Hijacking system processes to block opening any process (5)

Posted: 2015-05-26 20:46:45

The Windows function that creates processes:

[image: prototype of the Windows process-creation function]

After hooking this function, inject the DLL into the explorer.exe process and the hook takes effect there.

For this test the DLL is injected into Evernote (印象笔记):

#include <stdio.h>
#include <windows.h>
#include <string.h>
#include "detours.h"
#pragma comment(lib, "detours.lib")

// Pointer to the original CreateProcessW. After DetourAttach it points at the
// Detours trampoline, so calling it would reach the real function.
BOOL (WINAPI *oldCreateProcessW)(
        LPCWSTR lpApplicationName,
        LPWSTR lpCommandLine,
        LPSECURITY_ATTRIBUTES lpProcessAttributes,
        LPSECURITY_ATTRIBUTES lpThreadAttributes,
        BOOL bInheritHandles,
        DWORD dwCreationFlags,
        LPVOID lpEnvironment,
        LPCWSTR lpCurrentDirectory,
        LPSTARTUPINFOW lpStartupInfo,
        LPPROCESS_INFORMATION lpProcessInformation
       ) = CreateProcessW;

// Replacement function: every process-creation request from the hooked
// process is refused and reported with a message box.
BOOL WINAPI newCreateProcessW(
        LPCWSTR lpApplicationName,
        LPWSTR lpCommandLine,
        LPSECURITY_ATTRIBUTES lpProcessAttributes,
        LPSECURITY_ATTRIBUTES lpThreadAttributes,
        BOOL bInheritHandles,
        DWORD dwCreationFlags,
        LPVOID lpEnvironment,
        LPCWSTR lpCurrentDirectory,
        LPSTARTUPINFOW lpStartupInfo,
        LPPROCESS_INFORMATION lpProcessInformation
       ) {
       MessageBoxA(0, "系统进程已被劫持!", "系统警告", 0);
       SetLastError(ERROR_ACCESS_DENIED); // callers see a normal API failure
       return FALSE;
}

void Hook()
{
       DetourRestoreAfterWith();                // restore the import table Detours may have altered
       DetourTransactionBegin();                // begin the hook transaction
       DetourUpdateThread(GetCurrentThread());  // enlist the current thread in the transaction
       DetourAttach((void **)&oldCreateProcessW, newCreateProcessW); // redirect CreateProcessW
       DetourTransactionCommit();               // the hook takes effect here
}

void UnHook()
{
       DetourTransactionBegin();                // begin the unhook transaction
       DetourUpdateThread(GetCurrentThread());  // enlist the current thread
       DetourDetach((void **)&oldCreateProcessW, newCreateProcessW); // remove the redirect
       DetourTransactionCommit();               // the original function is restored here
}

__declspec(dllexport) void go() {
       MessageBoxA(0, "系统进程劫持成功!", "系统信息", 0);
       Hook();            // attach once; re-attaching every second would stack detours on the trampoline
       Sleep(60 * 1000);  // keep the hook in place for 60 seconds
       UnHook();
}

The hook is installed:

[image: message box shown after the hook was installed]


When opening the Getting Started guide from the Help menu (which would normally launch a new process):

[image: the hook's warning message box appears instead of the guide]
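The hook above works because Detours overwrites the first instruction of CreateProcessW in the target process with a jump to newCreateProcessW (commonly a 5-byte jmp rel32, or an indirect jmp when the detour is far away). That is exactly what an integrity check or an EDR sensor looks for on the defensive side: an exported function whose prologue begins with an unconditional jump, or whose in-memory bytes differ from the same bytes in the DLL on disk. The C below is an added example, not part of the original post and not Detours code. The two prologue byte arrays are constructed samples (a typical x64 prologue and the same bytes after a 5-byte detour), the pattern list and the hook_verdict function are my own, and on Windows the live bytes would be read from the address GetProcAddress returns while the baseline would come from the DLL file on disk.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Heuristic check: does the start of a function body look like an unconditional
 * redirect? Inline hooks (Detours included) overwrite the first bytes of the
 * target with a jump to the replacement, so a clean prologue never starts this way. */
int looks_inline_hooked(const unsigned char *code, size_t len)
{
    if (len >= 5 && code[0] == 0xE9)                          /* jmp rel32 (5-byte detour) */
        return 1;
    if (len >= 2 && code[0] == 0xEB)                          /* jmp rel8 */
        return 1;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25)       /* jmp [rip+disp32] / jmp [abs32] */
        return 1;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3)       /* push imm32; ret */
        return 1;
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
        code[10] == 0xFF && code[11] == 0xE0)                 /* mov rax, imm64; jmp rax */
        return 1;
    return 0;
}

/* Stronger check: compare the live prologue with a trusted copy of the same bytes.
 * Any difference means the code was patched in memory, whatever the patch looks like. */
int prologue_differs(const unsigned char *live, const unsigned char *baseline, size_t n)
{
    return memcmp(live, baseline, n) != 0;
}

/* Combined verdict for one function entry:
 * 0 = clean, 1 = jump pattern only, 2 = differs from baseline only, 3 = both. */
int hook_verdict(const unsigned char *live, const unsigned char *baseline, size_t n)
{
    int verdict = 0;
    if (looks_inline_hooked(live, n))
        verdict |= 1;
    if (prologue_differs(live, baseline, n))
        verdict |= 2;
    return verdict;
}

#define PROLOGUE_LEN 16

/* Constructed sample: a typical x64 prologue (mov [rsp+8],rbx; mov [rsp+16],rbp;
 * push rsi; push rdi; push r14; sub rsp,...). These are not the real CreateProcessW bytes. */
static const unsigned char CLEAN_PROLOGUE[PROLOGUE_LEN] = {
    0x48, 0x89, 0x5C, 0x24, 0x08, 0x48, 0x89, 0x6C,
    0x24, 0x10, 0x56, 0x57, 0x41, 0x56, 0x48, 0x83
};

/* Constructed sample: the same prologue after a 5-byte "jmp rel32" detour was
 * written over its first instruction (the displacement value is arbitrary). */
static const unsigned char DETOURED_PROLOGUE[PROLOGUE_LEN] = {
    0xE9, 0x1B, 0x34, 0x00, 0x00, 0x48, 0x89, 0x6C,
    0x24, 0x10, 0x56, 0x57, 0x41, 0x56, 0x48, 0x83
};

int main(void)
{
    printf("clean prologue verdict:    %d\n",
           hook_verdict(CLEAN_PROLOGUE, CLEAN_PROLOGUE, PROLOGUE_LEN));
    printf("detoured prologue verdict: %d\n",
           hook_verdict(DETOURED_PROLOGUE, CLEAN_PROLOGUE, PROLOGUE_LEN));
    return 0;
}
```

The pattern check is cheap and needs no reference copy, but it only catches redirects it knows about; the baseline comparison catches any modification but requires a trusted source for the original bytes (the DLL image on disk, after applying relocations). A self-protecting process or a monitoring agent would typically run both against the entry points it cares about, CreateProcessW among them, and treat a verdict of 2 or 3 as a patched API.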




Original source: http://www.cnblogs.com/ZhangJinkun/p/4531484.html