HOOK是一種WINDOWS下存在很久的技術了。?
HOOK一般分兩種1。HOOK?MESSAGE??2。HOOK?API?本問討論的是HOOK?API。(如果你是HOOK高手就不要看了)?
在最初學HOOK-API的時候通常都是通過覆蓋地址和修改IAT的方法。
通過這兩種技術,我們基本都可以實現對本進程的API函數進行HOOK了。但是在高興之余會有點遺憾,
怎么才能HOOK其他進程的API函數呢?怎么才能對一個API函數進行全局的HOOK呢?
下面是我的一個簡單的“HOOK其他進程API函數”的實現。(對另一進程的MessageBoxA這個函數進行HOOK)?
其實里面的應用了兩個技術
1。遠程線程注入?
2。修改IAT,HOOK-API
好了貼出代碼如下:
一共是3個文件
install.c??注入程序?
fundll.cpp??DLL程序?
test.cpp??測試程序??
CODE:
//-------------------------install.c--------------------------
//
//install.c
#include?"windows.h"
#include?"tlhelp32.h"
#pragma?comment(lib,"th32.lib")
const?char?*pkill="fundll.dll";????????????????//DLL文件的路徑
//這個路徑很有意思,這個路徑是相對于目標進程的,而不是自身進程。
//所以要嘛寫成絕對路徑,要嘛寫成相對于目標進程的相對路徑。
//如果寫成相對于自身的路徑就要麻煩了,本程序就找不到DLL文件了。?
char?*prosess="test.exe";???//要注入的進程名(目標進程名)
int?main()
{
????????HANDLE?hSnap;
????????HANDLE?hkernel32;????????//被注入進程的句柄
????????PROCESSENTRY32?pe;?
????????BOOL?bNext;
????????HANDLE?hToken;
????????TOKEN_PRIVILEGES?tp;
????????LUID?Luid;
????????LPVOID?p;
????????FARPROC?pfn;
????????if?(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
????????{
????????????????return?1;
????????}
????????if?(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&Luid))
????????{
????????????????return?1;
????????}
????????tp.PrivilegeCount?=?1;
????????tp.Privileges[0].Attributes?=?SE_PRIVILEGE_ENABLED;
????????tp.Privileges[0].Luid?=?Luid;
????????if?(!AdjustTokenPrivileges(hToken,0,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL))
????????{
????????????????return?1;
????????}
????????pe.dwSize?=?sizeof(pe);
????????hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,?0);
????????bNext=Process32First(hSnap,?&pe);?
????????while(bNext)?
????????{
????????????????if(!stricmp(pe.szExeFile,prosess))????????????????//--->>
????????????????{
????????????????????????hkernel32=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_WRITE|PROCESS_VM_OPERATION,1,pe.th32ProcessID);
????????????????????????break;
????????????????}
????????????????bNext=Process32Next(hSnap,?&pe);?
????????}
????????CloseHandle(hSnap);
????????p=VirtualAllocEx(hkernel32,NULL,strlen(pkill),MEM_COMMIT,PAGE_READWRITE);
????????WriteProcessMemory(hkernel32,p,pkill,strlen(pkill),NULL);
????????pfn=GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
????????CreateRemoteThread(hkernel32,NULL,0,pfn,p,NULL,0);?
????????return?0;
}
//----------------------fundll.cpp-----------------------------
//
//fundll.cpp
#include?"windows.h"
#include?"process.h"
#include?"tlhelp32.h"
#include?"stdio.h"
#pragma?comment(lib,"th32.lib")
PIMAGE_DOS_HEADER??pDosHeader;
PIMAGE_NT_HEADERS??pNTHeaders;
PIMAGE_OPTIONAL_HEADER???pOptHeader;
PIMAGE_IMPORT_DESCRIPTOR??pImportDescriptor;
PIMAGE_THUNK_DATA?????????pThunkData;
PIMAGE_IMPORT_BY_NAME?????pImportByName;
HMODULE?hMod;
//?定義MessageBoxA函數原型
typedef?int?(WINAPI?*PFNMESSAGEBOX)(HWND,?LPCSTR,?LPCSTR,?UINT?uType);
int?WINAPI?MessageBoxProxy(IN?HWND?hWnd,?IN?LPCSTR?lpText,?IN?LPCSTR?lpCaption,?IN?UINT?uType);
int?*?addr?=?(int?*)MessageBoxA;????????//保存函數的入口地址
int?*?myaddr?=?(int?*)MessageBoxProxy;
void?ThreadProc(void?*param);//線程函數
//-------------------------------------------------------主函數開始
BOOL?WINAPI?DllMain(HINSTANCE?hinstDLL,DWORD?fdwReason,LPVOID?lpvReserved)
{
????????if(fdwReason==DLL_PROCESS_ATTACH)????????
