
2014-09-17 15:04:35



demo1

  1. #include "stdafx.h"
  2. #include <Windows.h>
  3. #include <dbghelp.h>
  4. #pragma comment( lib, "dbghelp.lib")

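// Replace one import-address-table (IAT) slot of the module hmodCaller.
//
// Walks hmodCaller's import directory for the descriptor that names
// pszCalleeModName (case-insensitive), then scans that descriptor's
// first-thunk array for the slot currently holding pfnCurent and stores
// pfnNew in it.
//
// Params:
//   pszCalleeModName - name of the imported DLL, e.g. "user32.dll"
//   pfnCurent        - address currently stored in the IAT slot
//   pfnNew           - address to store in its place
//   hmodCaller       - load address of the module whose IAT is patched
// Returns: the previous slot contents as an integer, or 0 when an argument
//   is NULL, the module has no import directory, pszCalleeModName is not
//   imported, no slot holds pfnCurent, or the page could not be made
//   writable.  ULONG_PTR rather than ULONG so the value is not truncated
//   on 64-bit builds (callers cast it back to PROC either way).
ULONG_PTR ReplaceIATEntryInOneMod( PCSTR pszCalleeModName,
                                   PROC pfnCurent, PROC pfnNew, HMODULE hmodCaller)
{
    if ( NULL == pszCalleeModName || NULL == hmodCaller )
        return 0;

    ULONG ulSize = 0;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc = ( PIMAGE_IMPORT_DESCRIPTOR )
        ImageDirectoryEntryToData( hmodCaller, TRUE,
        IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize );

    if ( NULL == pImportDesc )
        return 0;

    // The descriptor array ends with an entry whose Name RVA is 0.
    for ( ; pImportDesc->Name; pImportDesc++)
    {
        PCSTR pszModName = (PCSTR)((PBYTE) hmodCaller + pImportDesc->Name );
        if ( 0 == lstrcmpiA( pszModName, pszCalleeModName) )
            break;
    }

    if ( 0 == pImportDesc->Name )
        return 0;

    // The thunk array ends with an entry whose Function field is 0.
    PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)
        ((PBYTE) hmodCaller + pImportDesc->FirstThunk );
    for (; pThunk->u1.Function; pThunk++ )
    {
        PROC *ppfn = ( PROC *)&pThunk->u1.Function;
        if ( *ppfn != pfnCurent )
            continue;

        // Change the protection of the IAT slot itself, not of pfnCurent
        // (the callee's code page): protecting the wrong page and then
        // restoring that page's old flags onto the IAT page can leave a
        // data page executable.
        DWORD dwOldProtect = 0;
        if ( !VirtualProtect( ppfn, sizeof(PROC), PAGE_READWRITE, &dwOldProtect ) )
            return 0;

        // Read the old value into a pointer-sized local; reading
        // sizeof(PROC) bytes into a ULONG overruns it on 64-bit builds.
        PROC pfnOld = *ppfn;
        BOOL bWritten = WriteProcessMemory( GetCurrentProcess(),
            ppfn,
            &pfnNew,
            sizeof(pfnNew),
            NULL );

        // lpflOldProtect must be a valid pointer; VirtualProtect fails
        // when it is NULL, which would leave the page read-write.
        VirtualProtect( ppfn, sizeof(PROC), dwOldProtect, &dwOldProtect );
        return bWritten ? (ULONG_PTR)pfnOld : 0;
    }

    return 0;
}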

// Address of the original MessageBoxW import.  Set by _tmain once the IAT
// slot has been replaced; MyMessageBoxW forwards to it.
PROC g_Proc = NULL;

// Signature of MessageBoxW, used to call the original through g_Proc.
typedef int (WINAPI *PMyMessageBoxW)(__in_opt HWND hWnd, __in_opt LPCWSTR lpText,
                                     __in_opt LPCWSTR lpCaption, __in UINT uType);
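// Replacement for MessageBoxW installed in this module's IAT: echoes the
// text and caption to stdout, then forwards to the original MessageBoxW
// saved in g_Proc.
//
// Params mirror MessageBoxW; lpText and lpCaption may be NULL.
// Returns: the original MessageBoxW's result, or 0 when g_Proc was never
//   set.  Calling MessageBoxW by name from here is not an option, because
//   that call would go back through the patched IAT slot into this hook.
int
WINAPI
MyMessageBoxW(
             __in_opt HWND hWnd,
             __in_opt LPCWSTR lpText,
             __in_opt LPCWSTR lpCaption,
             __in UINT uType)
{
    // %ls is the standard conversion for a wide string; plain %s in a wide
    // format string is narrow in standard C and only wide under MSVC.
    // Passing NULL for %ls is undefined, so substitute a visible marker.
    wprintf(L"%ls\n", lpText ? lpText : L"(null)" );
    wprintf(L"%ls\n", lpCaption ? lpCaption : L"(null)" );

    if ( NULL == g_Proc )
        return 0;

    return ((PMyMessageBoxW)g_Proc)(
        hWnd,
        lpText,
        lpCaption,
        uType);
}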
// Pseudo-variable placed by the MSVC linker at the load address of this
// image; &__ImageBase is used in _tmain as the HMODULE of the executable.
extern "C" IMAGE_DOS_HEADER __ImageBase;





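// Demo entry point: redirect this executable's import of MessageBoxW to
// MyMessageBoxW, trigger one call through the patched slot, then put the
// original address back before exiting.
int _tmain(int argc, _TCHAR* argv[])
{
    HMODULE hSelf = (HMODULE)&__ImageBase;

    g_Proc = (PROC)ReplaceIATEntryInOneMod(
        "user32.dll",
        (PROC)MessageBoxW,
        (PROC)MyMessageBoxW,
        hSelf);

    // A zero result means no slot holding MessageBoxW was found.
    // MyMessageBoxW cannot forward without the original address, so stop.
    if ( NULL == g_Proc )
    {
        wprintf(L"IAT entry for MessageBoxW not found\n");
        return 1;
    }

    MessageBoxW(NULL, L"TEST", L"HOOK", MB_OK );

    // Undo the patch so the process exits with its IAT unmodified.
    ReplaceIATEntryInOneMod("user32.dll", (PROC)MyMessageBoxW, g_Proc, hSelf);
    g_Proc = NULL;

    return 0;
}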
demo2

  1. // hooktest.cpp : Defines the entry point for the console application.
  2. //

  3. #include "stdafx.h"
  4. #include <Windows.h>

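// Replace the IAT slot of hHookModule that imports pfnHookFunAddr from
// szDllName with pfnNewFundAddr.  Returns the address previously in the
// slot, or NULL when the import was not found.  Defined after _tmain;
// parameter names here match the definition.
PROC install_api_hook(
                     HMODULE hHookModule,
                     const char * szDllName,
                     PROC pfnHookFunAddr,
                     PROC pfnNewFundAddr
                     );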

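// Report whether hModule's import address table currently contains
// FunctionAddress in any of its first-thunk arrays.
//
// Params:
//   hModule         - load address of the module to inspect
//   FunctionAddress - value to look for; ULONG_PTR so a 64-bit pointer is
//                     not narrowed to 32 bits before the comparison
// Returns: TRUE when a slot holding FunctionAddress is found; FALSE when
//   hModule is NULL, the headers are not a PE image, the module has no
//   import directory, or no slot matches.
BOOL TestFunctionInIAT( HMODULE hModule, ULONG_PTR FunctionAddress )
{
    if ( NULL == hModule )
        return FALSE;

    unsigned char *pBaseAddr = reinterpret_cast<unsigned char *>(hModule);

    // The DOS header sits at the load address; e_lfanew locates the NT headers.
    PIMAGE_DOS_HEADER pDosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(pBaseAddr);
    if ( IMAGE_DOS_SIGNATURE != pDosHeader->e_magic )
        return FALSE;

    PIMAGE_NT_HEADERS pNtHeader = reinterpret_cast<PIMAGE_NT_HEADERS>(
        pBaseAddr + pDosHeader->e_lfanew );
    if ( IMAGE_NT_SIGNATURE != pNtHeader->Signature )
        return FALSE;

    // Import directory entry of the optional header.  A zero RVA means the
    // module imports nothing; dereferencing base+0 as a descriptor array
    // would read the DOS header as garbage.
    PIMAGE_DATA_DIRECTORY pIATDataDirectory =
        &(pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]);
    if ( 0 == pIATDataDirectory->VirtualAddress )
        return FALSE;

    // One descriptor per imported DLL, terminated by an entry whose Name is 0.
    PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor = reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(
        pBaseAddr + pIATDataDirectory->VirtualAddress );

    for ( ; pImportDescriptor->Name != 0; ++pImportDescriptor )
    {
        // FirstThunk points at this DLL's IAT slots, terminated by a 0 entry.
        PIMAGE_THUNK_DATA pThunkData = reinterpret_cast<PIMAGE_THUNK_DATA>(
            pBaseAddr + pImportDescriptor->FirstThunk);
        for ( ; pThunkData->u1.Function != 0; ++pThunkData )
        {
            // u1.Function is pointer-sized; compare it whole instead of
            // through a ULONG* view that drops the high half on x64.
            if ( static_cast<ULONG_PTR>(pThunkData->u1.Function) == FunctionAddress )
                return TRUE;
        }
    }

    return FALSE;
}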

// Signature of CreateProcessW, used to call the saved original through
// g_CreateFunc.
typedef BOOL (WINAPI *PCreateProcessW)(
    __in_opt LPCWSTR lpApplicationName, __inout_opt LPWSTR lpCommandLine,
    __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
    __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
    __in BOOL bInheritHandles, __in DWORD dwCreationFlags,
    __in_opt LPVOID lpEnvironment, __in_opt LPCWSTR lpCurrentDirectory,
    __in LPSTARTUPINFOW lpStartupInfo,
    __out LPPROCESS_INFORMATION lpProcessInformation);

// Original CreateProcessW address returned by install_api_hook; NULL until
// the slot has been replaced.
PROC g_CreateFunc = NULL;

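// Replacement for CreateProcessW placed in this module's IAT: shows the
// requested command line in a message box, then forwards to the original
// function saved in g_CreateFunc.
//
// Params/returns mirror CreateProcessW.  Returns FALSE when g_CreateFunc
// is NULL (no original was saved), since calling CreateProcessW by name
// from here would come straight back through the patched slot.
BOOL WINAPI MyCreateProcessW(
                             __in_opt LPCWSTR lpApplicationName,
                             __inout_opt LPWSTR lpCommandLine,
                             __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
                             __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
                             __in BOOL bInheritHandles,
                             __in DWORD dwCreationFlags,
                             __in_opt LPVOID lpEnvironment,
                             __in_opt LPCWSTR lpCurrentDirectory,
                             __in LPSTARTUPINFOW lpStartupInfo,
                             __out LPPROCESS_INFORMATION lpProcessInformation)
{
    // Either name may be NULL; show whichever one the caller supplied.
    LPCWSTR pszShown = lpCommandLine ? lpCommandLine : lpApplicationName;
    MessageBoxW(NULL, pszShown, L"CreateProcessW", MB_OK);

    if ( NULL == g_CreateFunc )
        return FALSE;

    return ((PCreateProcessW)g_CreateFunc)(
        lpApplicationName,
        lpCommandLine,
        lpProcessAttributes,
        lpThreadAttributes,
        bInheritHandles,
        dwCreationFlags,
        lpEnvironment,
        lpCurrentDirectory,
        lpStartupInfo,
        lpProcessInformation);
}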

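// Demo entry point: find this executable's module handle, confirm that
// CreateProcessW appears in its IAT, redirect that slot to
// MyCreateProcessW, launch notepad through the patched import, then
// restore the slot and release the process handles.
int _tmain(int argc, _TCHAR* argv[])
{
    HMODULE hModule = NULL;
    // FROM_ADDRESS resolves the module that contains the given code
    // address, i.e. this executable.
    if ( !GetModuleHandleEx(
            GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS,
            (LPCTSTR)TestFunctionInIAT,
            &hModule) || NULL == hModule )
    {
        printf("GetModuleHandleEx failed: %lu\n", GetLastError());
        return 1;
    }

    BOOL bReturn = TestFunctionInIAT( hModule , (ULONG_PTR)CreateProcessW );
    if ( bReturn )
    {
        printf("Found address CreateProcessW!\n");
    }
    else
    {
        printf("found failed!\n");
    }

    g_CreateFunc = install_api_hook(hModule, "kernel32.dll", (PROC)CreateProcessW, (PROC)MyCreateProcessW);
    // NULL means the slot was not replaced; MyCreateProcessW would have
    // nothing to forward to.
    if ( NULL == g_CreateFunc )
    {
        printf("install_api_hook failed: import not found\n");
        return 1;
    }

    // Writable buffer: CreateProcessW may modify lpCommandLine in place.
    wchar_t szProcessName[] = L"notepad.exe";
    STARTUPINFOW si = {sizeof(si)};   // explicit W form to match CreateProcessW
    PROCESS_INFORMATION pi = {0};
    if ( CreateProcessW(NULL,
            szProcessName,
            NULL,
            NULL,
            FALSE,
            0,
            NULL,
            NULL,
            &si,
            &pi) )
    {
        // The caller owns both handles; leaving them open leaks them.
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
    else
    {
        printf("CreateProcessW failed: %lu\n", GetLastError());
    }

    // Put the original address back so the IAT is unmodified at exit.
    install_api_hook(hModule, "kernel32.dll", (PROC)MyCreateProcessW, g_CreateFunc);
    g_CreateFunc = NULL;

    return 0;
}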

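// Replace one IAT slot of hHookModule.
//
// Walks the module's import descriptors for the one naming szDllName
// (case-insensitive), then scans that descriptor's first-thunk array for
// the slot holding pfnHookFunAddr and stores pfnNewFundAddr in it.
//
// Params:
//   hHookModule    - load address of the module whose IAT is patched
//   szDllName      - imported DLL name, e.g. "kernel32.dll"
//   pfnHookFunAddr - address currently in the slot
//   pfnNewFundAddr - address to store in the slot
// Returns: the previous slot contents, or NULL when an argument is NULL,
//   the headers are not a PE image, the module has no import directory,
//   szDllName is not imported, no slot matches, or the page could not be
//   made writable.
PROC install_api_hook(
                     HMODULE hHookModule,
                     const char * szDllName,
                     PROC pfnHookFunAddr,
                     PROC pfnNewFundAddr
                     )
{
    PROC pOrigFunc = NULL;

    if ( NULL == hHookModule || NULL == szDllName )
        return pOrigFunc;

    unsigned char *pBaseAddr =
        reinterpret_cast<unsigned char *>(hHookModule);

    PIMAGE_DOS_HEADER pDosHeader =
        reinterpret_cast<PIMAGE_DOS_HEADER>(pBaseAddr);
    if ( IMAGE_DOS_SIGNATURE != pDosHeader->e_magic )
        return pOrigFunc;

    PIMAGE_NT_HEADERS pNtHeader =
        reinterpret_cast<PIMAGE_NT_HEADERS>(
        pBaseAddr + pDosHeader->e_lfanew );
    if ( IMAGE_NT_SIGNATURE != pNtHeader->Signature )
        return pOrigFunc;

    // A zero import-directory RVA means no imports at all; treating the
    // DOS header as a descriptor array would read garbage.
    PIMAGE_DATA_DIRECTORY pIATDataDirectory =
        &(pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]);
    if ( 0 == pIATDataDirectory->VirtualAddress )
        return pOrigFunc;

    PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor =
        reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(
        pBaseAddr + pIATDataDirectory->VirtualAddress );

    // The descriptor array ends with an entry whose Name RVA is 0.
    for ( ; pImportDescriptor->Name; pImportDescriptor++ )
    {
        const char* pszModName =
            reinterpret_cast<const char*>(
            pBaseAddr + pImportDescriptor->Name);
        if ( 0 == lstrcmpiA( pszModName, szDllName ) )
        {
            break;
        }
    }

    if ( 0 == pImportDescriptor->Name )
    {
        return pOrigFunc;
    }

    // Advance the thunk pointer on every iteration; the terminator is a
    // zero Function field.  Without the increment the loop never ends
    // when the first slot is not the one being looked for.
    PIMAGE_THUNK_DATA pThunkData =
        reinterpret_cast<PIMAGE_THUNK_DATA>(
        pBaseAddr + pImportDescriptor->FirstThunk);
    for ( ; pThunkData->u1.Function != 0; ++pThunkData )
    {
        PROC *ppFunc = reinterpret_cast<PROC*>(
            &pThunkData->u1.Function);
        if ( *ppFunc != pfnHookFunAddr )
        {
            continue;
        }

        // The resolved IAT is normally not writable; make just this
        // slot's page writable for the store and bail out if that fails.
        DWORD dwOldProtect = 0;
        if ( !VirtualProtect( ppFunc, sizeof(PROC), PAGE_READWRITE, &dwOldProtect ) )
        {
            return NULL;
        }

        pOrigFunc = *ppFunc;
        CopyMemory(ppFunc, &pfnNewFundAddr, sizeof(PROC));

        // lpflOldProtect must be a valid pointer; VirtualProtect fails
        // when it is NULL, which would leave the page read-write.
        VirtualProtect( ppFunc, sizeof(PROC), dwOldProtect, &dwOldProtect );
        break;
    }

    return pOrigFunc;
}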
demo3

  1. // JmpHook.cpp : Defines the entry point for the console application.
  2. //

  3. #include "stdafx.h"
  4. #include <windows.h>

// Write a 5-byte jump at pfnOrigAddr that lands on pfnNewAddr, saving the
// overwritten bytes in g_StubCode first.
void set_hook(PROC pfnOrigAddr, PROC pfnNewAddr );
// Copy the bytes saved by set_hook back to pfnOrigAddr.
void restore_hook(PROC pfnOrigAddr);

// Original leading bytes of the patched function (5 of the 6 slots are used).
unsigned char g_StubCode[6] = {0};
// Address of the real CreateProcessW, resolved in _tmain.
PROC g_CreateFunc = 0;

// Signature of CreateProcessW; g_CreateFunc is cast to this before the
// original is called from MyCreateProcessW1.
typedef BOOL (WINAPI *PCreateProcessW)(
    __in_opt LPCWSTR lpApplicationName, __inout_opt LPWSTR lpCommandLine,
    __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
    __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
    __in BOOL bInheritHandles, __in DWORD dwCreationFlags,
    __in_opt LPVOID lpEnvironment, __in_opt LPCWSTR lpCurrentDirectory,
    __in LPSTARTUPINFOW lpStartupInfo,
    __out LPPROCESS_INFORMATION lpProcessInformation);

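// Function that the jump written by set_hook lands on.  Because the first
// bytes of CreateProcessW are overwritten by that jump, the original cannot
// be called while it is in place: the patch is removed, the original is
// called, and the patch is written again.
//
// Params/returns mirror CreateProcessW.  Returns FALSE when g_CreateFunc
// is NULL, since there is then nothing to restore or call.
//
// Between restore_hook and set_hook no hook is present and the bytes are
// rewritten from this thread without any synchronisation: another thread
// calling CreateProcessW in that window bypasses the hook, and two threads
// reaching this function at once can patch concurrently.
BOOL WINAPI MyCreateProcessW1(
                             __in_opt LPCWSTR lpApplicationName,
                             __inout_opt LPWSTR lpCommandLine,
                             __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
                             __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
                             __in BOOL bInheritHandles,
                             __in DWORD dwCreationFlags,
                             __in_opt LPVOID lpEnvironment,
                             __in_opt LPCWSTR lpCurrentDirectory,
                             __in LPSTARTUPINFOW lpStartupInfo,
                             __out LPPROCESS_INFORMATION lpProcessInformation)
{
    if ( NULL == g_CreateFunc )
        return FALSE;

    restore_hook(g_CreateFunc);

    MessageBoxW(NULL, lpCommandLine, L"CreateProcessW", MB_OK);

    BOOL bRetCode = ((PCreateProcessW)g_CreateFunc)(
        lpApplicationName,
        lpCommandLine,
        lpProcessAttributes,
        lpThreadAttributes,
        bInheritHandles,
        dwCreationFlags,
        lpEnvironment,
        lpCurrentDirectory,
        lpStartupInfo,
        lpProcessInformation);

    // Callers read GetLastError() after a failed CreateProcessW; the
    // VirtualProtect calls inside set_hook may overwrite it, so keep it.
    DWORD dwLastError = GetLastError();
    set_hook(g_CreateFunc, (PROC)MyCreateProcessW1);
    SetLastError(dwLastError);

    return bRetCode;
}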


// Overwrite the first 5 bytes of pfnOrigAddr with a relative jump
// (opcode 0xE9 followed by a 32-bit displacement) to pfnNewAddr, after
// saving the original 5 bytes in g_StubCode for restore_hook.
//
// Params:
//   pfnOrigAddr - function whose entry bytes are replaced
//   pfnNewAddr  - address the jump lands on
//
// Limitations visible in this code: the displacement is truncated to
// ULONG, so both addresses must be within 32-bit reach of each other
// (true in a 32-bit process, not guaranteed in a 64-bit one); the
// VirtualProtect results are not checked, and the final call passes NULL
// for lpflOldProtect, which the documented API contract rejects; the page
// has no execute permission while the bytes are being written; and the
// write is a plain 5-byte copy, not atomic with respect to other threads.
void set_hook(PROC pfnOrigAddr, PROC pfnNewAddr )
{
    unsigned char *pSrcAddr =
        reinterpret_cast<unsigned char *>( pfnOrigAddr );

    unsigned char *pDestAddr =
        reinterpret_cast<unsigned char *>( pfnNewAddr );

    // The displacement is measured from the end of the 5-byte instruction.
    ULONG uOperand = static_cast<ULONG>
        ( pDestAddr - (pSrcAddr + 5) );

    // Keep a copy of the bytes about to be overwritten.
    CopyMemory(g_StubCode, pSrcAddr, 5);

    DWORD dwOldProtect = 0;
    VirtualProtect( pSrcAddr, 5, PAGE_READWRITE, &dwOldProtect );

    unsigned char szJMPCode[5] = {0xE9};
    CopyMemory(&szJMPCode[1], &uOperand, 4);
    CopyMemory(pSrcAddr, szJMPCode, 5 );

    VirtualProtect( pSrcAddr, 5, dwOldProtect, NULL );
}

// Copy the 5 bytes saved by set_hook back over the entry of pfnOrigAddr,
// removing the jump.  Only meaningful after set_hook has run; before that
// g_StubCode holds zeros.
//
// Params:
//   pfnOrigAddr - function whose entry bytes are restored
//
// As in set_hook, the VirtualProtect results are not checked and the final
// call passes NULL for lpflOldProtect, which the documented API contract
// rejects, so the original protection may not be reinstated.
void restore_hook(PROC pfnOrigAddr)
{
    unsigned char *pSrcAddr =
        reinterpret_cast<unsigned char *>( pfnOrigAddr );
    DWORD dwOldProtect = 0;
    VirtualProtect( pSrcAddr, 5, PAGE_READWRITE, &dwOldProtect );
    CopyMemory(pSrcAddr, g_StubCode, 5);
    VirtualProtect( pSrcAddr, 5, dwOldProtect, NULL );
}

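// Demo entry point: resolve CreateProcessW, patch its entry with a jump to
// MyCreateProcessW1, launch notepad so the patched entry runs, then remove
// the patch and release the process handles.
int _tmain(int argc, _TCHAR* argv[])
{
    // Name the W variant explicitly: the wide literal only matches the
    // TCHAR form of GetModuleHandle when UNICODE is defined.
    HMODULE hKernel32 = GetModuleHandleW(L"kernel32.dll");
    if ( NULL == hKernel32 )
    {
        printf("GetModuleHandleW failed: %lu\n", GetLastError());
        return 1;
    }

    // A NULL result would make set_hook write to address 0.
    g_CreateFunc = GetProcAddress(hKernel32, "CreateProcessW");
    if ( NULL == g_CreateFunc )
    {
        printf("GetProcAddress failed: %lu\n", GetLastError());
        return 1;
    }

    set_hook(g_CreateFunc, (PROC)MyCreateProcessW1);

    // Writable buffer: CreateProcessW may modify lpCommandLine in place.
    wchar_t szProcessName[] = L"notepad.exe";
    STARTUPINFOW si = {sizeof(si)};   // explicit W form to match CreateProcessW
    PROCESS_INFORMATION pi = {0};
    if ( CreateProcessW(NULL,
            szProcessName,
            NULL,
            NULL,
            FALSE,
            0,
            NULL,
            NULL,
            &si,
            &pi) )
    {
        // The caller owns both handles; leaving them open leaks them.
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
    else
    {
        printf("CreateProcessW failed: %lu\n", GetLastError());
    }

    // Put the original bytes back so kernel32 is unmodified at exit.
    restore_hook(g_CreateFunc);
    g_CreateFunc = NULL;

    return 0;
}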
