Windows API Inline Hook示例(api钩子)

已于 2023-11-29 16:27:40 修改
阅读量174 收藏
点赞数
文章标签: windows
于 2023-04-10 10:06:39 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/m0_37567738/article/details/130053538
版权

基于x86和amd64,用c++和vs开发的,兼容32位和64位的inline hook例子。

原理很简单,主要是分析机器跳转指令、指令插桩和替换,实现api劫持。

具体做法是:修改导入表函数入口指令,重新计算偏移地址,跳转到自己的函数接口地址。

略微有点意思,有兴趣的自己研究吧。

主要是留个纪念,省的丢了,用的时候乱巴拉,啥也找不到。

废话不说,示例代码如下:

	GetLogicalDrivesOld = (ptrGetLogicalDrives)hook(GetLogicalDrives, GetLogicalDrivesNew);
	FindFirstVolumeWOld = (ptrFindFirstVolumeW)hook(FindFirstVolumeW, FindFirstVolumeWNew);
	FindNextVolumeWOld = (ptrFindNextVolumeW)hook(FindNextVolumeW, FindNextVolumeWNew);
	GetLogicalDriveStringsWOld = (ptrGetLogicalDriveStringsW)hook(GetLogicalDriveStringsW, GetLogicalDriveStringsWNew);
	lpGetVolumeInformationWOld = (ptrGetVolumeInformationW)hook(GetVolumeInformationW, lpGetVolumeInformationWNew);

源码如下所示。

头文件:

#pragma once

#include <windows.h>

#define MAX_TRAMP_SIZE					128
#define TRAMP_BAR_LIMIT					128

#pragma pack(1)

typedef struct  
{
	unsigned char* oldaddr;
	char len;
}REPLACE_CODE;

typedef struct  _HOOK_TRAMPS
{
	_HOOK_TRAMPS * prev;
	_HOOK_TRAMPS * next;
	int valid;
	WCHAR apiName[32];
	//int apiTotal;
	
	BYTE code[MAX_TRAMP_SIZE];

	BYTE oldcode[MAX_TRAMP_SIZE];
	REPLACE_CODE replace;

}HOOK_TRAMPS;

#pragma pack()

//extern HOOK_TRAMPS *g_trump;

//extern HOOK_TRAMPS g_trump[MAX_TRAMP_SIZE];

HOOK_TRAMPS* searchTrump(const WCHAR* funcname);

int deleteTrump(const WCHAR* funcname);

HOOK_TRAMPS* addTrump(const WCHAR* funcname);

extern "C" __declspec(dllexport) int hook2(const WCHAR* modulename,const WCHAR* funcname, BYTE * newfuncaddr, PROC* keepaddr);

extern "C" __declspec(dllexport) int inlinehook64(BYTE * newfun, BYTE * oldfun, PROC* keepaddr, const WCHAR * funcname);

extern "C" __declspec(dllexport) int inlinehook32(BYTE * newfun, BYTE * oldfun, PROC* keepaddr, const WCHAR * funcname);

int unhook(CONST WCHAR* modulename, const WCHAR* wstrfuncname);

int  unhookall();

代码文件:


#include "functions.h"
#include "hookApi.h"
#include "log.h"

HOOK_TRAMPS g_trump[MAX_TRAMP_SIZE] = { 0 };

HOOK_TRAMPS* searchTrump(const WCHAR* funcname) {

	for (int i = 0; i < TRAMP_BAR_LIMIT; i++)
	{
		if (g_trump[i].valid)
		{
			if (lstrcmpiW(funcname, g_trump[i].apiName) == 0)
			{
				return &g_trump[i];
			}
		}
	}

	return 0;
}



int deleteTrump(const WCHAR* funcname) {
	for (int i = 0; i < TRAMP_BAR_LIMIT; i++)
	{
		if (g_trump[i].valid)
		{
			if (lstrcmpiW(funcname, g_trump[i].apiName) == 0)
			{
				g_trump[i].valid = FALSE;
				return TRUE;
			}
		}
	}
	return 0;
}



HOOK_TRAMPS* addTrump(const WCHAR* funcname) {
	int result = 0;
	for (int i = 0; i < MAX_TRAMP_SIZE; i++)
	{
		if (g_trump[i].valid == FALSE)
		{
			g_trump[i].valid = TRUE;
			lstrcpyW(g_trump[i].apiName, funcname);
			DWORD oldprotect = 0;
			result = VirtualProtect(&g_trump[i], sizeof(HOOK_TRAMPS), PAGE_EXECUTE_READWRITE, &oldprotect);
			return &g_trump[i];
		}
	}
	return 0;
}

#ifdef _WIN64
#include "hde/hde64.h"

