输出所有进程NtCreateFile行为

元始天尊 · 发表于 2015-7-19 00:47:42

欢迎访问技术宅的结界，请注册或者登录吧。

您需要登录才可以下载或查看，没有账号？立即注册→加入我们

×

群里说共享进程空间使用Mutex会误写，然而我没有发现这一情况，下面的代码大部分是这位兄弟的
用于输出

// showntcreatefile.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <windows.h>
#include<Tlhelp32.h>
#include <Shlwapi.h>
#pragma comment(lib,"shlwapi.lib")
struct LOG
{
int dwCount;
int NextFreeOffset;
char Buffer[65536];
};
int _tmain(int argc, _TCHAR* argv[])
{
HANDLE ghDataLock=CreateMutexA(0,FALSE,"hookntcreatefile");
HMODULE hmod= LoadLibraryA("E:\\Projects\\testntcreatefile\\Debug\\testntcreatefile.dll");
LOG* gpData=(LOG*)GetProcAddress(hmod,"gSharedData");
HANDLE hProcessSnap;
PROCESSENTRY32 pe32;
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap != INVALID_HANDLE_VALUE)
{
pe32.dwSize = sizeof(pe32);
if (Process32First(hProcessSnap, &pe32))
{
do
{
// if (StrStrI(pe32.szExeFile, _T("notepad")))
{
char str[] = "E:\\Projects\\testntcreatefile\\Debug\\testntcreatefile.dll";
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
LPVOID dllname = VirtualAllocEx(hProcess, NULL, 256, MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hProcess, dllname, str, sizeof(str), NULL);
HANDLE hthread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, dllname, 0, NULL);
WaitForSingleObject(hthread, INFINITE);
CloseHandle(hthread);
CloseHandle(hProcess);
}
} while (Process32Next(hProcessSnap, &pe32));
}
CloseHandle(hProcessSnap);
}
while(true)
{
char* pBuffer,*pSlot;
DWORD dwWaitResult = WaitForSingleObject( ghDataLock, INFINITE ),dwSize;
if( dwWaitResult == WAIT_OBJECT_0 )
{
pBuffer = gpData->Buffer;
while( gpData->NextFreeOffset )
{
printf("%s\n", pBuffer);
pSlot = pBuffer;
dwSize = strlen(pBuffer) + 2;
pBuffer = (LPSTR) (pBuffer + dwSize);
ZeroMemory( pSlot, dwSize);
gpData->NextFreeOffset -= dwSize;
gpData->dwCount--;
}
}
ReleaseMutex( ghDataLock );
}
return 0;
}

复制代码

注入dll：

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include "detours.h"
#pragma comment(lib,"detours.lib")
struct LOG
{
int dwCount;
int NextFreeOffset;
char Buffer[65536];
};
#pragma data_seg("Shared")
extern "C"
{
__declspec(allocate("Shared"), dllexport) LOG gSharedData;
__declspec(allocate("Shared"), dllexport) DWORD g_nCount;
};
#pragma data_seg()
#pragma comment(linker,"/SECTION:Shared,RWS")
typedef ULONG NTSTATUS;
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING,*PUNICODE_STRING;
typedef struct _OBJECT_ATTRIBUTES
{
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjName;
ULONG Attributes;
PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR
PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE
} OBJECT_ATTRIBUTES,*POBJECT_ATTRIBUTES;
typedef struct _IO_STATUS_BLOCK
{
union
{
NTSTATUS Status;
PVOID Pointer;
};
ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
FARPROC OLD_NtCreateFile=GetProcAddress(GetModuleHandleA("ntdll.dll"),"NtCreateFile");
HANDLE hDataLock=NULL;
LONG WINAPI Chunk(PHANDLE ph, ULONG AccessMask, POBJECT_ATTRIBUTES obj, PIO_STATUS_BLOCK ioblk, PLARGE_INTEGER AllocSize,
ULONG FileAttr, ULONG ShareAccess, ULONG Disposition, ULONG Options, PVOID EaBuffer, ULONG EaLength)
{
#define MAX_BUF_LEN 512
#define FILE_DIRECTORY_FILE 0x00000001
#define FILE_OPEN 0x00000001
CHAR szBuffer[MAX_BUF_LEN];
CHAR szFile[MAX_PATH] = { 0 };
CHAR szExeName[MAX_PATH];
CHAR szTimeFormat[100];
SYSTEMTIME sysTime;
LONG status ;
LPSTR psz;
int length = 0;
DWORD dwSize, dwWaitResult;
GetLocalTime( &sysTime );
sprintf( szTimeFormat, "%02d.%02d.%02d.%04d", sysTime.wHour, sysTime.wMinute, sysTime.wSecond, sysTime.wMilliseconds );
status = ((LONG (WINAPI*)(PHANDLE,ULONG,POBJECT_ATTRIBUTES,PIO_STATUS_BLOCK,PLARGE_INTEGER,ULONG,ULONG,ULONG,ULONG,PVOID,ULONG))OLD_NtCreateFile)
( ph, AccessMask, obj, ioblk, AllocSize,FileAttr, ShareAccess, Disposition, Options, EaBuffer, EaLength );
InterlockedIncrement( &g_nCount );
if( 0 == status && obj && obj->ObjName && obj->ObjName->Buffer)
{
GetModuleFileNameA( NULL, szExeName, MAX_PATH);
OutputDebugStringW(obj->ObjName->Buffer);
psz = strrchr( szExeName, '\\' );
length = WideCharToMultiByte( CP_ACP, 0, obj->ObjName->Buffer, obj->ObjName->Length / sizeof(WCHAR),szFile, sizeof(szFile), NULL, NULL );
sprintf( szBuffer, "%s %s %s %s : %s", szTimeFormat, psz+1, Disposition & FILE_OPEN ? "Open" : "Create",
Options & FILE_DIRECTORY_FILE ? "Directory" : "File",szFile );
dwWaitResult = WaitForSingleObject( hDataLock, INFINITE );
if( dwWaitResult == WAIT_OBJECT_0 )
{
psz = gSharedData.Buffer;
dwSize = gSharedData.NextFreeOffset;
psz += dwSize;
dwSize = strlen(szBuffer) + 2;
memcpy( psz, szBuffer, dwSize - 1);
gSharedData.NextFreeOffset += dwSize;
gSharedData.dwCount++;
}
ReleaseMutex( hDataLock );
}
return status;
}
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
if(g_nCount)
{
DetourRestoreAfterWith();
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourAttach(&(PVOID&)OLD_NtCreateFile, Chunk);
DetourTransactionCommit();
}
hDataLock=OpenMutexA(SYNCHRONIZE|MUTEX_MODIFY_STATE,FALSE,"hookntcreatefile");
InterlockedIncrement(&g_nCount);
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}

复制代码

账号		自动登录	找回密码
密码			立即注册→加入我们