1 // 启动程序.cpp : 定义控制台应用程序的入口点。 2 // 3 4 #include "stdafx.h" 5 #include <Windows.h> 6 #include <TlHelp32.h> 7 #include <iostream> 8 #include <Psapi.h> 9 10 #pragma comment(lib,"psapi.lib") 11 using namespace std; 12 BOOL IsX64PEFile(WCHAR* wzProcessFullPath); 13 BOOL GetProcessIDByProcessImageName(WCHAR* wzProcessImageName,DWORD* dwTargetProcessID); 14 BOOL EnableDebugPrivilege(); 15 int _tmain(int argc, _TCHAR* argv[]) 16 { 17 18 19 if (EnableDebugPrivilege()==FALSE) // 进行提权 20 { 21 return 0; 22 } 23 24 DWORD dwTargetProcessID = 0; 25 HANDLE hTargetProcess = NULL; 26 27 28 29 if(GetProcessIDByProcessImageName(L"EnumProcessByForce应用程序.exe",&dwTargetProcessID)==FALSE) 30 { 31 return 0; 32 } 33 hTargetProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,FALSE,dwTargetProcessID); 34 if (hTargetProcess==NULL) 35 { 36 return 0; 37 } 38 HMODULE hModule = NULL; 39 DWORD cbNeeded = 0; 40 41 WCHAR wzProcessFullPath[MAX_PATH] = {0}; 42 //进程文件的绝对路径 43 EnumProcessModules(hTargetProcess, &hModule, sizeof(hModule),&cbNeeded); 44 45 cout<<GetLastError()<<endl; 46 //得到自身的完整名称 47 48 /* 49 50 DWORD GetModuleFileNameEx( 51 HANDLE hProcess, 52 HMODULE hModule, 53 LPTSTR lpFilename, 54 DWORD nSize 55 ); 56 57 */ 58 DWORD dwReturn = GetModuleFileNameEx(hTargetProcess, hModule, 59 wzProcessFullPath, 60 MAX_PATH); 61 62 63 CloseHandle(hTargetProcess); 64 65 66 67 68 WCHAR wzHookIATFullPath[MAX_PATH] = {0}; 69 70 GetCurrentDirectory(MAX_PATH,wzHookIATFullPath); 71 72 WCHAR* v1 = wzHookIATFullPath+wcslen(wzHookIATFullPath); 73 74 75 int i = 0; 76 while (v1--) 77 { 78 if (*v1==L'\') 79 { 80 i++; 81 if (i==3) // 注意 调试和编译生成的文件位置不同 调试状态下 i == 2; 82 { 83 break; 84 } 85 86 } 87 } 88 89 *v1 = '�'; 90 91 //文件映射 92 if (IsX64PEFile(wzProcessFullPath)==TRUE) 93 { 94 //cout<<"X64 文件"<<endl; 95 96 97 98 wcscat(wzHookIATFullPath,L"\x64\HookIAT(Ring3 x64).exe"); 99 100 101 102 103 } 104 else 105 { 106 107 wcscat(wzHookIATFullPath,L"\x86\HookIAT(Ring3 x86).exe"); 108 } 109 110 STARTUPINFO si = {0}; 111 si.cb = sizeof(STARTUPINFO); 112 PROCESS_INFORMATION pi = {0}; 113 114 BOOL bOk = CreateProcess(wzHookIATFullPath,NULL,NULL,NULL,FALSE,0,NULL,NULL,&si,&pi); 115 116 WaitForSingleObject(pi.hProcess,INFINITE); 117 CloseHandle(pi.hProcess); 118 CloseHandle(pi.hThread); 119 120 return 0; 121 } 122 123 124 BOOL IsX64PEFile(WCHAR* wzProcessFullPath) 125 { 126 HANDLE hFile = CreateFile(wzProcessFullPath,GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL); 127 PIMAGE_DOS_HEADER DosHeader = NULL; 128 PIMAGE_NT_HEADERS NtHeader = NULL; 129 cout<<GetLastError()<<endl; 130 if (hFile==INVALID_HANDLE_VALUE) 131 { 132 return FALSE; 133 } 134 135 char szBuffer[0x1000] = {0}; 136 137 DWORD dwReturn = 0; 138 if (ReadFile(hFile,szBuffer,0x1000,&dwReturn,NULL)==FALSE) 139 { 140 CloseHandle(hFile); 141 return FALSE; 142 } 143 144 else 145 { 146 CloseHandle(hFile); 147 DosHeader=(PIMAGE_DOS_HEADER)szBuffer; 148 149 NtHeader=(PIMAGE_NT_HEADERS)((ULONG64)szBuffer+DosHeader->e_lfanew); 150 151 152 if(NtHeader->OptionalHeader.Magic!=0x20b) 153 { 154 155 return FALSE; 156 } 157 158 return TRUE; 159 } 160 161 } 162 163 164 165 BOOL GetProcessIDByProcessImageName(WCHAR* wzProcessImageName,DWORD* dwTargetProcessID) 166 { 167 ULONG_PTR i = 0; 168 BOOL bOk = FALSE; 169 HANDLE hProcessTool = NULL; 170 171 PROCESSENTRY32 pe32 = {0}; 172 pe32.dwSize = sizeof(PROCESSENTRY32); 173 174 175 hProcessTool = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); 176 177 178 if (hProcessTool==INVALID_HANDLE_VALUE) 179 { 180 return FALSE; 181 } 182 183 184 bOk = Process32First(hProcessTool,&pe32); 185 do 186 { 187 188 if (bOk) 189 { 190 if(wcsicmp(pe32.szExeFile,wzProcessImageName)==0) 191 { 192 *dwTargetProcessID = pe32.th32ProcessID; 193 return TRUE; 194 } 195 } 196 197 else 198 { 199 break; 200 } 201 202 203 bOk = Process32Next(hProcessTool,&pe32); 204 205 206 } while (1); 207 208 209 return FALSE; 210 } 211 212 213 BOOL EnableDebugPrivilege() //Debug 214 { 215 216 HANDLE hToken = NULL; 217 TOKEN_PRIVILEGES TokenPrivilege; 218 LUID uID; 219 220 221 //打开权限令牌 222 if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken)) 223 { 224 return FALSE; 225 } 226 227 if (!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&uID)) 228 { 229 230 CloseHandle(hToken); 231 hToken = NULL; 232 return FALSE; 233 } 234 235 236 TokenPrivilege.PrivilegeCount = 1; 237 TokenPrivilege.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 238 TokenPrivilege.Privileges[0].Luid = uID; 239 240 241 //在这里我们进行调整权限 242 if (!AdjustTokenPrivileges(hToken,false,&TokenPrivilege,sizeof(TOKEN_PRIVILEGES),NULL,NULL)) 243 { 244 CloseHandle(hToken); 245 hToken = NULL; 246 return FALSE; 247 } 248 249 CloseHandle(hToken); 250 return TRUE; 251 252 }