//
// Hook.h /* written by dummyz@126.com 2007/10/20 */ #ifndef __HOOK_INC__ #define __HOOK_INC__ typedef struct _HOOKIMPORT { FARPROC pfnOldProc; FARPROC pfnNewProc; } HOOKIMPORT, *PHOOKIMPORT; DWORD HookImportTable(LPVOID lpModuleBaseAddr, PHOOKIMPORT pHookImp, DWORD dwCount); DWORD UnHookImportTable(LPVOID lpModuleBaseAddr, PHOOKIMPORT pHookImp, DWORD dwCount); // // Hook.cpp /* written by dummyz@126.com 2007/10/20 */ #include <windows.h> #include "Hook.h" DWORD HookImportTable(LPVOID lpModuleBaseAddr, PHOOKIMPORT pHookImp, DWORD dwCount) { DWORD dwResult = 0; __try { PIMAGE_DOS_HEADER pDosH = (PIMAGE_DOS_HEADER)lpModuleBaseAddr; PIMAGE_NT_HEADERS pNtH = (PIMAGE_NT_HEADERS)((ULONG)pDosH + pDosH->e_lfanew); ULONG ImpRav = pNtH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; if ( ImpRav == 0 ) { return 0; } HANDLE hProcess = GetCurrentProcess(); PIMAGE_IMPORT_DESCRIPTOR pImpDesc = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG)pDosH + ImpRav); while ( pImpDesc->Name != 0 ) { PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)((ULONG)pDosH + pImpDesc->FirstThunk); while ( pThunk->u1.AddressOfData != 0 ) { for ( DWORD dwIndex = 0; dwIndex < dwCount; dwIndex++ ) { PHOOKIMPORT p = pHookImp + dwIndex; if ( pThunk->u1.AddressOfData == (DWORD)p->pfnOldProc ) { DWORD dwWritten; BOOL bSuccessed = WriteProcessMemory( hProcess, (PVOID)&pThunk->u1.AddressOfData, (PVOID)&p->pfnNewProc, sizeof (DWORD), &dwWritten ); if ( bSuccessed ) { dwResult++; } break; } } pThunk++; } pImpDesc++; } } __except ( EXCEPTION_EXECUTE_HANDLER ) { } return dwResult; } static void _Swap(PHOOKIMPORT pHookImp, DWORD dwCount) { for ( DWORD dwIndex = 0; dwIndex < dwCount; dwIndex++ ) { FARPROC pfnOldProc = pHookImp[dwIndex].pfnOldProc; pHookImp[dwIndex].pfnOldProc = pHookImp[dwIndex].pfnNewProc; pHookImp[dwIndex].pfnNewProc = pfnOldProc; } } DWORD UnHookImportTable(LPVOID lpModuleBaseAddr, PHOOKIMPORT pHookImp, DWORD dwCount) { _Swap(pHookImp, dwCount); DWORD dwResult = HookImportTable(lpModuleBaseAddr, pHookImp, dwCount); _Swap(pHookImp, dwCount); return dwResult; } // // GetFlv.cpp /* 提供 flv 路径捕获接口 written by dummyz@126.com 2007/10/20 */ #include <tchar.h> #include <stdlib.h> #include <string.h> #include <stdio.h> #include <windows.h> #include <TlHelp32.h> #include <shlwapi.h> #include "GetFlv.h" #include "Hook.h" // // 类型定义 // typedef HMODULE (WINAPI* PFN_LoadLibraryExW)(LPCWSTR,HANDLE,DWORD); // // 全局变量 // #pragma data_seg(".sh") HHOOK __hMouseHook = NULL; HWND __hWnd = NULL; int __nMonitorState = 0; #pragma data_seg() #pragma comment(linker, "/section:.sh,rws") HMODULE __hModule; HOOKIMPORT __HookImpStc[2]; struct { ULONG sub_300BE976; // 300BE976 ULONG PatchedCode; // 300910DB BOOL bPatched; } __PatchFlashOcx; // // 函数实现 // void __stdcall LogOut(PCTSTR