hook api inline code
2015-01-17 15:05
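/*
 * Enable SeDebugPrivilege on the current process token.
 * Returns non-zero (TRUE) only when the privilege was actually enabled, FALSE
 * otherwise. The token handle is closed on every path and no heap memory is
 * used, which fixes the handle and new[] leaks of the earlier version.
 * NOTE(review): AdjustTokenPrivileges returns TRUE even when the token does
 * not hold the privilege and signals that via GetLastError() ==
 * ERROR_NOT_ALL_ASSIGNED, so that case is mapped to FALSE here.
 */
int rise_pri()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        return FALSE;
    }

    BOOL rc = FALSE;
    TOKEN_PRIVILEGES tp = {0};
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    /* Fail closed: if the privilege name cannot be resolved, Luid stays
     * unset and must not be handed to AdjustTokenPrivileges. */
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) {
        rc = AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL);
        if (rc && GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
            rc = FALSE;
        }
    }

    CloseHandle(hToken);
    return rc;
}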
/*
 * Measure the byte length of the code at pfn by scanning forward one dword at
 * a time for the 0x90909090 marker that terminates the hook bodies below.
 * Returns the number of bytes before the marker (marker excluded).
 * The scan is unbounded (ECX starts at 0xFFFFFFFF): if the marker is missing,
 * or not dword-aligned relative to pfn, the scan reads past the function.
 * pushad/popad keep the clobbered registers from escaping the asm block.
 */
ULONG GetMyFunctionLen(DWORD pfn)
{
ULONG res = 0;
__asm
{
pushad
MOV EAX, 0x90909090 // the hook body ends with 0x90909090 as its terminator marker
MOV ECX, 0xFFFFFFFF
MOV EDI, pfn
CLD
REPNZ SCASD // stop at the first dword equal to EAX; ECX drops by one per compared dword
NOT ECX // number of dwords compared, including the matching one
DEC ECX // exclude the marker dword itself
MOV res, ECX
popad
}
return res * 4; // dwords -> bytes
}
/*
 * Make [address, address+size) readable, writable and executable in the
 * current process.
 * Returns the previous protection flags on success, or -1 after reporting the
 * failure in a message box.
 * NOTE(review): the newmode parameter is not used; the new protection is
 * always PAGE_EXECUTE_READWRITE, and an RWX region is exactly the pattern
 * memory scanners tend to flag.
 */
int makerw(int address,int size,int newmode)
{
    ULONG previous = 0;
    BOOL changed = VirtualProtectEx(GetCurrentProcess(), (void*)address, size,
                                    PAGE_EXECUTE_READWRITE, &previous);
    if (changed) {
        return (int)previous;
    }
    MessageBox(0,"failure","virtualprotect error",0);
    return -1;
}
/*
 * Install an inline (detour) hook at codeaddress inside the current process.
 * The trampoline is a freshly allocated heap block laid out as
 *   [ bytes of pfnNewFunction up to its 0x90909090 marker ]
 *   [ the first thisclausebytes bytes at codeaddress, copied verbatim ]
 *   [ JMP rel32 back to codeaddress + thisclausebytes ]
 * and the first 5 bytes at codeaddress are then replaced by a JMP rel32 to it.
 * Returns the trampoline address, or 0 when the allocation fails.
 * Caller contract (not checked here): thisclausebytes must be at least 5 and
 * end on an instruction boundary, otherwise the 5-byte JMP written at
 * codeaddress destroys bytes that were not relocated.
 * NOTE(review): both makerw() results are ignored, so a failed protection
 * change is followed by writes into memory that is not writable; the
 * trampoline is never freed (it has to stay alive while the hook is installed)
 * and is left RWX, which is what memory scanners typically flag.
 */
DWORD Patch_new(DWORD codeaddress,int thisclausebytes, DWORD pfnNewFunction)
{
ULONG fakefunctionlen,newplacecodelength;
DWORD SectionGapStart;
rise_pri(); // result ignored; presumably unnecessary when only the current process is patched
fakefunctionlen = GetMyFunctionLen( pfnNewFunction);
newplacecodelength=fakefunctionlen+thisclausebytes+5; // hook body + relocated bytes + one JMP rel32
SectionGapStart = (DWORD)new char[newplacecodelength];
if (SectionGapStart == NULL) return 0; // only meaningful with a NULL-returning (older MSVC / nothrow) operator new
makerw((int)SectionGapStart,newplacecodelength,0); // the heap block becomes executable
memcpy((void*)SectionGapStart,(void*)pfnNewFunction,fakefunctionlen);
memcpy((void*)(SectionGapStart+fakefunctionlen),(void*)codeaddress,thisclausebytes);
/* On my machine the code of CreateProcessW looks like this:
KERNEL32!CreateProcessW
001B:77E6B252 55 PUSH EBP
001B:77E6B253 8BEC MOV EBP, ESP
001B:77E6B255 FF752C PUSH DWORD PTR [EBP+2C]
The second and third instructions are exactly 5 bytes long, so I chose to replace them with the jump.
The jump opcode is 0xE9; displacement = destination address - start address - length of the jump instruction itself.
*/
// Trampoline tail: JMP rel32 to the instruction following the relocated bytes.
*(PUCHAR)((PUCHAR)SectionGapStart +fakefunctionlen+thisclausebytes) = 0xE9;
*(PULONG)((PUCHAR)SectionGapStart+fakefunctionlen+thisclausebytes+1) = (ULONG)(codeaddress + thisclausebytes)
- (ULONG)(SectionGapStart + fakefunctionlen+thisclausebytes) - 5; // rel32 = target - address of this JMP - 5
//__asm CLI
// Patch site: JMP rel32 from codeaddress into the trampoline.
makerw((int)codeaddress,5,0);
*(PUCHAR)((PUCHAR)codeaddress) = 0xE9;
*(PULONG)((PCHAR)codeaddress + 1) = (ULONG)SectionGapStart - (ULONG)codeaddress- 5;
//__asm STI
//PTE_ENTRY((ULONG)pfnOrig) &= 0xFFD;
return SectionGapStart;
}
// Messages written by the two hook bodies; their addresses are taken with lea inside the naked functions.
char string1[] = "--->condition 1";
char string2[] = "--->condition 2";
// Call target for the hook bodies, held in a global so that `call opfn` is an
// indirect call through an absolute address (presumably so the copied bytes do
// not depend on where the trampoline is placed).
DWORD opfn=(DWORD)OutputDebugStringA;
/*
 * Hook body for condition 1. __declspec(naked): no prologue, epilogue or ret.
 * Patch_new copies these bytes into the trampoline ahead of the relocated
 * original instructions and a jump back, so control falls through the end of
 * this block. PUSHAD/POPAD preserve every general register around the call;
 * OutputDebugStringA is stdcall and pops its own argument.
 * The 13 NOP bytes terminate the body: GetMyFunctionLen scans dword-aligned
 * from the function start, and any run of at least 7 NOPs contains an
 * aligned 0x90909090, so only the bytes before that marker are copied.
 * NOTE(review): the declaration has no return type (MSVC defaults to int).
 */
__declspec(naked) NewCreateProcessW1()
{
__asm
{
PUSHAD
lea eax, string1
push eax
call opfn
POPAD
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Hook body for condition 2; identical in shape to NewCreateProcessW1 but
 * reports string2. Naked, no ret: execution falls through into the relocated
 * original bytes that Patch_new places after it. PUSHAD/POPAD preserve the
 * general registers; OutputDebugStringA is stdcall and pops its argument.
 * The trailing NOP run is the 0x90909090 terminator GetMyFunctionLen scans
 * for (13 bytes guarantee a dword-aligned marker from the function start).
 * NOTE(review): the declaration has no return type (MSVC defaults to int).
 */
__declspec(naked) NewCreateProcessW2()
{
__asm
{
PUSHAD
lea eax, string2
push eax
call opfn
POPAD
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Install the condition-1 hook at addresshook, relocating instructionlen bytes.
 * In _DEBUG builds the function symbol presumably points at a 5-byte jmp thunk
 * (incremental linking), so its rel32 is followed to reach the real body;
 * otherwise GetMyFunctionLen would measure the thunk instead of the body.
 */
void hook_cond1(DWORD addresshook,int instructionlen)
{
    DWORD target = (DWORD)NewCreateProcessW1;
#ifdef _DEBUG
    const DWORD *rel = (const DWORD*)(target + 1);
    target += 5 + *rel;
#endif
    Patch_new(addresshook, instructionlen, target);
}
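/*
 * Install the condition-2 hook at addresshook, relocating instructionlen bytes.
 * Made consistent with hook_cond1: in _DEBUG builds the function symbol refers
 * to the incremental-linking jump thunk, so its rel32 is followed to reach the
 * real body; without this, GetMyFunctionLen would scan the thunk and the
 * trampoline would carry the wrong bytes.
 */
void hook_cond2(DWORD addresshook,int instructionlen)
{
    DWORD temp = (DWORD)NewCreateProcessW2;
#ifdef _DEBUG
    DWORD* ptr = (DWORD*)(temp + 1);
    temp = temp + 5 + ptr[0];
#endif
    Patch_new(addresshook, instructionlen, temp);
}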
{
BOOL rc;
HANDLE hToken;
TOKEN_PRIVILEGES *pTokenPriv;
LUID_AND_ATTRIBUTES la;
DWORD Len;
rc=OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken);
if(rc==FALSE)return rc;
LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&la.Luid);
la.Attributes=SE_PRIVILEGE_ENABLED;
pTokenPriv = new TOKEN_PRIVILEGES[2];
pTokenPriv-> PrivilegeCount=1;
memcpy(pTokenPriv-> Privileges,&la,sizeof(LUID_AND_ATTRIBUTES));
rc=AdjustTokenPrivileges(hToken,FALSE,pTokenPriv,0,NULL,&Len);
return rc;
}
/*
 * Measure the byte length of the code at pfn by scanning forward one dword at
 * a time for the 0x90909090 marker that terminates the hook bodies below.
 * Returns the number of bytes before the marker (marker excluded).
 * The scan is unbounded (ECX starts at 0xFFFFFFFF): if the marker is missing,
 * or not dword-aligned relative to pfn, the scan reads past the function.
 * pushad/popad keep the clobbered registers from escaping the asm block.
 */
ULONG GetMyFunctionLen(DWORD pfn)
{
ULONG res = 0;
__asm
{
pushad
MOV EAX, 0x90909090 // the hook body ends with 0x90909090 as its terminator marker
MOV ECX, 0xFFFFFFFF
MOV EDI, pfn
CLD
REPNZ SCASD // stop at the first dword equal to EAX; ECX drops by one per compared dword
NOT ECX // number of dwords compared, including the matching one
DEC ECX // exclude the marker dword itself
MOV res, ECX
popad
}
return res * 4; // dwords -> bytes
}
/*
 * Make [address, address+size) readable, writable and executable in the
 * current process.
 * Returns the previous protection flags on success, or -1 after reporting the
 * failure in a message box.
 * NOTE(review): the newmode parameter is not used; the new protection is
 * always PAGE_EXECUTE_READWRITE, and an RWX region is exactly the pattern
 * memory scanners tend to flag.
 */
int makerw(int address,int size,int newmode)
{
    ULONG previous = 0;
    BOOL changed = VirtualProtectEx(GetCurrentProcess(), (void*)address, size,
                                    PAGE_EXECUTE_READWRITE, &previous);
    if (changed) {
        return (int)previous;
    }
    MessageBox(0,"failure","virtualprotect error",0);
    return -1;
}
/*
 * Install an inline (detour) hook at codeaddress inside the current process.
 * The trampoline is a freshly allocated heap block laid out as
 *   [ bytes of pfnNewFunction up to its 0x90909090 marker ]
 *   [ the first thisclausebytes bytes at codeaddress, copied verbatim ]
 *   [ JMP rel32 back to codeaddress + thisclausebytes ]
 * and the first 5 bytes at codeaddress are then replaced by a JMP rel32 to it.
 * Returns the trampoline address, or 0 when the allocation fails.
 * Caller contract (not checked here): thisclausebytes must be at least 5 and
 * end on an instruction boundary, otherwise the 5-byte JMP written at
 * codeaddress destroys bytes that were not relocated.
 * NOTE(review): both makerw() results are ignored, so a failed protection
 * change is followed by writes into memory that is not writable; the
 * trampoline is never freed (it has to stay alive while the hook is installed)
 * and is left RWX, which is what memory scanners typically flag.
 */
DWORD Patch_new(DWORD codeaddress,int thisclausebytes, DWORD pfnNewFunction)
{
ULONG fakefunctionlen,newplacecodelength;
DWORD SectionGapStart;
rise_pri(); // result ignored; presumably unnecessary when only the current process is patched
fakefunctionlen = GetMyFunctionLen( pfnNewFunction);
newplacecodelength=fakefunctionlen+thisclausebytes+5; // hook body + relocated bytes + one JMP rel32
SectionGapStart = (DWORD)new char[newplacecodelength];
if (SectionGapStart == NULL) return 0; // only meaningful with a NULL-returning (older MSVC / nothrow) operator new
makerw((int)SectionGapStart,newplacecodelength,0); // the heap block becomes executable
memcpy((void*)SectionGapStart,(void*)pfnNewFunction,fakefunctionlen);
memcpy((void*)(SectionGapStart+fakefunctionlen),(void*)codeaddress,thisclausebytes);
/* On my machine the code of CreateProcessW looks like this:
KERNEL32!CreateProcessW
001B:77E6B252 55 PUSH EBP
001B:77E6B253 8BEC MOV EBP, ESP
001B:77E6B255 FF752C PUSH DWORD PTR [EBP+2C]
The second and third instructions are exactly 5 bytes long, so I chose to replace them with the jump.
The jump opcode is 0xE9; displacement = destination address - start address - length of the jump instruction itself.
*/
// Trampoline tail: JMP rel32 to the instruction following the relocated bytes.
*(PUCHAR)((PUCHAR)SectionGapStart +fakefunctionlen+thisclausebytes) = 0xE9;
*(PULONG)((PUCHAR)SectionGapStart+fakefunctionlen+thisclausebytes+1) = (ULONG)(codeaddress + thisclausebytes)
- (ULONG)(SectionGapStart + fakefunctionlen+thisclausebytes) - 5; // rel32 = target - address of this JMP - 5
//__asm CLI
// Patch site: JMP rel32 from codeaddress into the trampoline.
makerw((int)codeaddress,5,0);
*(PUCHAR)((PUCHAR)codeaddress) = 0xE9;
*(PULONG)((PCHAR)codeaddress + 1) = (ULONG)SectionGapStart - (ULONG)codeaddress- 5;
//__asm STI
//PTE_ENTRY((ULONG)pfnOrig) &= 0xFFD;
return SectionGapStart;
}
// Messages written by the two hook bodies; their addresses are taken with lea inside the naked functions.
char string1[] = "--->condition 1";
char string2[] = "--->condition 2";
// Call target for the hook bodies, held in a global so that `call opfn` is an
// indirect call through an absolute address (presumably so the copied bytes do
// not depend on where the trampoline is placed).
DWORD opfn=(DWORD)OutputDebugStringA;
/*
 * Hook body for condition 1. __declspec(naked): no prologue, epilogue or ret.
 * Patch_new copies these bytes into the trampoline ahead of the relocated
 * original instructions and a jump back, so control falls through the end of
 * this block. PUSHAD/POPAD preserve every general register around the call;
 * OutputDebugStringA is stdcall and pops its own argument.
 * The 13 NOP bytes terminate the body: GetMyFunctionLen scans dword-aligned
 * from the function start, and any run of at least 7 NOPs contains an
 * aligned 0x90909090, so only the bytes before that marker are copied.
 * NOTE(review): the declaration has no return type (MSVC defaults to int).
 */
__declspec(naked) NewCreateProcessW1()
{
__asm
{
PUSHAD
lea eax, string1
push eax
call opfn
POPAD
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Hook body for condition 2; identical in shape to NewCreateProcessW1 but
 * reports string2. Naked, no ret: execution falls through into the relocated
 * original bytes that Patch_new places after it. PUSHAD/POPAD preserve the
 * general registers; OutputDebugStringA is stdcall and pops its argument.
 * The trailing NOP run is the 0x90909090 terminator GetMyFunctionLen scans
 * for (13 bytes guarantee a dword-aligned marker from the function start).
 * NOTE(review): the declaration has no return type (MSVC defaults to int).
 */
__declspec(naked) NewCreateProcessW2()
{
__asm
{
PUSHAD
lea eax, string2
push eax
call opfn
POPAD
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/*
 * Install the condition-1 hook at addresshook, relocating instructionlen bytes.
 * In _DEBUG builds the function symbol presumably points at a 5-byte jmp thunk
 * (incremental linking), so its rel32 is followed to reach the real body;
 * otherwise GetMyFunctionLen would measure the thunk instead of the body.
 */
void hook_cond1(DWORD addresshook,int instructionlen)
{
    DWORD target = (DWORD)NewCreateProcessW1;
#ifdef _DEBUG
    const DWORD *rel = (const DWORD*)(target + 1);
    target += 5 + *rel;
#endif
    Patch_new(addresshook, instructionlen, target);
}
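/*
 * Install the condition-2 hook at addresshook, relocating instructionlen bytes.
 * Made consistent with hook_cond1: in _DEBUG builds the function symbol refers
 * to the incremental-linking jump thunk, so its rel32 is followed to reach the
 * real body; without this, GetMyFunctionLen would scan the thunk and the
 * trampoline would carry the wrong bytes.
 */
void hook_cond2(DWORD addresshook,int instructionlen)
{
    DWORD temp = (DWORD)NewCreateProcessW2;
#ifdef _DEBUG
    DWORD* ptr = (DWORD*)(temp + 1);
    temp = temp + 5 + ptr[0];
#endif
    Patch_new(addresshook, instructionlen, temp);
}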