
Detours Hook CreateProcess  

2010-10-27 20:05:15|  分类: SDK编程 |  标签: |举报 |字号 订阅


#include <windows.h>

#include "detours.h"


#pragma comment(lib, "detours.lib")

#pragma comment(lib, "detoured.lib")

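// Detours' DLL-injection loader requires the injected DLL to export at least
// one function; this empty export exists only to satisfy that requirement and
// is never called by the hook code itself.
// (__declspec is the canonical MSVC spelling; _declspec is a legacy synonym.)
__declspec(dllexport) void exportfunc()
{
    // Intentionally empty.
}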

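// Ring-3 (user-mode) interception of process creation — ANSI entry point.
//
// Trampoline pointer: it starts out pointing at CreateProcessA and, once
// DetourAttach has run, reaches the original (un-hooked) code. The hook
// calls through it to actually create the process.
//
// The parameter types must match CreateProcessA exactly: LPCSTR / LPSTR /
// LPSTARTUPINFOA. The original declaration used the TCHAR forms (LPCTSTR,
// LPTSTR, LPSTARTUPINFO), which resolve to the wide types when UNICODE is
// defined and then no longer describe the function this pointer is
// initialised with — the (PVOID&) cast at the attach site hides that
// mismatch from the compiler instead of rejecting it.
BOOL (WINAPI * Real_CreateProcessA)( LPCSTR lpApplicationName,
    LPSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCSTR lpCurrentDirectory,
    LPSTARTUPINFOA lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation)
    = CreateProcessA;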


// Ring-3 (user-mode) interception of process creation — Unicode entry point.
//
// Signature of CreateProcessW, spelled out once so the trampoline pointer
// below and any future caller agree on it.
typedef BOOL (WINAPI *PFN_CreateProcessW)(
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation);

// Trampoline pointer: initialised to CreateProcessW; after DetourAttach it
// reaches the original code, and the hook calls through it to do the real
// process creation.
PFN_CreateProcessW Real_CreateProcessW = CreateProcessW;



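// Appends src to the NUL-terminated buffer buf without ever writing past
// cch characters; overlong input is truncated and the result stays
// NUL-terminated (lstrcpynA copies at most cch-1 characters and terminates).
static void AppendBoundedA(char *buf, int cch, LPCSTR src)
{
    int used = lstrlenA(buf);
    if (used < cch - 1)
        lstrcpynA(buf + used, src, cch - used);
}

// ANSI hook: asks the interactive user whether the process may be created
// and either forwards the call unchanged or fails it.
//
// Changes versus the original:
//  - the prompt now shows the target (command line, else application name);
//    an allow/deny prompt that does not say what is being launched gives the
//    user nothing to decide on;
//  - MessageBoxA is called explicitly: the TCHAR macro MessageBox would not
//    compile with these narrow literals under UNICODE (the W hook already
//    calls MessageBoxW explicitly);
//  - on "No" the last-error code is set, so callers that do the usual
//    GetLastError() after a FALSE return see ERROR_ACCESS_DENIED instead of
//    whatever stale value was left behind.
//
// NOTE: an in-process user-mode hook is not a security boundary. Code running
// in the hooked process can unhook it, call the native API directly, or
// dismiss the message box itself. Treat this as a monitoring/experimentation
// aid, not as process-creation enforcement.
BOOL WINAPI Mine_CreateProcessA( LPCSTR lpApplicationName,
    LPSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCSTR lpCurrentDirectory,
    LPSTARTUPINFOA lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation)
{
    // lpCommandLine is preferred: lpApplicationName is frequently NULL.
    LPCSTR target = lpCommandLine ? lpCommandLine
                  : lpApplicationName ? lpApplicationName
                  : "(no command line)";

    char text[1024];
    text[0] = '\0';
    AppendBoundedA(text, (int)sizeof text, "有新进程要启动?");
    AppendBoundedA(text, (int)sizeof text, "\n");
    AppendBoundedA(text, (int)sizeof text, target);

    if (IDYES != MessageBoxA(NULL, text, "拦截!", MB_YESNO))
    {
        // Fail the call the way CreateProcess itself does: FALSE plus a
        // last-error code the caller can read back.
        SetLastError(ERROR_ACCESS_DENIED);
        return FALSE;
    }

    // Approved: forward every argument untouched to the original API.
    return Real_CreateProcessA( lpApplicationName,
        lpCommandLine,
        lpProcessAttributes,
        lpThreadAttributes,
        bInheritHandles,
        dwCreationFlags,
        lpEnvironment,
        lpCurrentDirectory,
        lpStartupInfo,
        lpProcessInformation);
}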


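// Appends src to the NUL-terminated wide buffer buf without ever writing past
// cch characters; overlong input is truncated and the result stays
// NUL-terminated (lstrcpynW copies at most cch-1 characters and terminates).
static void AppendBoundedW(WCHAR *buf, int cch, LPCWSTR src)
{
    int used = lstrlenW(buf);
    if (used < cch - 1)
        lstrcpynW(buf + used, src, cch - used);
}

// Unicode hook: asks the interactive user whether the process may be created
// and either forwards the call unchanged or fails it.
//
// Changes versus the original:
//  - the opening brace of the function body was missing in the listing, so it
//    did not compile; restored;
//  - the prompt now shows the target (command line, else application name);
//    an allow/deny prompt that does not say what is being launched gives the
//    user nothing to decide on;
//  - on "No" the last-error code is set, so callers that do the usual
//    GetLastError() after a FALSE return see ERROR_ACCESS_DENIED instead of
//    whatever stale value was left behind.
//
// NOTE: an in-process user-mode hook is not a security boundary. Code running
// in the hooked process can unhook it, call the native API directly, or
// dismiss the message box itself. Treat this as a monitoring/experimentation
// aid, not as process-creation enforcement.
BOOL WINAPI Mine_CreateProcessW( LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation)
{
    // lpCommandLine is preferred: lpApplicationName is frequently NULL.
    LPCWSTR target = lpCommandLine ? lpCommandLine
                   : lpApplicationName ? lpApplicationName
                   : L"(no command line)";

    WCHAR text[1024];
    const int cch = (int)(sizeof text / sizeof text[0]);   // count in WCHARs, not bytes
    text[0] = L'\0';
    AppendBoundedW(text, cch, L"有新进程要启动?");
    AppendBoundedW(text, cch, L"\n");
    AppendBoundedW(text, cch, target);

    if (IDYES != MessageBoxW(NULL, text, L"拦截!", MB_YESNO))
    {
        // Fail the call the way CreateProcess itself does: FALSE plus a
        // last-error code the caller can read back.
        SetLastError(ERROR_ACCESS_DENIED);
        return FALSE;
    }

    // Approved: forward every argument untouched to the original API.
    return Real_CreateProcessW( lpApplicationName,
        lpCommandLine,
        lpProcessAttributes,
        lpThreadAttributes,
        bInheritHandles,
        dwCreationFlags,
        lpEnvironment,
        lpCurrentDirectory,
        lpStartupInfo,
        lpProcessInformation);
}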


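// DLL entry point: installs the CreateProcessA/W detours when the DLL is
// loaded and removes them when it is unloaded.
//
// Returns FALSE from DLL_PROCESS_ATTACH if the detours could not be
// installed, so the DLL fails to load instead of silently running with the
// hooks absent (the original ignored DetourTransactionCommit's result and
// always returned TRUE).
BOOL WINAPI DllMain(HINSTANCE hInstDll, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
    {
        DetourTransactionBegin();
        // Only the calling thread is updated. Inside DllMain the other threads
        // cannot be enumerated safely, so a thread that happens to be executing
        // the patched prologue at this instant is an accepted (small) risk of
        // hooking from DllMain at all.
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)Real_CreateProcessA, Mine_CreateProcessA);
        DetourAttach(&(PVOID&)Real_CreateProcessW, Mine_CreateProcessW);
        // Commit reports the first failure of the transaction (including a
        // failed DetourAttach) and has already rolled it back by then.
        LONG err = DetourTransactionCommit();
        if (err != NO_ERROR)
        {
            // Fail closed: an interception DLL that loaded but hooks nothing
            // would give the caller a false sense of coverage.
            return FALSE;
        }
        break;
    }

    case DLL_PROCESS_DETACH:
    {
        // A non-NULL lpvReserved means the process is terminating rather than
        // calling FreeLibrary: other threads are already gone and the address
        // space is about to be torn down, so restoring the originals is
        // pointless and would run Detours code in a half-dead process.
        if (lpvReserved != NULL)
            break;
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)Real_CreateProcessA, Mine_CreateProcessA);
        DetourDetach(&(PVOID&)Real_CreateProcessW, Mine_CreateProcessW);
        // Nothing useful can be done if unhooking fails on unload, so the
        // result is deliberately not checked here.
        DetourTransactionCommit();
        break;
    }

    default:
        // DLL_THREAD_ATTACH / DLL_THREAD_DETACH: nothing per-thread to do.
        break;
    }
    return TRUE;
}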

