作者:新手村一霸 | 来源:互联网 | 2023-08-15 14:57
编写dll处理hook逻辑,注入到目标进程,实现apihook。Windows10notepad,通过hook kernel32.dll.WriteFile,实现小写字母转大写保存
编写dll处理hook逻辑,注入到目标进程,实现api hook。
Windows10 notepad,通过hook kernel32.dll.WriteFile,实现小写字母转大写保存到文件。
hook前kernel32.dll.WriteFile入口:
kernel32.dll.WriteFile在调用时入口是条jmp指令
跳转后
hook时通过GetProcAddress得到的是jmp处的地址,在jmp指令周边有一些int 3指令,这些空间可以用来做一些跳转操作。
#include "pch.h"
#include
#define DLLNAME "kernel32.dll"
#define WRITEFILE "WriteFile"
BYTE g_pOrgBytes[6] = { 0 };
FARPROC g_writefile = GetProcAddress(GetModuleHandleA(DLLNAME), WRITEFILE);
//此函数用来将api前5个字节改为jmp xxxx
BOOL hook_by_code(FARPROC pfnOrg, PROC pfnNew, PBYTE pOrgBytes) {
DWORD dwOldProtect, dwAddress;
BYTE pBuf[6] = { 0xE9,0,0,0,0, 0x90};
PBYTE pByte;
pByte = (PBYTE)pfnOrg;
if (pByte[0] == 0xE9)//若已被勾取,则返回False
return FALSE;
VirtualProtect((LPVOID)pfnOrg, 12, PAGE_EXECUTE_READWRITE, &dwOldProtect);//为了修改字节,先向内存添加“写”的属性
memcpy(pOrgBytes, pfnOrg, 6);//备份原有代码
dwAddress = (DWORD64)pfnNew - (DWORD64)pfnOrg - 5;//计算JMP地址 => XXXX = pfnNew - pfnOrg - 5
memcpy(&pBuf[1], &dwAddress, 4);//E9,剩下后面4个字节为跳转的地址
memcpy(pfnOrg, pBuf, 6);//复制指令,跳转到hook逻辑
memcpy(&pByte[6], pOrgBytes, 6);//后面的int 3指令进行修改,跳转到原api逻辑
pByte[8] -= 6;//修正跳转偏移
VirtualProtect((LPVOID)pfnOrg, 12, dwOldProtect, &dwOldProtect);//恢复内存属性
return TRUE;
}
BOOL unhook_by_code(FARPROC pFunc, PBYTE pOrgBytes) {
DWORD dwOldProtect;
PBYTE pByte;
pByte = (PBYTE)pFunc;
if (pByte[0] != 0xE9)//若已脱钩,则返回False
return FALSE;
VirtualProtect((LPVOID)pFunc, 6, PAGE_EXECUTE_READWRITE, &dwOldProtect);//向内存添加“写”的属性,为恢复原代码做准备
memcpy(pFunc, pOrgBytes, 6);//脱钩
VirtualProtect((LPVOID)pFunc, 6, dwOldProtect, &dwOldProtect);//恢复内存属性
return TRUE;
}
//WINBASEAPI
//BOOL
//WINAPI
//WriteFile(
// _In_ HANDLE hFile,
// _In_reads_bytes_opt_(nNumberOfBytesToWrite) LPCVOID lpBuffer,
// _In_ DWORD nNumberOfBytesToWrite,
// _Out_opt_ LPDWORD lpNumberOfBytesWritten,
// _Inout_opt_ LPOVERLAPPED lpOverlapped
//);
typedef BOOL(WINAPI* PFWriteFile)(
_In_ HANDLE hFile,
_In_reads_bytes_opt_(nNumberOfBytesToWrite) LPCVOID lpBuffer,
_In_ DWORD nNumberOfBytesToWrite,
_Out_opt_ LPDWORD lpNumberOfBytesWritten,
_Inout_opt_ LPOVERLAPPED lpOverlapped
);
BOOL WINAPI MyWriteFile(
_In_ HANDLE hFile,
_In_reads_bytes_opt_(nNumberOfBytesToWrite) LPCVOID lpBuffer,
_In_ DWORD nNumberOfBytesToWrite,
_Out_opt_ LPDWORD lpNumberOfBytesWritten,
_Inout_opt_ LPOVERLAPPED lpOverlapped) {
PBYTE ptr = (PBYTE)g_writefile;
//unhook_by_code(g_writefile, g_pOrgBytes);
BOOL ret = TRUE;
char* pc = (char*)lpBuffer;
while (*pc)
{
if (*pc >= ‘a‘ && *pc <= ‘z‘) {
*pc -= 0x20;
}
pc++;
}
ret = ((PFWriteFile)(ptr+6))(hFile, lpBuffer, nNumberOfBytesToWrite, lpNumberOfBytesWritten, lpOverlapped);//原入口偏移+6处是修正的原jmp指令
//hook_by_code(g_writefile, (PROC)MyWriteFile, g_pOrgBytes);
return ret;
}
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
hook_by_code(g_writefile,(PROC)MyWriteFile, g_pOrgBytes);
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
unhook_by_code(g_writefile,g_pOrgBytes);
break;
}
return TRUE;
}
hook效果:
京公网安备 11010802041100号