Windows 下 API hook 和 Windows hook 应用区别-ckelsel-ChinaUnix博客

// hooktest.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <Windows.h>
PROC install_api_hook(
HMODULE hHookModule,
const char * szDllName,
PROC uHookFunAddr,
PROC uNewFundAddr
);
BOOL TestFunctionInIAT( HMODULE hModule, ULONG FunctionAddress )
{
BOOL bReturn = FALSE;
unsigned char *pBaseAddr = reinterpret_cast<unsigned char *>(hModule);
// 获取DOS header 的位置
PIMAGE_DOS_HEADER pDosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(pBaseAddr);
// 获取NTImage header 的位置
PIMAGE_NT_HEADERS pNtHeader = reinterpret_cast<PIMAGE_NT_HEADERS>(
pBaseAddr + pDosHeader->e_lfanew );
// 获取 PE option header的位置
PIMAGE_OPTIONAL_HEADER pPEOptionHeader = &pNtHeader->OptionalHeader;
// 获取导入表的目录结构
PIMAGE_DATA_DIRECTORY pIATDataDirectory = &(pPEOptionHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]);
// 获取导入表 descriptor
PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor = reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(
pBaseAddr + pIATDataDirectory->VirtualAddress );
// 从pImportDescriptor 开始是一堆导入表，一张接着一张，直到
// 导入表的名字为空为止，其实就是对应Windows 的一个dll，有几张表，就表示
// 该模块依赖几个dll 的导出函数, Name 字段是dll的名称的相对虚拟地址
while ( pImportDescriptor->Name != 0 )
{
// thunk data 就是表示导入dll 中函数描述
PIMAGE_THUNK_DATA pThunkData = reinterpret_cast<PIMAGE_THUNK_DATA>(
pBaseAddr + pImportDescriptor->FirstThunk);
while( pThunkData->u1.Function != 0 )
{
ULONG *ppfn = ( ULONG *)&pThunkData->u1.Function;
if ( *ppfn == FunctionAddress )
{
bReturn = TRUE;
break;
}
++pThunkData;
}
++pImportDescriptor;
}
return bReturn;
}
PROC g_CreateFunc = NULL;
typedef BOOL (WINAPI *PCreateProcessW)(
__in_opt LPCWSTR lpApplicationName,
__inout_opt LPWSTR lpCommandLine,
__in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
__in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in BOOL bInheritHandles,
__in DWORD dwCreationFlags,
__in_opt LPVOID lpEnvironment,
__in_opt LPCWSTR lpCurrentDirectory,
__in LPSTARTUPINFOW lpStartupInfo,
__out LPPROCESS_INFORMATION lpProcessInformation);
BOOL WINAPI MyCreateProcessW(
__in_opt LPCWSTR lpApplicationName,
__inout_opt LPWSTR lpCommandLine,
__in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
__in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in BOOL bInheritHandles,
__in DWORD dwCreationFlags,
__in_opt LPVOID lpEnvironment,
__in_opt LPCWSTR lpCurrentDirectory,
__in LPSTARTUPINFOW lpStartupInfo,
__out LPPROCESS_INFORMATION lpProcessInformation)
{
MessageBoxW(NULL, lpCommandLine, L"CreateProcessW", MB_OK);
return ((PCreateProcessW)g_CreateFunc)(
lpApplicationName,
lpCommandLine,
lpProcessAttributes,
lpThreadAttributes,
bInheritHandles,
dwCreationFlags,
lpEnvironment,
lpCurrentDirectory,
lpStartupInfo,
lpProcessInformation);
}
int _tmain(int argc, _TCHAR* argv[])
{
HMODULE hModule = NULL;
GetModuleHandleEx(
GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS,
(LPCTSTR)TestFunctionInIAT,
&hModule);
BOOL bReturn = TestFunctionInIAT( hModule , (ULONG_PTR)CreateProcessW );
if ( bReturn )
{
printf("Found address CreateProcessW!\n");
}
else
{
printf("found failed!\n");
}
g_CreateFunc = install_api_hook(hModule, "kernel32.dll", (PROC)CreateProcessW, (PROC)MyCreateProcessW);
wchar_t szProcessName[] = L"notepad.exe";
STARTUPINFO si = {sizeof(si)};
PROCESS_INFORMATION pi;
CreateProcessW(NULL,
szProcessName,
NULL,
NULL,
FALSE,
0,
NULL,
NULL,
&si,
&pi);
return 0;
}
PROC install_api_hook(
HMODULE hHookModule,
const char * szDllName,
PROC pfnHookFunAddr,
PROC pfnNewFundAddr
)
{
PROC pOrigFunc = NULL;
unsigned char *pBaseAddr =
reinterpret_cast<unsigned char *>(hHookModule);
PIMAGE_DOS_HEADER pDosHeader =
reinterpret_cast<PIMAGE_DOS_HEADER>(pBaseAddr);
PIMAGE_NT_HEADERS pNtHeader =
reinterpret_cast<PIMAGE_NT_HEADERS>(
pBaseAddr + pDosHeader->e_lfanew );
PIMAGE_OPTIONAL_HEADER pPEOptionHeader =
&pNtHeader->OptionalHeader;
PIMAGE_DATA_DIRECTORY pIATDataDirectory =
&(pPEOptionHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]);
PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor =
reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(
pBaseAddr + pIATDataDirectory->VirtualAddress );
for ( ; pImportDescriptor->Name; pImportDescriptor++ )
{
const char* pszModName =
reinterpret_cast<const char*>(
pBaseAddr + pImportDescriptor->Name);
if ( 0 == lstrcmpiA( pszModName, szDllName ) )
{
break;
}
}
if ( 0 == pImportDescriptor->Name )
{
return pOrigFunc;
}
PIMAGE_THUNK_DATA pThunkData =
reinterpret_cast<PIMAGE_THUNK_DATA>(
pBaseAddr + pImportDescriptor->FirstThunk);
while( pThunkData->u1.Function != 0 )
{
PROC *ppFunc = reinterpret_cast<PROC*>(
&pThunkData->u1.Function);
if ( *ppFunc == pfnHookFunAddr )
{
DWORD dwOldProtect = 0;
VirtualProtect( ppFunc, sizeof(PROC), PAGE_READWRITE, &dwOldProtect );
pOrigFunc = *ppFunc;
CopyMemory(ppFunc, &pfnNewFundAddr, sizeof(PROC));
// SIZE_T stMemorySize = 0;
// WriteProcessMemory(
// GetCurrentProcess(),
// ppFunc,
// &uNewFundAddr,
// sizeof(*ppFunc),
// &stMemorySize);
VirtualProtect( ppFunc, sizeof(PROC), dwOldProtect, 0 );
break;
}
}
return pOrigFunc;
}

