HookIAT的启动程序

// 启动程序.cpp : 定义控制台应用程序的入口点。
//

#include "stdafx.h"
#include <Windows.h>
#include <TlHelp32.h>
#include <iostream>
#include <Psapi.h>

#pragma comment(lib,"psapi.lib")
using namespace std;
BOOL  IsX64PEFile(WCHAR* wzProcessFullPath);
BOOL GetProcessIDByProcessImageName(WCHAR* wzProcessImageName,DWORD* dwTargetProcessID);
BOOL EnableDebugPrivilege();
int _tmain(int argc, _TCHAR* argv[])
{

    
    if (EnableDebugPrivilege()==FALSE) // 进行提权
    {
        return 0;
    }

    DWORD  dwTargetProcessID = 0;
    HANDLE hTargetProcess    = NULL;



    if(GetProcessIDByProcessImageName(L"EnumProcessByForce应用程序.exe",&dwTargetProcessID)==FALSE)
    {
        return 0;
    }
    hTargetProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,FALSE,dwTargetProcessID);
    if (hTargetProcess==NULL)
    {
        return 0;
    }
    HMODULE hModule = NULL;
    DWORD   cbNeeded = 0;

    WCHAR wzProcessFullPath[MAX_PATH] = {0};
    //进程文件的绝对路径
    EnumProcessModules(hTargetProcess, &hModule, sizeof(hModule),&cbNeeded);

    cout<<GetLastError()<<endl;
    //得到自身的完整名称

    /*

    DWORD GetModuleFileNameEx(
      HANDLE hProcess,
      HMODULE hModule,
      LPTSTR lpFilename,
      DWORD nSize
    );

    */
    DWORD dwReturn = GetModuleFileNameEx(hTargetProcess, hModule, 
        wzProcessFullPath, 
        MAX_PATH);


    CloseHandle(hTargetProcess);
    
    
    

    WCHAR  wzHookIATFullPath[MAX_PATH] = {0};

    GetCurrentDirectory(MAX_PATH,wzHookIATFullPath);

    WCHAR* v1 = wzHookIATFullPath+wcslen(wzHookIATFullPath);


    int i = 0;
    while (v1--)
    {
        if (*v1==L'\')
        {
            i++;
            if (i==3)  // 注意  调试和编译生成的文件位置不同    调试状态下 i == 2；
            {
                break;
            }

        }
    }

    *v1 = '';
    
    //文件映射   
    if (IsX64PEFile(wzProcessFullPath)==TRUE)
    {
        //cout<<"X64 文件"<<endl;

    

        wcscat(wzHookIATFullPath,L"\x64\HookIAT(Ring3 x64).exe");


        
        
    }
    else
    {

        wcscat(wzHookIATFullPath,L"\x86\HookIAT(Ring3 x86).exe");
    }
    
    STARTUPINFO si = {0};
    si.cb = sizeof(STARTUPINFO);
    PROCESS_INFORMATION pi = {0};

    BOOL bOk = CreateProcess(wzHookIATFullPath,NULL,NULL,NULL,FALSE,0,NULL,NULL,&si,&pi);

    WaitForSingleObject(pi.hProcess,INFINITE);
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);

    return 0;
}


BOOL  IsX64PEFile(WCHAR* wzProcessFullPath)
{
    HANDLE hFile = CreateFile(wzProcessFullPath,GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
    PIMAGE_DOS_HEADER DosHeader = NULL;
    PIMAGE_NT_HEADERS NtHeader  = NULL;
    cout<<GetLastError()<<endl;
    if (hFile==INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }

    char szBuffer[0x1000] = {0};

    DWORD dwReturn = 0;
    if (ReadFile(hFile,szBuffer,0x1000,&dwReturn,NULL)==FALSE)
    {
        CloseHandle(hFile);
        return FALSE;
    }

    else
    {
        CloseHandle(hFile);
        DosHeader=(PIMAGE_DOS_HEADER)szBuffer;

        NtHeader=(PIMAGE_NT_HEADERS)((ULONG64)szBuffer+DosHeader->e_lfanew);


        if(NtHeader->OptionalHeader.Magic!=0x20b)
        {
            
            return FALSE;
        }

        return TRUE;
    }
    
}



BOOL GetProcessIDByProcessImageName(WCHAR* wzProcessImageName,DWORD* dwTargetProcessID)
{
    ULONG_PTR i = 0;
    BOOL   bOk = FALSE;  
    HANDLE hProcessTool = NULL;

    PROCESSENTRY32 pe32 = {0};
    pe32.dwSize = sizeof(PROCESSENTRY32);


    hProcessTool = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);  


    if (hProcessTool==INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }


    bOk = Process32First(hProcessTool,&pe32);
    do 
    {

        if (bOk)
        {        
            if(wcsicmp(pe32.szExeFile,wzProcessImageName)==0)
            {
                *dwTargetProcessID = pe32.th32ProcessID;
                return TRUE;
            }
        }

        else
        {
            break;
        }


        bOk = Process32Next(hProcessTool,&pe32);


    } while (1);


    return FALSE;
}


BOOL EnableDebugPrivilege()   //Debug 
{

    HANDLE hToken = NULL;   
    TOKEN_PRIVILEGES TokenPrivilege;
    LUID uID;


    //打开权限令牌
    if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
    {
        return FALSE;
    }

    if (!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&uID))
    {

        CloseHandle(hToken);
        hToken = NULL;
        return FALSE;
    }


    TokenPrivilege.PrivilegeCount = 1;
    TokenPrivilege.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    TokenPrivilege.Privileges[0].Luid = uID;


    //在这里我们进行调整权限
    if (!AdjustTokenPrivileges(hToken,false,&TokenPrivilege,sizeof(TOKEN_PRIVILEGES),NULL,NULL))
    {
        CloseHandle(hToken);
        hToken = NULL;
        return  FALSE;
    }

    CloseHandle(hToken);
    return TRUE;

}