• 用到的结构


     /*
      * Function-pointer types for the ntdll exports that Initialize() resolves
      * with GetProcAddress. They are hand-written rather than taken from an SDK
      * header and use DWORD where the exports take HANDLE / pointer-sized
      * arguments, so they only match the 32-bit ABI. ZWQUERYINFORmMATIONTHREAD
      * also disagrees with NTQUERYINFORMATIONTHREAD later in this file, which
      * declares the same export with HANDLE/PVOID/PULONG parameters; only the
      * PULONG form can receive a ReturnLength, the DWORD form works when 0 is
      * passed.
      */
     typedef NTSTATUS (WINAPI *ZWQUERYINFORmMATIONTHREAD)(
         DWORD                     ThreadHandle,
         DWORD                     ThreadInformationClass,   /* a THREADINFOCLASS value */
         THREAD_BASIC_INFORMATION *SystemInformation,
         DWORD                     ThreadInformationLength,
         DWORD                     ReturnLength);
     typedef NTSTATUS (WINAPI *ZWQUERYSYSTEMINFORMATION)(
         DWORD  SystemInformationClass,   /* e.g. SystemHandleInformation */
         PVOID  SystemInformation,
         DWORD  SystemInformationLength,
         PDWORD ReturnLength);
     typedef NTSTATUS (WINAPI *ZWOPENPROCESS)(
         PHANDLE            ProcessHandle,
         ACCESS_MASK        DesiredAccess,
         POBJECT_ATTRIBUTES ObjectAttributes,
         PCLIENT_ID         ClientId);
     typedef NTSTATUS (WINAPI *ZWDUPLICATEOBHECT)(
         DWORD  SourceProcessHandle,
         DWORD  SourceHandle,
         DWORD  TargetProcessHandle,
         DWORD *TargetHandle,
         DWORD  DesiredAccess,
         DWORD  HandleAttributes,
         DWORD  Options);
     /* The first two parameters were named SystemInformationClass/dd before;
      * by position they presumably are the process handle and the information
      * class -- verify against the call sites. */
     typedef NTSTATUS (WINAPI *ZWQUERYINFORMATIONPROCESS)(
         DWORD                      ProcessHandle,
         DWORD                      ProcessInformationClass,
         PROCESS_BASIC_INFORMATION *ProcessInformation,
         DWORD                      ProcessInformationLength,
         DWORD                      ReturnLength);
     /* Parameter names follow the documented NtMapViewOfSection prototype;
      * the types are kept exactly as they were. */
     typedef NTSTATUS (WINAPI *ZWMAPVIEWOFSECTION)(
         HANDLE         SectionHandle,
         HANDLE         ProcessHandle,
         LPVOID         BaseAddress,
         ULONG_PTR      ZeroBits,
         SIZE_T         CommitSize,
         PLARGE_INTEGER SectionOffset,
         LPVOID         ViewSize,
         DWORD          InheritDisposition,
         ULONG          AllocationType,
         ULONG          Protect);

     /* Resolved entry points. Static storage, so all are NULL until
      * Initialize() has run, and any export GetProcAddress cannot find stays
      * NULL -- check a pointer for NULL before calling through it. */
     ZWQUERYINFORmMATIONTHREAD ZwQueryInformationThread;
     ZWQUERYSYSTEMINFORMATION  ZwQuerySystemInformation;
     ZWOPENPROCESS             ZwOpenProcess;
     ZWDUPLICATEOBHECT         ZwDuplicateObject;
     ZWQUERYINFORMATIONPROCESS ZwQueryInformationProcess;
     ZWMAPVIEWOFSECTION        ZwMapViewOfSection;
     /* NTQUERYINFORMATIONTHREAD is typedef'd further down in this file; in a
      * single translation unit that typedef has to precede this declaration. */
     NTQUERYINFORMATIONTHREAD  NtQueryInformationThread;
    14 
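    // Resolve the ntdll entry points declared above.
    //
    // Must be called once before any Zw*/Nt* pointer in this file is used.
    // It has no return value: a pointer that cannot be resolved is left NULL,
    // so callers check each pointer for NULL before calling through it.
    VOID Initialize(void)
    {
        // ntdll.dll is already mapped in every process, so look the module up
        // instead of taking a LoadLibrary reference that is never released.
        HMODULE hNtDll = GetModuleHandleW(L"ntdll.dll");
        if (hNtDll == NULL) {
            // GetProcAddress must not be called with a NULL module handle;
            // leave every pointer NULL.
            return;
        }

        ZwQueryInformationThread  = (ZWQUERYINFORmMATIONTHREAD)GetProcAddress(hNtDll, "ZwQueryInformationThread");
        ZwQuerySystemInformation  = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtDll, "ZwQuerySystemInformation");
        ZwOpenProcess             = (ZWOPENPROCESS)GetProcAddress(hNtDll, "ZwOpenProcess");
        ZwDuplicateObject         = (ZWDUPLICATEOBHECT)GetProcAddress(hNtDll, "ZwDuplicateObject");
        ZwQueryInformationProcess = (ZWQUERYINFORMATIONPROCESS)GetProcAddress(hNtDll, "ZwQueryInformationProcess");
        NtQueryInformationThread  = (NTQUERYINFORMATIONTHREAD)GetProcAddress(hNtDll, "NtQueryInformationThread");
        ZwMapViewOfSection        = (ZWMAPVIEWOFSECTION)GetProcAddress(hNtDll, "ZwMapViewOfSection");
    }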
    // Counted UTF-16 string used by the native API (the ObjectName member of
    // OBJECT_ATTRIBUTES below). NOTE(review): in the Windows definition Length
    // and MaximumLength are byte counts, not character counts, and Buffer is
    // not guaranteed to be NUL-terminated -- copy at most Length bytes from it.
    // The same tag is defined by winternl.h; including both will clash.
    typedef struct _UNICODE_STRING {
        USHORT  Length;         // bytes in use (per the Windows definition)
        USHORT  MaximumLength;  // bytes available in Buffer
        PWSTR  Buffer;
    } UNICODE_STRING ,*PUNICODE_STRING;
    // Object naming / open parameters passed to ZwOpenProcess.
    // NOTE(review): the Windows definition expects Length == sizeof(OBJECT_ATTRIBUTES)
    // and the unused members zeroed (what InitializeObjectAttributes does);
    // confirm the callers do so. Same tag as in winternl.h -- do not include both.
    typedef struct _OBJECT_ATTRIBUTES {
        ULONG Length;                 // size of this structure
        HANDLE RootDirectory;         // directory ObjectName is relative to, or NULL
        PUNICODE_STRING ObjectName;   // may be NULL when opening by CLIENT_ID
        ULONG Attributes;             // OBJ_* flags
        PVOID SecurityDescriptor;
        PVOID SecurityQualityOfService;
    } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
    // Process / thread id pair: input to ZwOpenProcess (via PCLIENT_ID) and
    // output in THREAD_BASIC_INFORMATION.
    // NOTE(review): both members are pointer-sized HANDLEs in the Windows
    // definition; DWORD is only layout-compatible on 32-bit, so this struct
    // (like the DWORD handle parameters above) must not be built for x64.
    typedef struct _CLIENT_ID
    {
        DWORD UniqueProcess;   // process id
        DWORD UniqueThread;    // thread id
    } CLIENT_ID, *PCLIENT_ID;
    // One entry of the system-wide handle table (presumably what
    // ZwQuerySystemInformation returns for SystemHandleInformation -- the query
    // itself is not in this file). The table covers every process on the
    // system; HandleValue is only meaningful together with ProcessId.
    // NOTE(review): ObjectTypeNumber is an index that differs between Windows
    // versions, so do not hard-code a type number -- resolve it at runtime.
    typedef struct _SYSTEM_HANDLE_INFORMATION
    {
        ULONG ProcessId;            // owner process of the handle
        UCHAR ObjectTypeNumber;     // object type index (version dependent)
        UCHAR Flags;
        USHORT HandleValue;         // handle value inside ProcessId
        PVOID Object;               // kernel address of the object
        ACCESS_MASK GrantedAccess;  // access the handle was granted
    }SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
    // Header of the SystemHandleInformation buffer: NumberOfHandles entries
    // follow inline. Information[1] is the pre-C99 "trailing array" idiom, so
    // sizeof(SYSTEM_HANDLE_INFORMATION_EX) already counts one entry and the
    // buffer has to be allocated for the full NumberOfHandles
    // (STATUS_INFO_LENGTH_MISMATCH from the query means it was too small).
    // Never index past NumberOfHandles, and never trust NumberOfHandles beyond
    // the byte length that was actually returned.
    typedef struct _SYSTEM_HANDLE_INFORMATION_EX
    {
        ULONG NumberOfHandles;                     // entries valid in Information
        SYSTEM_HANDLE_INFORMATION Information[1];  // variable length, NumberOfHandles entries
    }SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;
    // Output buffer for ZwQueryInformationProcess (basic-information class).
    // NOTE(review): no struct tag, and PebBaseAddress / AffinityMask are DWORD
    // where the Windows definition uses PVOID / ULONG_PTR -- 32-bit layout
    // only; it also clashes with the PROCESS_BASIC_INFORMATION in winternl.h.
    typedef struct
    {
        DWORD ExitStatus;                   // process exit status
        DWORD PebBaseAddress;               // address of the process environment block (PEB)
        DWORD AffinityMask;                 // process affinity mask
        DWORD BasePriority;                 // base priority class of the process
        ULONG UniqueProcessId;              // process id
        ULONG InheritedFromUniqueProcessId; // id of the creating process -- NOTE(review):
                                            // recorded at creation time; that process may have
                                            // exited and its id been reused since
    } PROCESS_BASIC_INFORMATION;
    typedef ULONG KPRIORITY;   // scheduler priority value (see THREAD_BASIC_INFORMATION)
    // NOTE(review): NTSTATUS is also defined by ntdef.h / winternl.h; an
    // identical redefinition is legal in C11 but rejected by older C modes,
    // so keep exactly one definition in scope.
    typedef LONG NTSTATUS;
    // Output buffer for Zw/NtQueryInformationThread with ThreadBasicInformation.
    // ClientId carries the owning process id and the thread id; TebBaseAddress
    // is presumably the TEB of the queried thread in its own process, not a
    // pointer valid in the caller -- confirm before dereferencing it.
    typedef struct _THREAD_BASIC_INFORMATION {
        NTSTATUS                ExitStatus;      // thread exit status
        PVOID                   TebBaseAddress;  // TEB address (in the target process)
        CLIENT_ID               ClientId;        // owning process id / thread id
        KAFFINITY               AffinityMask;
        KPRIORITY               Priority;
        KPRIORITY               BasePriority;
    
    } THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;
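    // Prototype of ntdll!NtQueryInformationThread with pointer-sized parameter
    // types (HANDLE / PULONG). Prefer this over the DWORD-based
    // ZWQUERYINFORmMATIONTHREAD above: ReturnLength can actually receive the
    // number of bytes written, which a DWORD parameter cannot.
    // The duplicate `typedef LONG NTSTATUS;` that used to precede this typedef
    // was dropped -- NTSTATUS is already defined earlier in this file.
    typedef NTSTATUS(WINAPI *NTQUERYINFORMATIONTHREAD)(
        HANDLE ThreadHandle,
        ULONG ThreadInformationClass,   // a THREADINFOCLASS value
        PVOID ThreadInformation,        // e.g. a THREAD_BASIC_INFORMATION
        ULONG ThreadInformationLength,  // size of ThreadInformation in bytes
        PULONG ReturnLength);           // optional: bytes written / required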
    // Information classes for Zw/NtQueryInformationThread. The values are the
    // Windows ordinals, assigned implicitly from 0 in declaration order, so the
    // order below must not be changed and new entries can only be appended.
    // The DWORD-typed ThreadInformationClass parameters above take these values.
    typedef enum _THREADINFOCLASS
    {
        ThreadBasicInformation,     // 0: fills a THREAD_BASIC_INFORMATION
        ThreadTimes,
        ThreadPriority,
        ThreadBasePriority,
        ThreadAffinityMask,
        ThreadImpersonationToken,
        ThreadDescriptorTableEntry,
        ThreadEnableAlignmentFaultFixup,
        ThreadEventPair_Reusable,
        ThreadQuerySetWin32StartAddress,
        ThreadZeroTlsCell,
        ThreadPerformanceCount,
        ThreadAmILastThread,
        ThreadIdealProcessor,
        ThreadPriorityBoost,
        ThreadSetTlsArrayAddress,   // Obsolete
        ThreadIsIoPending,
        ThreadHideFromDebugger,
        ThreadBreakOnTermination,
        ThreadSwitchLegacyState,
        ThreadIsTerminated,
        ThreadLastSystemCall,
        ThreadIoPriority,
        ThreadCycleTime,
        ThreadPagePriority,
        ThreadActualBasePriority,
        ThreadTebInformation,
        ThreadCSwitchMon,          // Obsolete
        ThreadCSwitchPmu,
        ThreadWow64Context,
        ThreadGroupInformation,
        ThreadUmsInformation,      // UMS
        ThreadCounterProfiling,
        ThreadIdealProcessorEx,
        MaxThreadInfoClass          // one past the last valid class
    } THREADINFOCLASS;
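    // LUID low part of SeShutdownPrivilege (19). Not static, so this definition
    // has external linkage: keep it in exactly one translation unit.
    const unsigned int SE_SHUTDOWN_PRIVILEGE = 0x13;
    // SYSTEM_INFORMATION_CLASS ordinal passed to ZwQuerySystemInformation to
    // obtain the SYSTEM_HANDLE_INFORMATION_EX table (16 decimal).
    #define SystemHandleInformation 0x10
    // Current-process pseudo-handle. Parenthesised so it stays a single
    // operand inside expressions; as a DWORD it becomes 0xFFFFFFFF.
    #define ZwGetCurrentProcess (-1)
    // Returned by the query APIs when the caller's buffer is too small; the
    // ReturnLength output (when requested) then holds the size to retry with.
    #define STATUS_INFO_LENGTH_MISMATCH      ((NTSTATUS)0xC0000004L)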
    
    // Bookkeeping for one inline (JMP) patch so that it can be undone again.
    // NOTE(review): the addresses are DWORD, i.e. 32-bit only. Whatever fills
    // HOOKbyte must keep HOOKbyte_length <= sizeof HOOKbyte (10 bytes); a
    // longer copy of the original bytes overflows the struct.
    typedef struct HOOK
    {
        DWORD HOOKAddress;     // address being hooked
        DWORD JMPAddress;      // address of the hook code the JMP transfers to
        BYTE  HOOKbyte[10];    // saved copy of the bytes the JMP overwrote
        DWORD HOOKbyte_length; // number of bytes overwritten (valid entries in HOOKbyte)
    }HOOK;
  • 原文地址:https://www.cnblogs.com/IMyLife/p/4826286.html