HOOK是一種WINDOWS下存在很久的技術(shù)了。?
HOOK一般分兩種1。HOOK?MESSAGE??2。HOOK?API?本問討論的是HOOK?API。(如果你是HOOK高手就不要看了)?
在最初學(xué)HOOK-API的時(shí)候通常都是通過覆蓋地址和修改IAT的方法。
通過這兩種技術(shù),我們基本都可以實(shí)現(xiàn)對(duì)本進(jìn)程的API函數(shù)進(jìn)行HOOK了。但是在高興之余會(huì)有點(diǎn)遺憾,
怎么才能HOOK其他進(jìn)程的API函數(shù)呢?怎么才能對(duì)一個(gè)API函數(shù)進(jìn)行全局的HOOK呢?
下面是我的一個(gè)簡(jiǎn)單的“HOOK其他進(jìn)程API函數(shù)”的實(shí)現(xiàn)。(對(duì)另一進(jìn)程的MessageBoxA這個(gè)函數(shù)進(jìn)行HOOK)?
其實(shí)里面的應(yīng)用了兩個(gè)技術(shù)
1。遠(yuǎn)程線程注入?
2。修改IAT,HOOK-API
好了貼出代碼如下:
一共是3個(gè)文件
install.c??注入程序?
fundll.cpp??DLL程序?
test.cpp??測(cè)試程序??
CODE:
//-------------------------install.c--------------------------
//
//install.c
#include?"windows.h"
#include?"tlhelp32.h"
#pragma?comment(lib,"th32.lib")
const?char?*pkill="fundll.dll";????????????????//DLL文件的路徑
//這個(gè)路徑很有意思,這個(gè)路徑是相對(duì)于目標(biāo)進(jìn)程的,而不是自身進(jìn)程。
//所以要嘛寫成絕對(duì)路徑,要嘛寫成相對(duì)于目標(biāo)進(jìn)程的相對(duì)路徑。
//如果寫成相對(duì)于自身的路徑就要麻煩了,本程序就找不到DLL文件了。?
char?*prosess="test.exe";???//要注入的進(jìn)程名(目標(biāo)進(jìn)程名)
int?main()
{
????????HANDLE?hSnap;
????????HANDLE?hkernel32;????????//被注入進(jìn)程的句柄
????????PROCESSENTRY32?pe;?
????????BOOL?bNext;
????????HANDLE?hToken;
????????TOKEN_PRIVILEGES?tp;
????????LUID?Luid;
????????LPVOID?p;
????????FARPROC?pfn;
????????if?(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
????????{
????????????????return?1;
????????}
????????if?(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&Luid))
????????{
????????????????return?1;
????????}
????????tp.PrivilegeCount?=?1;
????????tp.Privileges[0].Attributes?=?SE_PRIVILEGE_ENABLED;
????????tp.Privileges[0].Luid?=?Luid;
????????if?(!AdjustTokenPrivileges(hToken,0,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL))
????????{
????????????????return?1;
????????}
????????pe.dwSize?=?sizeof(pe);
????????hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,?0);
????????bNext=Process32First(hSnap,?&pe);?
????????while(bNext)?
????????{
????????????????if(!stricmp(pe.szExeFile,prosess))????????????????//--->>
????????????????{
????????????????????????hkernel32=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_WRITE|PROCESS_VM_OPERATION,1,pe.th32ProcessID);
????????????????????????break;
????????????????}
????????????????bNext=Process32Next(hSnap,?&pe);?
????????}
????????CloseHandle(hSnap);
????????p=VirtualAllocEx(hkernel32,NULL,strlen(pkill),MEM_COMMIT,PAGE_READWRITE);
????????WriteProcessMemory(hkernel32,p,pkill,strlen(pkill),NULL);
????????pfn=GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
????????CreateRemoteThread(hkernel32,NULL,0,pfn,p,NULL,0);?
????????return?0;
}
//----------------------fundll.cpp-----------------------------
//
//fundll.cpp
#include?"windows.h"
#include?"process.h"
#include?"tlhelp32.h"
#include?"stdio.h"
#pragma?comment(lib,"th32.lib")
PIMAGE_DOS_HEADER??pDosHeader;
PIMAGE_NT_HEADERS??pNTHeaders;
PIMAGE_OPTIONAL_HEADER???pOptHeader;
PIMAGE_IMPORT_DESCRIPTOR??pImportDescriptor;
PIMAGE_THUNK_DATA?????????pThunkData;
PIMAGE_IMPORT_BY_NAME?????pImportByName;
HMODULE?hMod;
//?定義MessageBoxA函數(shù)原型
typedef?int?(WINAPI?*PFNMESSAGEBOX)(HWND,?LPCSTR,?LPCSTR,?UINT?uType);
int?WINAPI?MessageBoxProxy(IN?HWND?hWnd,?IN?LPCSTR?lpText,?IN?LPCSTR?lpCaption,?IN?UINT?uType);
int?*?addr?=?(int?*)MessageBoxA;????????//保存函數(shù)的入口地址
int?*?myaddr?=?(int?*)MessageBoxProxy;
void?ThreadProc(void?*param);//線程函數(shù)
//-------------------------------------------------------主函數(shù)開始
BOOL?WINAPI?DllMain(HINSTANCE?hinstDLL,DWORD?fdwReason,LPVOID?lpvReserved)
{
????????if(fdwReason==DLL_PROCESS_ATTACH)????????
