这个模板的思路是这样的:
1.破坏原地址的指令(至少5字节,此处如果含有跳转会报失败),写一个跳转,被破坏的指令迁移到别的地方;
2.跳转到中转函数,中转函数中会调用用户定义的功能函数;
3.执行原地址被破坏的指令,跳转到原地址的下一指令处。
如果是在API(或普通call)头部进行hook的话,还支持执行API前调用用户定义的“执行前处理函数”,并在执行完API后调用用户定义的“执行后处理函数”。
使用了bea引擎来识别指令长度;
使用了Tls进行线程同步;
对API或者call进行hook的时候不需要知道函数原型;
对API或者call进行hook的时候支持修改函数参数和函数返回值;
肯定还是有很多不足的地方,欢迎朋友们指出和指导!
普通地址hook的中转函数x64代码:
// ---------------------------------------------------------------------------
// x64 trampoline template: hook at an ordinary (non-API) address.
// Syntax: debugger-style Intel notation. Every numeric literal is HEX with
// no suffix (12 = 0x12, 20 = 0x20, 68 = 0x68) and each <...> is a 32-bit
// value the generator patches in. Target: Windows x64 (TlsSetValue is a
// Win32 API; the Win64 calling convention applies to every call below).
//
// Flow:
//   1. save rax/rcx/rdx, TlsSetValue(slot, &saved_regs)   -- publish registers
//   2. save the remaining GPRs, call the user-defined function
//   3. restore all GPRs, run the displaced original instructions
//   4. TlsSetValue(slot, 0) with EFLAGS preserved, jump back to the
//      instruction following the hooked bytes
//
// Every absolute 64-bit transfer uses one 18-byte pattern:
//   call @label / add dword ptr [rsp],12 / push lo / mov dword [rsp+4],hi / ret
// "call" with rel32 = 0 pushes the address of @label; adding 0x12
// (4 + 5 + 8 + 1 bytes of add/push/mov/ret) turns it into the address right
// after the "ret", so the callee's own ret lands there. The push/mov pair
// assembles the 64-bit target on the stack and "ret" pops it as the jump.
// NOTE(review): that add is a 32-bit add on the low dword only; a carry into
// the high dword (trampoline placed just below a 4 GiB boundary) would corrupt
// the return address -- confirm the generator's allocation rules that out.
// NOTE(review): push/ret transfers and an edited return address are exactly
// what user-mode CET shadow stacks reject; expect this template to fault in a
// process with shadow-stack enforcement enabled.
// NOTE(review): nothing in this first half saves EFLAGS (the add/sub below
// clobber them before the displaced instructions run; only the tail uses
// pushfq/popfq), so the hook must not sit where flags are live.
push rax                                // rax/rcx/rdx are clobbered by the argument setup below
push rcx
push rdx
mov ecx,<TlsValue_for_register>         // rcx = TLS slot index (arg 1; 32-bit write zero-extends)
mov rdx,rsp
sub rdx,68                              // rdx = rsp - 0x68 (13*8): the rsp the 13 pushes below
                                        // will reach, i.e. &saved_regs (arg 2)
sub rsp,20                              // 0x20 = 32-byte shadow space required by the Win64 ABI
call @lable1 //e8 00 00 00 00           // rel32 = 0: only pushes the address of @lable1
@lable1:
add dword ptr ss:[rsp],12               // return address := @lable1 + 0x12 = the "add rsp,20" below
push <low_32bit_TlsSetValue>
mov dword ptr ss:[rsp+4],<high_32bit_TlsSetValue>   // [rsp] = 64-bit address of TlsSetValue
ret                                     // acts as "call TlsSetValue(slot, &saved_regs)"
add rsp,20                              // drop the shadow space
push rbx                                // saved-register block (rbx ... r15, top to bottom);
push rbp                                // the user function reaches it through the TLS pointer
push rsp                                // the value saved here equals rsp after "pop rsi" below,
push rsi                                // so the matching "pop rsp" is a no-op slot
push rdi
push r8
push r9
push r10
push r11
push r12
push r13
push r14
push r15                                // rsp now equals the rdx value passed to TlsSetValue
// NOTE(review): no "sub rsp,20" here, unlike around the TlsSetValue calls: the
// user function is entered with its 32-byte home area overlapping the saved
// r15..r12 slots, so a callee that spills into that area corrupts them. Its
// entry rsp is hook-site rsp - 0x88 (16 pushes + return address); whether that
// is ABI-aligned (rsp == 8 mod 16) depends on the hook site -- confirm.
