用到的结构

1 typedef NTSTATUS (WINAPI *ZWQUERYINFORmMATIONTHREAD)(DWORD ThreadHandle,DWORD ThreadInformationClass,THREAD_BASIC_INFORMATION* SystemInformation,DWORD ThreadInformationLength,DWORD ReturnLength); 2 typedef NTSTATUS (WINAPI *ZWQUERYSYSTEMINFORMATION)(DWORD, PVOID, DWORD, PDWORD); 3 typedef NTSTATUS (WINAPI *ZWOPENPROCESS)(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ); 4 typedef NTSTATUS (WINAPI *ZWDUPLICATEOBHECT)(DWORD SourceProcessHandle, DWORD SourceHandle,DWORD TargetProcessHandle, DWORD* TargetHandle,DWORD DesiredAccess,DWORD HandleAttributes,DWORD Optionss); 5 typedef NTSTATUS (WINAPI *ZWQUERYINFORMATIONPROCESS)(DWORD SystemInformationClass,DWORD dd,PROCESS_BASIC_INFORMATION* SystemInformation,DWORD SystemInformationLength,DWORD ReturnLength); 6 typedef NTSTATUS (WINAPI *ZWMAPVIEWOFSECTION)(HANDLE,HANDLE,LPVOID,ULONG_PTR,SIZE_T,PLARGE_INTEGER,LPVOID,DWORD,ULONG,ULONG); 7 ZWMAPVIEWOFSECTION ZwMapViewOfSection; 8 ZWQUERYINFORmMATIONTHREAD ZwQueryInformationThread; 9 ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation; 10 ZWOPENPROCESS ZwOpenProcess; 11 ZWDUPLICATEOBHECT ZwDuplicateObject; 12 ZWQUERYINFORMATIONPROCESS ZwQueryInformationProcess; 13 NTQUERYINFORMATIONTHREAD NtQueryInformationThread; 14 15 //初始化未导出函数 16 VOID Initialize() 17 { 18 19 HMODULE hNtDll = LoadLibraryW(L"ntdll.dll"); 20 ZwQueryInformationThread=(ZWQUERYINFORmMATIONTHREAD)GetProcAddress(hNtDll,"ZwQueryInformationThread"); 21 ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtDll,"ZwQuerySystemInformation"); 22 ZwOpenProcess = (ZWOPENPROCESS)GetProcAddress(hNtDll,"ZwOpenProcess"); 23 ZwDuplicateObject=(ZWDUPLICATEOBHECT)GetProcAddress(hNtDll,"ZwDuplicateObject"); 24 ZwQueryInformationProcess=(ZWQUERYINFORMATIONPROCESS)GetProcAddress(hNtDll,"ZwQueryInformationProcess"); 25 NtQueryInformationThread = (NTQUERYINFORMATIONTHREAD)GetProcAddress(hNtDll, "NtQueryInformationThread"); 26 ZwMapViewOfSection=(ZWMAPVIEWOFSECTION)GetProcAddress(hNtDll,"ZwMapViewOfSection"); 27 28 }

 

typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING ,*PUNICODE_STRING; typedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService; } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; typedef struct _CLIENT_ID { DWORD UniqueProcess; DWORD UniqueThread; } CLIENT_ID, *PCLIENT_ID; typedef struct _SYSTEM_HANDLE_INFORMATION { ULONG ProcessId; UCHAR ObjectTypeNumber; UCHAR Flags; USHORT HandleValue; PVOID Object; ACCESS_MASK GrantedAccess; }SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; typedef struct _SYSTEM_HANDLE_INFORMATION_EX { ULONG NumberOfHandles; SYSTEM_HANDLE_INFORMATION Information[1]; }SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX; typedef struct { DWORD ExitStatus; // 接收进程终止状态 DWORD PebBaseAddress; // 接收进程环境块地址 DWORD AffinityMask; // 接收进程关联掩码 DWORD BasePriority; // 接收进程的优先级类 ULONG UniqueProcessId; // 接收进程ID ULONG InheritedFromUniqueProcessId; //接收父进程ID } PROCESS_BASIC_INFORMATION; typedef ULONG KPRIORITY; typedef LONG NTSTATUS; typedef struct _THREAD_BASIC_INFORMATION { NTSTATUS ExitStatus; PVOID TebBaseAddress; CLIENT_ID ClientId; KAFFINITY AffinityMask; KPRIORITY Priority; KPRIORITY BasePriority; } THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION; typedef LONG NTSTATUS; typedef NTSTATUS(WINAPI *NTQUERYINFORMATIONTHREAD)( HANDLE ThreadHandle, ULONG ThreadInformationClass, PVOID ThreadInformation, ULONG ThreadInformationLength, PULONG ReturnLength); typedef enum _THREADINFOCLASS { ThreadBasicInformation, ThreadTimes, ThreadPriority, ThreadBasePriority, ThreadAffinityMask, ThreadImpersonationToken, ThreadDescriptorTableEntry, ThreadEnableAlignmentFaultFixup, ThreadEventPair_Reusable, ThreadQuerySetWin32StartAddress, ThreadZeroTlsCell, ThreadPerformanceCount, ThreadAmILastThread, ThreadIdealProcessor, ThreadPriorityBoost, ThreadSetTlsArrayAddress, // Obsolete ThreadIsIoPending, ThreadHideFromDebugger, ThreadBreakOnTermination, ThreadSwitchLegacyState, ThreadIsTerminated, ThreadLastSystemCall, ThreadIoPriority, ThreadCycleTime, ThreadPagePriority, ThreadActualBasePriority, ThreadTebInformation, ThreadCSwitchMon, // Obsolete ThreadCSwitchPmu, ThreadWow64Context, ThreadGroupInformation, ThreadUmsInformation, // UMS ThreadCounterProfiling, ThreadIdealProcessorEx, MaxThreadInfoClass } THREADINFOCLASS; const unsigned int SE_SHUTDOWN_PRIVILEGE = 0x13; #define SystemHandleInformation 0x10 //16 #define ZwGetCurrentProcess -1 #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) typedef struct HOOK { DWORD HOOKAddress;//要HOOK的地址 DWORD JMPAddress; //HOOK代码的地址 BYTE HOOKbyte[10];//保存被JMP覆盖的字节 DWORD HOOKbyte_length;//被JMP修改的字节长度 }HOOK;

 

转载于:https://www.cnblogs.com/IMyLife/p/4826286.html