我正在尝试在 cmd.exe 下挂钩 CreateProcess。我设法将 dll 注入 cmd 进程,但注入后 dll 进程分离消息接收,我无法挂钩 createprocess 函数调用。我正在使用easyhook。我的代码:
#include <windows.h>
#include <Shlwapi.h>
#include <tchar.h>
#include <stdio.h>
#include <strsafe.h>
#include <easyhook.h>
BOOL WINAPI myCreateProcess(
_In_opt_ LPCTSTR lpApplicationName,
_Inout_opt_ LPTSTR lpCommandLine,
_In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,
_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_ BOOL bInheritHandles,
_In_ DWORD dwCreationFlags,
_In_opt_ LPVOID lpEnvironment,
_In_opt_ LPCTSTR lpCurrentDirectory,
_In_ LPSTARTUPINFO lpStartupInfo,
_Out_ LPPROCESS_INFORMATION lpProcessInformation
){
OutputDebugString(L"\n !!!!!! In CreateProcess HOOK\n !!!!!!!!");
return CreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCommandLine, lpStartupInfo, lpProcessInformation);
}
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
BOOL bErrorFlag = FALSE;
DWORD dwBytesToWrite = (DWORD)strlen(DataBuffer);
DWORD dwBytesWritten = 0;
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
HOOK_TRACE_INFO hHook = { NULL }; // keep track of our hook
// Install the hook
NTSTATUS result = LhInstallHook(
GetProcAddress(GetModuleHandle(TEXT("kernel32")), "CreateProcessW"),
myCreateProcess,
NULL,
&hHook);
if (FAILED(result))
{
OutputDebugString(L"!!!!!!!!!!!FAIL!!!!!!!!");
return 1;
}
ULONG ACLEntries[1] = { 0 };
LhSetInclusiveACL(ACLEntries, 1, &hHook);
OutputDebugString(L"!!!!!!!!!!!!Injection Succeed!!!!!!!!!!!!");
break;
}
case DLL_THREAD_ATTACH:{
OutputDebugString(L"!!!!!!!!!!!!dll thread attach!!!!!!!!!!!!");
break;
}
case DLL_THREAD_DETACH:
{
OutputDebugString(L"!!!!!!!!!!!!dll thread Detach!!!!!!!!!!!!");
break;
}
case DLL_PROCESS_DETACH:
{
OutputDebugString(L"!!!!!!!!!!!!dll process Detach!!!!!!!!!!!!");
break;
}
}
}
我在“dll 进程分离”消息之后收到“注入成功”消息。有任何想法吗?