Windows Cmd Hook无法正常工作

时间:2016-08-21 11:28:25

标签: cmd hook easyhook

我正在尝试挂钩cmd.exe下的CreateProcess。 我设法将dll注入cmd进程但是在注入之后,dll进程分离消息接收并且我无法挂钩createprocess函数调用。 我正在使用easyhook。 我的代码:

#include <windows.h>
#include <Shlwapi.h>
#include <tchar.h>
#include <stdio.h>
#include <strsafe.h>
#include <easyhook.h>

BOOL WINAPI myCreateProcess(
_In_opt_    LPCTSTR               lpApplicationName,
_Inout_opt_ LPTSTR                lpCommandLine,
_In_opt_    LPSECURITY_ATTRIBUTES lpProcessAttributes,
_In_opt_    LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_        BOOL                  bInheritHandles,
_In_        DWORD                 dwCreationFlags,
_In_opt_    LPVOID                lpEnvironment,
_In_opt_    LPCTSTR               lpCurrentDirectory,
_In_        LPSTARTUPINFO         lpStartupInfo,
_Out_       LPPROCESS_INFORMATION lpProcessInformation
){
OutputDebugString(L"\n !!!!!! In CreateProcess HOOK\n !!!!!!!!");
return CreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCommandLine, lpStartupInfo, lpProcessInformation);
}
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD  ul_reason_for_call,
LPVOID lpReserved
)
{
BOOL bErrorFlag = FALSE;
DWORD dwBytesToWrite = (DWORD)strlen(DataBuffer);
DWORD dwBytesWritten = 0;
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{


    HOOK_TRACE_INFO hHook = { NULL }; // keep track of our hook

    // Install the hook

    NTSTATUS result = LhInstallHook(
        GetProcAddress(GetModuleHandle(TEXT("kernel32")), "CreateProcessW"),
        myCreateProcess,
        NULL,
        &hHook);
    if (FAILED(result))
    {
        OutputDebugString(L"!!!!!!!!!!!FAIL!!!!!!!!");
        return 1;
    }

    ULONG ACLEntries[1] = { 0 };
    LhSetInclusiveACL(ACLEntries, 1, &hHook);
    OutputDebugString(L"!!!!!!!!!!!!Injection Succeed!!!!!!!!!!!!");
    break;
}
case DLL_THREAD_ATTACH:{
    OutputDebugString(L"!!!!!!!!!!!!dll thread attach!!!!!!!!!!!!");
    break;
}
case DLL_THREAD_DETACH:
{
        OutputDebugString(L"!!!!!!!!!!!!dll thread Detach!!!!!!!!!!!!");
    break;
}

case DLL_PROCESS_DETACH:
{
            OutputDebugString(L"!!!!!!!!!!!!dll process Detach!!!!!!!!!!!!");
    break;
}
}
}

我收到了#34;注射成功&#34;消息和&#34; dll进程后分离&#34;信息 。 任何想法?

1 个答案:

答案 0 :(得分:1)

尝试改变:

    LhSetInclusiveACL(ACLEntries, 1, &hHook);

到:

    LhSetExclusiveACL(ACLEntries, 1, &hHook);
相关问题
最新问题