注入的代码 http://www.xiaozhou.net/vcdevelopment/a-code-injection-process-2004-10-22.htm http://www.xiaozhou.net/vcdevelopment/a-code-injection-process-2004-10-22.htm#comments Fri, 22 Oct 2004 05:29:18 +0000 Timothy http://localhost/wordpress/?p=34 dwMessageBox ;//得到函数入口地址 myMessageBoxA(NULL,lpPara->pMessageBox ,lpPara->pMessageBox,0);//call return 0; } void EnableDebugPriv();//提升应用级调试权限 int _tmain(int [...]]]> // Injection.cpp : 定义控制台应用程序的入口点。
//

#include “stdafx.h”
#include “Injection.h”
#ifdef _DEBUG
#define new DEBUG_NEW
#endif

// 唯一的应用程序对象

CWinApp theApp;

using namespace std;

typedef struct _RemotePara{//参数结构
char pMessageBox[12];
DWORD dwMessageBox;
}RemotePara;
//远程线程
DWORD __stdcall ThreadProc (RemotePara *lpPara){
typedef int (__stdcall *MMessageBoxA)(HWND,LPCTSTR,LPCTSTR,DWORD);//定义MessageBox函数
MMessageBoxA myMessageBoxA;
myMessageBoxA =(MMessageBoxA) lpPara->dwMessageBox ;//得到函数入口地址
myMessageBoxA(NULL,lpPara->pMessageBox ,lpPara->pMessageBox,0);//call
return 0;
}
void EnableDebugPriv();//提升应用级调试权限

int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
const DWORD THREADSIZE=1024*4;
DWORD byte_write;
EnableDebugPriv();//提升权限
HANDLE hWnd = ::OpenProcess (PROCESS_ALL_ACCESS,FALSE,760);
if(!hWnd)return 0;
void *pRemoteThread =::VirtualAllocEx(hWnd,0,THREADSIZE,MEM_COMMIT| MEM_RESERVE,PAGE_EXECUTE_READWRITE);
if(!pRemoteThread)return 0;
if(!::WriteProcessMemory(hWnd,pRemoteThread,&ThreadProc,THREADSIZE,0))
return 0;

//再付值
RemotePara myRemotePara;
::ZeroMemory(&myRemotePara,sizeof(RemotePara));
HINSTANCE hUser32 = ::LoadLibrary (“user32.dll”);
myRemotePara.dwMessageBox =(DWORD) ::GetProcAddress (hUser32 , “MessageBoxA”);
strcat(myRemotePara.pMessageBox,”hello\0″);
//写进目标进程
RemotePara *pRemotePara =(RemotePara *) ::VirtualAllocEx (hWnd ,0,sizeof(RemotePara),MEM_COMMIT,PAGE_READWRITE);//注意申请空间时的页面属性
if(!pRemotePara)return 0;
if(!::WriteProcessMemory (hWnd ,pRemotePara,&myRemotePara,sizeof myRemotePara,0))return 0;

//启动线程
HANDLE hThread = ::CreateRemoteThread (hWnd ,0,0,(DWORD (__stdcall *)(void *))pRemoteThread ,pRemotePara,0,&byte_write);
if(!hThread){
return 0;
}
return 0;
}

void EnableDebugPriv( void )
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;

if ( ! OpenProcessToken( GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
return;
if ( ! LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ) ){
CloseHandle( hToken );
return;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if ( ! AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL ) )
CloseHandle( hToken );
}

声明: 此Blog中的文章和随笔仅代表作者在某一特定时间内的观点和结论,对其完全的正确不做任何担保或假设
本站文章均采用 知识共享署名-相同方式共享3.0 协议进行授权,除非注明,本站文章均为原创,转载请注明转自 Timothy's Space 并应以链接形式标明本文地址!

]]> http://www.xiaozhou.net/vcdevelopment/a-code-injection-process-2004-10-22.htm/feed 0 调整当前进程权限并关机 http://www.xiaozhou.net/vcdevelopment/to-adjust-the-current-process-permissions-and-shutdown-2004-10-21.htm http://www.xiaozhou.net/vcdevelopment/to-adjust-the-current-process-permissions-and-shutdown-2004-10-21.htm#comments Thu, 21 Oct 2004 14:11:51 +0000 Timothy http://localhost/wordpress/?p=33 核心代码片断:

if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
MessageBox(“OpenProcessToken failed!”);
}

LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME,&tkp.Privileges[0].Luid); //获得本地机唯一的标识
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,(PTOKEN_PRIVILEGES) NULL, 0); //调整获得的权限

if (GetLastError() != ERROR_SUCCESS)
{
MessageBox(“切换系统级权限失败!”);
}

fResult =InitiateSystemShutdown(
NULL, // 要关的计算机用户名
“关机时间已到,WINDOWS将在上面的时间内关机,请做好保存工作!”, // 显示的消息
10, // 关机所需的时间
TRUE, // ask user to close apps
FALSE); //设为TRUE为重起,设为FALSE为关机
if(!fResult)
{
MessageBox(“初始化系统关机失败!”);
}

tkp.Privileges[0].Attributes = 0;
AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,(PTOKEN_PRIVILEGES) NULL, 0);

if (GetLastError() != ERROR_SUCCESS)
{
MessageBox(“AdjustTokenPrivileges disable failed.”);
}

ExitWindowsEx(EWX_SHUTDOWN,0);

声明: 此Blog中的文章和随笔仅代表作者在某一特定时间内的观点和结论,对其完全的正确不做任何担保或假设
本站文章均采用 知识共享署名-相同方式共享3.0 协议进行授权,除非注明,本站文章均为原创,转载请注明转自 Timothy's Space 并应以链接形式标明本文地址!