pszString) { if ( pszString != NULL ) { if ( StrStrI(pszString, "flv") != NULL ) // 肯定存在不准确性,暂时这样宁可误判,不可误漏 { #if 0 FILE* f = fopen("c://getflv.log", "a+"); if ( f != NULL ) { fprintf(f, "%s/n", pszString); fclose(f); } #else COPYDATASTRUCT cds; cds.dwData = 0x8702; cds.cbData = strlen(pszString) + 1; cds.lpData = (LPVOID)pszString; SendMessage(__hWnd, WM_COPYDATA, 0, (LPARAM)&cds); #endif } } } int __declspec(naked) Dummy_Sub300BE976() { __asm { mov eax, [esp + 8] push ecx push eax call LogOut pop ecx jmp [__PatchFlashOcx].sub_300BE976 } } BOOL PatchFlashOcx(LPVOID lpBaseAddr) { __try { // search code PIMAGE_DOS_HEADER pDosH = (PIMAGE_DOS_HEADER)lpBaseAddr; PIMAGE_NT_HEADERS pNtH = (PIMAGE_NT_HEADERS)((ULONG)pDosH + pDosH->e_lfanew); PBYTE pb = (PBYTE)pDosH + pNtH->OptionalHeader.BaseOfCode; PBYTE pe = pb + pNtH->OptionalHeader.SizeOfCode - 100; while ( pb < pe ) { /* 300910D3 >|> /FF76 1C push dword ptr [esi+1C] 300910D6 |. |68 F8A11A30 push 301AA1F8 ; ASCII "url_request" 300910DB |. |E8 96D80200 call <sub_300BE976> */ if ( pb[0] == 0xff && pb[1] == 0x76 && pb[2] == 0x1c && pb[3] == 0x68 && pb[8] == 0xe8 ) { __try { const char* s = *(char**)(pb + 4); if ( _stricmp(s, "url_request") == 0 ) { DWORD dwCallOffset, dwWritten; dwCallOffset = (DWORD)Dummy_Sub300BE976 - (DWORD)(pb + 8 + 5); __PatchFlashOcx.PatchedCode = (DWORD)(pb + 9); __PatchFlashOcx.sub_300BE976 = *(PDWORD)(pb + 9) + (DWORD)(pb + 8 + 5); __PatchFlashOcx.bPatched = WriteProcessMemory( GetCurrentProcess(), pb + 9, &dwCallOffset, 4, &dwWritten); break; } } __except ( EXCEPTION_EXECUTE_HANDLER ) { } } pb++; } } __except ( EXCEPTION_EXECUTE_HANDLER ) { } return __PatchFlashOcx.bPatched; } BOOL UnPatchFlashOcx() { if ( __PatchFlashOcx.bPatched ) { DWORD dwWritten; DWORD dwOffset = __PatchFlashOcx.sub_300BE976 - __PatchFlashOcx.PatchedCode - 4; __PatchFlashOcx.bPatched = !WriteProcessMemory(GetCurrentProcess(), (PVOID)__PatchFlashOcx.PatchedCode, &dwOffset, 4, &dwWritten); } return !__PatchFlashOcx.bPatched; } HMODULE WINAPI NewLoadLibraryExA( LPCSTR lpFileName, HANDLE hFile, DWORD dwFlags ) { HMODULE hModule = LoadLibraryExA(lpFileName, hFile, dwFlags); if ( hModule != NULL && (dwFlags & LOAD_LIBRARY_AS_DATAFILE) == 0 ) { OutputDebugStringA(lpFileName); PCSTR lpName = strrchr(lpFileName, L'//'); if ( lpName == NULL ) { lpName = strrchr(lpFileName, L'/'); if ( lpName == NULL ) lpName = lpFileName; } lpName++; static PCSTR pszFlashOcx[] = { "flash9c.ocx", "flash9d.ocx" }; for ( unsigned i = 0; i < sizeof (pszFlashOcx) / sizeof (pszFlashOcx[0]); i++ ) { if ( stricmp(lpName, pszFlashOcx[i]) == 0 ) { PatchFlashOcx((LPVOID)hModule); break; } } HookImportTable((LPVOID)hModule, __HookImpStc, sizeof (__HookImpStc) / sizeof (__HookImpStc[0])); } return hModule; } HMODULE WINAPI