#define ADDRESS64_HIGI_MASK				0xffffffff00000000L

#define ADDRESS64_LOW_MASK				0xffffffffL

#define AMD64_INLINE_HOOK_STUB_SIZE		14

int inlinehook64(BYTE* newfun, BYTE* hookaddr, PROC* keepaddr, const WCHAR* funcname) {
	int result = 0;

	if (hookaddr == newfun)
	{
		log(L"inlinehook64 function:%ws already exist\r\n", funcname);
		return FALSE;
	}

	HOOK_TRAMPS* trump = addTrump(funcname);
	if (trump <= 0)
	{
		log(L"inlinehook64 addTrump function:%ws error\r\n", funcname);
		return FALSE;
	}

	//DebugBreak();

	ULONGLONG offset = 0;

	int codelen = 0;

	BYTE* oldcode = hookaddr;

	BYTE* oldfun = oldcode;

	int total = 0;

	ULONGLONG minimum = AMD64_INLINE_HOOK_STUB_SIZE;

	hde64s asm64 = { 0 };

	while (codelen < minimum)
	{
		int instructionlen = hde64_disasm(oldfun, &asm64);
		if (instructionlen <= 0)
		{
			log(L"inlinehook64 function:%ws address:%p hde64_disasm error\r\n", funcname, oldfun);
			deleteTrump(funcname);
			return FALSE;
		}

		if (total == 0)
		{
			if ((*oldfun == 0xff && *(oldfun + 1) == 0x25) || (*oldfun == 0xff && *(oldfun + 1) == 0x15))
			{
				offset = *(DWORD*)(oldfun + 2);
				offset = ((offset + 6 + (ULONGLONG)oldfun) & ADDRESS64_LOW_MASK) + ((ULONGLONG)oldfun & ADDRESS64_HIGI_MASK);
				offset = *(ULONGLONG*)offset;
				oldfun = (BYTE*)(offset);
				oldcode = oldfun;
				codelen = 0;

				continue;
			}
			else if ((*oldfun == 0x48 && *(oldfun + 1) == 0xff && *(oldfun + 2) == 0x25) ||
				(*oldfun == 0x48 && *(oldfun + 1) == 0xff && *(oldfun + 2) == 0x15))
			{
				offset = *(DWORD*)(oldfun + 3);
				offset = ((offset + 7 + (ULONGLONG)oldfun) & ADDRESS64_LOW_MASK) + ((ULONGLONG)oldfun & ADDRESS64_HIGI_MASK);
				offset = *(ULONGLONG*)offset;
				oldfun = (BYTE*)(offset);
				oldcode = oldfun;
				codelen = 0;
				continue;
			}
			else if (*oldfun == 0xeb)
			{
				offset = *(oldfun + 1);
				oldfun = (BYTE*)((offset + 2 + (ULONGLONG)oldfun) & ADDRESS64_LOW_MASK) + ((ULONGLONG)oldfun & ADDRESS64_HIGI_MASK);
				oldcode = oldfun;
				codelen = 0;
				continue;
			}
			else if (*oldfun == 0xe9 || *oldfun == 0xe8)		//if hooked by others ,how to find lost 5 bytes?
			{
				offset = *(DWORD*)(oldfun + 1);
				oldfun = (BYTE*)(((ULONGLONG)oldfun + 5 + offset) & ADDRESS64_LOW_MASK) + ((ULONGLONG)oldfun & ADDRESS64_HIGI_MASK);

				oldcode = oldfun;
				codelen = 0;
				continue;
			}

			else if (*oldfun == 0x83 && *(oldfun + 1) == 0x3d)
				//0000000180026130 83 3D 35 C8 08 00 05                    cmp     cs:?g_systemCallFilterId@@3KA, 5
				//0000000180026137 74 0C                                   jz      short loc_180026145
			{
				memcpy(trump->code + codelen, oldfun, instructionlen);

				offset = *(DWORD*)(oldfun + 2);

				ULONGLONG offsetlow = ((offset + 7 + (ULONGLONG)oldfun) & ADDRESS64_LOW_MASK);
				ULONGLONG offsethigh = ((ULONGLONG)oldfun & ADDRESS64_HIGI_MASK);

				ULONGLONG delta = (offsetlow - ((ULONGLONG)trump->code + codelen + instructionlen)) & ADDRESS64_LOW_MASK;
				*(DWORD*)(trump->code + codelen + 2) = (DWORD)delta;
			}
			else {
				memcpy(trump->code + codelen, oldfun, instructionlen);
			}
		}
		else {

			if ((*oldfun == 0xff && *(oldfun + 1) == 0x25) || (*oldfun == 0xff && *(oldfun + 1) == 0x15))
			{
				memcpy(trump->code + codelen, oldfun, instructionlen);

				offset = *(DWORD*)(oldfun + 2);

