http://wenku.baidu.com/view/0946ce1155270722192ef74f.html
demo1
demo2
//demo3
demo1
- #include "stdafx.h"
- #include <Windows.h>
- #include <dbghelp.h>
- #pragma comment( lib, "dbghelp.lib")
-
- // Swap one import-address-table (IAT) slot of hmodCaller: inside the import
- // descriptor named pszCalleeModName, the first thunk whose value equals
- // pfnCurent is overwritten with pfnNew. Returns the value the slot held
- // before the write, or 0 when the image has no import directory, no
- // descriptor named pszCalleeModName, or no thunk equal to pfnCurent.
- // NOTE(review): upfAddress and the return type are ULONG (32-bit), yet
- // ReadProcessMemory copies sizeof(PROC) bytes into &upfAddress; on a 64-bit
- // build that overruns the 4-byte local and truncates the saved pointer.
- // NOTE(review): mbi from VirtualQuery is never read, and the first
- // VirtualProtect targets pfnCurent (the callee) while the write and the
- // second VirtualProtect target ppfn (the IAT slot); install_api_hook further
- // down this page protects ppFunc in both calls. No API return value is
- // checked here.
- ULONG ReplaceIATEntryInOneMod( PCSTR pszCalleeModName,
- PROC pfnCurent, PROC pfnNew, HMODULE hmodCaller)
- {
- ULONG ulSize = 0;
- // dbghelp resolves the import directory; NULL when the image has none.
- PIMAGE_IMPORT_DESCRIPTOR pImportDesc = ( PIMAGE_IMPORT_DESCRIPTOR )
- ImageDirectoryEntryToData( hmodCaller, TRUE,
- IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize );
-
- if ( NULL == pImportDesc )
- return 0;
-
- // The descriptor array ends with an entry whose Name is 0. Name is the RVA
- // of the imported DLL's name; the comparison is case-insensitive.
- for ( ; pImportDesc->Name; pImportDesc++)
- {
- PSTR pszModName = (PSTR)
- ((PBYTE) hmodCaller + pImportDesc->Name );
- if ( 0 == lstrcmpiA( pszModName, pszCalleeModName) )
- break;
- }
-
- // Reached the terminator without finding the module.
- if ( 0 == pImportDesc->Name )
- {
- return 0;
- }
-
- // FirstThunk is the RVA of this descriptor's IAT; entries end at 0.
- PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)
- ((PBYTE) hmodCaller + pImportDesc->FirstThunk );
- for (; pThunk->u1.Function; pThunk++ )
- {
- PROC *ppfn = ( PROC *)&pThunk->u1.Function;
-
- BOOL bFound = (*ppfn == pfnCurent );
- if ( bFound )
- {
- MEMORY_BASIC_INFORMATION mbi = { 0 };
- VirtualQuery( pfnCurent, &mbi, sizeof(mbi) ); // result is never used
- DWORD dwOldProtect = 0;
- VirtualProtect( pfnCurent, sizeof(PROC), PAGE_READWRITE, &dwOldProtect );
- ULONG upfAddress = 0;
- // Save the slot's current value so the caller can chain to it.
- ReadProcessMemory( GetCurrentProcess(),
- ppfn,
- &upfAddress,
- sizeof(PROC),
- NULL );
- // Redirect the slot to pfnNew.
- WriteProcessMemory( GetCurrentProcess(),
- ppfn,
- &pfnNew,
- sizeof(pfnNew),
- NULL );
-
- // Restores ppfn using the protection read from pfnCurent's page.
- VirtualProtect( ppfn, sizeof(PROC), dwOldProtect, 0 );
- return upfAddress;
- }
- }
-
-
- return 0;
- }
-
- // Function-pointer type matching MessageBoxW's signature, used to call the
- // saved original through g_Proc.