????????????????_beginthread(ThreadProc,0,NULL);????????
????????return?TRUE;?
}
//結束進程的函數
void?ThreadProc(void?*param)
{
????????//------------hook?api----------------
????????hMod?=?GetModuleHandle(NULL);
????????pDosHeader?=?(PIMAGE_DOS_HEADER)hMod;
????????pNTHeaders?=?(PIMAGE_NT_HEADERS)((BYTE?*)hMod?+?pDosHeader->e_lfanew);
????????pOptHeader?=?(PIMAGE_OPTIONAL_HEADER)&(pNTHeaders->OptionalHeader);
????????pImportDescriptor?=?(PIMAGE_IMPORT_DESCRIPTOR)((BYTE?*)hMod?+?pOptHeader->DataDirectory[1].VirtualAddress);
????????while(pImportDescriptor->FirstThunk)
????????{
????????????????char?*?dllname?=?(char?*)((BYTE?*)hMod?+?pImportDescriptor->Name);
????????????????pThunkData?=?(PIMAGE_THUNK_DATA)((BYTE?*)hMod?+?pImportDescriptor->OriginalFirstThunk);
????????????????int?no?=?1;
????????????????while(pThunkData->u1.Function)
????????????????{
????????????????????????char?*?funname?=?(char?*)((BYTE?*)hMod?+?(DWORD)pThunkData->u1.AddressOfData?+?2);
????????????????????????PDWORD?lpAddr?=?(DWORD?*)((BYTE?*)hMod?+?(DWORD)pImportDescriptor->FirstThunk)?+(no-1);
????????????????
????????????????????????//修改內存的部分
????????????????????????if((*lpAddr)?==?(int)addr)
????????????????????????{
????????????????????????????????//修改內存頁的屬性
????????????????????????????????DWORD?dwOLD;
????????????????????????????????MEMORY_BASIC_INFORMATION??mbi;
????????????????????????????????VirtualQuery(lpAddr,&mbi,sizeof(mbi));
????????????????????????????????VirtualProtect(lpAddr,sizeof(DWORD),PAGE_READWRITE,&dwOLD);
????????????????????????????????
????????????????????????????????WriteProcessMemory(GetCurrentProcess(),?
????????????????????????????????????????????????lpAddr,?&myaddr,?sizeof(DWORD),?NULL);
????????????????????????????????//恢復內存頁的屬性
????????????????????????????????VirtualProtect(lpAddr,sizeof(DWORD),dwOLD,0);
????????????????????????}
????????????//---------
????????????????????????no++;
????????????????????????pThunkData++;
????????????????}
????????????????pImportDescriptor++;
????????}
????????//-------------------HOOK?END-----------------
}
//new?messagebox?function
int?WINAPI?MessageBoxProxy(IN?HWND?hWnd,?IN?LPCSTR?lpText,?IN?LPCSTR?lpCaption,?IN?UINT?uType)
{
????????return?????????((PFNMESSAGEBOX)addr)(NULL,?"gxter_test",?"gxter_title",?0);
????????//這個地方可以寫出對這個API函數的處理代碼
}
//----------------------------test.cpp------------------------------------
//test.cpp
#include?"stdio.h"
#include?"windows.h"
int?main()
{
????????printf("test---\n");
????????while(1)
????????{
????????????????getchar();
????????????????MessageBoxA(NULL,?"原函數",?"09HookDemo",?0);
????????}
????????return?0;
}
測試過程:先運行TEST不要關閉(建立目標),再運行install(進行注入)。但要注意FUNDLL和TEST文件位置。?
上面的代碼進本上就實現了對其他進程的API進行HOOK了。
但還有一個問題就是對“API函數進行全局的HOOK”。我的想法就是注入所有進程就可以實現了。
只要簡單的改一下上面的代碼就可以實現了。?這好象有點像SetWindowsHookEx這個函數的的實現過程。
以上就是我想法了,如果在什么地方有錯誤還請糾正。?
參考資料:
《WINDOWS?程序設計》
《WINDOWS?核心編程》