本地hook API MessageBoxA的masm32源代码[07-10更新]

本文提供了一个使用MASM实现的本地hook MessageBoxA函数的例子。该示例展示了如何通过读取和更改目标进程内存来实现hook操作,适用于Windows XP + SP1环境。


;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
; FileName: msgbox2.asm
; Function: Demo how to hook MessageBoxA locally
; Author:   PurpleEndurer
;
; log
;--------------------------------------------------
; 2006-07-10 Optimized code
; 2006-07-08 Created, success under Windows XP + SP1
;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
; Assembler setup: 32-bit flat memory model, stdcall as the default calling
; convention, case-sensitive identifiers.
                .586p
                .model  flat, stdcall
                option  casemap:none

; MASM32 SDK headers and import libraries. Only kernel32 and user32 are used.
                include     /masm32/include/windows.inc

                include     /masm32/include/kernel32.inc
                include     /masm32/include/user32.inc

                includelib  /masm32/lib/kernel32.lib
                includelib  /masm32/lib/user32.lib

;-----------------------------------------------------------------------
; m_m2m d1, d2
; Memory-to-memory move: pushes d2 and pops the value into d1, so no
; general-purpose register is needed as a temporary.
;-----------------------------------------------------------------------
m_m2m           MACRO   d1, d2
                push    d2
                pop     d1
                ENDM


; Size in bytes of MEMORY_BASIC_INFORMATION as laid out in the struct comment
; in the code section (seven 4-byte fields in this 32-bit build).
MEMORY_BASIC_INFORMATION_SIZE   EQU     28

                .data
g_szUser32dll   DB      "user32.dll", 0
; Used three ways: the export name passed to GetProcAddress, and the text and
; caption of the demo message boxes.
g_szMsgBox      DB      "MessageBoxA", 0
; Text the hook handler appends to the message.
g_szHookedOK    DB      "hasbeenhookedOK!", 0

                .data?
g_dwOld_protect DD      ?               ; receives the protection replaced by the restoring VirtualProtect
g_lpfnMessagBox DWORD   ?               ; address of user32!MessageBoxA
g_dbOldCode     DB      10 DUP (?)      ; copy of the first 10 bytes of MessageBoxA
g_dwReaded      DWORD   ?               ; byte count written back by Read/WriteProcessMemory
g_hCurProc      HANDLE  ?               ; handle returned by GetCurrentProcess

.code

start:
do_hook:
invokeGetModuleHandle,ADDRg_szUser32dll
invokeGetProcAddress,eax,ADDRg_szMsgBox
movedi,eax;finallygotMessageBoxAaddress
movg_lpfnMessagBox,eax

push0
pushOFFSETg_szMsgBox
pushOFFSETg_szMsgBox
push0
callg_lpfnMessagBox;确认得到MessageBoxA的地址

invokeGetCurrentProcess
movg_hCurProc,eax

;BOOLReadProcessMemory(
;HANDLEhProcess,//handleoftheprocesswhosememoryisread
;LPCVOIDlpBaseAddress,//addresstostartreading
;LPVOIDlpBuffer,//addressofbuffertoplacereaddata
;DWORDnSize,//numberofbytestoread
;LPDWORDlpNumberOfBytesRead//addressofnumberofbytesread
;);
invokeReadProcessMemory,eax,g_lpfnMessagBox,ADDRg_dbOldCode,10,ADDRg_dwReaded

testeax,eax
jz@FinalMsgBox

invokeVirtualAlloc,0,MEMORY_BASIC_INFORMATION_SIZE,MEM_COMMIT,PAGE_READWRITE

testeax,eax
jz@FinalMsgBox

movesi,eax;allocationforMBI
invokeVirtualQuery,edi,esi,MEMORY_BASIC_INFORMATION_SIZE

;typedefstruct_MEMORY_BASIC_INFORMATION{//mbi
;PVOIDBaseAddress;//baseaddressofregion
;PVOIDAllocationBase;//allocationbaseaddress
;DWORDAllocationProtect;//initialaccessprotection
;DWORDRegionSize;//size,inbytes,ofregion
;DWORDState;//committed,reserved,free
;DWORDProtect;//currentaccessprotection
;DWORDType;//typeofpages
;}MEMORY_BASIC_INFORMATION;

testeax,eax
jz@free_mem

invokeFlushInstructionCache,g_hCurProc,edi,5;justtobesure

leaeax,[esi+014h]
pusheax
pushPAGE_EXECUTE_READWRITE
leaeax,[esi+0Ch]
push[eax]
push[esi]
callVirtualProtect
;wewillchangeprotectionforamoment,sowewillbeabletowritethere

testeax,eax
jz@free_mem

movbyteptr[edi],0E9h;写入jmp跳转指令
moveax,OFFSET@newMsgBox;计算跳转地址
subeax,edi
subeax,5
incedi
stosd;传送32位跳转地址

pushOFFSETg_dwOld_protect
leaeax,[esi+014h]
push[eax]
leaeax,[esi+0Ch]
push[eax]
push[esi]
callVirtualProtect;returnbacktheprotectionofpage

@free_mem:
pushMEM_RELEASE
push0
pushesi
callVirtualFree;freememory

@FinalMsgBox:
invokeMessageBoxA,0,ADDRg_szMsgBox,ADDRg_szMsgBox,0
invokeExitProcess,0

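HOOK_TEXT_MAX   EQU     256                     ; bytes of caller text kept, terminator included
HOOK_SUFFIX_MAX EQU     32                      ; room for g_szHookedOK (16 characters + terminator)

                .data?
; Private copy of the message text. One static buffer is enough because the
; handler removes the patch on its first successful run.
g_szHookText    DB      (HOOK_TEXT_MAX + HOOK_SUFFIX_MAX) DUP (?)

                .code

;-----------------------------------------------------------------------
; @newMsgBox
; Target of the JMP written over the start of MessageBoxA. It is entered
; with the caller's stdcall frame untouched:
;   [esp]    return address      [esp+12] lpCaption
;   [esp+4]  hWnd                [esp+16] uType
;   [esp+8]  lpText
; It forces the information icon, appends g_szHookedOK to the text,
; writes the saved bytes back over MessageBoxA and jumps to it.
;
; Fixes over the original:
;  * The original called lstrcat on the caller's lpText. That argument is
;    an LPCSTR the callee does not own; in this demo it is the 12-byte
;    g_szMsgBox, so the append ran past it into g_szHookedOK. The text is
;    now copied with a length limit into g_szHookText and the argument is
;    repointed at that copy.
;  * The WriteProcessMemory result is checked. If the restore fails the
;    entry is still patched, and jumping to it would re-enter this handler
;    without end; the handler returns 0 to the caller instead.
;
; Clobbers eax, ecx, edx and flags (all volatile under stdcall).
;-----------------------------------------------------------------------
@newMsgBox:                                     ; 004010CD in the author's build
                mov     dword ptr [esp + 16], MB_ICONINFORMATION   ; change the message icon
                ;mov    dword ptr [esp + 12], OFFSET g_szHookedOK  ; change the caption (disabled)

                mov     byte ptr g_szHookText, 0        ; start from an empty string
                mov     eax, [esp + 8]                  ; caller's message text
                test    eax, eax
                jz      @F                              ; NULL text: keep the copy empty
                invoke  lstrcpyn, ADDR g_szHookText, eax, HOOK_TEXT_MAX
@@:
                invoke  lstrcat, ADDR g_szHookText, ADDR g_szHookedOK
                mov     dword ptr [esp + 8], OFFSET g_szHookText   ; change the message text

; BOOL WriteProcessMemory(
;   HANDLE  hProcess,                // handle to process whose memory is written to
;   LPVOID  lpBaseAddress,           // address to start writing to
;   LPVOID  lpBuffer,                // pointer to buffer to write data to
;   DWORD   nSize,                   // number of bytes to write
;   LPDWORD lpNumberOfBytesWritten   // actual number of bytes written
; );
                invoke  WriteProcessMemory, g_hCurProc, g_lpfnMessagBox, ADDR g_dbOldCode, 10, ADDR g_dwReaded
                test    eax, eax
                jz      @unhook_failed
                jmp     g_lpfnMessagBox         ; original code is back: run the real MessageBoxA
                ;push   g_lpfnMessagBox         ; (alternative the author left disabled)
                ;ret                            ; 10H

@unhook_failed:
                xor     eax, eax                ; 0 = failure
                ret     16                      ; stdcall: drop the 4 DWORD arguments

                end     start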