- typedef int(
- WINAPI
- *PMyMessageBoxW)(
- __in_opt HWND hWnd,
- __in_opt LPCWSTR lpText,
- __in_opt LPCWSTR lpCaption,
- __in UINT uType);
-
- // Previous IAT slot value returned by ReplaceIATEntryInOneMod in _tmain;
- // stays NULL (and MyMessageBoxW would call through NULL) if that call
- // returns 0.
- PROC g_Proc = NULL;
- // Replacement that _tmain installs in this module's IAT in place of
- // MessageBoxW: logs lpText and lpCaption to stdout, then forwards every
- // argument to the original through g_Proc and returns its result.
- // NOTE(review): lpText and lpCaption are __in_opt (NULL allowed by the
- // declared contract) but are handed to wprintf "%s" unchecked. wprintf's
- // declaration is not visible in this listing — presumably via stdafx.h.
- int
- WINAPI
- MyMessageBoxW(
- __in_opt HWND hWnd,
- __in_opt LPCWSTR lpText,
- __in_opt LPCWSTR lpCaption,
- __in UINT uType)
- {
- wprintf(L"%s\n", lpText );
- wprintf(L"%s\n", lpCaption );
- // Chain to the saved original; g_Proc is never checked for NULL.
- return ((PMyMessageBoxW)g_Proc)(
- hWnd,
- lpText,
- lpCaption,
- uType);
- }
- // Symbol placed by the linker at this image's load base; _tmain casts its
- // address to HMODULE to name the executable's own import table.
- extern "C" IMAGE_DOS_HEADER __ImageBase;
-
-
-
-
-
- // Entry point of demo1: patches this executable's own IAT entry for
- // user32!MessageBoxW to MyMessageBoxW, keeps the previous slot value in
- // g_Proc, then calls MessageBoxW once so the detour is exercised.
- // NOTE(review): the result of ReplaceIATEntryInOneMod is not checked; a 0
- // return leaves g_Proc NULL while the IAT is untouched, so the MessageBoxW
- // below would still reach user32 directly.
- int _tmain(int argc, _TCHAR* argv[])
- {
-
- g_Proc = (PROC)ReplaceIATEntryInOneMod(
- "user32.dll",
- (PROC)MessageBoxW,
- (PROC)MyMessageBoxW,
- (HMODULE)&__ImageBase);
-
- MessageBoxW(NULL, L"TEST", L"HOOK", MB_OK );
-
- return 0;
- }
- // hooktest.cpp : Defines the entry point for the console application.
- //
-
- #include "stdafx.h"
- #include <Windows.h>
-
- // Forward declaration; the definition at the end of this listing names the
- // last two parameters pfnHookFunAddr / pfnNewFundAddr instead (harmless,
- // only the types matter).
- PROC install_api_hook(
- HMODULE hHookModule,
- const char * szDllName,
- PROC uHookFunAddr,
- PROC uNewFundAddr
- );
-
- // Scan every import descriptor of hModule and return TRUE if any IAT thunk
- // holds FunctionAddress, FALSE otherwise. Pure read-only walk of the PE
- // headers; nothing is written.
- // NOTE(review): FunctionAddress and ppfn are ULONG (32-bit). On a 64-bit
- // build the caller's ULONG_PTR argument is narrowed and only the low half
- // of each 64-bit thunk is compared. hModule is not validated as a mapped
- // PE image (no e_magic / Signature check), and a zero VirtualAddress for
- // the import directory would make pImportDescriptor alias the DOS header.
- BOOL TestFunctionInIAT( HMODULE hModule, ULONG FunctionAddress )
- {
- BOOL bReturn = FALSE;
- unsigned char *pBaseAddr = reinterpret_cast<unsigned char *>(hModule);
-
- // The DOS header sits at the module base.
- PIMAGE_DOS_HEADER pDosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(pBaseAddr);
-
- // e_lfanew is the offset of the NT headers from the base.
- PIMAGE_NT_HEADERS pNtHeader = reinterpret_cast<PIMAGE_NT_HEADERS>(
- pBaseAddr + pDosHeader->e_lfanew );
-
- // The PE optional header lives inside the NT headers.
