API HOOK之注册表简单监控

一、HOOK DLL的编写:

#include <windows.h>
#include <Tlhelp32.h>
#include <stdio.h>
//==========================================================================================

HINSTANCE glhInstance=NULL; //DLL实例句柄 

BYTE g_OldRegCreateKeyExCode[5] = {0}; //存放函数地址
BYTE g_NewRegCreateKeyExCode[5] = {0}; //存放函数地址

FARPROC FuncAddr = NULL;                //函数地址
DWORD PID=0;                            //进程PID
int count=0;
HANDLE hProcess;
//==========================================================================================
typedef struct tagReg_Info    //存放 RegCreateKeyEx() 的信息
{
	HKEY hKey;                // handle to an open key
	LPCTSTR lpSubKey;         // address of subkey name
	DWORD Reserved;           // reserved
	LPTSTR lpClass;           // address of class string
	DWORD dwOptions;          // special options flag
	REGSAM samDesired;        // desired security access
	LPSECURITY_ATTRIBUTES lpSecurityAttributes;
	// address of key security structure
	PHKEY phkResult;          // address of buffer for opened handle
	LPDWORD lpdwDisposition;   // address of disposition value buffer   
}Reg_Info;

Reg_Info RegInfo;

//==========================================================================================
#pragma data_seg("mydata") 
HHOOK hook=NULL;         //安装的鼠标勾子句柄  
#pragma data_seg() 
#pragma comment(linker,"/SECTION:mydata,RWS") 

//==========================================================================================
_declspec (dllexport) bool Inject();
_declspec (dllexport) bool SetHook();
_declspec (dllexport) bool UnSetHook();
bool Init();

LONG MyRegCreateKeyEx(
					  HKEY hKey,                // handle to an open key
					  LPCTSTR lpSubKey,         // address of subkey name
					  DWORD Reserved,           // reserved
					  LPTSTR lpClass,           // address of class string
					  DWORD dwOptions,          // special options flag
					  REGSAM samDesired,        // desired security access
					  LPSECURITY_ATTRIBUTES lpSecurityAttributes,
					  // address of key security structure
					  PHKEY phkResult,          // address of buffer for opened handle
					  LPDWORD lpdwDisposition   // address of disposition value buffer
					  );


LONG HookOff();
LRESULT CALLBACK ShellProc(
						   int nCode,      // hook code
						   WPARAM wParam,  // event-specific information
						   LPARAM lParam   // event-specific information
						   );
//==========================================================================================
//==========================================================================================

BOOL WINAPI DllMain(
					HINSTANCE hinstDLL,  // handle to DLL module
					DWORD fdwReason,     // reason for calling function
					LPVOID lpvReserved   // reserved
					)
{
	glhInstance=hinstDLL;
    return 1;
}
//==========================================================================================
_declspec (dllexport) bool Inject()
{
	Init();
    //hProcess = OpenProcess(PROCESS_ALL_ACCESS,0, PID); 
	if(hProcess == NULL) 
	{
		return false; 
	}
	CRITICAL_SECTION cs;
	InitializeCriticalSection(&cs);
	EnterCriticalSection(&cs);
	
	DWORD PROTECT=0;
	VirtualProtectEx(hProcess, FuncAddr, 5, PAGE_READWRITE, &PROTECT);          //申请CreateWindowExA地址处的写权限,
	WriteProcessMemory(hProcess, FuncAddr, g_NewRegCreateKeyExCode, 5, NULL);   //然后写入跳转代码,然后恢复权限
	VirtualProtectEx(hProcess, FuncAddr, 5, PROTECT, &PROTECT);
	   
	LeaveCriticalSection(&cs);
    DeleteCriticalSection(&cs);
	CloseHandle(hProcess);   
	return true;
}
//==========================================================================================
_declspec (dllexport) bool SetHook()
{
	
	hook=SetWindowsHookEx(WH_SHELL,ShellProc,glhInstance,0);
	if(NULL==hook)
	{
		::MessageBox(NULL,"SetWindowsHookEx!","Error!",MB_ICONERROR);
		return false;
	}
	return true;
}

