/*
 * Replacement entry written into KernelCallbackTable[40] by the installation
 * code further down. No return type is written (implicit int); __declspec(naked)
 * is the MSVC attribute that suppresses the compiler-generated prologue and
 * epilogue, so the routine consists of exactly the two instructions below.
 *
 * Note the instruction order: `ret` comes first, so control goes straight back
 * to the caller and the `jmp oldaddr` is never reached — the original table
 * entry saved in oldaddr is not forwarded to. eax is left as the caller set it.
 * oldaddr itself is not declared in this excerpt; it is presumably a global
 * defined earlier in the file.
 */
__declspec(naked)?test()
{
??_asm
??{
????ret                 /* return immediately; nothing below executes */
????jmp?oldaddr         /* dead code: preceded unconditionally by ret */
??}
}
/* Pointer to the process' user-mode callback dispatch table (PEB.KernelCallbackTable). */
DWORD?*?KernelCallbackTable?=?NULL;
/*
 * 32-bit x86 only: fs: addresses the TEB in a 32-bit process and the three
 * displacements below are the usual 32-bit TEB/PEB offsets (TEB self pointer,
 * TEB -> PEB, PEB -> KernelCallbackTable). eax is preserved around the walk.
 * NOTE(review): a 64-bit process uses gs: and pointer-sized fields, so this
 * block does not carry over unchanged.
 */
_asm
{
?????push?eax
?????mov?eax,dword?ptr?fs:[0x18]      /* TEB self pointer */
?????mov?eax,dword?ptr?ds:[eax+0x30]  /* TEB -> PEB */
?????mov?eax,dword?ptr?ds:[eax+0x2C]  /* PEB -> KernelCallbackTable */
?????mov?KernelCallbackTable,?eax
?????pop?eax
}
DWORD?old?=?0;   /* receives the previous page protection; nothing in view restores it */
/*
 * Make the slot writable, remember the original entry in oldaddr (assumed to be
 * declared earlier — not in view), and point the slot at test(). The index 40
 * is hard-coded; the replies below note that it differs between Windows
 * versions (the page's XP SP2 table is numbered from 1, so index 40 is its
 * entry 41, fnHkINDWORD). From a monitoring standpoint, the VirtualProtect
 * call against the PEB table page and the in-place overwrite of a table entry
 * are the observable artifacts of this change.
 */
if(VirtualProtect(&KernelCallbackTable[40],?sizeof(PVOID),PAGE_EXECUTE_READWRITE,?&old))
{
??oldaddr?=?KernelCallbackTable[40];      /* save original entry */
??KernelCallbackTable[40]?=?(DWORD)test;  /* redirect to test() above */
}
前幾天研究 Windows 的消息機制時偶然發現。
通過修改 KernelCallbackTable 內供 ring0 調用 ring3 回調函數的分派表實現。
-0------
HideTool 就是這麼做的，不過人家是在驅動裡實現的，在 ntdll 領空內找一個 ret。
另外，你這個硬編碼的 40 是從哪來的？好像不對，各平臺上是不一樣的。
--------
跟這個不一樣吧。防全局鉤子是攔 ClientLoadLibrary，XP 下索引是 66，不知道你的 40 是哪來的。
查了下 XP SP2 的索引 40 是 fnHkINDWORD（下表從 1 起編號，索引 40 對應第 41 項），不知道你攔截了什麼。也能攔鍵盤鉤子？離奇了吧？呵呵
XP SP2 的 callback 函數對照表（序號從 1 起計）
01 fnCOPYDATA
02 fnCOPYGLOBALDATA
03 fnDWORD
04 fnNCDESTROY
05 fnDWORDOPTINLPMSG
06 fnINOUTDRAG
07 fnGETTEXTLENGTHS
08 fnINCNTOUTSTRING
09 fnPOUTLPINT
10 fnINLPCOMPAREITEMSTRUCT
11 fnINLPCREATESTRUCT
12 fnINLPDELETEITEMSTRUCT
13 fnINLPDRAWITEMSTRUCT
14 fnINLPHLPSTRUCT
15 fnINLPHLPSTRUCT
16 fnINLPMDICREATESTRUCT
17 fnINOUTLPMEASUREITEMSTRUCT
18 fnINLPWINDOWPOS
19 fnINOUTLPPOINT5
20 fnINOUTLPSCROLLINFO
21 fnINOUTLPRECT
22 fnINOUTNCCALCSIZE
23 fnINOUTLPSCROLLINFO
24 fnINPAINTCLIPBRD
25 fnINSIZECLIPBRD
26 fnINDESTROYCLIPBRD
27 fnINSTRINGNULL
28 fnINSTRINGNULL
29 fnINDEVICECHANGE
30 fnINOUTNEXTMENU
31 fnLOGONNOTIFY
32 fnOPTOUTLPDWORDOPTOUTLPDWORD
33 fnOPTOUTLPDWORDOPTOUTLPDWORD
34 fnOUTDWORDINDWORD
35 fnOUTLPRECT
36 fnPOUTLPINT
37 fnINLPHLPSTRUCT
38 fnPOUTLPINT
39 fnSENTDDEMSG
40 fnINOUTSTYLECHANGE
41 fnHkINDWORD
42 fnHkINLPCBTACTIVATESTRUCT
43 fnHkINLPCBTCREATESTRUCT
44 fnHkINLPDEBUGHOOKSTRUCT
45 fnHkINLPMOUSEHOOKSTRUCTEX
46 fnHkINLPKBDLLHOOKSTRUCT
47 fnHkINLPMSLLHOOKSTRUCT
48 fnHkINLPMSG
49 fnHkINLPRECT
50 fnHkOPTINLPEVENTMSG
51 ClientCopyDDEIn1
52 ClientCopyDDEIn2
53 ClientCopyDDEOut1
54 ClientCopyDDEOut2
55 ClientCopyImage
56 ClientEventCallback
57 ClientFindMnemChar
58 ClientFontSweep
59 ClientFreeDDEHandle
60 ClientFreeLibrary
61 ClientGetCharsetInfo
62 ClientGetDDEFlags
63 ClientGetDDEHookData
64 ClientGetListboxString
65 ClientGetMessageMPH
66 ClientLoadImage
67 ClientLoadLibrary
68 ClientLoadMenu
69 ClientLoadLocalT1Fonts
70 ClientLoadRemoteT1Fonts
71 ClientPSMTextOut
72 ClientLpkDrawTextEx
73 ClientExtTextOutW
74 ClientGetTextExtentPointW
75 ClientCharToWchar
76 ClientAddFontResourceW
77 ClientThreadSetup
78 ClientDeliverUserApc
79 ClientNoMemoryPopup
80 ClientMonitorEnumProc
81 ClientCallWinEventProc
82 ClientWaitMessageExMPH
83 ClientWOWGetProcModule
84 ClientWOWTask16SchedNotify
85 ClientImmLoadLayout
86 ClientImmProcessKey
87 fnIMECONTROL
88 fnINWPARAMDBCSCHAR
89 fnGETTEXTLENGTHS
90 fnINLPKDRAWSWITCHWND
91 ClientLoadStringW
92 ClientLoadOLE
93 ClientRegisterDragDrop
94 ClientRevokeDragDrop
95 fnINOUTMENUGETOBJECT
96 ClientPrinterThunk
97 fnOUTLPCOMBOBOXINFO
98 fnOUTLPSCROLLBARINFO