Visual c++ C++;通过拼接截取函数

Visual c++ C++;通过拼接截取函数,visual-c++,Visual C++,我想通过拼接来截取函数。这就是我写的 #include <windows.h> LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM); WCHAR wch[60]; int i; typedef LONG NTSTATUS; typedef LONG KPRIORITY; #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) #define

我想通过拼接来截取函数。这就是我写的

#include <windows.h> 

// Forward declaration of the window procedure defined at the end of the file.
LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);

// Text drawn in the window's client area by WndProc (WM_PAINT). Set to "none"
// in WinMain and rewritten with the call counter by xZwQSI on every
// intercepted call.
WCHAR wch[60];
// Number of intercepted ZwQuerySystemInformation calls: reset to 0 in WinMain,
// incremented in xZwQSI. Plain int, no synchronisation.
int i;

// Hand-rolled native-API types; the program does not include the DDK headers
// that normally define them.
typedef LONG    NTSTATUS;
typedef LONG    KPRIORITY;

// NTSTATUS success is the non-negative range (severity bits clear).
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

#define STATUS_SUCCESS                   ((NTSTATUS)0x00000000L)
// Defined but not referenced anywhere in this listing.
#define STATUS_INFO_LENGTH_MISMATCH      ((NTSTATUS)0xC0000004L)

// SystemInformationClass value that xZwQSI filters on. 5 is
// SystemProcessInformation in the SDK's SYSTEM_INFORMATION_CLASS.
#define SystemProcessesAndThreadsInformation    5

// Counted UTF-16 string as used by the native API. Length and MaximumLength
// are byte counts, not character counts.
typedef struct _UNICODE_STRING {
      USHORT        Length;
      USHORT        MaximumLength;
      PWSTR         Buffer;
      } UNICODE_STRING;

// Local, partial layout of one process record returned for class 5. The real
// record continues with VM counters and a per-thread array (the two members
// commented out below), so sizeof(SYSTEM_PROCESSES) here is smaller than the
// entry the kernel actually writes. NOTE(review): the layout is
// version-specific and is not verified anywhere in this file.
typedef struct _SYSTEM_PROCESSES {
    ULONG             NextEntryDelta;   // byte offset to the next record; 0 marks the last one
    ULONG             ThreadCount;
    ULONG             Reserved1[6];
    LARGE_INTEGER     CreateTime;
    LARGE_INTEGER     UserTime;
    LARGE_INTEGER     KernelTime;
    UNICODE_STRING    ProcessName;
    KPRIORITY         BasePriority;
    ULONG             ProcessId;
    ULONG             InheritedFromProcessId;
    ULONG             HandleCount;
    ULONG             Reserved2[2];
//    VM_COUNTERS       VmCounters;
//    SYSTEM_THREADS    Threads[1];
} SYSTEM_PROCESSES, * PSYSTEM_PROCESSES;

// The original first 5 bytes of ZwQuerySystemInformation, saved by
// SetSplicingHook and written back by UnsetSplicingHook.
UCHAR bufZwQSI[5];
// Signature shared by ZwQuerySystemInformation and the replacement xZwQSI.
typedef NTSTATUS (WINAPI *pWinApiF) (UINT SystemInformationClass, PVOID SystemInformation,                                  ULONG SystemInformationLength, PULONG ReturnLength);

// Address of the real ntdll!ZwQuerySystemInformation, resolved in WinMain.
pWinApiF lpZwQSI;

// The replacement routine that runs instead of ZwQuerySystemInformation once
// the patch is in place (definition below).
NTSTATUS WINAPI xZwQSI(UINT SystemInformationClass, PVOID SystemInformation, ULONG     SystemInformationLength, PULONG ReturnLength);

// Overwrites the first 5 bytes of pfnDst with a relative JMP to pfnHook, saving
// the original bytes into buffer so UnsetSplicingHook can put them back.
// Returns false if the pointer probes fail or either VirtualProtect call fails;
// in the second VirtualProtect case the JMP has already been written.
//
// This is the classic inline ("splicing") hook. An integrity check that
// compares the prologues of loaded ntdll exports against the on-disk image will
// show the modification. The write goes to this process's private copy of the
// page (image pages are copy-on-write), so other processes' mappings are
// unaffected.
bool SetSplicingHook(pWinApiF pfnDst, pWinApiF pfnHook, UCHAR buffer[5])
{
// IsBadWritePtr/IsBadReadPtr are best-effort only; Microsoft documents them as
// obsolete (they can mask guard-page faults), so treat this as a weak guard.
if(IsBadWritePtr(buffer, 5) || IsBadReadPtr(pfnDst, 5)) return false;
// Keep the bytes the JMP will overwrite.
memcpy(buffer, pfnDst, 5);
DWORD old = 0;
// Code pages are mapped read/execute; make them writable for the patch.
if(!VirtualProtect(pfnDst, 5, PAGE_EXECUTE_READWRITE, &old)) return false;
// rel32 displacement for E9: target minus the address of the byte after the
// 5-byte instruction. Both pointers are truncated to DWORD, so this is only
// meaningful in a 32-bit build.
DWORD offset = (DWORD) pfnHook - (DWORD) pfnDst - 5;
*(BYTE*)pfnDst = 0xE9;                    // JMP rel32 opcode
*(DWORD*)((DWORD)pfnDst+1) = offset;

// Put the previous protection back. 'old' is reused as the out-parameter,
// which clobbers it, but it is not read again.
if(!VirtualProtect(pfnDst, 5, old, &old)) return false;
return true;
}

// Writes the 5 bytes saved by SetSplicingHook back over pfnDst. Does nothing
// if the page cannot be made writable; a failure to restore the previous
// protection afterwards is also ignored (the bytes are already back by then).
void UnsetSplicingHook(pWinApiF pfnDst, UCHAR buffer[5])
{
    DWORD old = 0;
    if(!VirtualProtect(pfnDst, 5, PAGE_EXECUTE_READWRITE, &old)) return;
    memcpy(pfnDst, buffer, 5);
    if(!VirtualProtect(pfnDst, 5, old, &old)) return;
}

// Replacement for ntdll!ZwQuerySystemInformation, reached through the JMP that
// SetSplicingHook writes. Counts the call, forwards it to the original (which
// must be temporarily unpatched), and, for the process-list class, rewrites
// the first record in the caller's buffer.
//
// Parameters and return value are those of ZwQuerySystemInformation; the
// original's status is returned unchanged.
//
// NOTE(review): between UnsetSplicingHook and the re-hook below the original
// function is unpatched, and nothing here serialises concurrent callers.
NTSTATUS WINAPI xZwQSI(UINT SystemInformationClass, PVOID SystemInformation, ULONG     SystemInformationLength, PULONG ReturnLength)
{
    // Refresh the text shown in the window; i counts intercepted calls.
    wsprintf(wch,L"%d",++i);
    // The JMP sits on top of the original prologue, so the saved bytes have to
    // go back before the original can be called, and the patch re-applied
    // afterwards.
    UnsetSplicingHook(lpZwQSI, bufZwQSI);
    NTSTATUS ret = lpZwQSI(SystemInformationClass,   SystemInformation, SystemInformationLength, ReturnLength);
    if(!SetSplicingHook(lpZwQSI, xZwQSI, bufZwQSI))
    {
        MessageBox(NULL, L"Cannot set hook to ZwQuerySystemInformation", L"Error", MB_OK);
        ExitProcess(0);
    }
    // Propagate any non-success status (e.g. a too-small buffer) untouched.
    if(ret != STATUS_SUCCESS)
        return ret;

    if(SystemInformationClass == SystemProcessesAndThreadsInformation)
    {
        PSYSTEM_PROCESSES pProcesses = (PSYSTEM_PROCESSES)SystemInformation;

        // Replace the first record with a single fabricated entry and end the
        // list there (NextEntryDelta == 0), so the caller sees one process.
        // NOTE(review): SystemInformationLength is not compared against
        // sizeof(SYSTEM_PROCESSES); this relies on STATUS_SUCCESS implying
        // that at least one full record was written.
        memset(pProcesses, 0, sizeof(SYSTEM_PROCESSES));
        pProcesses->NextEntryDelta = 0;   // already 0 after the memset
        pProcesses->ProcessId = 1;
        // NOTE(review): Length is a byte count. 100 bytes overstates the
        // 14-character literal (28 bytes), so a consumer that honours Length
        // reads past the end of the string.
        pProcesses->ProcessName.Buffer = L"CepbIu 0wn3d u";
        pProcesses->ProcessName.Length = 100;
    }

    return ret;
}
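// Entry point. Installs the patch on ZwQuerySystemInformation in this process,
// then creates a small "Hide" window that repaints every 500 ms (see WndProc)
// to display the current contents of wch.
//
// hInstance      module handle used to register the window class.
// hPrevInstance  unused (always NULL on Win32).
// lpCmdLine      unused.
// nCmdShow       forwarded to ShowWindow.
// Returns the WM_QUIT exit code, or 0 if window setup or the message loop
// fails. Hook setup failure terminates the process via ExitProcess.
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    (void)hPrevInstance;
    (void)lpCmdLine;

    wsprintf(wch,L"none");
    i=0;
    // Resolve the real export. A NULL result is rejected by SetSplicingHook's
    // pointer probe, so a lookup failure ends up in the error box below.
    *(FARPROC*)&lpZwQSI = GetProcAddress(LoadLibrary(L"ntdll.dll"), "ZwQuerySystemInformation");
    if(!SetSplicingHook(lpZwQSI, xZwQSI, bufZwQSI))
    {
        MessageBox(NULL, L"Cannot set hook to ZwQuerySystemInformation", L"Error", MB_OK);
        ExitProcess(0);
    }

    WCHAR szClassName[] = L"Hide";

    // Every member is assigned below; the zero-init only guards against
    // future additions to the struct being left uninitialised.
    WNDCLASSEX wc = {0};
    wc.cbSize        = sizeof(wc);
    wc.style         = CS_HREDRAW | CS_VREDRAW;
    wc.lpfnWndProc   = WndProc;
    wc.cbClsExtra    = 0;
    wc.cbWndExtra    = 0;
    wc.hInstance     = hInstance;
    wc.hIcon         = LoadIcon(NULL, IDI_APPLICATION);
    wc.hCursor       = LoadCursor(NULL, IDC_ARROW);
    wc.hbrBackground = (HBRUSH)GetStockObject(WHITE_BRUSH);
    wc.lpszMenuName  = NULL;
    wc.lpszClassName = szClassName;
    wc.hIconSm       = LoadIcon(NULL, IDI_APPLICATION);

    if (!RegisterClassEx(&wc)) {
        MessageBox(NULL, L"Cannot register class", L"Error", MB_OK);
        return 0;
    }

    // dwExStyle is a DWORD, so pass 0 rather than the pointer constant NULL.
    HWND hMainWnd = CreateWindowEx(
        0, szClassName, L"Hide",
        WS_CAPTION | WS_SYSMENU,
        1000, 400, 150, 150,
        NULL, NULL, hInstance, NULL
    );

    if (!hMainWnd) {
        MessageBox(NULL, L"Cannot create main window", L"Error", MB_OK);
        return 0;
    }

    ShowWindow(hMainWnd, nCmdShow);

    // GetMessage returns -1 on error; the common `while (GetMessage(...))`
    // form treats that as "keep going" and dispatches an unfilled MSG, so the
    // error case is checked explicitly.
    MSG msg = {0};
    BOOL got;
    while ((got = GetMessage(&msg, NULL, 0, 0)) != 0) {
        if (got == -1) {
            MessageBox(NULL, L"GetMessage failed", L"Error", MB_OK);
            return 0;
        }
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }

    // WM_QUIT carries the exit code in wParam; narrow it explicitly.
    return (int)msg.wParam;
}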

// Window procedure for the "Hide" class. Arms a 500 ms timer on creation whose
// ticks invalidate the client area, and on WM_PAINT draws wch centred in it,
// so the window follows the counter maintained by xZwQSI. WM_CLOSE destroys
// the window and WM_DESTROY ends the message loop; everything else is handed
// to DefWindowProc.
LRESULT CALLBACK WndProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam)
{
    switch (msg)
    {
    case WM_CREATE:
        // Window-bound timer (id NULL); ticks arrive as WM_TIMER.
        SetTimer(hWnd,NULL,500,NULL);
        return 0;

    case WM_TIMER:
        // Invalidate the whole client area with background erase, which
        // queues a WM_PAINT.
        InvalidateRect(hWnd,NULL,TRUE);
        return 0;

    case WM_PAINT:
    {
        PAINTSTRUCT paint;
        HDC dc = BeginPaint(hWnd, &paint);
        RECT client;
        GetClientRect(hWnd,&client);
        DrawText(dc, wch, -1, &client, DT_SINGLELINE | DT_CENTER | DT_VCENTER);
        EndPaint(hWnd, &paint);
        return 0;
    }

    case WM_CLOSE:
        DestroyWindow(hWnd);
        return 0;

    case WM_DESTROY:
        PostQuitMessage(0);
        return 0;
    }

    // Not handled above: default processing.
    return DefWindowProc(hWnd, msg, wParam, lParam);
}
#包括
LRESULT回调WndProc(HWND、UINT、WPARAM、LPARAM);
WCHAR-wch[60];
int i;
typedef长NTSTATUS;
typedef长KPRIORITY;
#定义NT_成功(状态)((NTSTATUS)(状态)>=0)
#定义状态\u成功((NTSTATUS)0x00000000L)
#定义状态信息长度不匹配((NTSTATUS)0xC0000004L)
#定义系统进程和线程信息5
typedef结构_UNICODE_字符串{
USHORT长度;
USHORT最大长度;
PWSTR缓冲区;
}UNICODE_字符串;
typedef结构_系统_进程{
ULONG NextEntryDelta;
乌龙线数;
乌龙储备1[6];
大整数创建时间;
大整数用户时间;
大整数核时间;
UNICODE_字符串进程名;
KPRIORITY-BasePriority;
乌隆突;
ULONG继承自ProcessId;
乌龙山头;
乌龙储备2[2];
//VM_计数器VmCounters;
//系统_线程[1];
}系统进程,*PSYSTEM进程;
UCHAR bufZwQSI[5];
typedef NTSTATUS(WINAPI*pWinApiF)(UINT-SystemInformationClass、PVOID-SystemInformation、ULONG-SystemInformationLength、PULONG-ReturnLength);
pWinApiF-lpZwQSI;
NTSTATUS WINAPI xZwQSI(UINT系统信息类、PVOID系统信息、ULONG系统信息长度、PULONG返回长度);
bool SetSplicingHook(pWinApiF pfnDst、pWinApiF pfnHook、UCHAR缓冲区[5])
{ 
if(IsBadWritePtr(buffer,5)| | IsBadReadPtr(pfnDst,5))返回false;
memcpy(缓冲区,pfnDst,5);
德沃德·奥尔德=0;
如果(!VirtualProtect(pfnDst,5,PAGE\u EXECUTE\u READWRITE,&old))返回false;
双字偏移量=(双字)pfnHook-(双字)pfnDst-5;
*(字节*)pfnDst=0xE9;
*(DWORD*)((DWORD)pfnDst+1)=偏移量;
如果(!VirtualProtect(pfnDst,5,old和old))返回false;
返回true;
} 
void UnsetSplicingHook(pWinApiF pfnDst,UCHAR缓冲区[5])
{ 
德沃德·奥尔德=0;
如果(!VirtualProtect(pfnDst,5,PAGE\u EXECUTE\u READWRITE,&old))返回;
memcpy(pfnDst,缓冲区,5);
如果(!VirtualProtect(pfnDst、5、旧和旧))返回;
} 
NTSTATUS WINAPI xZwQSI(UINT系统信息类、PVOID系统信息、ULONG系统信息长度、PULONG返回长度)
{ 
wsprintf(wch,L“%d”++i);
未设置吊钩(lpZwQSI、bufZwQSI);
NTSTATUS ret=lpZwQSI(系统信息类、系统信息、系统信息长度、返回长度);
如果(!SetSplicingHook(lpZwQSI,xZwQSI,bufZwQSI))
{ 
MessageBox(NULL,L“无法将钩子设置为ZwQuerySystemInformation”,L“错误”,MB_OK);
退出过程(0);
} 
如果(ret!=状态\u成功)
返回ret;
if(SystemInformationClass==SystemProcessesAndThreadsInformation)
{ 
PSYSTEM_进程pProcesses=(PSYSTEM_进程)系统信息;
memset(p进程,0,sizeof(系统进程));
PProcess->NextEntryDelta=0;
p进程->进程ID=1;
PProcess->ProcessName.Buffer=L“CepbIu 0wn3d u”;
p进程->进程名.Length=100;
} 
返回ret;
} 
int WINAPI WinMain(HINSTANCE HINSTANCE、HINSTANCE HPPreInstance、LPSTR lpCmdLine、int nCmdShow)
{ 
wsprintf(wch,L“无”);
i=0;
*(FARPROC*)&lpZwQSI=GetProcAddress(LoadLibrary(L“ntdll.dll”),“zwquerysystem”);
如果(!SetSplicingHook(lpZwQSI,xZwQSI,bufZwQSI))
{ 
MessageBox(NULL,L“无法将钩子设置为ZwQuerySystemInformation”,L“错误”,MB_OK);
退出过程(0);
} 
HWND hMainWnd;
WCHAR szClassName[]=L“隐藏”;
味精;
WNDCLASSEX wc;
wc.cbSize=sizeof(wc);
wc.style=CS_HREDRAW | CS_VREDRAW;
wc.lpfnWndProc=WndProc;
wc.cbClsExtra=0;
wc.cbWndExtra=0;
wc.hInstance=hInstance;
wc.hIcon=LoadIcon(空,IDI_应用程序);
wc.hCursor=LoadCursor(空,IDC_箭头);
wc.hbrBackground=(HBRUSH)GetStockObject(白色画笔);
wc.lpszMenuName=NULL;
wc.lpszClassName=szClassName;
wc.hIconSm=LoadIcon(空,IDI_应用程序);
如果(!RegisterClass(&wc)){
MessageBox(空,L“无法注册类”,L“错误”,MB_OK);
返回0;
} 
hMainWnd=CreateWindowEx(
NULL,szClassName,L“隐藏”,
WS_字幕| WS_系统菜单,
1000, 400, 150, 150, 
(HWND)空,(HMENU)空,
(HINSTANCE)HINSTANCE,NULL
); 
如果(!hMainWnd){
MessageBox(空,L“无法创建主窗口”,L“错误”,MB_OK);
返回0;
} 
ShowWindow(hMainWnd、nCmdShow);
而(GetMessage(&msg,NULL,0,0)){
翻译信息(&msg);
发送消息(&msg);
} 
返回msg.wParam;
} 
LRESULT回调WndProc(HWND HWND,UINT msg,WPARAM WPARAM,LPARAM LPARAM)
{ 
HDC-HDC;
PAINTSTRUCT-ps;
RECT-RECT;
开关(msg)
{ 
案例WM_创建:
设置计时器(hWnd,NULL,500,NULL);
返回0;
案例WM_计时器:
无效(hWnd,NULL,TRUE);
返回0;
案例WM_油漆:
hDC=开始喷漆(hWnd和ps);
GetClientRect(hWnd和rect);
DrawText(hDC、wch、-1和rect、,
DT|U单线| DT|U中心| DT|U VCENTER);
端漆(hWnd和ps);
返回0;
案例WM_结束:
窗口(hWnd);
返回0;
案例WM_销毁:
PostQuitMessage(0);
返回0;
违约:
返回DefWindowProc(hWnd、msg、wParam、lParam);
} 
返回0;
}

但它不起作用,我想知道我哪里做错了?在Windows 7和XP上测试。

VirtualProtect
不会为您提供比最初打开映射页面时更多的访问权限,您的用户帐户几乎可以肯定