call @lable2 //e8 00 00 00 00           // rel32 = 0: pushes the address of @lable2
@lable2:
add dword ptr ss:[rsp],12               // return address := @lable2 + 0x12 = the "pop r15" below
push <low_32bit_user_define_function>
mov dword ptr ss:[rsp+4],<high_32bit_user_define_function>   // [rsp] = 64-bit user function address
ret                                     // acts as "call user_define_function()"
pop r15                                 // restore in reverse order; edits the user function made to
pop r14                                 // the saved block through the TLS pointer take effect here
pop r13
pop r12
pop r11
pop r10
pop r9
pop r8
pop rdi
pop rsi
pop rsp                                 // loads the value stored by "push rsp": no net change
pop rbp
pop rbx
pop rdx
pop rcx
pop rax                                 // rsp is back at the hook-site value
nop // copy the displaced original instructions here (30-byte slot). Per the
    // intro a relative branch among them is reported as a failure; whether
    // rip-relative operands are rewritten by the generator is not visible here.
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop                                     // end of the displaced-instruction slot
pushfq                                  // EFLAGS left by the displaced instructions must survive
push rax                                // the TlsSetValue call; rax/rcx/rdx are clobbered below
push rcx
push rdx
sub rsp,20                              // shadow space (0x20 = 32 bytes)
mov ecx,<TlsValue_for_register>         // rcx = TLS slot index
xor rdx,rdx                             // rdx = 0: TlsSetValue(slot, NULL) clears the register pointer
// NOTE(review): with pushfq this call's entry rsp is 8 bytes further down than
// the first TlsSetValue call's, so if the displaced instructions leave rsp
// unchanged at most one of the two calls can be 16-byte aligned -- confirm
// TlsSetValue tolerates that.
call @lable3 //e8 00 00 00 00           // rel32 = 0: pushes the address of @lable3
@lable3:
add dword ptr ss:[rsp],12               // return address := @lable3 + 0x12 = the "add rsp,20" below
push <low_32bit_TlsSetValue>
mov dword ptr ss:[rsp+4],<high_32bit_TlsSetValue>
ret                                     // acts as "call TlsSetValue(slot, 0)"
add rsp,20
pop rdx
pop rcx
pop rax
popfq                                   // registers and flags now match the post-original state
push <low_32bit_jmpbackAdr>             // build the 64-bit jump-back address on the stack
mov dword ptr ss:[rsp+4],<high_32bit_jmpbackAdr>
ret                                     // jump to the instruction after the hooked bytes
API的hook中转函数x64代码:
// ---------------------------------------------------------------------------
// x64 trampoline template: hook at an API (or ordinary call) entry point.
// Same notation as the ordinary-address template: debugger-style Intel
// syntax, HEX literals without suffix (12 = 0x12, 20 = 0x20, 68 = 0x68),
// <...> = 32-bit values patched in by the generator. Target: Windows x64.
//
// NOTE(review): this listing is byte-for-byte the ordinary-address template;
// the "pre-call" / "post-call" processing and the return-value editing the
// intro promises for API hooks are not visible here -- presumably the
// user-defined function or the generator implements them. TODO confirm.
//
// Flow:
//   1. save rax/rcx/rdx, TlsSetValue(slot, &saved_regs)   -- publish registers
//      (the API's arguments rcx/rdx/r8/r9 are part of that block)
//   2. save the remaining GPRs, call the user-defined function
//   3. restore all GPRs, run the displaced first instructions of the API
//   4. TlsSetValue(slot, 0) with EFLAGS preserved, jump back into the API
//
// Absolute 64-bit transfers use the 18-byte pattern
//   call @label / add dword ptr [rsp],12 / push lo / mov dword [rsp+4],hi / ret
// "call" with rel32 = 0 pushes the address of @label; + 0x12 (4+5+8+1 bytes of
// add/push/mov/ret) makes it the address right after the "ret", which the
// callee returns to. The push/mov pair builds the 64-bit target; "ret" jumps.
// NOTE(review): the add touches the low dword only -- a carry into the high
// dword (trampoline just below a 4 GiB boundary) corrupts the return address.
// NOTE(review): push/ret transfers with an edited return address are what
// user-mode CET shadow stacks reject; expect a fault where they are enforced.
