DLL注入技术之劫持进程创建注入


劫持进程创建注入的原理是:利用Windows系统中的CreateProcess()这个API创建一个进程,并将第6个参数设为CREATE_SUSPENDED,从而创建一个处于挂起状态的进程;利用这个挂起状态向该进程注入DLL(本文采用改写主线程上下文的方式),然后用ResumeThread()函数恢复进程。下面是成功运行的代码:
/*
 * 32-bit (x86) stub that the suspended target's primary thread is redirected to.
 * Layout: 21 bytes of code, then three DWORD data slots at offsets 21/25 and the
 * DLL path at offset 29.  The zero immediates/displacements below are patched
 * by StartHook() before the buffer is copied into the target; see the
 * disassembly that follows.  The array is file-scope, so every byte beyond the
 * initializer list is zero.
 */
BYTE ShellCode[128]=
{
	0x60,                                     // pushad
	0x9c,                                     // pushfd
	0x68,0x00,0x00,0x00,0x00,//push imm32      imm32 at offset 3: address of the DLL path in the target
	0xff,0x15,0x00,0x00,0x00,0x00,//call [xxxx] disp32 at offset 9: address of the slot holding LoadLibraryA
	0x9d,                                     // popfd
	0x61,                                     // popad
	0xff,0x25,0x00,0x00,0x00,0x00,// jmp [xxxxx] disp32 at offset 17: address of the slot holding the saved Eip
};
/*
{
00973689 >    60                PUSHAD
0097368A      9C                PUSHFD
0097368B      68 50369700       PUSH notepad.00973650
00973690      FF15 70369700     CALL DWORD PTR DS:[973670]
00973696      9D                POPFD
00973697      61                POPAD
00973698    - FF25 30369700     JMP DWORD PTR DS:[973630]
}
*/
/*
 * Redirect the suspended target thread through ShellCode so that it calls
 * LoadLibraryA(pDllName) and then continues at its original Eip.
 *
 * hProcess  handle to the target process (must allow VirtualAllocEx/WriteProcessMemory)
 * hThread   handle to a suspended thread of that process
 * pDllName  NUL-terminated DLL path; it is copied into the file-scope ShellCode buffer
 * Returns TRUE on success, FALSE after printing a short message on any API
 * failure.  Failures after VirtualAllocEx leave the allocated page in place.
 *
 * 32-bit only: the stub uses pushad/popad and the code reads ctx.Eip and
 * truncates pointers to DWORD.  ShellCode is mutated in place, so the
 * function is not reentrant.
 * Monitoring note: VirtualAllocEx(PAGE_EXECUTE_READWRITE) followed by
 * WriteProcessMemory and SetThreadContext on a CREATE_SUSPENDED process is a
 * well-known injection indicator and is commonly flagged by endpoint sensors.
 */
BOOL StartHook(HANDLE hProcess,HANDLE hThread,LPCSTR pDllName)
{
	CONTEXT ctx;
	ctx.ContextFlags=CONTEXT_ALL;
	// The original Eip is needed so the stub can jump back to it afterwards.
	if (!GetThreadContext(hThread,&ctx))
	{
		printf("GetThreadContext Error\n");
		return FALSE;
	}
	// One RWX page in the target holds both the stub code and its data slots.
	LPVOID LpAddr=VirtualAllocEx(hProcess,NULL,sizeof(ShellCode),MEM_COMMIT,PAGE_EXECUTE_READWRITE);
	if (LpAddr==NULL)
	{
		printf("VirtualAlloc Error\n");
		return FALSE;
	}
	// Resolved in this process; relies on kernel32.dll being mapped at the same
	// base in the target (same bitness) — not verified here.
	DWORD LoadDllAAddr=(DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
	if (LoadDllAAddr==NULL)
	{
		printf("LoadDllAddr error\n");
		return FALSE;
	}
	/////////////
	//_asm mov esp,esp // (original author's note: unsure what this was for)
	// The path is copied without its NUL; termination relies on the zero fill
	// of the file-scope ShellCode array.
	memcpy((ShellCode+29),pDllName,_tcslen(pDllName));
	*(DWORD*)(ShellCode+3)=(DWORD)LpAddr+29;   // push imm32: address of the path in the target
	////////////////
	*(DWORD*)(ShellCode+21)=LoadDllAAddr;      // data slot read by call dword ptr [LpAddr+21]
	*(DWORD*)(ShellCode+9)=(DWORD)LpAddr+21;
	//////////////////////////////////
	*(DWORD*)(ShellCode+25)=ctx.Eip;           // data slot read by jmp dword ptr [LpAddr+25]: original Eip
	*(DWORD*)(ShellCode+17)=(DWORD)LpAddr+25;
	////////////////////////////////////
	// Only 64 of the 128 bytes are written, so at most 34 characters of the
	// path (plus NUL) reach the target.
	if (!WriteProcessMemory(hProcess,LpAddr,ShellCode,64,NULL))
	{
		printf("write Process Error\n");
		return FALSE;
	}
	// When resumed, the thread starts at the stub instead of its entry point.
	ctx.Eip=(DWORD)LpAddr;
	if (!SetThreadContext(hThread,&ctx))
	{
		printf("set thread context error\n");
		return FALSE;
	}
	return TRUE;
};

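/*
 * Enable SE_DEBUG_NAME on the current process token.
 *
 * Returns TRUE when AdjustTokenPrivileges reports success, FALSE otherwise.
 * The token handle is closed on every path (the original leaked it when
 * AdjustTokenPrivileges failed).
 *
 * Caveat: AdjustTokenPrivileges returns nonzero even when the privilege was
 * not actually granted (the caller would have to check GetLastError() for
 * ERROR_NOT_ALL_ASSIGNED).  That secondary check is not performed here, so a
 * TRUE result does not prove the process holds SeDebugPrivilege.
 */
BOOL EnableDebugPriv(void)
{
	HANDLE hToken = NULL;
	LUID sedebugnameValue;
	TOKEN_PRIVILEGES tkp;
	BOOL ok = FALSE;

	if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
	{
		return FALSE;
	}
	if(LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&sedebugnameValue))
	{
		tkp.PrivilegeCount = 1;
		tkp.Privileges[0].Luid = sedebugnameValue;
		tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
		// Previous state is not requested (last two arguments NULL).
		ok = AdjustTokenPrivileges(hToken,FALSE,&tkp,sizeof(tkp),NULL,NULL) ? TRUE : FALSE;
	}
	CloseHandle(hToken);   // single exit for the handle, regardless of outcome
	return ok;
}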

下面是调用方法:
// Caller side, a fragment of the original main(): the enclosing function is
// not shown on this page.  The result of EnableDebugPriv() is ignored, so a
// missing SeDebugPrivilege would go unnoticed here.
EnableDebugPriv();
	STARTUPINFO sti;
	PROCESS_INFORMATION proci;
	memset(&sti,0,sizeof(STARTUPINFO));
	memset(&proci,0,sizeof(PROCESS_INFORMATION));
	sti.cb=sizeof(STARTUPINFO);
	// Narrow string literals into TCHAR arrays: compiles only in a non-UNICODE build.
	TCHAR ExeName[]="C:\\Program Files (x86)\\TTPlayer\\TTPlayer.exe";
	TCHAR DllName[]="E:\\mk.dll";
	// CREATE_SUSPENDED: the primary thread exists but has not run, so its Eip
	// is still the entry point that StartHook() saves and later jumps back to.
	DWORD valc=CreateProcess(ExeName,NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL\
		,&sti,&proci);
	// CreateProcess returns a BOOL; the comparison with NULL is a zero test.
	if (valc==NULL)
	{
		printf("Creaet Process Failed ERROR=%d\n",GetLastError());
		getchar();
		// No return here: on failure execution falls through to StartHook()
		// with the zeroed handles in proci.
	}
	if (!StartHook(proci.hProcess,proci.hThread,DllName))
	{
		TerminateProcess(proci.hProcess,0);
		printf("失败\n");   // "failed"
		getchar();
	}
	ResumeThread(proci.hThread);   // primary thread now runs, starting at the stub
	CloseHandle(proci.hProcess);
	CloseHandle(proci.hThread);

 