//==========================================================================================
//==========================================================================================
_declspec (dllexport) bool UnSetHook()
{
	bool ret=false;
	if(hook)
	{
		ret=UnhookWindowsHookEx(hook);
		if(!ret)
		{
			::MessageBox(NULL,"UnhookWindowsHookEx!","Error!",MB_ICONERROR);
			return false;
		}
		
		return true;
	}	
	return false;
}

LRESULT CALLBACK ShellProc(int nCode, WPARAM wParam,LPARAM lParam)
{
	if(nCode==HSHELL_WINDOWCREATED)     //  HOOK的目的只在于映射进DLL,这里后面的处理也可以,
	{
		PID=GetCurrentProcessId();   	//  但是这里只做API注入,就不用了
		hProcess = OpenProcess(PROCESS_ALL_ACCESS,0, PID); 
		Init();
		Inject();
	}
	return CallNextHookEx(hook,nCode,wParam,lParam); 	
}

//==================================================================================
//==================================================================================
LONG MyRegCreateKeyEx(
					  HKEY hKey,                // handle to an open key
					  LPCTSTR lpSubKey,         // address of subkey name
					  DWORD Reserved,           // reserved
					  LPTSTR lpClass,           // address of class string
					  DWORD dwOptions,          // special options flag
					  REGSAM samDesired,        // desired security access
					  LPSECURITY_ATTRIBUTES lpSecurityAttributes,
					  // address of key security structure
					  PHKEY phkResult,          // address of buffer for opened handle
					  LPDWORD lpdwDisposition   // address of disposition value buffer
					  )
{
	char str[1000]={0};  
	if(HKEY_LOCAL_MACHINE==hKey)
	{
		sprintf(str,"注册表位置: HKEY_LOCAL_MACHINE\\%s \nRegedit is being Created !",lpSubKey); 
	}
	if(HKEY_USERS==hKey)
	{
		sprintf(str,"注册表位置: HKEY_USERS\\%s \nRegedit is being Created !",lpSubKey); 
	}
	if(HKEY_CLASSES_ROOT==hKey)
	{
		sprintf(str,"注册表位置: HKEY_CLASSES_ROOT\\%s \nRegedit is being Created !",lpSubKey); 
	}
	if(HKEY_CURRENT_CONFIG==hKey)
	{
		sprintf(str,"注册表位置: HKEY_CURRENT_CONFIG\\%s \nRegedit is being Created !",lpSubKey); 		
	}
	/**/else        //  if(HKEY_CURRENT_USER==hKey)         ((HKEY) (ULONG_PTR)((LONG)0x80000001))
	{
		sprintf(str,"注册表位置: HKEY_CURRENT_USER\\%s \nRegedit is being Created !\nPID: %ld",lpSubKey,PID); 
		
	}
	
	if(count<1)
	{
		::MessageBox(NULL,str,"warning",MB_ICONWARNING);
	}
    count++;
	/*	HANDLE hFile=CreateFile("C:\\RegLog.txt",GENERIC_READ|GENERIC_WRITE,0,NULL,OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
	if(hFile)
	{
	::MessageBox(NULL,"CreateFile Error","warning",MB_ICONWARNING);
	}
	
	  if(SetFilePointer(hFile,0,NULL,FILE_END)==0xFFFFFFFF)
	  {
	  ::MessageBox(NULL,"SetFilePointer Error","warning",MB_ICONWARNING);
	  }
	  OVERLAPPED olp;
	  olp.hEvent=NULL;
	  olp.OffsetHigh=0;
	  
		if(!WriteFileEx(hFile,str,strlen(str)+1,&olp,NULL))
		{
		::MessageBox(NULL,"SetFilePointer Error","warning",MB_ICONWARNING);
		}
		