- PIMAGE_OPTIONAL_HEADER pPEOptionHeader = &pNtHeader->OptionalHeader;
-
- // Data-directory entry describing the import table.
- PIMAGE_DATA_DIRECTORY pIATDataDirectory = &(pPEOptionHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]);
-
- // First import descriptor, at the directory's RVA.
- PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor = reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(
- pBaseAddr + pIATDataDirectory->VirtualAddress );
-
- // From pImportDescriptor on there is one descriptor per imported DLL, laid
- // out back to back until an entry whose Name is 0; the number of
- // descriptors is the number of DLLs whose exports this module depends on.
- // Name is the RVA of the DLL's name.
- while ( pImportDescriptor->Name != 0 )
- {
- // Each thunk describes one function imported from that DLL.
- PIMAGE_THUNK_DATA pThunkData = reinterpret_cast<PIMAGE_THUNK_DATA>(
- pBaseAddr + pImportDescriptor->FirstThunk);
- while( pThunkData->u1.Function != 0 )
- {
- ULONG *ppfn = ( ULONG *)&pThunkData->u1.Function;
- if ( *ppfn == FunctionAddress )
- {
-
- bReturn = TRUE;
- // Leaves only the inner loop; the remaining descriptors are still
- // walked, which cannot change bReturn.
- break;
- }
- ++pThunkData;
- }
- ++pImportDescriptor;
- }
-
- return bReturn;
- }
-
- // Original IAT slot value returned by install_api_hook in _tmain; remains
- // NULL when the hook is not installed.
- PROC g_CreateFunc = NULL;
-
- // Function-pointer type matching CreateProcessW, used to call the original
- // through g_CreateFunc.
- typedef BOOL (WINAPI *PCreateProcessW)(
- __in_opt LPCWSTR lpApplicationName,
- __inout_opt LPWSTR lpCommandLine,
- __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
- __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
- __in BOOL bInheritHandles,
- __in DWORD dwCreationFlags,
- __in_opt LPVOID lpEnvironment,
- __in_opt LPCWSTR lpCurrentDirectory,
- __in LPSTARTUPINFOW lpStartupInfo,
- __out LPPROCESS_INFORMATION lpProcessInformation);
-
- // IAT replacement for CreateProcessW: shows the command line in a message
- // box, then forwards all ten arguments unchanged to the original via
- // g_CreateFunc and returns its result.
- // NOTE(review): g_CreateFunc is not checked for NULL before the call.
- BOOL WINAPI MyCreateProcessW(
- __in_opt LPCWSTR lpApplicationName,
- __inout_opt LPWSTR lpCommandLine,
- __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
- __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
- __in BOOL bInheritHandles,
- __in DWORD dwCreationFlags,
- __in_opt LPVOID lpEnvironment,
- __in_opt LPCWSTR lpCurrentDirectory,
- __in LPSTARTUPINFOW lpStartupInfo,
- __out LPPROCESS_INFORMATION lpProcessInformation)
- {
-
- // lpCommandLine may be NULL; MessageBoxW accepts a NULL text pointer.
- MessageBoxW(NULL, lpCommandLine, L"CreateProcessW", MB_OK);
-
- return ((PCreateProcessW)g_CreateFunc)(
- lpApplicationName,
- lpCommandLine,
- lpProcessAttributes,
- lpThreadAttributes,
- bInheritHandles,
- dwCreationFlags,
- lpEnvironment,
- lpCurrentDirectory,
- lpStartupInfo,
- lpProcessInformation);
- }
-
- // Entry point of demo2: obtains this executable's module handle from the
- // address of TestFunctionInIAT, reports whether kernel32!CreateProcessW is
- // present in its IAT, installs MyCreateProcessW in that slot, then launches
- // notepad.exe so the detour fires.
