当前位置：首页 > news >正文

windows hook之进程防杀（任务管理器）

news 来源：原创 2024/9/20 7:59:24

任务管理器防杀指定进程

minihook使用指南

1、原理

注入dll到任务管理，hook OpenProcessAPI实现进程信息获取操作，达到进程防杀

2、dll实现

#include "pch.h"
#include <Windows.h>
#include "../include/minihook/MinHook.h"
#include <TlHelp32.h>
#include <set>#ifdef _WIN64#pragma comment(lib,"../include/minihook/libMinHook.x64.lib")
#else#pragma comment(lib,"../include/minihook/libMinHook.x86.lib")
#endif // _WIN64std::set<DWORD> g_setPid = {1024};
typedef HANDLE(WINAPI* OldOpenProcess)(DWORD, BOOL, DWORD);
OldOpenProcess fpOldOpenProcess = NULL;HANDLE WINAPI MyOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
{if (!g_setPid.empty()) {auto setPid = g_setPid;if (setPid.find(dwProcessId) != setPid.end()) {// set error codeSetLastError(ERROR_ACCESS_DENIED);return INVALID_HANDLE_VALUE;}}return fpOldOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
}void HookOpenProcess() {if (MH_Initialize() == MB_OK){MH_CreateHook(&OpenProcess, &MyOpenProcess, reinterpret_cast<void**>(&fpOldOpenProcess));MH_EnableHook(&OpenProcess);}else {MessageBoxA(NULL, "Hooked opeprocess failed", "Tip", MB_OK);}
}void UnhookOpenProcess() {if (MH_DisableHook(MH_ALL_HOOKS) == MB_OK){MH_Uninitialize();}
}BOOL APIENTRY DllMain(HMODULE hModule,DWORD  ul_reason_for_call,LPVOID lpReserved
)
{switch (ul_reason_for_call){case DLL_PROCESS_ATTACH: {HookOpenProcess();break;}case DLL_THREAD_ATTACH: {break;}case DLL_THREAD_DETACH: {break;}case DLL_PROCESS_DETACH:UnhookOpenProcess();break;}return TRUE;
}

3、任务管理器dll注入/卸载

#include <iostream>
#include <Windows.h>
#include <tlhelp32.h>DWORD nPid = 0;
DWORD GetTaskMgrPid()
{DWORD nPid = 0;std::wstring wstrProcessName(L"TaskMgr.exe");PROCESSENTRY32 pe32;HANDLE hSnapshot = NULL;pe32.dwSize = sizeof(PROCESSENTRY32);hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);if (hSnapshot == INVALID_HANDLE_VALUE) return -1;if (Process32First(hSnapshot, &pe32)) {do {// wcsicmp: ignore case; wcscmp: case sensitiveif (_wcsicmp(pe32.szExeFile, wstrProcessName.c_str()) == 0) {nPid = pe32.th32ProcessID;break;}} while (Process32Next(hSnapshot, &pe32));}if (hSnapshot != INVALID_HANDLE_VALUE)CloseHandle(hSnapshot);return nPid;
}void ejectDll() {wchar_t szDll[] = L"HookOpenProcess.dll";BOOL bMore = FALSE, bFound = FALSE;HANDLE hSnapshot, hProcess, hThread;HMODULE hModule = NULL;MODULEENTRY32 me = { sizeof(me) };LPTHREAD_START_ROUTINE pThreadProc;hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, nPid);if (INVALID_HANDLE_VALUE == hSnapshot) {std::cout << "Create snapshot failed: " << GetLastError() << ", pid: " << nPid << "\n";return;}bMore = Module32First(hSnapshot, &me);for (; bMore; bMore = Module32Next(hSnapshot, &me)){if (!_wcsicmp((LPCTSTR)me.szModule, szDll) ||!_wcsicmp((LPCTSTR)me.szExePath, szDll)){bFound = TRUE;break;}}if (!bFound){std::cout << "Not found\n";CloseHandle(hSnapshot);return ;}if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, nPid))){//_tprintf(L"OpenProcess(%d) failed!!! [%d]\n", dwPID, GetLastError());return ;}hModule = GetModuleHandle(L"kernel32.dll");// free library with manualpThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hModule, "FreeLibrary");hThread = CreateRemoteThread(hProcess, NULL, 0,pThreadProc, me.modBaseAddr,0, NULL);WaitForSingleObject(hThread, INFINITE);CloseHandle(hThread);CloseHandle(hProcess);CloseHandle(hSnapshot);std::cout << "Eject completed.\n";
}void injectDll()
{char szDll[] = "D:/Demo/include/HookOpenProcess.dll";HANDLE hTaskMgr = OpenProcess(PROCESS_ALL_ACCESS, FALSE, nPid);if (NULL == hTaskMgr) {std::cout << "Open process failed: " << GetLastError() << "\n";return;}SIZE_T pathSize = strlen(szDll) + 1;LPVOID pDllAddr = VirtualAllocEx(hTaskMgr, NULL, pathSize, MEM_COMMIT, PAGE_READWRITE);BOOL bSucc = WriteProcessMemory(hTaskMgr, pDllAddr, szDll, pathSize, NULL);LPTHREAD_START_ROUTINE fun = (LPTHREAD_START_ROUTINE)LoadLibraryA;auto hThread = CreateRemoteThread(hTaskMgr, NULL, 0, fun, pDllAddr, 0, NULL);WaitForSingleObject(hThread, INFINITE);// do cleanCloseHandle(hThread);VirtualFreeEx(hTaskMgr, pDllAddr, 0, MEM_RELEASE);CloseHandle(hTaskMgr);std::cout << "Inject completed.\n";
}int main()
{nPid = GetTaskMgrPid();if (nPid <= 0) {std::cout << "TaskMgr.exe not running, try it later\n";return 0;}
#if 1injectDll();
#elseejectDll();
#endifgetchar();return 0;
}

注意事项

1、dll编译和待注入程序位数保持一致(待注入程序是64位，dll必须是64位)
2、注入程序必须和待注入程序位数保持一致(待注入程序是64位，注入必须是64位)
3、pid信息可通过共享内存(FileMapping)传递，如果dll内部有用到event并等待，一定要先退出等待，dll才能卸载，不然会导致任务管理器异常