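/*
 * Replacement entry for the hooked KernelCallbackTable slot.
 *
 * The hook code below stores the original slot value in `oldaddr` (declared
 * elsewhere in this file) and writes the address of this stub in its place.
 * The stub returns immediately, so the original user32 callback for that
 * slot never runs and whatever the slot dispatches is silently swallowed.
 * The original version also carried a `jmp oldaddr` after the `ret`; that
 * instruction was unreachable and has been dropped.  To pass the call
 * through to the saved entry instead, replace `ret` with `jmp oldaddr`.
 *
 * NOTE(review): a naked `ret` neither sets a status in eax nor cleans up
 * any arguments on the stack, so whatever the user-mode callback dispatcher
 * expects back from this slot (stack balance, return status) is not
 * honoured here - confirm against the target build's dispatcher before use.
 * x86 only: __declspec(naked) with this inline asm is a 32-bit MSVC feature.
 */
__declspec(naked) void test(void)
{
    _asm
    {
        ret
    }
}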
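/*
 * Hook one slot of the per-process KernelCallbackTable (x86 only).
 *
 * KernelCallbackTable is the user-mode callback dispatch table (the
 * fnXXX/ClientXXX entries listed further down in this thread); its address
 * is read from the PEB via the TEB.  The slot index is per-OS-build: in the
 * XP SP2 table quoted below, 0-based slot 40 is fnHkINDWORD (entry 41), and
 * other builds lay the table out differently, so resolve the index for the
 * target build rather than trusting this constant.
 *
 * `oldaddr` (declared elsewhere in this file) receives the original entry so
 * the replacement `test` can forward to it; `test` is installed in its place.
 * If VirtualProtect fails nothing is written and oldaddr is left untouched.
 */
enum { KCT_HOOK_SLOT = 40 };
DWORD *KernelCallbackTable = NULL;
_asm
{
    push eax
    mov eax, dword ptr fs:[0x18]       ; TEB self pointer (NtTib.Self), 32-bit layout
    mov eax, dword ptr ds:[eax+0x30]   ; TEB->ProcessEnvironmentBlock
    mov eax, dword ptr ds:[eax+0x2C]   ; PEB->KernelCallbackTable (32-bit layout)
    mov KernelCallbackTable, eax
    pop eax
}
DWORD old = 0;
/* The table holds function pointers (data), not code, so PAGE_READWRITE is
 * all the write needs; the previous protection is put back after the swap. */
if (KernelCallbackTable != NULL &&
    VirtualProtect(&KernelCallbackTable[KCT_HOOK_SLOT], sizeof(PVOID), PAGE_READWRITE, &old))
{
    DWORD restored = 0;
    oldaddr = KernelCallbackTable[KCT_HOOK_SLOT];
    KernelCallbackTable[KCT_HOOK_SLOT] = (DWORD)test;
    /* Best effort: the hook is already in place, a failure here only leaves
     * the page more permissive than it was. */
    VirtualProtect(&KernelCallbackTable[KCT_HOOK_SLOT], sizeof(PVOID), old, &restored);
}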
前几天研究 Windows 的消息机制时偶然发现。
通过修改 PEB 中的 KernelCallbackTable（内核态 ring0 回调用户态 ring3 时使用的函数分派表）来实现。
-0------
HideTool 就是这么做的，不过人家是在驱动里实现的，在 ntdll 领空内找一个 ret。
另外，你这个硬编码的 40 是从哪来的？好像不对，各平台（系统版本）上表项的索引是不一样的。
--------
跟这个不一样吧，防全局钩子是拦 ClientLoadLibrary，XP 下索引是 66（0 基索引，对应下表第 67 项），不知道你的 40 是哪来的。
查了下 XP SP2 的 40（0 基索引，对应下表第 41 项）是 fnHkINDWORD，不知道你拦截了什么。也能拦键盘钩子？离奇了吧？呵呵
XP SP2 的 callback 函数对照表（下表从 01 起编号；代码中的 KernelCallbackTable[40] 是 0 基索引，对应第 41 项）
01  fnCOPYDATA
02  fnCOPYGLOBALDATA
03  fnDWORD
04  fnNCDESTROY
05  fnDWORDOPTINLPMSG
06  fnINOUTDRAG
07  fnGETTEXTLENGTHS
08  fnINCNTOUTSTRING
09  fnPOUTLPINT
10  fnINLPCOMPAREITEMSTRUCT
11  fnINLPCREATESTRUCT
12  fnINLPDELETEITEMSTRUCT
13  fnINLPDRAWITEMSTRUCT
14  fnINLPHLPSTRUCT
15  fnINLPHLPSTRUCT
16  fnINLPMDICREATESTRUCT
17  fnINOUTLPMEASUREITEMSTRUCT
18  fnINLPWINDOWPOS
19  fnINOUTLPPOINT5
20  fnINOUTLPSCROLLINFO
21  fnINOUTLPRECT
22  fnINOUTNCCALCSIZE
23  fnINOUTLPSCROLLINFO
24  fnINPAINTCLIPBRD
25  fnINSIZECLIPBRD
26  fnINDESTROYCLIPBRD
27  fnINSTRINGNULL
28  fnINSTRINGNULL
29  fnINDEVICECHANGE
30  fnINOUTNEXTMENU
31  fnLOGONNOTIFY
32  fnOPTOUTLPDWORDOPTOUTLPDWORD
33  fnOPTOUTLPDWORDOPTOUTLPDWORD
34  fnOUTDWORDINDWORD
35  fnOUTLPRECT
36  fnPOUTLPINT
37  fnINLPHLPSTRUCT
38  fnPOUTLPINT
39  fnSENTDDEMSG
40  fnINOUTSTYLECHANGE
41  fnHkINDWORD
42  fnHkINLPCBTACTIVATESTRUCT
43  fnHkINLPCBTCREATESTRUCT
44  fnHkINLPDEBUGHOOKSTRUCT
45  fnHkINLPMOUSEHOOKSTRUCTEX
46  fnHkINLPKBDLLHOOKSTRUCT
47  fnHkINLPMSLLHOOKSTRUCT
48  fnHkINLPMSG
49  fnHkINLPRECT
50  fnHkOPTINLPEVENTMSG
51  ClientCopyDDEIn1
52  ClientCopyDDEIn2
53  ClientCopyDDEOut1
54  ClientCopyDDEOut2
55  ClientCopyImage
56  ClientEventCallback
57  ClientFindMnemChar
58  ClientFontSweep
59  ClientFreeDDEHandle
60  ClientFreeLibrary
61  ClientGetCharsetInfo
62  ClientGetDDEFlags
63  ClientGetDDEHookData
64  ClientGetListboxString
65  ClientGetMessageMPH
66  ClientLoadImage
67  ClientLoadLibrary
68  ClientLoadMenu
69  ClientLoadLocalT1Fonts
70  ClientLoadRemoteT1Fonts
71  ClientPSMTextOut
72  ClientLpkDrawTextEx
73  ClientExtTextOutW
74  ClientGetTextExtentPointW
75  ClientCharToWchar
76  ClientAddFontResourceW
77  ClientThreadSetup
78  ClientDeliverUserApc
79  ClientNoMemoryPopup
80  ClientMonitorEnumProc
81  ClientCallWinEventProc
82  ClientWaitMessageExMPH
83  ClientWOWGetProcModule
84  ClientWOWTask16SchedNotify
85  ClientImmLoadLayout
86  ClientImmProcessKey
87  fnIMECONTROL
88  fnINWPARAMDBCSCHAR
89  fnGETTEXTLENGTHS
90  fnINLPKDRAWSWITCHWND
91  ClientLoadStringW
92  ClientLoadOLE
93  ClientRegisterDragDrop
94  ClientRevokeDragDrop
95  fnINOUTMENUGETOBJECT
96  ClientPrinterThunk
97  fnOUTLPCOMBOBOXINFO
98  fnOUTLPSCROLLBARINFO