- // NOTE(review): GetModuleHandleEx's result is not checked, so hModule may
- // stay NULL. (ULONG_PTR)CreateProcessW is passed to a ULONG parameter and is
- // narrowed on 64-bit builds. install_api_hook returning NULL (slot not
- // found) is not handled, and CreateProcessW's result is ignored while
- // pi.hProcess / pi.hThread are never closed.
- int _tmain(int argc, _TCHAR* argv[])
- {
- HMODULE hModule = NULL;
- // Resolve the module containing TestFunctionInIAT, i.e. this executable.
- GetModuleHandleEx(
- GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS,
- (LPCTSTR)TestFunctionInIAT,
- &hModule);
- BOOL bReturn = TestFunctionInIAT( hModule , (ULONG_PTR)CreateProcessW );
- if ( bReturn )
- {
- printf("Found address CreateProcessW!\n");
- }
- else
- {
- printf("found failed!\n");
- }
-
- g_CreateFunc = install_api_hook(hModule, "kernel32.dll", (PROC)CreateProcessW, (PROC)MyCreateProcessW);
-
- // Writable buffer: CreateProcessW may modify lpCommandLine.
- wchar_t szProcessName[] = L"notepad.exe";
- STARTUPINFO si = {sizeof(si)}; // cb set, remaining fields zeroed
- PROCESS_INFORMATION pi;
- CreateProcessW(NULL,
- szProcessName,
- NULL,
- NULL,
- FALSE,
- 0,
- NULL,
- NULL,
- &si,
- &pi);
-
- return 0;
- }
-
- // Same idea as ReplaceIATEntryInOneMod but walking the PE headers by hand:
- // in hHookModule's import descriptor for szDllName, replace the first thunk
- // equal to pfnHookFunAddr with pfnNewFundAddr. Returns the value the slot
- // previously held, or NULL when no descriptor named szDllName exists.
- // NOTE(review): the inner while loop never advances pThunkData (compare the
- // ++pThunkData in TestFunctionInIAT above); if the first thunk is not
- // pfnHookFunAddr the loop never terminates. hHookModule is not validated as
- // a PE image, and the VirtualProtect results are not checked.
- PROC install_api_hook(
- HMODULE hHookModule,
- const char * szDllName,
- PROC pfnHookFunAddr,
- PROC pfnNewFundAddr
- )
- {
- PROC pOrigFunc = NULL;
-
- unsigned char *pBaseAddr =
- reinterpret_cast<unsigned char *>(hHookModule);
-
- // DOS header at the base; NT headers at e_lfanew.
- PIMAGE_DOS_HEADER pDosHeader =
- reinterpret_cast<PIMAGE_DOS_HEADER>(pBaseAddr);
-
- PIMAGE_NT_HEADERS pNtHeader =
- reinterpret_cast<PIMAGE_NT_HEADERS>(
- pBaseAddr + pDosHeader->e_lfanew );
-
- PIMAGE_OPTIONAL_HEADER pPEOptionHeader =
- &pNtHeader->OptionalHeader;
-
- // Data-directory entry for the import table.
- PIMAGE_DATA_DIRECTORY pIATDataDirectory =
- &(pPEOptionHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]);
-
- PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor =
- reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(
- pBaseAddr + pIATDataDirectory->VirtualAddress );
-
- // Find the descriptor whose DLL name matches (case-insensitive).
- for ( ; pImportDescriptor->Name; pImportDescriptor++ )
- {
- const char* pszModName =
- reinterpret_cast<const char*>(
- pBaseAddr + pImportDescriptor->Name);
- if ( 0 == lstrcmpiA( pszModName, szDllName ) )
- {
- break;
- }
- }
-
- // Hit the terminator: DLL not imported by this module.
