// 启动程序.cpp : 定义控制台应用程序的入口点。
// #include "stdafx.h"
#include <Windows.h>
#include <TlHelp32.h>
#include <iostream>
#include <Psapi.h> #pragma comment(lib,"psapi.lib")
using namespace std;
BOOL IsX64PEFile(WCHAR* wzProcessFullPath);
BOOL GetProcessIDByProcessImageName(WCHAR* wzProcessImageName,DWORD* dwTargetProcessID);
BOOL EnableDebugPrivilege();
int _tmain(int argc, _TCHAR* argv[])
{ if (EnableDebugPrivilege()==FALSE) // 进行提权
{
return ;
} DWORD dwTargetProcessID = ;
HANDLE hTargetProcess = NULL; if(GetProcessIDByProcessImageName(L"EnumProcessByForce应用程序.exe",&dwTargetProcessID)==FALSE)
{
return ;
}
hTargetProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,FALSE,dwTargetProcessID);
if (hTargetProcess==NULL)
{
return ;
}
HMODULE hModule = NULL;
DWORD cbNeeded = ; WCHAR wzProcessFullPath[MAX_PATH] = {};
//进程文件的绝对路径
EnumProcessModules(hTargetProcess, &hModule, sizeof(hModule),&cbNeeded); cout<<GetLastError()<<endl;
//得到自身的完整名称 /* DWORD GetModuleFileNameEx(
HANDLE hProcess,
HMODULE hModule,
LPTSTR lpFilename,
DWORD nSize
); */
DWORD dwReturn = GetModuleFileNameEx(hTargetProcess, hModule,
wzProcessFullPath,
MAX_PATH); CloseHandle(hTargetProcess); WCHAR wzHookIATFullPath[MAX_PATH] = {}; GetCurrentDirectory(MAX_PATH,wzHookIATFullPath); WCHAR* v1 = wzHookIATFullPath+wcslen(wzHookIATFullPath); int i = ;
while (v1--)
{
if (*v1==L'\\')
{
i++;
if (i==) // 注意 调试和编译生成的文件位置不同 调试状态下 i == 2;
{
break;
} }
} *v1 = '\0'; //文件映射
if (IsX64PEFile(wzProcessFullPath)==TRUE)
{
//cout<<"X64 文件"<<endl; wcscat(wzHookIATFullPath,L"\\x64\\HookIAT(Ring3 x64).exe"); }
else
{ wcscat(wzHookIATFullPath,L"\\x86\\HookIAT(Ring3 x86).exe");
} STARTUPINFO si = {};
si.cb = sizeof(STARTUPINFO);
PROCESS_INFORMATION pi = {}; BOOL bOk = CreateProcess(wzHookIATFullPath,NULL,NULL,NULL,FALSE,,NULL,NULL,&si,&pi); WaitForSingleObject(pi.hProcess,INFINITE);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread); return ;
} BOOL IsX64PEFile(WCHAR* wzProcessFullPath)
{
HANDLE hFile = CreateFile(wzProcessFullPath,GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
PIMAGE_DOS_HEADER DosHeader = NULL;
PIMAGE_NT_HEADERS NtHeader = NULL;
cout<<GetLastError()<<endl;
if (hFile==INVALID_HANDLE_VALUE)
{
return FALSE;
} char szBuffer[0x1000] = {}; DWORD dwReturn = ;
if (ReadFile(hFile,szBuffer,0x1000,&dwReturn,NULL)==FALSE)
{
CloseHandle(hFile);
return FALSE;
} else
{
CloseHandle(hFile);
DosHeader=(PIMAGE_DOS_HEADER)szBuffer; NtHeader=(PIMAGE_NT_HEADERS)((ULONG64)szBuffer+DosHeader->e_lfanew); if(NtHeader->OptionalHeader.Magic!=0x20b)
{ return FALSE;
} return TRUE;
} } BOOL GetProcessIDByProcessImageName(WCHAR* wzProcessImageName,DWORD* dwTargetProcessID)
{
ULONG_PTR i = ;
BOOL bOk = FALSE;
HANDLE hProcessTool = NULL; PROCESSENTRY32 pe32 = {};
pe32.dwSize = sizeof(PROCESSENTRY32); hProcessTool = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,); if (hProcessTool==INVALID_HANDLE_VALUE)
{
return FALSE;
} bOk = Process32First(hProcessTool,&pe32);
do
{ if (bOk)
{
if(wcsicmp(pe32.szExeFile,wzProcessImageName)==)
{
*dwTargetProcessID = pe32.th32ProcessID;
return TRUE;
}
} else
{
break;
} bOk = Process32Next(hProcessTool,&pe32); } while (); return FALSE;
} BOOL EnableDebugPrivilege() //Debug
{ HANDLE hToken = NULL;
TOKEN_PRIVILEGES TokenPrivilege;
LUID uID; //打开权限令牌
if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
{
return FALSE;
} if (!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&uID))
{ CloseHandle(hToken);
hToken = NULL;
return FALSE;
} TokenPrivilege.PrivilegeCount = ;
TokenPrivilege.Privileges[].Attributes = SE_PRIVILEGE_ENABLED;
TokenPrivilege.Privileges[].Luid = uID; //在这里我们进行调整权限
if (!AdjustTokenPrivileges(hToken,false,&TokenPrivilege,sizeof(TOKEN_PRIVILEGES),NULL,NULL))
{
CloseHandle(hToken);
hToken = NULL;
return FALSE;
} CloseHandle(hToken);
return TRUE; }
小小的代码