Windows 创建进程的函数:
把这个函数劫持以后注入到 explorer.exe 进程中便可。
现在注入到印象笔记中测试:
#include
<stdio.h>
#include
<windows.h>
#include
<string.h>
#include
"detours.h"
#pragma
comment
(
lib
,
"detours.lib"
)
// Function-pointer type matching the signature of kernel32's CreateProcessW.
typedef BOOL (WINAPI *CreateProcessW_fn)(
    LPCWSTR               lpApplicationName,
    LPWSTR                lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL                  bInheritHandles,
    DWORD                 dwCreationFlags,
    LPVOID                lpEnvironment,
    LPCWSTR               lpCurrentDirectory,
    LPSTARTUPINFOW        lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation);

// Holds the real CreateProcessW until Hook() runs. DetourAttach() takes the
// address of this variable and rewrites it to the trampoline, so calling
// through it afterwards still reaches the original implementation.
CreateProcessW_fn oldCreateProcessW = CreateProcessW;
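// Replacement for CreateProcessW installed by Hook().
//
// Every process-creation request made by the hooked process is refused: a
// message box is shown and FALSE is returned without calling the original API.
// The parameters mirror CreateProcessW exactly (application name, command line,
// process/thread security attributes, handle-inheritance flag, creation flags,
// environment block, working directory, STARTUPINFOW, PROCESS_INFORMATION);
// none of them is read, and lpProcessInformation is left untouched.
//
// Returns FALSE. A failing CreateProcessW is expected to leave a reason in the
// thread's last-error slot, so ERROR_ACCESS_DENIED is set before returning;
// the original returned 0 with whatever stale value GetLastError() held.
BOOL WINAPI newCreateProcessW(
    LPCWSTR               lpApplicationName,
    LPWSTR                lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL                  bInheritHandles,
    DWORD                 dwCreationFlags,
    LPVOID                lpEnvironment,
    LPCWSTR               lpCurrentDirectory,
    LPSTARTUPINFOW        lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation)
{
    // The request is rejected outright, so none of the arguments are inspected.
    (void)lpApplicationName;
    (void)lpCommandLine;
    (void)lpProcessAttributes;
    (void)lpThreadAttributes;
    (void)bInheritHandles;
    (void)dwCreationFlags;
    (void)lpEnvironment;
    (void)lpCurrentDirectory;
    (void)lpStartupInfo;
    (void)lpProcessInformation;

    // MessageBoxA is modal: the calling thread waits here until the box is dismissed.
    MessageBoxA(0, "系统进程已被劫持!", "系统警告", 0);

    // Set after the message box so that nothing in between can overwrite it.
    SetLastError(ERROR_ACCESS_DENIED);
    return FALSE;
}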
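// Installs the CreateProcessW detour in the current process.
//
// Returns TRUE when the Detours transaction committed and FALSE when any step
// failed; on failure the transaction is abandoned and nothing is patched. The
// original ignored every Detours return value, so a failed attach was silent.
// Each successful call rewrites oldCreateProcessW to the trampoline, so a
// second Hook() without an UnHook() in between appears to attach on top of the
// already-detoured pointer; callers should pair each Hook() with one UnHook().
BOOL Hook()
{
    // NOTE(review): DetourRestoreAfterWith() is documented for DllMain /
    // DLL_PROCESS_ATTACH after DetourCreateProcessWithDll; kept from the
    // original, but confirm it is actually needed on this path.
    DetourRestoreAfterWith();

    if (DetourTransactionBegin() != NO_ERROR) {
        return FALSE;
    }
    // Enlist the current thread so Detours can adjust its instruction pointer
    // if it sits inside the patched prologue at commit time.
    if (DetourUpdateThread(GetCurrentThread()) != NO_ERROR) {
        DetourTransactionAbort();
        return FALSE;
    }
    // Redirect CreateProcessW to newCreateProcessW; oldCreateProcessW is
    // rewritten to point at the trampoline that reaches the original code.
    if (DetourAttach((void **)&oldCreateProcessW, newCreateProcessW) != NO_ERROR) {
        DetourTransactionAbort();
        return FALSE;
    }
    // The patch takes effect only here; a non-zero result means nothing changed.
    return DetourTransactionCommit() == NO_ERROR;
}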
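// Removes the CreateProcessW detour installed by Hook().
//
// Returns TRUE when the Detours transaction committed and FALSE when any step
// failed; on failure the transaction is abandoned and the hook stays in place.
// The original ignored every Detours return value, so a failed detach left the
// hook active without any indication.
BOOL UnHook()
{
    if (DetourTransactionBegin() != NO_ERROR) {
        return FALSE;
    }
    // Enlist the current thread so Detours can adjust its instruction pointer
    // if it sits inside the patched prologue at commit time.
    if (DetourUpdateThread(GetCurrentThread()) != NO_ERROR) {
        DetourTransactionAbort();
        return FALSE;
    }
    // Undo the redirection; oldCreateProcessW is restored to the real API.
    if (DetourDetach((void **)&oldCreateProcessW, newCreateProcessW) != NO_ERROR) {
        DetourTransactionAbort();
        return FALSE;
    }
    // The restoration takes effect only here.
    return DetourTransactionCommit() == NO_ERROR;
}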
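// Exported entry point: announces itself, keeps the CreateProcessW hook in
// place for one minute, then removes it.
//
// The original re-ran Hook() on every iteration of a 60 x 1 s loop, so the
// detour was re-attached each second and detached only once at the end. It
// is now attached once, held for the same 60 seconds, and detached once.
// Blocks the calling thread for the whole minute (plus the modal message box).
__declspec(dllexport) void go()
{
    MessageBoxA(0, "系统进程劫持成功!", "系统信息", 0);

    Hook();

    // Sleep() takes milliseconds; hold the hook for 60 seconds as before.
    const DWORD kHookLifetimeMs = 60 * 1000;
    Sleep(kHookLifetimeMs);

    UnHook();
}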
劫持成功:
打开帮助的入门指南的时候: