Usermode api hook removal

最新推荐文章于 2024-02-27 16:05:52 发布
转载 最新推荐文章于 2024-02-27 16:05:52 发布 · 683 阅读 · 0
文章标签:

#hook #api #module #header #null #function

本文介绍了一种针对导出表修补及代码覆盖攻击的防护方法。通过逆向工程手段,该方法能够检测并还原被恶意篡改的函数指针,有效保护软件免受病毒或恶意软件的侵害。
By: akcom Firewall's implementing usermode hooks to detect (shock) viral/malicious hooks is both idiotic and easy to bypass, the code to do it follows. This protected against Export Table Patching & extended/simple code overwrite (inline hooking).



#define makeptr( Base, Increment, Typecast ) ((Typecast)( (ULONG)(Base) + (ULONG)(Increment) ))
#define incptr( Base, Increment, Typecast ) ((Typecast)RVAToVA( (ULONG)(Base), (ULONG)(Increment) ))

ULONG RVAToVA( ULONG Base, ULONG Increment );

void Unhook( HMODULE Module, LPSTR Function )
{
char MFileName[MAX_PATH];
GetModuleFileName( Module, MFileName, sizeof(MFileName) );

HANDLE hFile = CreateFile( MFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL );
SetFilePointer( hFile, 0, NULL, FILE_BEGIN );

ULONG dwTemp;

dwTemp = GetFileSize( hFile, NULL );
BYTE *Base = new BYTE[dwTemp];
ReadFile( hFile, Base, dwTemp, &dwTemp, NULL );
CloseHandle( hFile );

PIMAGE_NT_HEADERS  Nt = makeptr( Base, ((PIMAGE_DOS_HEADER)Base)->e_lfanew, PIMAGE_NT_HEADERS );
PIMAGE_EXPORT_DIRECTORY Exports =
incptr( Base, Nt->OptionalHeader.DataDirectory[0].VirtualAddress, PIMAGE_EXPORT_DIRECTORY );

PBYTE FuncHooked = (PBYTE)GetProcAddress( Module, Function );
PBYTE FuncOriginal = NULL;

char **Names = incptr( Base, Exports->AddressOfNames, char ** );
ULONG *Functions = incptr( Base, Exports->AddressOfFunctions, ULONG * );

ULONG RVA;
ULONG VA;
for ( ULONG i = 0; i < Exports->NumberOfNames;i++ )
{
if ( _stricmp( incptr( Base, Names[i], char * ), Function ) == 0 )
{
  //protection against export table patching
  RVA = Functions[i];
  VA = (ULONG)GetProcAddress( Module, Function ) - (ULONG)Module;
  if ( VA != RVA )
  {
   ULONG *EATFunc =
    makeptr(
     Module,
     makeptr(
      Module,
      makeptr( Module, ((PIMAGE_DOS_HEADER)Module)->e_lfanew, PIMAGE_NT_HEADERS )->OptionalHeader.DataDirectory[0].VirtualAddress,
      PIMAGE_EXPORT_DIRECTORY )->AddressOfFunctions,
     PULONG
     );
   EATFunc[i] = RVA;
  }
  FuncOriginal = incptr( Base, Functions[i], PBYTE );

  break;
}
}

//protection against extended code overwriting
MEMORY_BASIC_INFORMATION Info;
VirtualQuery( FuncHooked, &Info, sizeof(Info) );
ULONG OldProtection;
VirtualProtect( FuncHooked, Info.RegionSize, PAGE_EXECUTE_READWRITE, &OldProtection );

i = 0;
while ( FuncHooked[i] != FuncOriginal[i] )
{
FuncHooked[i] = FuncOriginal[i];
i++;
}
delete []Base;
VirtualProtect( FuncHooked, Info.RegionSize, OldProtection, NULL );

}

ULONG RVAToVA( ULONG Base, ULONG Increment )
{
PIMAGE_NT_HEADERS  Nt = makeptr( Base, ((PIMAGE_DOS_HEADER)Base)->e_lfanew, PIMAGE_NT_HEADERS );
USHORT     SCount = Nt->FileHeader.NumberOfSections;
PIMAGE_SECTION_HEADER Sections = makeptr( Nt, sizeof(*Nt), PIMAGE_SECTION_HEADER );

for ( USHORT i = 0; i < SCount; i++ )
{
if ( (Increment >= Sections[i].VirtualAddress ) && (Increment <= (Sections[i].VirtualAddress + Sections[i].SizeOfRawData)) )
{
  return ( (Increment - Sections[i].VirtualAddress) + Sections[i].PointerToRawData + Base);
}
}
return Base + Increment;
}
 
arm57xx中的spi应用、驱动
技术联盟
03-11 480
应用及驱动源下载:https://download.youkuaiyun.com/download/mao0514/15728275 应用: #include <stdio.h> /*标准输入输出定义*/ #include <stdlib.h> /*标准函数库定义*/ #include <unistd.h> /*Unix标准函数定义*/ #include <sys/types.h> /**/ #includ
VC写加密壳
无名侠的博客
08-19 3050
这次我使用VC来写一个加密壳的框架。
Delphi API HOOK 完全说明
qiume的专栏
04-01 6665
一、关于 API Hook1. 什么是 API Hook不知道大家是否还记得,在 DOS 系统中编程,经常会采取截取中断向量的技术:我们可以设置新的中断服务程序,当系统其他的程序调用这个中断时,就让它先调用我们自己设置的新的中断服务程序,然后再调用原来的中断服务程序,这样就能够获得非凡的控制权。许多优秀的软件和大多数 DOS 病毒程序都采用了这个方法。
Delphi API HOOK完全说明
QUINCY_HU的专栏
01-05 1230
一、关于API Hook1.什么是API Hook不知道大家是否还记得,在DOS系统中编程,经常会采取截取中断向量的技术:我们可以设置新的中断服务程序,当系统其他的程序调用这个中断时,就让它先调用我们自己设置的新的中断服务程序,然后再调用原来的中断服务程序,这样就能够获得非凡的控制权。许多优秀的软件和大多数DOS 病毒程序都采用了这个方法。在Windows 中,我们也可以采取类似技
经典文章-API Hook Revealed
多媒体编程、网络编程、系统编程、网络安全编程、驱动编程
06-10 4585
原文:   Intercepting Win32 API calls has always been a challenging subject among most of the Windows developers and I have to admit, it's been one of my favorite topics. The term Hooking represents
[转] Delphi API HOOK 完全说明
Ψ星泪(JPEXE)
08-11 3121
// 本文转自网络, 原始出处不明确. // 转载目的: 学习 + 分享 一、关于 API Hook 1. 什么是 API Hook 不知道大家是否还记得,在 DOS 系统中编程,经常会采取截取中断向量的技术:我们可以设置新的中断服务程序,当系统其他的程序调用这个中断时,就让它先调用我们自己设置的新的中断服务程序,然后再调用原来的中断服务程序,这样就能够获得非凡的控制权。许多优秀的
API HOOK技术1
weixin_30457551的博客
07-28 122
拦截win32 API 调用对于多数w indows开发人员来说都一直是很有挑战性的课题,我承认,这也是我感兴趣的一个课题。钩子机制就是用一种底层 技术控制特定代码段的执行,它同时提供了一种直观的方法,很容易就能改变操作系统的行为,而并不需要涉及到代码。这跟一些第三方产品类似。 许多系统都通过拦截技术(spying techniques)利用现有windows应用...
Delphi API HOOK完全说明(存在错误的原文,含修正)
wts的专栏
08-08 2286
 从网上看到《Delphi API HOOK完全说明》这篇文章,基本上都是大家转来转去,原文出处我已经找不到了。这篇文章写的很不错,但最后部分“PermuteFunction 的终极版本”描述的不太清楚,完全按照该文章代码执行,是不行的。可能是作者故意这样做的?本文最后提供修正后的下载地址。原文如下:一、关于API Hook1.什么是API Hook不知道大家是否还记得,在DO
µC/OS-III Release Notes
wzk456的专栏
06-08 1570
µC/OS-III Release Notes Version 3.05.00 Version 3.04.05 Version 3.04.04 Version 3.04.03 Version 3.04.02 Version 3.04.01 Version 3.04.00 Version 3.03.01 Version 3.0
epoll的内核实现
网易搬砖头
02-27 8293
epoll是由一组系统调用组成。 int epoll_create(int size); int epoll_ctl(int epfd, int op, int fd, struct epoll_event *event); int epoll_wait(int epfd, struct epoll_event *events,int maxevents, in
(RoboTwin) wsh@amax-Super-Server:~/RoboTwin/pytorch3d$ pip install -e . Obtaining file:///home/wsh/RoboTwin/pytorch3d Preparing metadata (setup.py) ... done Requirement already satisfied: iopath in /home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages (from pytorch3d==0.7.8) (0.1.10) Requirement already satisfied: tqdm in /home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages (from iopath->pytorch3d==0.7.8) (4.67.1) Requirement already satisfied: typing_extensions in /home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages (from iopath->pytorch3d==0.7.8) (4.15.0) Requirement already satisfied: portalocker in /home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages (from iopath->pytorch3d==0.7.8) (3.2.0) Installing collected packages: pytorch3d DEPRECATION: Legacy editable install of pytorch3d==0.7.8 from file:///home/wsh/RoboTwin/pytorch3d (setup.py develop) is deprecated. pip 25.3 will enforce this behaviour change. A possible replacement is to add a pyproject.toml or enable --use-pep517, and use setuptools >= 64. If the resulting installation is not behaving as expected, try using --config-settings editable_mode=compat. Please consult the setuptools documentation for more information. Discussion can be found at https://github.com/pypa/pip/issues/11457 Running setup.py develop for pytorch3d error: subprocess-exited-with-error × python setup.py develop did not run successfully. │ exit code: 1 ╰─> [81 lines of output] /home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/torch/utils/cpp_extension.py:25: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81. from pkg_resources import packaging # type: ignore[attr-defined] running develop /home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/setuptools/_distutils/cmd.py:90: DevelopDeprecationWarning: develop command is deprecated. !! ******************************************************************************** Please avoid running ``setup.py`` and ``develop``. Instead, use standards-based tools like pip or uv. By 2025-Oct-31, you need to update your project and remove deprecated calls or your builds will no longer be supported. See https://github.com/pypa/setuptools/issues/917 for details. ******************************************************************************** !! self.initialize_options() Obtaining file:///home/wsh/RoboTwin/pytorch3d Installing build dependencies: started Installing build dependencies: finished with status 'done' Checking if build backend supports build_editable: started Checking if build backend supports build_editable: finished with status 'done' Getting requirements to build editable: started Getting requirements to build editable: finished with status 'error' error: subprocess-exited-with-error × Getting requirements to build editable did not run successfully. │ exit code: 1 ╰─> [19 lines of output] Traceback (most recent call last): File "/home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py", line 389, in <module> main() File "/home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py", line 373, in main json_out["return_val"] = hook(**hook_input["kwargs"]) File "/home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py", line 157, in get_requires_for_build_editable return hook(config_settings) File "/tmp/pip-build-env-hfdrk10n/overlay/lib/python3.10/site-packages/setuptools/build_meta.py", line 473, in get_requires_for_build_editable return self.get_requires_for_build_wheel(config_settings) File "/tmp/pip-build-env-hfdrk10n/overlay/lib/python3.10/site-packages/setuptools/build_meta.py", line 331, in get_requires_for_build_wheel return self._get_build_requires(config_settings, requirements=[]) File "/tmp/pip-build-env-hfdrk10n/overlay/lib/python3.10/site-packages/setuptools/build_meta.py", line 301, in _get_build_requires self.run_setup() File "/tmp/pip-build-env-hfdrk10n/overlay/lib/python3.10/site-packages/setuptools/build_meta.py", line 512, in run_setup super().run_setup(setup_script=setup_script) File "/tmp/pip-build-env-hfdrk10n/overlay/lib/python3.10/site-packages/setuptools/build_meta.py", line 317, in run_setup exec(code, locals()) File "<string>", line 15, in <module> ModuleNotFoundError: No module named 'torch' [end of output] note: This error originates from a subprocess, and is likely not a problem with pip. error: subprocess-exited-with-error × Getting requirements to build editable did not run successfully. │ exit code: 1 ╰─> See above for output. note: This error originates from a subprocess, and is likely not a problem with pip. Traceback (most recent call last): File "<string>", line 2, in <module> File "<pip-setuptools-caller>", line 35, in <module> File "/home/wsh/RoboTwin/pytorch3d/setup.py", line 144, in <module> setup( File "/home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/setuptools/__init__.py", line 115, in setup return distutils.core.setup(**attrs) File "/home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/setuptools/_distutils/core.py", line 186, in setup return run_commands(dist) File "/home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/setuptools/_distutils/core.py", line 202, in run_commands dist.run_commands() File "/home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/setuptools/_distutils/dist.py", line 1002, in run_commands self.run_command(cmd) File "/home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/setuptools/dist.py", line 1102, in run_command super().run_command(command) File "/home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/setuptools/_distutils/dist.py", line 1021, in run_command cmd_obj.run() File "/home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/setuptools/command/develop.py", line 39, in run subprocess.check_call(cmd) File "/home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/subprocess.py", line 369, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '['/home/wsh/miniconda3/envs/RoboTwin/bin/python3.10', '-m', 'pip', 'install', '-e', '.', '--use-pep517', '--no-deps']' returned non-zero exit status 1. [end of output] note: This error originates from a subprocess, and is likely not a problem with pip. error: subprocess-exited-with-error × python setup.py develop did not run successfully. │ exit code: 1 ╰─> [81 lines of output] /home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/torch/utils/cpp_extension.py:25: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81. from pkg_resources import packaging # type: ignore[attr-defined] running develop /home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/setuptools/_distutils/cmd.py:90: DevelopDeprecationWarning: develop command is deprecated. !! ******************************************************************************** Please avoid running ``setup.py`` and ``develop``. Instead, use standards-based tools like pip or uv. By 2025-Oct-31, you need to update your project and remove deprecated calls or your builds will no longer be supported. See https://github.com/pypa/setuptools/issues/917 for details. ******************************************************************************** !! self.initialize_options() Obtaining file:///home/wsh/RoboTwin/pytorch3d Installing build dependencies: started Installing build dependencies: finished with status 'done' Checking if build backend supports build_editable: started Checking if build backend supports build_editable: finished with status 'done' Getting requirements to build editable: started Getting requirements to build editable: finished with status 'error' error: subprocess-exited-with-error × Getting requirements to build editable did not run successfully. │ exit code: 1 ╰─> [19 lines of output] Traceback (most recent call last): File "/home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py", line 389, in <module> main() File "/home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py", line 373, in main json_out["return_val"] = hook(**hook_input["kwargs"]) File "/home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py", line 157, in get_requires_for_build_editable return hook(config_settings) File "/tmp/pip-build-env-hfdrk10n/overlay/lib/python3.10/site-packages/setuptools/build_meta.py", line 473, in get_requires_for_build_editable return self.get_requires_for_build_wheel(config_settings) File "/tmp/pip-build-env-hfdrk10n/overlay/lib/python3.10/site-packages/setuptools/build_meta.py", line 331, in get_requires_for_build_wheel return self._get_build_requires(config_settings, requirements=[]) File "/tmp/pip-build-env-hfdrk10n/overlay/lib/python3.10/site-packages/setuptools/build_meta.py", line 301, in _get_build_requires self.run_setup() File "/tmp/pip-build-env-hfdrk10n/overlay/lib/python3.10/site-packages/setuptools/build_meta.py", line 512, in run_setup super().run_setup(setup_script=setup_script) File "/tmp/pip-build-env-hfdrk10n/overlay/lib/python3.10/site-packages/setuptools/build_meta.py", line 317, in run_setup exec(code, locals()) File "<string>", line 15, in <module> ModuleNotFoundError: No module named 'torch' [end of output] note: This error originates from a subprocess, and is likely not a problem with pip. error: subprocess-exited-with-error × Getting requirements to build editable did not run successfully. │ exit code: 1 ╰─> See above for output. note: This error originates from a subprocess, and is likely not a problem with pip. Traceback (most recent call last): File "<string>", line 2, in <module> File "<pip-setuptools-caller>", line 35, in <module> File "/home/wsh/RoboTwin/pytorch3d/setup.py", line 144, in <module> setup( File "/home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/setuptools/__init__.py", line 115, in setup return distutils.core.setup(**attrs) File "/home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/setuptools/_distutils/core.py", line 186, in setup return run_commands(dist) File "/home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/setuptools/_distutils/core.py", line 202, in run_commands dist.run_commands() File "/home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/setuptools/_distutils/dist.py", line 1002, in run_commands self.run_command(cmd) File "/home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/setuptools/dist.py", line 1102, in run_command super().run_command(command) File "/home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/setuptools/_distutils/dist.py", line 1021, in run_command cmd_obj.run() File "/home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/site-packages/setuptools/command/develop.py", line 39, in run subprocess.check_call(cmd) File "/home/wsh/miniconda3/envs/RoboTwin/lib/python3.10/subprocess.py", line 369, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '['/home/wsh/miniconda3/envs/RoboTwin/bin/python3.10', '-m', 'pip', 'install', '-e', '.', '--use-pep517', '--no-deps']' returned non-zero exit status 1. [end of output] note: This error originates from a subprocess, and is likely not a problem with pip. 新的报错 什么原因
10-25
[System.Environment]::SetEnvironmentVariable('CUB_HOME', 'C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v11.3\include\cub', 'User') ``` ##### ✅ 步骤 3:禁用构建隔离 ```bash cd /home/wsh/...
卓胜微(MAXSCEND)芯片的cmmb驱动【ANDROID+展讯8810平台】
duanlove(技术路途)专栏
08-23 2497
#include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #i
BP神经网络+PID控制Simulink仿真
11-26
提供了基于BP(Back Propagation)神经网络结合PID(比例-积分-微分)控制策略的Simulink仿真模型。该模型旨在实现对杨艺所著论文《基于S函数的BP神经网络PID控制器及Simulink仿真》中的理论进行实践验证。在Matlab 2016b环境下开发,经过测试,确保能够正常运行,适合学习和研究神经网络在控制系统中的应用。 特点 集成BP神经网络:模型中集成了BP神经网络用于提升PID控制器的性能,使之能更好地适应复杂控制环境。 PID控制优化:利用神经网络的自学习能力,对传统的PID控制算法进行了智能调整,提高控制精度和稳定性。 S函数应用:展示了如何在Simulink中通过S函数嵌入MATLAB代码,实现BP神经网络的定制化逻辑。 兼容性说明:虽然开发于Matlab 2016b,但理论上兼容后续版本,可能会需要调整少量配置以适配不同版本的Matlab。 使用指南 环境要求:确保你的电脑上安装有Matlab 2016b或更高版本。 模型加载: 下载本仓库到本地。 在Matlab中打开.slx文件。 运行仿真: 调整模型参数前,请先熟悉各模块功能和输入输出设置。 运行整个模型,观察控制效果。 参数调整: 用户可以自由调节神经网络的层数、节点数以及PID控制器的参数,探索不同的控制性能。 学习和修改: 通过阅读模型中的注释和查阅相关文献,加深对BP神经网络与PID控制结合的理解。 如需修改S函数内的MATLAB代码,建议有一定的MATLAB编程基础。
sketch_nov26a_anjian.zip
11-26
sketch_nov26a_anjian.zip
Python控制,分支,猜数字游戏
11-26
Python控制,分支,猜数字游戏
44页-非接触新经济安全治理报告(赛博&安恒信息)(1).pdf
11-26
44页-非接触新经济安全治理报告(赛博&安恒信息)(1)
AIR-AP2800-K9-ME-8-10-196-0.zip 2800和3800 Mobile Express
最新发布
11-26
Description : Cisco 2800 & 3800 Series Mobility Express Release 8.10 Software. Access Point image bundle, to be used for software update and/or supported access points images. Release : 8.10.196.0 Release Date : 13-May-2024 FileName : AIR-AP2800-K9-ME-8-10-196-0.zip & AIR-AP3800-K9-ME-8-10-196-0.zip Size : 502.40 MB ( 526809432 bytes) MD5 Checksum : 2bc8cb0f124d7535742119de89fb5ead SHA512 Checksum : cc25cbeaa043da2122d460bc8b518913bddf76a36516e96a5fdaa74580be6ae335b565ed1b14a1e930d759150bc39ecad0f565859412b00d832f749a73dce7f7
API HOOK技术示例分析
在探讨API HOOK的实践案例之前,有必要先了解一下API HOOK的含义。API HOOKAPI钩子的简称,在计算机科学中,它是一种特殊的软件技术,用于拦截操作系统、库函数或应用程序调用的API函数调用。通过这种技术,开发者...
评论
成就一亿技术人!
拼手气红包6.0元
还能输入1000个字符
 
红包 添加红包
表情包 插入表情
表情包 代码片
 条评论被折叠 查看
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值