Ring3下Inline Hook API

最新推荐文章于 2021-05-11 16:15:06 发布

sysprogram

最新推荐文章于 2021-05-11 16:15:06 发布

阅读量4.1k

点赞数 2

分类专栏： C/C++/MFC 文章标签： hook api attributes winapi null byte

本文链接：https://blog.csdn.net/SysProgram/article/details/6611229

版权

C/C++/MFC 专栏收录该内容

129 篇文章 3 订阅

订阅专栏

用CreateFile为例子，讲解一下Ring3下的Inline Hook API，基本原理很简单

1、获取CreateFile函数的地址

2、读取CreateFile函数的前8个字节

3、将CreateFile函数的前8个字节，修改成mov eax,我的函数地址 jmp eax

4、进入我的函数地址之后，记得恢复CreateFile函数原来的8个字节，不然没法正常使用CreateFile

代码如下：

#include <windows.h>
#include <stdio.h>
#include <iostream.h>
#include <tchar.h>

//修改API入口为 mov eax, 00400000;jmp eax是程序能跳转到自己的函数
BYTE NewBytes[8] = {0xB8, 0x0, 0x0, 0x40, 0x0, 0xFF, 0xE0, 0x0};
BYTE OldBytes[8] = {0};

FARPROC CreateFile_Addr;

HANDLE WINAPI MyCreateFile(
		__in          LPCTSTR lpFileName,
		__in          DWORD dwDesiredAccess,
		__in          DWORD dwShareMode,
		__in          LPSECURITY_ATTRIBUTES lpSecurityAttributes,
		__in          DWORD dwCreationDisposition,
		__in          DWORD dwFlagsAndAttributes,
		__in          HANDLE hTemplateFile
		)
{
	MessageBox(0,"MyCreateFile",0,0);
	//恢复API头8个字节
	WriteProcessMemory( INVALID_HANDLE_VALUE, (void*)CreateFile_Addr,
		(void*)OldBytes, 8, NULL);

	printf("lpFileName is %s\n",lpFileName);

	//调用正确的函数
	HANDLE hFile=CreateFileA(lpFileName,dwDesiredAccess,dwShareMode,
		lpSecurityAttributes,dwCreationDisposition,dwFlagsAndAttributes,hTemplateFile);
		
	//写入跳转语句，继续Hook
       WriteProcessMemory(INVALID_HANDLE_VALUE, (void*)CreateFile_Addr,
       (void*)NewBytes, 8, NULL);

	return hFile;
}


void main()
{
	HMODULE hModule_Kernel32 = LoadLibrary("Kernel32.dll");
	CreateFile_Addr = GetProcAddress(hModule_Kernel32, "CreateFileA");

	printf("CreateFileA_Addr is %x\n",CreateFile_Addr);
	printf("MyCreateFile Addr is %x\n",MyCreateFile);
	
	//读CreateFile函数的前8个字节
	if(ReadProcessMemory(INVALID_HANDLE_VALUE,CreateFile_Addr,OldBytes,8,NULL)==0)
	{
		printf("ReadProcessMemory error\n");
		return;
	}
	
	printf("OldBytes is %x%x%x%x%x%x%x%x\n",OldBytes[0],OldBytes[1],OldBytes[2],
		OldBytes[3],OldBytes[4],OldBytes[5],OldBytes[6],OldBytes[7]);
	
	//将NewBytes改成My函数地址
	*(DWORD*)(NewBytes + 1) = (DWORD)MyCreateFile;
	
	printf("NewBytes is %x%x%x%x%x%x%x%x\n",NewBytes[0],NewBytes[1],NewBytes[2],NewBytes[3],
		NewBytes[4],NewBytes[5],NewBytes[6],NewBytes[7]);
	
	//写入跳转，开始Hook
	WriteProcessMemory(INVALID_HANDLE_VALUE,CreateFile_Addr,NewBytes,8,NULL);

	//调用CreateFileA测试一下。
	HANDLE hFile=CreateFileA("C:\\1.txt",GENERIC_ALL,FILE_SHARE_READ,0,CREATE_ALWAYS,0,0);
	CloseHandle(hFile);
}