参加360安全卫士程序员志愿者的测试题目与答案,不知对不对。

非常感谢您对360 安全卫士的关注和热爱,也非常感谢您对反恶意软件工作的支持!

由于报名志愿者很多,因此我们需要对报名者的开发水平有一定的考核,请您理解!

请您完成如下题目:

================================================================

编写一个程序,在此程序中运行 a.exe,并使得a.exe认为是由explorer.exe运行它的。

================================================================

给出程序的核心代码即可。



////////////////////////////////////////////////////////////////////////////////////////////////
//
// 目的:编写一个程序,在此程序中运行a.exe,并使得a.exe认为是由explorer.exe运行它的
// Code By:Gleon Email:WinAsk@Gmail.com
/////////////////////////////////////////////////////////////////////////////
	#include <stdio.h>
	#include <windows.h>
	#include <tlhelp32.h>
// Parameter block that main() fills in locally and then copies into the target
// process; the remote thread routine FRP receives a pointer to that copy.
// NOTE(review): `cr&#101;ate` in the identifiers on this page is an HTML entity for
// the letter 'e' left by the hosting site; the listing does not compile as shown.
struct MPARA                                //parameters for the remote thread
{
	// Function addresses resolved in the injecting process (see main) and stored
	// as 32-bit DWORD values rather than as typed function pointers.
	DWORD M_LoadLibrary;
	DWORD M_GetProcAddress;
	DWORD m_cr&#101;ateProcess;
	// Command line handed to the process-creation call inside FRP (main copies
	// the literal "a.exe" here).
	char path[20];
	// Startup and result structures passed by address to the process-creation call.
	STARTUPINFO si;
	PROCESS_INFORMATION pi;

};

// FRP: thread routine whose machine code main() copies into the target process and
// starts there as a remote thread. It receives a pointer to an MPARA block and calls
// the process-creation pointer stored in that block on p->path.
// (`cr&#101;ate` in the identifiers is the page's HTML entity for the letter 'e';
// the listing does not compile as shown.)
//
// Defender note: a process started this way is created by whichever process hosts
// the thread, so the parent recorded for a.exe is expected to be that host
// (explorer.exe in main()) rather than this tool. Parent image alone is therefore
// weak evidence of a user-initiated launch; correlate it with remote-thread creation
// and cross-process access telemetry for the parent (e.g. Sysmon event IDs 8 and 10).
//
// Always returns 0; the result of the process-creation call is discarded.
DWORD _stdcall FRP(MPARA *p)                          //remote function
{
	//Declare local pointers for LoadLibrary and GetProcAddress
    HMODULE (_stdcall *M_LoadLibrary)(char *c);
	FARPROC (_stdcall *M_GetProcAddress)(HMODULE hmd,char *c);
	BOOL (_stdcall *m_cr&#101;ateProcess)(
  LPCTSTR lpApplicationName,// pointer to name of executable module
  LPTSTR lpCommandLine,  // pointer to command line string
  LPSECURITY_ATTRIBUTES lpProcessAttributes,  // process security attributes
  LPSECURITY_ATTRIBUTES lpThreadAttributes,   // thread security attributes
  BOOL bInheritHandles,  // handle inheritance flag
  DWORD dwCreationFlags, // creation flags
  LPVOID lpEnvironment,  // pointer to new environment block
  LPCTSTR lpCurrentDirectory,   // pointer to current directory name
  LPSTARTUPINFO lpStartupInfo,  // pointer to STARTUPINFO
  LPPROCESS_INFORMATION lpProcessInformation  // pointer to PROCESS_INFORMATION
);




	//Fetch the LoadLibrary and GetProcAddress addresses passed in through p.
	//NOTE(review): these two pointers are assigned but never called in this function.
	M_LoadLibrary=(HMODULE (_stdcall *)(char *c))p->M_LoadLibrary;
	M_GetProcAddress=(FARPROC (_stdcall *)(HMODULE hmd,char
		*c))p->M_GetProcAddress;
	m_cr&#101;ateProcess=(BOOL (_stdcall *)(
  LPCTSTR lpApplicationName,// pointer to name of executable module
  LPTSTR lpCommandLine,  // pointer to command line string
  LPSECURITY_ATTRIBUTES lpProcessAttributes,  // process security attributes
  LPSECURITY_ATTRIBUTES lpThreadAttributes,   // thread security attributes
  BOOL bInheritHandles,  // handle inheritance flag
  DWORD dwCreationFlags, // creation flags
  LPVOID lpEnvironment,  // pointer to new environment block
  LPCTSTR lpCurrentDirectory,   // pointer to current directory name
  LPSTARTUPINFO lpStartupInfo,  // pointer to STARTUPINFO
  LPPROCESS_INFORMATION lpProcessInformation  // pointer to PROCESS_INFORMATION
))p->m_cr&#101;ateProcess;
	//(original comment: "define the network functions to be used" - stale; the call
	//below starts a process and uses no network function)
	//bInheritHandles is passed as 1, so the new process inherits the inheritable
	//handles of the process hosting this thread.
	(*m_cr&#101;ateProcess)(NULL,p->path,NULL,NULL,1,0,NULL,NULL,&p->si,&p->pi);

 return 0;
}
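// getprocid: return the process ID of the first process in a Toolhelp snapshot whose
// image name equals pn (case-insensitive comparison), or 0 when pn is NULL, the
// snapshot cannot be taken, or no process matches.
//
// Review note: the match is on the image file name only. A name is not an identity:
// any process may carry the same image name and several instances may exist, so a
// caller that needs a specific process has to verify more than the name.
unsigned long getprocid(char *pn)
{
	BOOL b;
	HANDLE hnd;
	PROCESSENTRY32 pe;
	unsigned long pid=0;

	if(pn==NULL)return 0;

	hnd=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
	// The snapshot call reports failure with INVALID_HANDLE_VALUE, not NULL.
	if(hnd==INVALID_HANDLE_VALUE)return 0;

	// dwSize must be set before the first Process32First call.
	pe.dwSize=sizeof(pe);
	b=Process32First(hnd,&pe);
	while(b)
	{
		if(stricmp(pn,pe.szExeFile)==0)
		{
			pid=pe.th32ProcessID;
			break;
		}
		b=Process32Next(hnd,&pe);
	}

	// The original returned from inside the loop and never released the snapshot.
	CloseHandle(hnd);

	return pid;
}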

// SetAut: enable SE_DEBUG_NAME (SeDebugPrivilege) in the current process token.
// Always returns TRUE, whatever the API calls report.
//
// NOTE(review): none of the three API results is checked, so the caller cannot tell
// whether the privilege was actually enabled; the adjust call can also report success
// without granting it (GetLastError() == ERROR_NOT_ALL_ASSIGNED). hProcessToken is
// never closed, and the token is opened with TOKEN_ALL_ACCESS although only a
// privilege adjustment is performed.
//
// Defender note: the privilege can only be enabled if the token already holds it
// (normally administrative accounts). A non-debugger process enabling it shortly
// before opening another process is a useful signal to alert on.
BOOL SetAut()            //raise privileges
{
	HANDLE hProcessToken;

	OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hProcessToken);

	TOKEN_PRIVILEGES tp;
	LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tp.Privileges[0].Luid);

	tp.PrivilegeCount=1;
	tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;

	AdjustTokenPrivileges(hProcessToken,FALSE,&tp,sizeof(TOKEN_PRIVILEGES),0,0);

	return TRUE;
}

// main: entry point of the sample answer. In order, it copies a.exe from the current
// directory into the system directory, calls SetAut(), looks up Explorer.EXE by name,
// opens it with PROCESS_ALL_ACCESS, allocates memory inside it, writes the bytes at
// FRP and an MPARA block into that memory, and starts a remote thread at the copied
// code with the copied block as its argument.
// (`cr&#101;ate` in identifiers and strings is the page's HTML entity for the letter
// 'e'; the listing does not compile as shown.)
//
// Defender note: every step leaves its own trace, and the sequence is more telling
// than any single event: an executable written into the system directory, a
// full-access handle opened on explorer.exe by an unrelated process, an executable
// and writable allocation in another process, a remote thread created in
// explorer.exe, and explorer.exe then spawning a.exe with no user action.
//
// NOTE(review): no API result other than the PID lookup is checked, and hnd is never
// closed.
void main()
{
	HANDLE hnd;
	DWORD dwtid;
	struct MPARA mp;
	char CurrentPath[255];
	char SystemPath[255];
	// Fixed byte count later copied from the address of FRP; it is not derived from
	// the function's actual length.
	unsigned long ThreadSize=4028*2;
	// NOTE(review): strcat appends to the 255-byte buffers without checking the
	// remaining space.
	GetSystemDirectory(SystemPath,sizeof(SystemPath));
	strcat(SystemPath,"\\a.exe");
	GetCurrentDirectory(sizeof(CurrentPath),CurrentPath);
	strcat(CurrentPath,"\\a.exe");
	printf("%s\n%s\n",CurrentPath,SystemPath);
	// Third argument 1 (bFailIfExists): an existing a.exe in the system directory is
	// not overwritten.
	CopyFile(CurrentPath,SystemPath,1);
	SetAut();/*raise process privileges*/
	DWORD procid;
procid=getprocid("Explorer.EXE");
/*get the process PID*/
	if(procid==0)return;
	hnd=OpenProcess(PROCESS_ALL_ACCESS,FALSE,procid);

	/*write the thread body*/
	// The region is requested executable, readable and writable at once
	// (PAGE_EXECUTE_READWRITE).
	void *lpEx=VirtualAllocEx(hnd,NULL,ThreadSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
	WriteProcessMemory(hnd,lpEx,&FRP,ThreadSize,NULL);

	/*initialise the thread parameters*/

	// The addresses are resolved in this process and stored as 32-bit DWORD values.
	mp.M_LoadLibrary=(DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
	mp.m_cr&#101;ateProcess =(DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"cr&#101;ateProcessA");
	// Debug output of the resolved addresses (printed with %d).
	printf("%d \n",	mp.m_cr&#101;ateProcess);
	printf("%d \n",mp.M_LoadLibrary);
//	exit(1);
	mp.M_GetProcAddress=(DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetProcAddress");
	strcpy(mp.path,"a.exe");
	ZeroMemory(&mp.pi,sizeof(mp.pi));
	ZeroMemory(&mp.si,sizeof(mp.si));
	mp.si.wShowWindow=SW_SHOW;
	/*write the thread parameters*/
	void *lpPa=VirtualAllocEx(hnd,NULL,sizeof(mp),MEM_COMMIT,PAGE_READWRITE);
	WriteProcessMemory(hnd,lpPa,&mp,sizeof(mp),NULL);

	/*create the thread*/
	cr&#101;ateRemoteThread(hnd,0,0,(DWORD (_stdcall *)(void *p))lpEx,lpPa,0,&dwtid);

}

不知道对不对!有错误的地方请指出 [confused] [confused] [confused]
谢谢

知识共享许可协议莿鸟栖草堂CFC4N 创作,采用 知识共享 署名-非商业性使用-相同方式共享(3.0未本地化版本)许可协议进行许可。基于http://www.cnxct.com上的作品创作。转载请注明转自:参加360安全卫士程序员志愿者 的测试题目与答案不知对不对.
