HookLib with lable dynamic code generating

最新推荐文章于 2025-01-22 09:24:49 发布

weixin_33794672

最新推荐文章于 2025-01-22 09:24:49 发布

阅读量74

点赞数

CC 4.0 BY-SA版权

原文链接：http://www.cnblogs.com/jeffreytan/archive/2006/05/18/403694.html

本文介绍了一个使用Windows API Hooking技术的具体实现案例，通过修改目标进程内存中的指令来拦截和修改API调用行为。该方法利用了WriteProcessMemory和ReadProcessMemory等函数，并详细展示了如何创建一个简单的HOOK以达到拦截特定API调用的目的。

#include<windows.h>
#include<stdio.h>
#include<libdasm.h>

#pragma comment(lib, "libdasm.lib")

int inst_len = 0;
FARPROC hAPI=NULL;
char *szInstruction=NULL;
PDWORD pHookFuncAddr;

void MB(LPTSTR pszInfo)
{
MessageBox(NULL, pszInfo, TEXT("alert"), MB_OK);
}

BOOL fRet=FALSE;
DWORD temp;

void __declspec(naked) HookFunc()
{
__asm
{
pushad
pushfd
}

__asm
{
lea eax, APISub
mov temp, eax
}

OutputDebugString(TEXT("This call comes from hookfunc\n"));

fRet=WriteProcessMemory(GetCurrentProcess(), (PVOID)temp, szInstruction,
inst_len, NULL);
if(!fRet)
{
printf("WriteProcessMemory failed with error %d", GetLastError());
}

hAPI=(FARPROC)((DWORD)hAPI+inst_len);

__asm
{
  popfd
  popad
}

APISub:
__asm
{
  __emit 0x90
  __emit 0x90
  __emit 0x90
  __emit 0x90
  __emit 0x90
  __emit 0x90
  __emit 0x90
  __emit 0x90
  __emit 0x90
  __emit 0x90
  __emit 0x90
  __emit 0x90
  jmp hAPI
}
}

BOOL StartHook()
{
INSTRUCTION inst;
BOOL fRet=FALSE, fOk=FALSE;
int len, lenlimit=6;
BYTE *buf=(BYTE *)hAPI;
char szError[100];
char *newcode=NULL;

__try
{
  do {
   len = get_instruction(&inst, buf+inst_len, MODE_32);
   inst_len += len;
  } while (inst_len < lenlimit);

  newcode=new char[inst_len];
  if(NULL==newcode)
  {
   sprintf(szError, "new newcode fails with %d",GetLastError());
   MB(szError);
   __leave;
  }

  memset(newcode,0x90, inst_len);
  newcode[0]=0xff;
  newcode[1]=0x25;
  newcode[2]=0x11;
  newcode[3]=0x22;
  newcode[4]=0x33;
  newcode[5]=0x44;

  pHookFuncAddr=(PDWORD)HookFunc;
  *(PDWORD)&newcode[2]=(DWORD)(&pHookFuncAddr);

  szInstruction=new char[inst_len];
  if(NULL==newcode)
  {
   sprintf(szError, "new szInstruction fails with %d",GetLastError());
   MB(szError);
   __leave;
  }

  fRet=ReadProcessMemory(GetCurrentProcess(), hAPI, szInstruction, inst_len, NULL);
  if(!fRet)
  {
   sprintf(szError, "ReadProcessMemory fails with %d",GetLastError());
   MB(szError);
   __leave;
  }

  fRet=WriteProcessMemory(GetCurrentProcess(), hAPI, newcode,
   inst_len, NULL);
  if(!fRet)
  {
   sprintf(szError, "WriteProcessMemory fails with %d",GetLastError());
   MB(szError);
   __leave;
  }
  fOk=TRUE;
}
__finally
{
  delete[] newcode;
}
return fOk;
}

BOOL WINAPI DllMain(
HINSTANCE hinstDLL,
DWORD fdwReason,
LPVOID lpvReserved
)
{
HANDLE hFileMapping=FALSE;
PVOID pView=NULL;
TCHAR szModule[50], szAPI[50];
HINSTANCE hModule=NULL;

char szError[100];
switch(fdwReason)
{
case DLL_PROCESS_ATTACH:
  __try
  {
   hFileMapping=OpenFileMapping(FILE_MAP_READ|FILE_MAP_WRITE, FALSE, TEXT("APISPY1.0"));
   if(NULL==hFileMapping)
   {
    sprintf(szError, "OpenFileMapping fails with %d",GetLastError());
    MB(szError);
    __leave;
   }

   pView=MapViewOfFile(hFileMapping, FILE_MAP_WRITE, 0, 0, 0);
   if(NULL==pView)
   {
    sprintf(szError, "MapViewOfFile fails with %d",GetLastError());
    MB(szError);
    __leave;
   }

CopyMemory(szModule, pView, sizeof(szModule));
CopyMemory(szAPI, (PBYTE)pView+sizeof(szModule), sizeof(szAPI));

   hModule=GetModuleHandle(szModule);
   if(NULL==hModule)
   {
    sprintf(szError, "GetModuleHandle fails with %d",GetLastError());
    MB(szError);
    __leave;
   }
   hAPI=GetProcAddress(hModule, szAPI);
   if(NULL==hAPI)
   {
    sprintf(szError, "GetProcAddress fails with %d",GetLastError());
    MB(szError);
    __leave;
   }

   StartHook();
  }
  __finally
  {
   if(pView!=NULL)
   {
    UnmapViewOfFile(pView);
   }
   if(hFileMapping!=NULL)
   {
    CloseHandle(hFileMapping);
   }
  }
  break;
case DLL_PROCESS_DETACH:
  delete[] szInstruction;
  break;
}
return TRUE;
}