APC注入DLL(win7下有问题)

zoukankan html css js c++ java

APC注入DLL(win7下有问题)
1. void APCKernelRoutine(PKAPC pKAPC,
2. PKNORMAL_ROUTINE pUserAPC,
3. PVOID pContext,
4. PVOID pSysArg1,
5. PVOID pSysArg2)
6. {
7. DbgPrint("APCKernelRoutine Entered ");
8. ExFreePool(pKAPC);
9. }
10. NTSTATUS InjectDllByAPC(ULONG TargetPid, ULONG TargetTid, PUNICODE_STRING usDllPath, ULONG LdrMethodAddress)
11. {
12. ULONG size;
13. PKTHREAD TargetThread;
14. PEPROCESS TargetProcess;
15. KAPC_STATE ApcState; ULONG arg1 = 0;
16. ULONG arg2 = 0;
17. ULONG arg3 = 0;
18. DbgPrint("Inside InjectDllByAPC... "); size = (unsigned char*)APCMdlCodeEnd - (unsigned char*)APCMdlCode;
19. DbgPrint("Allocating MDL (1)... "); pMDLApcCode = IoAllocateMdl(APCMdlCode, size, FALSE, FALSE, NULL);
20. if (!pMDLApcCode)
21. {
22. return(STATUS_UNSUCCESSFUL);
23. }
24. MmProbeAndLockPages(pMDLApcCode, KernelMode, IoWriteAccess);
25. RtlZeroMemory(pAPCData, sizeof( pAPCData));
26. memcpy( (char*) pAPCData, usDllPath->Buffer, usDllPath->Length);
27. unicodeLengthInfo = *(ULONG*) usDllPath;
28. pMDLApcData = IoAllocateMdl (pAPCData, sizeof(pAPCData), FALSE,FALSE,NULL);
29. if (!pMDLApcData)
30. {
31. return STATUS_UNSUCCESSFUL;
32. }
33. MmProbeAndLockPages(pMDLApcData, KernelMode, IoWriteAccess); PsLookupProcessByProcessId((HANDLE)TargetPid, &TargetProcess);
34. DbgPrint("Pid: %d, PEPROCESS: 0X%X ", TargetPid, TargetProcess);
35. PsLookupThreadByThreadId ((PVOID) TargetTid, &TargetThread);
36. DbgPrint("Tid: %d, PKTHREAD: 0X%X ", TargetTid, TargetThread); KeStackAttachProcess((PKPROCESS) TargetProcess, &ApcState);
37. pMappedCode = (PVOID*) MmMapLockedPagesSpecifyCache(pMDLApcCode, UserMode, MmCached, NULL, FALSE, NormalPagePriority);
38. pMappedData = (PVOID*) MmMapLockedPagesSpecifyCache(pMDLApcData, UserMode, MmCached, NULL, FALSE, NormalPagePriority); KeUnstackDetachProcess (&ApcState);
39. arg1 = (ULONG) LdrMethodAddress;
40. arg2 = (ULONG) pMappedData;
41. arg3 = (ULONG) unicodeLengthInfo;
42. pKAPC = (PKAPC) ExAllocatePool( NonPagedPool, sizeof(KAPC) );
43. RtlZeroMemory(pKAPC, sizeof(KAPC));
44. KeInitializeApc(pKAPC, TargetThread, OriginalApcEnvironment,
45. (PKKERNEL_ROUTINE)APCKernelRoutine, NULL,
46. (PKNORMAL_ROUTINE) pMappedCode,
47. UserMode, (PVOID)arg1); KeInsertQueueApc(pKAPC, (PVOID)arg2, (PVOID)arg3, 0);
49. //KETHREAD.ApcState.UserApcPending = 1
50. //*((unsigned char *)TargetThread + 0x4a) = 1; //XP, 2K3 RTM
51. //*((unsigned char *)TargetThread + 0x3e) = 1; //2K3 SP1, SP2
52. //*((unsigned char *)TargetThread + 0x4e) = 1; //Vista
53. *((unsigned char *)TargetThread + 0x56) = 1; //Win 7
54. if (pMDLApcCode)
55. {
56. MmUnlockPages(pMDLApcCode);
57. IoFreeMdl(pMDLApcCode);
58. } if (pMDLApcData)
59. {
60. MmUnlockPages(pMDLApcData);
61. IoFreeMdl(pMDLApcData);
62. }
63. ObDereferenceObject(TargetProcess);
64. ObDereferenceObject(TargetThread); return STATUS_SUCCESS;
65. }
66. void APCMdlCode(PVOID lpLdrLoadDll, PVOID pwsDllPath, PVOID pwsDllPathLength)
67. {
68. UNICODE_STRING usDllName;
69. ULONG DllCharacteristics = 0;
70. PVOID DllHandle = 0;
72. usDllName.Length = (USHORT) pwsDllPathLength;
73. usDllName.MaximumLength = usDllName.Length + 2;
74. usDllName.Buffer = (WCHAR*) pwsDllPath;
75. __asm
76. {
77. pushad lea eax, DllHandle
78. push eax
79. lea eax, usDllName
80. push eax
81. lea eax, DllCharacteristics
82. push eax
83. push 0
84. call [lpLdrLoadDll] nop
85. nop
86. popad }
87. }
88. void APCMdlCodeEnd()
89. {
90. }
查看全文

相关阅读:
mysql TO_DAYS()函数
 MySQL year函数
 protobuff java 包编译（Windows）
苹果笔记本只有电源键能用的解决办法
 linux普通用户获取管理员权限
 linux用户管理
 基于ASIHTTPRequest封装的HttpClient
Object-C 多线程中锁的使用-NSLock
appstore 上传需要的icon
iPhone之IOS5内存管理(ARC技术概述)

原文地址：https://www.cnblogs.com/vcerror/p/4289065.html