]]> http://www.xiaozhou.net/vcdevelopment/to-adjust-the-current-process-permissions-and-shutdown-2004-10-21.htm/feed 0 调整本进程权限核心代码 http://www.xiaozhou.net/vcdevelopment/adjust-the-process-the-core-code-access-2004-10-10.htm http://www.xiaozhou.net/vcdevelopment/adjust-the-process-the-core-code-access-2004-10-10.htm#comments Sun, 10 Oct 2004 14:42:49 +0000 Timothy http://localhost/wordpress/?p=28 void EnablePrivilege()
{
HANDLE hProcess;
HANDLE hCurrentProcess;
HANDLE hProcessToken;
TOKEN_PRIVILEGES tp;
LUID luid;
hCurrentProcess=GetCurrentProcess();
OpenProcessToken(hCurrentProcess,TOKEN_ALL_ACCESS,&hProcessToken);
LookupPrivilegeValue(NULL,”SeDebugPrivilege”,&luid);
tp.PrivilegeCount=1;
tp.Privileges[0].Luid=luid;
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(
hProcessToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES)NULL,
(PDWORD)NULL);
}

声明: 此Blog中的文章和随笔仅代表作者在某一特定时间内的观点和结论,对其完全的正确不做任何担保或假设
本站文章均采用 知识共享署名-相同方式共享3.0 协议进行授权,除非注明,本站文章均为原创,转载请注明转自 Timothy's Space 并应以链接形式标明本文地址!

]]> http://www.xiaozhou.net/vcdevelopment/adjust-the-process-the-core-code-access-2004-10-10.htm/feed 0 枚举系统进程核心代码 http://www.xiaozhou.net/vcdevelopment/enumerate-the-system-processes-the-core-code-2004-10-10.htm http://www.xiaozhou.net/vcdevelopment/enumerate-the-system-processes-the-core-code-2004-10-10.htm#comments Sun, 10 Oct 2004 14:41:05 +0000 Timothy http://localhost/wordpress/?p=27 包含头文件:
#include “tlhelp32.h”
示例:

void CTerminateProcessDlg::OnGetProcess()
{
m_ListBox.ResetContent();
CString m_output;
HANDLE hProcessSnap=NULL;
PROCESSENTRY32 pe32={0};
hProcessSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if(hProcessSnap==(HANDLE)-1)
{
::MessageBox(NULL,”查询进程失败!:(“,”错误提示”,MB_OK);

}
pe32.dwSize=sizeof(PROCESSENTRY32);
if(Process32First(hProcessSnap,&pe32))
{
do
{
m_output.Format(“%-20s ID:%-5d”,pe32.szExeFile,pe32.th32ProcessID);
m_ListBox.AddString(m_output);
}
while(Process32Next(hProcessSnap,&pe32));
}
else
{
::MessageBox(NULL,”出现意外错误!”,”错误提示”,MB_OK);
}
CloseHandle(hProcessSnap);

}

声明: 此Blog中的文章和随笔仅代表作者在某一特定时间内的观点和结论,对其完全的正确不做任何担保或假设
本站文章均采用 知识共享署名-相同方式共享3.0 协议进行授权,除非注明,本站文章均为原创,转载请注明转自 Timothy's Space 并应以链接形式标明本文地址!

]]> http://www.xiaozhou.net/vcdevelopment/enumerate-the-system-processes-the-core-code-2004-10-10.htm/feed 0 进程杀手v1.0 http://www.xiaozhou.net/myworks/process-killer-v1-0-2004-09-07.htm http://www.xiaozhou.net/myworks/process-killer-v1-0-2004-09-07.htm#comments Tue, 07 Sep 2004 07:34:34 +0000 Timothy http://localhost/wordpress/?p=19 这是一个能枚举当前系统进程,并且终止进程的小程序。
程序界面如下:

程序源代码下载:

点击下载此文件

声明: 此Blog中的文章和随笔仅代表作者在某一特定时间内的观点和结论,对其完全的正确不做任何担保或假设
本站文章均采用 知识共享署名-相同方式共享3.0 协议进行授权,除非注明,本站文章均为原创,转载请注明转自 Timothy's Space 并应以链接形式标明本文地址!

]]> http://www.xiaozhou.net/myworks/process-killer-v1-0-2004-09-07.htm/feed 0