//demo3

// JmpHook.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <windows.h>
unsigned char g_StubCode[6] = {0x0};
PROC g_CreateFunc = 0;
void restore_hook(PROC pfnOrigAddr);
void set_hook(PROC pfnOrigAddr, PROC pfnNewAddr );
typedef BOOL (WINAPI *PCreateProcessW)(
__in_opt LPCWSTR lpApplicationName,
__inout_opt LPWSTR lpCommandLine,
__in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
__in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in BOOL bInheritHandles,
__in DWORD dwCreationFlags,
__in_opt LPVOID lpEnvironment,
__in_opt LPCWSTR lpCurrentDirectory,
__in LPSTARTUPINFOW lpStartupInfo,
__out LPPROCESS_INFORMATION lpProcessInformation);
BOOL WINAPI MyCreateProcessW1(
__in_opt LPCWSTR lpApplicationName,
__inout_opt LPWSTR lpCommandLine,
__in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
__in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in BOOL bInheritHandles,
__in DWORD dwCreationFlags,
__in_opt LPVOID lpEnvironment,
__in_opt LPCWSTR lpCurrentDirectory,
__in LPSTARTUPINFOW lpStartupInfo,
__out LPPROCESS_INFORMATION lpProcessInformation)
{
restore_hook(g_CreateFunc);
MessageBoxW(NULL, lpCommandLine, L"CreateProcessW", MB_OK);
BOOL bRetCode = ((PCreateProcessW)g_CreateFunc)(
lpApplicationName,
lpCommandLine,
lpProcessAttributes,
lpThreadAttributes,
bInheritHandles,
dwCreationFlags,
lpEnvironment,
lpCurrentDirectory,
lpStartupInfo,
lpProcessInformation);
set_hook(g_CreateFunc, (PROC)MyCreateProcessW1);
return bRetCode;
}
void set_hook(PROC pfnOrigAddr, PROC pfnNewAddr )
{
unsigned char *pSrcAddr =
reinterpret_cast<unsigned char *>( pfnOrigAddr );
unsigned char *pDestAddr =
reinterpret_cast<unsigned char *>( pfnNewAddr );
ULONG uOperand = static_cast<ULONG>
( pDestAddr - (pSrcAddr + 5) );
CopyMemory(g_StubCode, pSrcAddr, 5);
DWORD dwOldProtect = 0;
VirtualProtect( pSrcAddr, 5, PAGE_READWRITE, &dwOldProtect );
unsigned char szJMPCode[5] = {0xE9};
CopyMemory(&szJMPCode[1], &uOperand, 4);
CopyMemory(pSrcAddr, szJMPCode, 5 );
VirtualProtect( pSrcAddr, 5, dwOldProtect, NULL );
}
void restore_hook(PROC pfnOrigAddr)
{
unsigned char *pSrcAddr =
reinterpret_cast<unsigned char *>( pfnOrigAddr );
DWORD dwOldProtect = 0;
VirtualProtect( pSrcAddr, 5, PAGE_READWRITE, &dwOldProtect );
CopyMemory(pSrcAddr, g_StubCode, 5);
VirtualProtect( pSrcAddr, 5, dwOldProtect, NULL );
}
int _tmain(int argc, _TCHAR* argv[])
{
g_CreateFunc = GetProcAddress(GetModuleHandle(L"kernel32.dll"),"CreateProcessW");
set_hook(g_CreateFunc, (PROC)MyCreateProcessW1);
wchar_t szProcessName[] = L"notepad.exe";
STARTUPINFO si = {sizeof(si)};
PROCESS_INFORMATION pi;
CreateProcessW(NULL,
szProcessName,
NULL,
NULL,
FALSE,
0,
NULL,
NULL,
&si,
&pi);
return 0;
}

阅读(911) | 评论(0) | 转发(0) |

上一篇： Run-Time Check Failure #2 - Stack around the variable

下一篇：Detours vs. Mhook

给主人留下些什么吧！~~

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6