	*/
    ZeroMemory(&RegInfo,sizeof(RegInfo));
	RegInfo.dwOptions=dwOptions;       // 保存传入的信息:
	RegInfo.hKey=hKey;
	RegInfo.lpClass=lpClass;
	RegInfo.lpdwDisposition=lpdwDisposition;
	RegInfo.lpSecurityAttributes=lpSecurityAttributes;
	RegInfo.lpSubKey=lpSubKey;
	RegInfo.phkResult=phkResult;
	RegInfo.Reserved=Reserved;
	RegInfo.samDesired=samDesired;
	
	HookOff();
	Sleep(1000);
	LONG  ret=RegCreateKeyEx(RegInfo.hKey,
		RegInfo.lpSubKey,
		RegInfo.Reserved,
		RegInfo.lpClass,
		RegInfo.dwOptions,
		RegInfo.samDesired,
		RegInfo.lpSecurityAttributes,
		RegInfo.phkResult,
		RegInfo.lpdwDisposition);
	Sleep(1000);
	Inject();	return ret;
	
}
//==================================================================================
LONG HookOff()
{	
	//hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, PID); 
	if(hProcess == NULL) 
	{
		return (LONG)1; 
	}
	//写入原CreateWindowExA的5个字节代码 
	CRITICAL_SECTION cs;
	InitializeCriticalSection(&cs);
	EnterCriticalSection(&cs);
	
	   DWORD PROTECT=0;
	   VirtualProtectEx(hProcess, FuncAddr, 5, PAGE_READWRITE, &PROTECT); 
	   WriteProcessMemory(hProcess, FuncAddr, g_OldRegCreateKeyExCode, 5, NULL); 
	   VirtualProtectEx(hProcess, FuncAddr, 5, PROTECT, &PROTECT);
	   
	   LeaveCriticalSection(&cs);
	   DeleteCriticalSection(&cs);
       
	   
	   //CloseHandle(hProcess);  
	   return (LONG)1;
}

bool Init()
{
	   //FuncAddr = GetProcAddress(LoadLibrary("Advapi32.dll"),"RegCreateKeyExW");
	   FuncAddr = GetProcAddress(LoadLibrary("Advapi32.dll"),"RegCreateKeyExA");
	   if(NULL==FuncAddr)
		   return false;
	   
	   CRITICAL_SECTION cs;
	   InitializeCriticalSection(&cs);
	   EnterCriticalSection(&cs);
	   
	   _asm 
	   { 
		   lea edi, g_OldRegCreateKeyExCode
			   mov esi, FuncAddr 
			   cld 
			   movsd //将CreateWindowExA地址起始的4个字节(dword)写入g_OldCreateWindowExACode 
			   movsb //将CreateWindowExA+4地址起始处的1个字节(byte)写入g_OldCreateWindowExACode+4 
	   } 
	   //jmp xxxxxxxx的机器码为e9xxxxxxxx,其中e9后的xxxxxxxx为相对跳转偏移,共5个字节
	   g_NewRegCreateKeyExCode[0] = 0xe9; 
	   _asm 
	   { 
		   lea eax, MyRegCreateKeyEx   //
			   mov ebx, FuncAddr    
			   sub eax, ebx 
			   sub eax, 5 //获得相对跳转偏移  //偏移地址 = 我们函数的地址 - 原API函数的地址 - 5
			   mov dword ptr [g_NewRegCreateKeyExCode + 1], eax 
	   }
	   LeaveCriticalSection(&cs);
	   DeleteCriticalSection(&cs);
	   
}

二、监控程序(略)

调用DLL中的函数即可,可以自行扩展hook的函数,这里只hook了 RegCreateKeyEx

(菜鸟所作,如有错误,恳请指出。谢谢)

阅读更多
个人分类: C/C++
想对作者说点什么? 我来说一句

没有更多推荐了,返回首页

加入CSDN,享受更精准的内容推荐,与500万程序员共同成长!
关闭
关闭