Description: Start.exe installs the WH_GETMESSAGE hook exported by Insert.dll. In the hook callback, the DLL checks whether the current process ID is the Explorer process ID that Start.exe looked up beforehand; if it is, it calls LoadLibrary(Insert.dll) once more (so the module stays mapped after the hook is removed) and locates its ThreadPro function. It then creates a new thread whose thread function is ThreadPro. That new thread first posts a WM_QUIT message to Start.exe's message queue, which ends Start.exe's message loop. At this point the thread injection is complete: a constantly changing number in the upper-left corner of the screen shows that our code is running, yet Start.exe no longer appears in the process list. Inspecting Explorer with a process manager shows that it has indeed gained one extra thread, and that the thread comes from Insert.dll. To end the thread injected into Explorer, press Alt+L. :) Platform: |
Size: 26257 |
Author:pangguigao |
Hits:
Description: 1. Card-issuing server: Server
Project file: autojet.prj
2. Billing client: Client
Project files: internet.prj
Explorer.prj
Start Explorer.exe first, then start internet.exe
3. Database scripts: INIT(原版).SQL (original version) and New init.sql (new version); database name NetBar
4. Dynamic link libraries: NETBAR.dll hookdll.dll
5. The System ID of 大学生公寓城 (the "University Student Apartment City" site) is 5046
All other program notes are in the text files shipped inside the program.
Platform: |
Size: 2728960 |
Author:陈万通 |
Hits:
Description: Start.exe installs the WH_GETMESSAGE hook exported by Insert.dll. In the hook callback, the DLL checks whether the current process ID is the Explorer process ID that Start.exe looked up beforehand; if it is, it calls LoadLibrary(Insert.dll) once more (so the module stays mapped after the hook is removed) and locates its ThreadPro function. It then creates a new thread whose thread function is ThreadPro. That new thread first posts a WM_QUIT message to Start.exe's message queue, which ends Start.exe's message loop. At this point the thread injection is complete: a constantly changing number in the upper-left corner of the screen shows that our code is running, yet Start.exe no longer appears in the process list. Inspecting Explorer with a process manager shows that it has indeed gained one extra thread, and that the thread comes from Insert.dll. To end the thread injected into Explorer, press Alt+L. :) Platform: |
Size: 25600 |
Author:pangguigao |
Hits:
Description: Start.exe installs the WH_GETMESSAGE hook from Insert.dll. Whenever any process retrieves a message from its message queue, Insert.dll is loaded into that process's address space. In its entry code, Insert.dll checks the module name of the process it has just been loaded into; if it is Explorer, it creates a thread and posts a message telling Start.exe to exit. A thread created at this point naturally belongs to the Explorer process, and that is the key to the whole technique. In addition, the thread creates a window from which the IE home page can be set. :~) Platform: |
Size: 29696 |
Author:hss |
Hits:
Description: Purpose: - Implement remote code injection
- Usermode hook (ntdll -> NtQueryDirectoryFile)
Note: This is only a POC that hides a file from explorer.exe
Hiding a file via usermode code injection into explorer.exe
You can restart explorer.exe to unhook Platform: |
Size: 7168 |
Author:nofear0720 |
Hits:
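The core of a hook like this is what it does to the output buffer once the real NtQueryDirectoryFile has returned: it walks the chain of FILE_BOTH_DIR_INFORMATION records linked by NextEntryOffset and unlinks the one it wants hidden. The C below is an added example written for this page, not the POC's code. It spells the record layout out with fixed-width types so it builds on any platform, constructs a sample listing in memory (there is no real directory query), and handles the three cases a naive filter gets wrong: the hidden record is first (the rest of the chain has to be moved down), last (the predecessor's offset becomes 0), or the only one (the hook must then report STATUS_NO_MORE_FILES rather than an empty success). The name secret.txt, the 8-byte record alignment used by the builder, and all helper names are this example's own assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FILE_BOTH_DIR_INFORMATION as laid out in ntifs.h, with fixed-width types so
 * the example builds outside Windows. Records are chained by NextEntryOffset
 * (bytes from this record to the next); the last record has 0 there. */
typedef struct {
    uint32_t NextEntryOffset, FileIndex;
    int64_t  CreationTime, LastAccessTime, LastWriteTime, ChangeTime, EndOfFile, AllocationSize;
    uint32_t FileAttributes, FileNameLength /* bytes of UTF-16, not NUL-terminated */, EaSize;
    uint8_t  ShortNameLength;
    uint16_t ShortName[12];
    uint16_t FileName[1];      /* variable length, starts at offset 94 */
} FILE_BOTH_DIR_INFORMATION;

#define NAME_OFFSET offsetof(FILE_BOTH_DIR_INFORMATION, FileName)
#define NAME_AT(e)  ((uint16_t *)((uint8_t *)(e) + NAME_OFFSET))

static FILE_BOTH_DIR_INFORMATION *next_entry(FILE_BOTH_DIR_INFORMATION *e)
{
    return e->NextEntryOffset ? (FILE_BOTH_DIR_INFORMATION *)((uint8_t *)e + e->NextEntryOffset) : NULL;
}

/* Case-insensitive compare of a record's UTF-16 name with an ASCII target. */
static int name_matches(FILE_BOTH_DIR_INFORMATION *e, const char *ascii)
{
    size_t n = strlen(ascii);
    if (e->FileNameLength != n * 2) return 0;
    for (size_t i = 0; i < n; i++)
        if (NAME_AT(e)[i] > 127 || tolower(NAME_AT(e)[i]) != tolower((unsigned char)ascii[i])) return 0;
    return 1;
}

/* Bytes from record e through the end of the last record in its chain. */
static size_t chain_bytes(FILE_BOTH_DIR_INFORMATION *e)
{
    uint8_t *start = (uint8_t *)e;
    while (e->NextEntryOffset) e = next_entry(e);
    return (size_t)((uint8_t *)e - start) + NAME_OFFSET + e->FileNameLength;
}

/* What the hook does to the output buffer after the real NtQueryDirectoryFile
 * succeeded: unlink every record named `hide`. Returns the records left; 0 means
 * the hook should return STATUS_NO_MORE_FILES instead of an empty "success". */
int filter_listing(void *buf, const char *hide)
{
    FILE_BOTH_DIR_INFORMATION *prev = NULL, *cur = buf;
    int kept = 0;
    while (cur) {
        FILE_BOTH_DIR_INFORMATION *next = next_entry(cur);
        if (!name_matches(cur, hide)) { kept++; prev = cur; cur = next; continue; }
        if (prev) {          /* middle or last record: point prev past cur */
            prev->NextEntryOffset = next ? (uint32_t)((uint8_t *)next - (uint8_t *)prev) : 0;
            cur = next;
        } else if (next) {   /* first record: slide the rest of the chain down over it */
            memmove(cur, next, chain_bytes(next));   /* cur now holds old next; re-examined */
        } else {             /* the only record */
            return kept;
        }
    }
    return kept;
}

/* Constructed sample listing (not from a real directory query), with records
 * 8-byte aligned as the kernel emits them. Returns the bytes used. */
size_t build_listing(uint8_t *buf, const char *const *names, int count)
{
    size_t off = 0;
    for (int i = 0; i < count; i++) {
        FILE_BOTH_DIR_INFORMATION *e = (FILE_BOTH_DIR_INFORMATION *)(buf + off);
        size_t n = strlen(names[i]), size = (NAME_OFFSET + n * 2 + 7) & ~(size_t)7;
        memset(e, 0, size);
        e->FileNameLength = (uint32_t)(n * 2);
        for (size_t k = 0; k < n; k++) NAME_AT(e)[k] = (uint16_t)(unsigned char)names[i][k];
        e->NextEntryOffset = (i == count - 1) ? 0 : (uint32_t)size;
        off += size;
    }
    return off;
}

/* ASCII name of the index-th record still in the chain; 0 if there is none. */
int entry_name(void *buf, int index, char *out, size_t cap)
{
    FILE_BOTH_DIR_INFORMATION *e = buf;
    for (int i = 0; i < index; i++) if (!(e = next_entry(e))) return 0;
    size_t n = e->FileNameLength / 2;
    if (n + 1 > cap) return 0;
    for (size_t i = 0; i < n; i++) out[i] = (char)NAME_AT(e)[i];
    out[n] = '\0';
    return 1;
}

int main(void)
{
    static const char *const names[] = { "secret.txt", ".", "notes.txt" };
    uint64_t raw[64]; char name[64];    /* raw is 8-byte aligned like a real output buffer */
    build_listing((uint8_t *)raw, names, 3);
    for (int i = 0, kept = filter_listing(raw, "SECRET.TXT"); i < kept && entry_name(raw, i, name, sizeof name); i++)
        printf("visible: %s\n", name);
    return 0;
}
```

In the real hook the same filter runs only when the call succeeded and the FileInformationClass is one whose record begins with NextEntryOffset; other classes (FileNamesInformation, FileIdBothDirectoryInformation, and so on) have different name offsets, which is one reason such POCs hide a file in some views and not others.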
Description: IFileOperation COM hook code example
On Windows 7, file operations performed inside explorer.exe go through the IFileOperation COM interface, so the usual approach of hooking Win32 APIs such as DeleteFile no longer has any effect.
This example successfully hooks the NewItem, RenameItem, RenameItems, MoveItem, MoveItems, CopyItem, CopyItems, DeleteItem, DeleteItems and related methods.
Notes:
Searching Google turns up other COM hook code examples, but they have two major problems:
1. They can only hook once, after which file operations stop working.
2. After the DLL is un-injected, explorer.exe crashes outright.
This version does not fix these two problems.
If you need the full version, visit: http://www.csto.com/case/show/id:5177 Platform: |
Size: 74752 |
Author:海盗医生 |
Hits:
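A COM hook of this kind does not patch a method's code; it overwrites a slot in the object's vtable, the array of function pointers that every instance of the class shares, and saves the original pointer so the hook can forward the call. The C below is an added example written for this page, not the package's code. It models IFileOperation with a hypothetical two-method interface (only DeleteItem is hooked) and shows the two details behind the symptoms listed in the notes: installing the hook a second time must not overwrite the saved original with the hook itself (otherwise every call recurses into the hook and never reaches the real method), and the slot must be restored before the hooking DLL is unloaded (otherwise Explorer's next file operation jumps into unmapped memory). The C:\protected\ policy, the E_ACCESSDENIED result and all names are this example's own. On Windows the real vtable sits in a read-only section of the shell DLL, so the slot write needs VirtualProtect first; here the fake vtable is writable, so that call is left as a comment.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for IFileOperation: a COM object is a pointer to a
 * vtable, and one vtable is shared by every instance of the class, so
 * hooking it through any one object hooks them all. */
typedef struct IFakeFileOp IFakeFileOp;
typedef long HRESULT;
typedef struct {
    HRESULT (*DeleteItem)(IFakeFileOp *self, const char *path);
    HRESULT (*PerformOperations)(IFakeFileOp *self);
} IFakeFileOpVtbl;
struct IFakeFileOp { IFakeFileOpVtbl *lpVtbl; int pending; };

#define S_OK            ((HRESULT)0)
#define E_ACCESSDENIED  ((HRESULT)0x80070005L)

/* The "real" shell implementation behind the vtable. */
static int real_deletes;
static HRESULT real_DeleteItem(IFakeFileOp *self, const char *path)
{ (void)path; self->pending++; real_deletes++; return S_OK; }
static HRESULT real_PerformOperations(IFakeFileOp *self)
{ self->pending = 0; return S_OK; }
static IFakeFileOpVtbl shell_vtbl = { real_DeleteItem, real_PerformOperations };

IFakeFileOp *create_file_op(void)
{
    static IFakeFileOp obj = { &shell_vtbl, 0 };   /* constructed instance */
    return &obj;
}

/* Hook state: the saved original slot and the last path the hook refused. */
static HRESULT (*orig_DeleteItem)(IFakeFileOp *, const char *);
static char last_blocked[260];

static HRESULT hook_DeleteItem(IFakeFileOp *self, const char *path)
{
    /* Example policy: refuse deletes under C:\protected\, forward the rest. */
    if (strncmp(path, "C:\\protected\\", 13) == 0) {
        strncpy(last_blocked, path, sizeof last_blocked - 1);
        return E_ACCESSDENIED;
    }
    return orig_DeleteItem(self, path);
}

/* Install the hook on obj's class vtable. Returns 1 if installed now, 0 if it
 * was already in place. The already-hooked check is what stops a second
 * injection from saving hook_DeleteItem as the "original" and recursing. */
int hook_delete_item(IFakeFileOp *obj)
{
    IFakeFileOpVtbl *vt = obj->lpVtbl;
    if (vt->DeleteItem == hook_DeleteItem) return 0;
    orig_DeleteItem = vt->DeleteItem;
    /* Windows: VirtualProtect(&vt->DeleteItem, sizeof(void *), PAGE_READWRITE, &old) first. */
    vt->DeleteItem = hook_DeleteItem;
    return 1;
}

/* Restore the slot. Must run before the hooking DLL is unloaded, or the
 * vtable keeps pointing at code that no longer exists. */
int unhook_delete_item(IFakeFileOp *obj)
{
    IFakeFileOpVtbl *vt = obj->lpVtbl;
    if (vt->DeleteItem != hook_DeleteItem) return 0;
    vt->DeleteItem = orig_DeleteItem;
    orig_DeleteItem = NULL;
    return 1;
}

/* Call through the vtable exactly as Explorer would. */
HRESULT delete_via_com(IFakeFileOp *obj, const char *path)
{ return obj->lpVtbl->DeleteItem(obj, path); }

int real_delete_count(void) { return real_deletes; }
const char *last_blocked_path(void) { return last_blocked; }

int main(void)
{
    IFakeFileOp *op = create_file_op();
    printf("installed: %d, second install: %d\n", hook_delete_item(op), hook_delete_item(op));
    printf("C:\\protected\\keys.txt -> 0x%08lx\n", (unsigned long)delete_via_com(op, "C:\\protected\\keys.txt"));
    printf("C:\\tmp\\junk.txt -> 0x%08lx, real deletes: %d\n",
           (unsigned long)delete_via_com(op, "C:\\tmp\\junk.txt"), real_delete_count());
    printf("unhooked: %d\n", unhook_delete_item(op));
    return 0;
}
```

The same pattern covers the other methods the package lists (NewItem, RenameItem, MoveItems, CopyItems, ...): one saved original and one already-hooked check per slot, and a single unhook routine that restores every slot in DllMain's DLL_PROCESS_DETACH path before the module goes away.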