// NOTE(review): EFLAGS are not saved in this first half (add/sub clobber
// them); at an API entry flags are normally dead, so this is acceptable there.
push rax                                // rax/rcx/rdx are clobbered by the argument setup below
push rcx
push rdx
mov ecx,<TlsValue_for_register>         // rcx = TLS slot index (arg 1; 32-bit write zero-extends)
mov rdx,rsp
sub rdx,68                              // rdx = rsp - 0x68 (13*8): the rsp the 13 pushes below
                                        // will reach, i.e. &saved_regs (arg 2)
sub rsp,20                              // 0x20 = 32-byte shadow space required by the Win64 ABI
// At an API entry rsp == 8 (mod 16); after 3 pushes + 0x20 + the call's push
// TlsSetValue is entered at entry_rsp - 0x40, still == 8 (mod 16): aligned.
call @lable1 //e8 00 00 00 00           // rel32 = 0: only pushes the address of @lable1
@lable1:
add dword ptr ss:[rsp],12               // return address := @lable1 + 0x12 = the "add rsp,20" below
push <low_32bit_TlsSetValue>
mov dword ptr ss:[rsp+4],<high_32bit_TlsSetValue>   // [rsp] = 64-bit address of TlsSetValue
ret                                     // acts as "call TlsSetValue(slot, &saved_regs)"
add rsp,20                              // drop the shadow space
push rbx                                // saved-register block (rbx ... r15, top to bottom);
push rbp                                // the user function reaches it through the TLS pointer
push rsp                                // the value saved here equals rsp after "pop rsi" below,
push rsi                                // so the matching "pop rsp" is a no-op slot
push rdi
push r8                                 // r8/r9 hold API args 3/4; editing their slots changes them
push r9
push r10
push r11
push r12
push r13
push r14
push r15                                // rsp now equals the rdx value passed to TlsSetValue
// NOTE(review): no "sub rsp,20" here, unlike around the TlsSetValue calls: the
// user function's 32-byte home area overlaps the saved r15..r12 slots, so a
// callee that spills into it corrupts them. Entry rsp is entry_rsp - 0x88
// (16 pushes + return address), which for an API-entry hook is == 0 (mod 16):
// misaligned for the Win64 ABI. Confirm the user function tolerates both.
call @lable2 //e8 00 00 00 00           // rel32 = 0: pushes the address of @lable2
@lable2:
add dword ptr ss:[rsp],12               // return address := @lable2 + 0x12 = the "pop r15" below
push <low_32bit_user_define_function>
mov dword ptr ss:[rsp+4],<high_32bit_user_define_function>   // [rsp] = 64-bit user function address
ret                                     // acts as "call user_define_function()"
pop r15                                 // restore in reverse order; edits the user function made to
pop r14                                 // the saved block through the TLS pointer take effect here
pop r13
pop r12
pop r11
pop r10
pop r9
pop r8
pop rdi
pop rsi
pop rsp                                 // loads the value stored by "push rsp": no net change
pop rbp
pop rbx
pop rdx
pop rcx
pop rax                                 // rsp is back at the API-entry value
nop // copy the displaced original instructions here (30-byte slot). Per the
    // intro a relative branch among them is reported as a failure; whether
    // rip-relative operands are rewritten by the generator is not visible here.
    // An API prologue moved here may itself adjust rsp before the tail runs.
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop                                     // end of the displaced-instruction slot
pushfq                                  // EFLAGS left by the displaced instructions must survive
push rax                                // the TlsSetValue call; rax/rcx/rdx are clobbered below
push rcx
push rdx
sub rsp,20                              // shadow space (0x20 = 32 bytes)
mov ecx,<TlsValue_for_register>         // rcx = TLS slot index
xor rdx,rdx                             // rdx = 0: TlsSetValue(slot, NULL) clears the register pointer
// NOTE(review): with pushfq this call is entered 0x48 below the post-original
// rsp; if the displaced prologue left rsp unchanged that is == 0 (mod 16) for
// an API-entry hook -- misaligned. Confirm TlsSetValue tolerates it.
call @lable3 //e8 00 00 00 00           // rel32 = 0: pushes the address of @lable3
@lable3:
add dword ptr ss:[rsp],12               // return address := @lable3 + 0x12 = the "add rsp,20" below
push <low_32bit_TlsSetValue>
mov dword ptr ss:[rsp+4],<high_32bit_TlsSetValue>
ret                                     // acts as "call TlsSetValue(slot, 0)"
add rsp,20
pop rdx
pop rcx
pop rax
popfq                                   // registers and flags now match the post-original state
push <low_32bit_jmpbackAdr>             // build the 64-bit jump-back address on the stack
mov dword ptr ss:[rsp+4],<high_32bit_jmpbackAdr>
ret                                     // continue inside the API, right after the hooked bytes
x86的中转函数也没必要贴了,搜索一下满地都是。
利用代码就不贴了,需要成品的可以到零日论坛下载:http://www.jmpoep.com/thread-1053-1-1.html