????????????????_beginthread(ThreadProc,0,NULL);????????
????????return?TRUE;?
}
//結(jié)束進(jìn)程的函數(shù)
void?ThreadProc(void?*param)
{
????????//------------hook?api----------------
????????hMod?=?GetModuleHandle(NULL);
????????pDosHeader?=?(PIMAGE_DOS_HEADER)hMod;
????????pNTHeaders?=?(PIMAGE_NT_HEADERS)((BYTE?*)hMod?+?pDosHeader->e_lfanew);
????????pOptHeader?=?(PIMAGE_OPTIONAL_HEADER)&(pNTHeaders->OptionalHeader);
????????pImportDescriptor?=?(PIMAGE_IMPORT_DESCRIPTOR)((BYTE?*)hMod?+?pOptHeader->DataDirectory[1].VirtualAddress);
????????while(pImportDescriptor->FirstThunk)
????????{
????????????????char?*?dllname?=?(char?*)((BYTE?*)hMod?+?pImportDescriptor->Name);
????????????????pThunkData?=?(PIMAGE_THUNK_DATA)((BYTE?*)hMod?+?pImportDescriptor->OriginalFirstThunk);
????????????????int?no?=?1;
????????????????while(pThunkData->u1.Function)
????????????????{
????????????????????????char?*?funname?=?(char?*)((BYTE?*)hMod?+?(DWORD)pThunkData->u1.AddressOfData?+?2);
????????????????????????PDWORD?lpAddr?=?(DWORD?*)((BYTE?*)hMod?+?(DWORD)pImportDescriptor->FirstThunk)?+(no-1);
????????????????
????????????????????????//修改內(nèi)存的部分
????????????????????????if((*lpAddr)?==?(int)addr)
????????????????????????{
????????????????????????????????//修改內(nèi)存頁(yè)的屬性
????????????????????????????????DWORD?dwOLD;
????????????????????????????????MEMORY_BASIC_INFORMATION??mbi;
????????????????????????????????VirtualQuery(lpAddr,&mbi,sizeof(mbi));
????????????????????????????????VirtualProtect(lpAddr,sizeof(DWORD),PAGE_READWRITE,&dwOLD);
????????????????????????????????
????????????????????????????????WriteProcessMemory(GetCurrentProcess(),?
????????????????????????????????????????????????lpAddr,?&myaddr,?sizeof(DWORD),?NULL);
????????????????????????????????//恢復(fù)內(nèi)存頁(yè)的屬性
????????????????????????????????VirtualProtect(lpAddr,sizeof(DWORD),dwOLD,0);
????????????????????????}
????????????//---------
????????????????????????no++;
????????????????????????pThunkData++;
????????????????}
????????????????pImportDescriptor++;
????????}
????????//-------------------HOOK?END-----------------
}
//new?messagebox?function
int?WINAPI?MessageBoxProxy(IN?HWND?hWnd,?IN?LPCSTR?lpText,?IN?LPCSTR?lpCaption,?IN?UINT?uType)
{
????????return?????????((PFNMESSAGEBOX)addr)(NULL,?"gxter_test",?"gxter_title",?0);
????????//這個(gè)地方可以寫出對(duì)這個(gè)API函數(shù)的處理代碼
}
//----------------------------test.cpp------------------------------------
//test.cpp
#include?"stdio.h"
#include?"windows.h"
int?main()
{
????????printf("test---\n");
????????while(1)
????????{
????????????????getchar();
????????????????MessageBoxA(NULL,?"原函數(shù)",?"09HookDemo",?0);
????????}
????????return?0;
}
測(cè)試過程:先運(yùn)行TEST不要關(guān)閉(建立目標(biāo)),再運(yùn)行install(進(jìn)行注入)。但要注意FUNDLL和TEST文件位置。?
上面的代碼進(jìn)本上就實(shí)現(xiàn)了對(duì)其他進(jìn)程的API進(jìn)行HOOK了。
但還有一個(gè)問題就是對(duì)“API函數(shù)進(jìn)行全局的HOOK”。我的想法就是注入所有進(jìn)程就可以實(shí)現(xiàn)了。
只要簡(jiǎn)單的改一下上面的代碼就可以實(shí)現(xiàn)了。?這好象有點(diǎn)像SetWindowsHookEx這個(gè)函數(shù)的的實(shí)現(xiàn)過程。
以上就是我想法了,如果在什么地方有錯(cuò)誤還請(qǐng)糾正。?
參考資料:
《WINDOWS?程序設(shè)計(jì)》
《WINDOWS?核心編程》