NewLoadLibraryExW( LPCWSTR lpFileName, HANDLE hFile, DWORD dwFlags ) { HMODULE hModule = LoadLibraryExW(lpFileName, hFile, dwFlags); if ( hModule != NULL && (dwFlags & LOAD_LIBRARY_AS_DATAFILE) == 0 ) { OutputDebugStringW(lpFileName); PCWSTR lpName = wcsrchr(lpFileName, L'//'); if ( lpName == NULL ) { lpName = wcsrchr(lpFileName, L'/'); if ( lpName == NULL ) lpName = lpFileName; } lpName++; static PCWSTR pszFlashOcx[] = { L"flash9c.ocx", L"flash9d.ocx" }; for ( unsigned i = 0; i < sizeof (pszFlashOcx) / sizeof (pszFlashOcx[0]); i++ ) { if ( _wcsicmp(lpName, pszFlashOcx[i]) == 0 ) { PatchFlashOcx((LPVOID)hModule); break; } } HookImportTable((LPVOID)hModule, __HookImpStc, sizeof (__HookImpStc) / sizeof (__HookImpStc[0])); } return hModule; } void HookModules(BOOL bHook) { MODULEENTRY32 me; me.dwSize = sizeof (me); HANDLE hModSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId()); BOOL bContinue = hModSnap != NULL && Module32First(hModSnap, &me); while ( bContinue ) { if ( me.hModule !=__hModule ) { if ( bHook ) { HookImportTable(me.modBaseAddr, __HookImpStc, sizeof (__HookImpStc) / sizeof (__HookImpStc[0])); static PCSTR pszFlashOcx[] = { _T("flash9c.ocx"), _T("flash9d.ocx") }; for ( unsigned i = 0; i < sizeof (pszFlashOcx) / sizeof (pszFlashOcx[0]); i++ ) { if ( _tcsicmp(me.szModule, pszFlashOcx[i]) == 0 ) { PatchFlashOcx(me.modBaseAddr); break; } } } else { UnHookImportTable(me.modBaseAddr, __HookImpStc, sizeof (__HookImpStc) / sizeof (__HookImpStc[0])); } } bContinue = Module32Next(hModSnap, &me); } if ( hModSnap != NULL ) { CloseHandle(hModSnap); } } LRESULT WINAPI MouseHookProc(int nCode, WPARAM wParam, LPARAM lParam) { return CallNextHookEx(__hMouseHook, nCode, wParam, lParam); } BOOL WINAPI InstallMonitor(HWND hWnd) { if ( __hMouseHook == NULL && IsWindow(hWnd) ) { __hWnd = hWnd; __hMouseHook = SetWindowsHookEx(WH_MOUSE, MouseHookProc, __hModule, 0); return (__hMouseHook != NULL); } return FALSE; } BOOL WINAPI UninstallMonitor() { if ( __hMouseHook != NULL ) { if ( !UnhookWindowsHookEx(__hMouseHook) ) { return FALSE; } __hWnd = NULL; __hMouseHook = NULL; } return TRUE; } void WINAPI SetMonitorState(int nState) { __nMonitorState = nState; } BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID p) { if ( dwReason == DLL_PROCESS_ATTACH ) { __hModule = hModule; HMODULE hKnl32Mod = GetModuleHandle(_T("kernel32.dll")); __HookImpStc[0].pfnOldProc = GetProcAddress(hKnl32Mod, "LoadLibraryExA"); __HookImpStc[0].pfnNewProc = (FARPROC)NewLoadLibraryExA; __HookImpStc[1].pfnOldProc = GetProcAddress(hKnl32Mod, "LoadLibraryExW"); __HookImpStc[1].pfnNewProc = (FARPROC)NewLoadLibraryExW; HookModules(TRUE); } else if ( dwReason == DLL_PROCESS_DETACH ) { HookModules(FALSE); UnPatchFlashOcx(); } return TRUE; } |
GetFlv
最新推荐文章于 2021-02-05 02:11:59 发布