- if ( 0 == pImportDescriptor->Name )
- {
- return pOrigFunc;
- }
-
- PIMAGE_THUNK_DATA pThunkData =
- reinterpret_cast<PIMAGE_THUNK_DATA>(
- pBaseAddr + pImportDescriptor->FirstThunk);
- while( pThunkData->u1.Function != 0 )
- {
- PROC *ppFunc = reinterpret_cast<PROC*>(
- &pThunkData->u1.Function);
- if ( *ppFunc == pfnHookFunAddr )
- {
- DWORD dwOldProtect = 0;
- VirtualProtect( ppFunc, sizeof(PROC), PAGE_READWRITE, &dwOldProtect );
-
- // Keep the old value for the caller, then overwrite the slot.
- pOrigFunc = *ppFunc;
- CopyMemory(ppFunc, &pfnNewFundAddr, sizeof(PROC));
- // SIZE_T stMemorySize = 0;
- // WriteProcessMemory(
- // GetCurrentProcess(),
- // ppFunc,
- // &uNewFundAddr,
- // sizeof(*ppFunc),
- // &stMemorySize);
- VirtualProtect( ppFunc, sizeof(PROC), dwOldProtect, 0 );
- break;
- }
- // No ++pThunkData here — see the note above.
- }
-
- return pOrigFunc;
- }
- // JmpHook.cpp : Defines the entry point for the console application.
- //
-
- #include "stdafx.h"
- #include <windows.h>
-
- // Copy of the first bytes of the hooked function, saved by set_hook and
- // written back by restore_hook (5 bytes are used; the sixth is never
- // touched). A single global slot means only one function can be hooked at
- // a time.
- unsigned char g_StubCode[6] = {0x0};
- // Address of the real CreateProcessW, resolved in _tmain with GetProcAddress.
- PROC g_CreateFunc = 0;
- void restore_hook(PROC pfnOrigAddr);
- void set_hook(PROC pfnOrigAddr, PROC pfnNewAddr );
-
- // Function-pointer type matching CreateProcessW, used to call the real
- // function through g_CreateFunc once the patch has been removed.
- typedef BOOL (WINAPI *PCreateProcessW)(
- __in_opt LPCWSTR lpApplicationName,
- __inout_opt LPWSTR lpCommandLine,
- __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
- __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
- __in BOOL bInheritHandles,
- __in DWORD dwCreationFlags,
- __in_opt LPVOID lpEnvironment,
- __in_opt LPCWSTR lpCurrentDirectory,
- __in LPSTARTUPINFOW lpStartupInfo,
- __out LPPROCESS_INFORMATION lpProcessInformation);
-
- // Detour target for the inline (jmp) hook on CreateProcessW: removes the
- // patch, shows the command line, calls the now-unpatched original, then
- // re-applies the patch and returns the original's result. Unpatching before
- // the call is what prevents the detour from re-entering itself.
- // NOTE(review): between restore_hook and set_hook the hook is absent, and
- // the patch bytes are rewritten while other threads may be executing the
- // function — nothing here serialises those threads, so this is not
- // thread-safe.
- BOOL WINAPI MyCreateProcessW1(
- __in_opt LPCWSTR lpApplicationName,
- __inout_opt LPWSTR lpCommandLine,
- __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
- __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
- __in BOOL bInheritHandles,
- __in DWORD dwCreationFlags,
- __in_opt LPVOID lpEnvironment,
- __in_opt LPCWSTR lpCurrentDirectory,
- __in LPSTARTUPINFOW lpStartupInfo,
- __out LPPROCESS_INFORMATION lpProcessInformation)
- {
-
- // Put the original first bytes back so the call below runs the real code.
- restore_hook(g_CreateFunc);
-
- MessageBoxW(NULL, lpCommandLine, L"CreateProcessW", MB_OK);
-
- BOOL bRetCode = ((PCreateProcessW)g_CreateFunc)(
- lpApplicationName,
- lpCommandLine,
- lpProcessAttributes,
- lpThreadAttributes,
- bInheritHandles,
- dwCreationFlags,
- lpEnvironment,
- lpCurrentDirectory,
- lpStartupInfo,
- lpProcessInformation);
-
- // Re-arm the hook for the next caller.
