本文介绍了如何将NtUserSetWindowsHookEx返回的HHOOK转换为PHOOK。关键在于找到win32k SSDT中NtUserUnhookWindowsHookEx的函数入口,调用HMValidateHandle@8地址实现转换。提供了一个汇编代码示例来演示转换过程。
不少人问NtUserSetWindowsHookEx返回的HHOOK怎么换成PHOOK,这里说明一下。
主要是找到那个转换函数地址直接调用就是了。
原理:
找到 win32k ssdt的NtUserUnhookWindowsHookEx的函数入口,
直接取@HMValidateHandle@8 的地址
使用方法:
#define GetObjectFromHandle (handle,object)
{
__asm push ecx
__asm push edx
__asm mov ecx,handle
__asm mov dl,5
__asm call @HMValidateHandle@8
__asm mov object,eax
__asm pop edx
__asm pop ecx
}
/
//NtUserUnhookWindowsHookEx的代码
/
.text:A0013B47 ; __stdcall NtUserUnhookWindowsHookEx(x)
.text:A0013B47 _NtUserUnhookWindowsHookEx@4 proc near ; DATA XREF: .data:A016BD34o
.text:A0013B47
.text:A0013B47 arg_0 = dword ptr 8
.text:A0013B47
.text:A0013B47 56 push esi
.text:A0013B48 E8 3D D1 FE FF call _EnterCrit@0 ; EnterCrit()
.text:A0013B4D 8B 4C 24 08 mov ecx, [esp+arg_0]
.text:A0013B51 B2 05 mov dl, 5
.text:A0013B53 E8 48 96 FF FF call @HMValidateHandle@8 ; HMValidateHandle(x,x)
.text:A0013B58 85 C0 test eax, eax
.text:A0013B5A 75 04 jnz short loc_A0013B60
.text:A0013B5C 33 F6 xor esi, esi
.text:A0013B5E EB 08 jmp short loc_A0013B68
.text:A0013B60 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:A0013B60
.text:A0013B60 loc_A0013B60: ; CODE XREF: NtUserUnhookWindowsHookEx(x)+13j
.text:A0013B60 50 push eax
.text:A0013B61 E8 2A C8 08 00 call _zzzUnhookWindowsHookEx@4 ; zzzUnhookWindowsHookEx(x)
.text:A0013B66 8B F0 mov esi, eax
.text:A0013B68
.text:A0013B68 loc_A0013B68: ; CODE XREF: NtUserUnhookWindowsHookEx(x)+17j
.text:A0013B68 E8 E4 D0 FE FF call _LeaveCrit@0 ; LeaveCrit()
.text:A0013B6D 8B C6 mov eax, esi
.text:A0013B6F 5E pop esi
.text:A0013B70 C2 04 00 retn 4
.text:A0013B70 _NtUserUnhookWindowsHookEx@4 endp
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
