输出所有进程NtCreateFile行为

[复制链接]

273

主题

451

帖子

4868

积分

用户组: 真·技术宅

UID
2
精华
61
威望
148 点
宅币
3685 个
贡献
131 次
宅之契约
0 份
在线时间
623 小时
注册时间
2014-1-25
发表于 2015-7-19 00:47:42 | 显示全部楼层 |阅读模式

欢迎访问技术宅的结界,请注册或者登录吧。

您需要 登录 才可以下载或查看,没有帐号?立即注册→加入我们

x
群里有人说在进程间共享数据段时用 Mutex 同步会出现误写，然而我没有复现这一情况。下面的代码大部分是这位兄弟的，
用于输出：
// showntcreatefile.cpp : 定义控制台应用程序的入口点。
//

#include "stdafx.h"
#include <windows.h>
#include<Tlhelp32.h>
#include <Shlwapi.h>
#pragma comment(lib,"shlwapi.lib")

/* Layout of the log area exported by the injected DLL ("gSharedData").
 * Must match the DLL's own definition byte for byte, since the host reads it
 * through a raw pointer obtained with GetProcAddress. */
struct LOG
{
	int dwCount;          // number of records currently stored in Buffer
	int NextFreeOffset;   // byte offset in Buffer where the next record is written
	char Buffer[65536];   // records: NUL-terminated string + one extra zero byte each
};

/* Host side of the NtCreateFile tracer.
 *  1. Create the named mutex that the DLL's DllMain later opens, so writers in
 *     other processes and the reader loop below serialise on one lock.
 *  2. Load the DLL locally so the exported, shared-section "gSharedData" can be
 *     resolved; the RWS section makes records written elsewhere visible here.
 *  3. Inject the same DLL into every process of a Toolhelp snapshot.
 *  4. Drain and print the shared buffer forever (the final return is unreachable).
 * NOTE(review): ghDataLock, hmod and gpData are never checked; a NULL gpData
 * (DLL missing, export not found) is dereferenced in the reader loop. */
int _tmain(int argc, _TCHAR* argv[])
{
	HANDLE ghDataLock=CreateMutexA(0,FALSE,"hookntcreatefile");
	HMODULE hmod= LoadLibraryA("E:\\Projects\\testntcreatefile\\Debug\\testntcreatefile.dll");
	// "gSharedData" is an exported data symbol, not a function; the cast is intentional.
	LOG* gpData=(LOG*)GetProcAddress(hmod,"gSharedData");
	
	HANDLE hProcessSnap;
	PROCESSENTRY32 pe32;
	hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hProcessSnap != INVALID_HANDLE_VALUE)
	{
		pe32.dwSize = sizeof(pe32);
		if (Process32First(hProcessSnap, &pe32))
		{
			do
			{
//				if (StrStrI(pe32.szExeFile, _T("notepad")))
				// The name filter above is commented out, so every process in the
				// snapshot (this one included) is targeted. None of the handle or
				// pointer results in this block are checked, so a failed OpenProcess
				// silently falls through the remaining calls.
				{
					char str[] = "E:\\Projects\\testntcreatefile\\Debug\\testntcreatefile.dll";
					HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
					LPVOID dllname = VirtualAllocEx(hProcess, NULL, 256, MEM_COMMIT, PAGE_READWRITE);
					WriteProcessMemory(hProcess, dllname, str, sizeof(str), NULL);
					HANDLE hthread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, dllname, 0, NULL);
					WaitForSingleObject(hthread, INFINITE);
					CloseHandle(hthread);
					CloseHandle(hProcess);
				}
			} while (Process32Next(hProcessSnap, &pe32));
		}
		CloseHandle(hProcessSnap);
	}

	// Reader loop. Record layout is dictated by the DLL's hook: text, NUL, one
	// extra zero byte, so each slot is strlen + 2 bytes. ZeroMemory keeps the
	// drained area all-zero so the next writer's terminator bytes are already there.
	// NOTE(review): the loop trusts NextFreeOffset/dwCount completely; there is no
	// check that pBuffer stays inside gpData->Buffer, and any hooked process can
	// write to the shared section. The lock is re-taken immediately after release,
	// so writers contend with a busy reader.
	while(true)
	{
		char* pBuffer,*pSlot;
		DWORD dwWaitResult = WaitForSingleObject( ghDataLock, INFINITE ),dwSize;
		if( dwWaitResult == WAIT_OBJECT_0 ) 
		{
			pBuffer = gpData->Buffer;
			while( gpData->NextFreeOffset  ) 
			{
				printf("%s\n", pBuffer);
				pSlot = pBuffer;
				dwSize = strlen(pBuffer) + 2;
				pBuffer = (LPSTR) (pBuffer + dwSize);
				ZeroMemory( pSlot, dwSize);
				gpData->NextFreeOffset -= dwSize;
				gpData->dwCount--;
			}
		}
		// Released even when the wait did not return WAIT_OBJECT_0 (harmless: the call just fails).
		ReleaseMutex( ghDataLock );
	}
	return 0;
}



注入dll:
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "stdafx.h"

#include <windows.h>
#include <stdio.h>
#include "detours.h"
#pragma comment(lib,"detours.lib")

/* Cross-process log area; one instance lives in the shared "Shared" section.
 * The host executable has an identical definition and reads it via GetProcAddress,
 * so field order and sizes must not change independently. */
struct LOG
{
	int dwCount;          // records currently in Buffer (incremented by the hook, decremented by the reader)
	int NextFreeOffset;   // byte offset of the next free slot in Buffer
	char Buffer[65536];   // records: NUL-terminated string followed by one extra zero byte
};

/* Shared-section globals. /SECTION:Shared,RWS maps a single read/write copy of
 * this section into every process that loads the DLL, which is what lets hooks
 * in many processes append to one buffer and the host drain it.
 * extern "C" keeps the exported names unmangled so the host's
 * GetProcAddress(hmod,"gSharedData") resolves.
 * NOTE(review): every hooked process can write this memory, so a misbehaving or
 * hostile process can corrupt dwCount/NextFreeOffset for all the others; the
 * reader must not trust those fields blindly. */
#pragma data_seg("Shared")
extern "C"
{
	__declspec(allocate("Shared"), dllexport) LOG gSharedData;   // the log buffer read by the host
	__declspec(allocate("Shared"), dllexport) DWORD g_nCount;    // NtCreateFile call counter; doubles as "someone loaded us before" flag in DllMain
};
#pragma data_seg()
#pragma comment(linker,"/SECTION:Shared,RWS")

/* Hand-declared native API types for the NtCreateFile prototype used by the hook
 * (presumably because the headers included above do not provide them — verify
 * against the SDK in use). */

// The SDK's NTSTATUS is a signed LONG; ULONG is used here. The hook only tests
// for == 0, so the sign difference does not affect it.
typedef ULONG NTSTATUS;

typedef struct _UNICODE_STRING 
{
	USHORT Length;          // length in BYTES, not characters (the hook divides by sizeof(WCHAR))
	USHORT MaximumLength;
	PWSTR  Buffer;          // not necessarily NUL-terminated
} UNICODE_STRING,*PUNICODE_STRING;

// Same layout as the documented OBJECT_ATTRIBUTES; the name field is called
// ObjectName in the Windows headers, ObjName here.
typedef struct _OBJECT_ATTRIBUTES 
{
	ULONG Length;
	HANDLE RootDirectory;   // when non-NULL, ObjName is relative to this directory handle
	PUNICODE_STRING ObjName;
	ULONG Attributes;
	PVOID SecurityDescriptor;        // Points to type SECURITY_DESCRIPTOR
	PVOID SecurityQualityOfService;  // Points to type SECURITY_QUALITY_OF_SERVICE
} OBJECT_ATTRIBUTES,*POBJECT_ATTRIBUTES;

typedef struct _IO_STATUS_BLOCK 
{
	union 
	{
		NTSTATUS Status;
		PVOID Pointer;
	};
	ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

// Resolved during C++ static initialisation (before DllMain). DetourAttach in
// DllMain overwrites this with the trampoline, so after hooking it is the way
// to reach the real NtCreateFile.
FARPROC OLD_NtCreateFile=GetProcAddress(GetModuleHandleA("ntdll.dll"),"NtCreateFile");
// Per-process handle to the host-created named mutex; opened in DllMain and
// left NULL if that fails (the hook then never logs from this process).
HANDLE hDataLock=NULL;

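/* Detour for ntdll!NtCreateFile.
 * Forwards the call to the original function and, when it succeeded and an
 * object name is present, appends one record
 *   "<hh.mm.ss.ms> <exe> <Open|Create> <Directory|File> : <path>"
 * to gSharedData.Buffer under the shared named mutex. Record layout is the
 * NUL-terminated text plus one extra zero byte; the host's reader loop depends
 * on exactly this layout (it advances by strlen + 2).
 *
 * Parameters and return value are those of NtCreateFile; the status of the
 * original call is returned unchanged.
 *
 * Fixes over the original: bounded formatting (the old unbounded sprintf into
 * a 512-byte stack buffer could overflow with two MAX_PATH-length strings),
 * NUL-termination of the converted path, NULL check on strrchr, a bounds check
 * before writing into the 64 KiB shared buffer, and ReleaseMutex only when the
 * wait actually acquired the mutex.
 */
LONG  WINAPI Chunk(PHANDLE ph, ULONG AccessMask, POBJECT_ATTRIBUTES obj, PIO_STATUS_BLOCK ioblk, PLARGE_INTEGER AllocSize, 
	ULONG FileAttr, ULONG ShareAccess, ULONG Disposition, ULONG Options, PVOID EaBuffer, ULONG EaLength)
{
#define MAX_BUF_LEN 512
#define FILE_DIRECTORY_FILE                     0x00000001
#define FILE_OPEN                       0x00000001
	CHAR szBuffer[MAX_BUF_LEN];
	CHAR szFile[MAX_PATH] = { 0 };       // zero-filled so the converted name is always terminated
	CHAR szExeName[MAX_PATH] = { 0 };
	CHAR szTimeFormat[100];
	SYSTEMTIME sysTime;
	LONG status;
	LPSTR psz;
	LPCSTR pszExe;
	DWORD dwSize, dwWaitResult;

	GetLocalTime( &sysTime );
	// snprintf needs C99 / VS2015+; on older MSVC use _snprintf_s with the same arguments.
	snprintf( szTimeFormat, sizeof(szTimeFormat), "%02d.%02d.%02d.%04d", sysTime.wHour, sysTime.wMinute, sysTime.wSecond, sysTime.wMilliseconds );
	status = ((LONG (WINAPI*)(PHANDLE,ULONG,POBJECT_ATTRIBUTES,PIO_STATUS_BLOCK,PLARGE_INTEGER,ULONG,ULONG,ULONG,ULONG,PVOID,ULONG))OLD_NtCreateFile)
		( ph, AccessMask, obj, ioblk, AllocSize,FileAttr, ShareAccess, Disposition, Options, EaBuffer, EaLength );
	InterlockedIncrement( &g_nCount );
	if( 0 == status  && obj && obj->ObjName && obj->ObjName->Buffer) 
	{
		GetModuleFileNameA( NULL, szExeName, MAX_PATH);
		szExeName[MAX_PATH - 1] = '\0';   // GetModuleFileNameA does not terminate on truncation
		OutputDebugStringW(obj->ObjName->Buffer);
		// strrchr returns NULL when the module name carries no backslash; log the whole name then.
		psz = strrchr( szExeName, '\\' );
		pszExe = psz ? psz + 1 : szExeName;
		// UNICODE_STRING::Length is in bytes and Buffer need not be NUL-terminated.
		// With an explicit character count WideCharToMultiByte does not write a
		// terminator, so leave the last (zeroed) byte of szFile untouched.
		WideCharToMultiByte( CP_ACP, 0, obj->ObjName->Buffer, obj->ObjName->Length / sizeof(WCHAR), szFile, sizeof(szFile) - 1, NULL, NULL );
		// Bit tests: FILE_OPEN_IF and FILE_OVERWRITE_IF also have bit 0 set and print as "Open".
		snprintf( szBuffer, sizeof(szBuffer), "%s %s %s %s : %s", szTimeFormat, pszExe, Disposition & FILE_OPEN ? "Open" : "Create",
			Options & FILE_DIRECTORY_FILE ? "Directory" : "File",szFile );
		dwSize = (DWORD)strlen(szBuffer) + 2;   // text + NUL + separator byte

		dwWaitResult = WaitForSingleObject( hDataLock, INFINITE );   // WAIT_FAILED if hDataLock is NULL
		if( dwWaitResult == WAIT_OBJECT_0 ) 
		{
			// Drop the record rather than write past the end of the shared section;
			// NextFreeOffset is shared with every other hooked process and may be garbage.
			if( gSharedData.NextFreeOffset >= 0 &&
				(size_t)gSharedData.NextFreeOffset + dwSize <= sizeof(gSharedData.Buffer) )
			{
				psz = gSharedData.Buffer + gSharedData.NextFreeOffset;
				memcpy( psz, szBuffer, dwSize - 1 );   // copies the terminating NUL
				psz[dwSize - 1] = '\0';                // explicit separator byte
				gSharedData.NextFreeOffset += dwSize;
				gSharedData.dwCount++;
			}
			ReleaseMutex( hDataLock );   // only release what we actually own
		}
	}
	return status;
}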


/* DLL entry point.
 * g_nCount lives in the shared section, so it is zero only in the first process
 * that loads this DLL — the host executable, which LoadLibraryA's it before
 * injecting. That first process therefore gets no hook; every later (injected)
 * process sees g_nCount != 0 and detours NtCreateFile to Chunk.
 * NOTE(review): OpenMutexA and DetourTransactionCommit results are unchecked.
 * If the host's named mutex does not exist yet, hDataLock stays NULL and the
 * hook's WaitForSingleObject fails, so that process logs nothing. Nothing
 * detaches the detour on DLL_PROCESS_DETACH, so unloading the DLL would leave
 * NtCreateFile patched to point into unmapped memory. */
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
					 )
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		if(g_nCount)   // non-zero: another process loaded us first, so this is an injected instance
		{
			DetourRestoreAfterWith();
			DetourTransactionBegin();
			DetourUpdateThread(GetCurrentThread());
			// OLD_NtCreateFile becomes the trampoline to the real function.
			DetourAttach(&(PVOID&)OLD_NtCreateFile, Chunk);
			DetourTransactionCommit();	
		}
		// Named mutex created by the host's CreateMutexA("hookntcreatefile").
		hDataLock=OpenMutexA(SYNCHRONIZE|MUTEX_MODIFY_STATE,FALSE,"hookntcreatefile");
		InterlockedIncrement(&g_nCount);
		break;
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}