- set_hook(g_CreateFunc, (PROC)MyCreateProcessW1);
-
- return bRetCode;
- }
-
-
- // Overwrite the first 5 bytes of pfnOrigAddr with a relative jump (opcode
- // 0xE9 + 32-bit displacement) to pfnNewAddr, after saving those 5 bytes in
- // g_StubCode for restore_hook.
- // NOTE(review): the displacement is narrowed with static_cast<ULONG>, so on
- // a 64-bit build where the two addresses are more than 4 GiB apart the
- // jump silently targets the wrong address. The 5 bytes are replaced without
- // regard to instruction boundaries, the page is left without execute
- // permission (PAGE_READWRITE) between the two VirtualProtect calls — any
- // thread executing there at that moment faults — and neither VirtualProtect
- // result is checked.
- void set_hook(PROC pfnOrigAddr, PROC pfnNewAddr )
- {
- unsigned char *pSrcAddr =
- reinterpret_cast<unsigned char *>( pfnOrigAddr );
-
- unsigned char *pDestAddr =
- reinterpret_cast<unsigned char *>( pfnNewAddr );
-
- // rel32 is measured from the end of the 5-byte jmp instruction.
- ULONG uOperand = static_cast<ULONG>
- ( pDestAddr - (pSrcAddr + 5) );
-
- // Keep the bytes being overwritten so they can be put back later.
- CopyMemory(g_StubCode, pSrcAddr, 5);
-
- DWORD dwOldProtect = 0;
- VirtualProtect( pSrcAddr, 5, PAGE_READWRITE, &dwOldProtect );
-
- unsigned char szJMPCode[5] = {0xE9}; // remaining 4 bytes zero-initialised
- CopyMemory(&szJMPCode[1], &uOperand, 4);
- CopyMemory(pSrcAddr, szJMPCode, 5 );
-
- VirtualProtect( pSrcAddr, 5, dwOldProtect, NULL );
- }
-
- // Undo set_hook: write the 5 bytes saved in g_StubCode back to pfnOrigAddr.
- // Only meaningful after set_hook has filled g_StubCode for this address;
- // calling it first would write five zero bytes over the function.
- // NOTE(review): VirtualProtect results are not checked.
- void restore_hook(PROC pfnOrigAddr)
- {
- unsigned char *pSrcAddr =
- reinterpret_cast<unsigned char *>( pfnOrigAddr );
- DWORD dwOldProtect = 0;
- VirtualProtect( pSrcAddr, 5, PAGE_READWRITE, &dwOldProtect );
- CopyMemory(pSrcAddr, g_StubCode, 5);
- VirtualProtect( pSrcAddr, 5, dwOldProtect, NULL );
- }
-
- // Entry point of demo3: resolves the real CreateProcessW, patches its first
- // bytes to jump to MyCreateProcessW1, then launches notepad.exe so the
- // detour runs once.
- // NOTE(review): GetProcAddress's result is not checked; a NULL g_CreateFunc
- // would make set_hook write at address 0+. GetModuleHandle(L"...") only
- // compiles as written in a UNICODE build. CreateProcessW's result is
- // ignored and pi.hProcess / pi.hThread are never closed.
- int _tmain(int argc, _TCHAR* argv[])
- {
- g_CreateFunc = GetProcAddress(GetModuleHandle(L"kernel32.dll"),"CreateProcessW");
-
- set_hook(g_CreateFunc, (PROC)MyCreateProcessW1);
- // Writable buffer: CreateProcessW may modify lpCommandLine.
- wchar_t szProcessName[] = L"notepad.exe";
- STARTUPINFO si = {sizeof(si)}; // cb set, remaining fields zeroed
- PROCESS_INFORMATION pi;
- CreateProcessW(NULL,
- szProcessName,
- NULL,
- NULL,
- FALSE,
- 0,
- NULL,
- NULL,
- &si,
- &pi);
-
- return 0;
- }