				ULONGLONG offsetlow = ((offset + 6 + (ULONGLONG)oldfun) & ADDRESS64_LOW_MASK);
				ULONGLONG offsethigh = ((ULONGLONG)oldfun & ADDRESS64_HIGI_MASK);

				ULONGLONG delta = (offsetlow - ((ULONGLONG)trump->code + codelen + instructionlen)) & ADDRESS64_LOW_MASK;
				*(DWORD*)(trump->code + codelen + 2) = (DWORD)delta;

			}
			else if (*oldfun == 0x83 && *(oldfun + 1) == 0x3d)
				//GetDC in user32.dll in win10 and win11 x64
				//0000000180026130 83 3D 35 C8 08 00 05                    cmp     cs:?g_systemCallFilterId@@3KA, 5
				//0000000180026137 74 0C                                   jz      short loc_180026145
			{
				memcpy(trump->code + codelen, oldfun, instructionlen);

				offset = *(DWORD*)(oldfun + 2);

				ULONGLONG offsetlow = ((offset + 7 + (ULONGLONG)oldfun) & ADDRESS64_LOW_MASK);
				ULONGLONG offsethigh = ((ULONGLONG)oldfun & ADDRESS64_HIGI_MASK);

				ULONGLONG delta = (offsetlow - ((ULONGLONG)trump->code + codelen + instructionlen)) & ADDRESS64_LOW_MASK;
				*(DWORD*)(trump->code + codelen + 2) = (DWORD)delta;
			}
			else if (*oldfun == 0x48 && *(oldfun + 1) == 0x8b && *(oldfun + 2) == 0x05)
				//OpenPrinterW in win10 and win11 x64,winspool.drv
				//0000000180003294 48 8B 05 E5 30 07 00		mov     rax, cs:qword_180076380
				//000000018000329B 
			{
				memcpy(trump->code + codelen, oldfun, instructionlen);

				offset = *(DWORD*)(oldfun + 3);

				ULONGLONG offsetlow = ((offset + 7 + (ULONGLONG)oldfun) & ADDRESS64_LOW_MASK);
				ULONGLONG offsethigh = ((ULONGLONG)oldfun & ADDRESS64_HIGI_MASK);

				ULONGLONG delta = (offsetlow - ((ULONGLONG)trump->code + codelen + instructionlen)) & ADDRESS64_LOW_MASK;
				*(DWORD*)(trump->code + codelen + 3) = (DWORD)delta;
			}
			else if ((*oldfun == 0x48 && *(oldfun + 1) == 0xff && *(oldfun + 2) == 0x25) ||
				(*oldfun == 0x48 && *(oldfun + 1) == 0xff && *(oldfun + 2) == 0x15))
			{
				memcpy(trump->code + codelen, oldfun, instructionlen);

				offset = *(DWORD*)(oldfun + 3);
				ULONGLONG offsetlow = ((offset + 7 + (ULONGLONG)oldfun) & ADDRESS64_LOW_MASK);
				ULONGLONG offsethigh = ((ULONGLONG)oldfun & ADDRESS64_HIGI_MASK);

				ULONGLONG delta = (offsetlow - ((ULONGLONG)trump->code + codelen + instructionlen)) & ADDRESS64_LOW_MASK;
				*(DWORD*)(trump->code + codelen + 3) = (DWORD)delta;
			}
			else if (*oldfun == 0xe9 || *oldfun == 0xe8 || *oldfun == 0xea)		//if hooked by others ,how to find lost 5 bytes?
			{
				memcpy(trump->code + codelen, oldfun, instructionlen);

				offset = *(DWORD*)(oldfun + 1);
				ULONGLONG offsetlow = ((offset + 5 + (ULONGLONG)oldfun) & ADDRESS64_LOW_MASK);
				ULONGLONG offsethigh = ((ULONGLONG)oldfun & ADDRESS64_HIGI_MASK);

				ULONGLONG delta = (offsetlow - ((ULONGLONG)trump->code + codelen + instructionlen)) & ADDRESS64_LOW_MASK;
				*(DWORD*)(trump->code + codelen + 1) = (DWORD)delta;
			}
			else if (*oldfun == 0xeb)
			{
				offset = *(oldfun + 1);
				byte* next_instruction = (BYTE*)((offset + 2 + (ULONGLONG)oldfun) & ADDRESS64_LOW_MASK) + ((ULONGLONG)oldfun & ADDRESS64_HIGI_MASK);
				minimum = next_instruction - oldcode + 1;
				if (minimum > MAX_TRAMP_SIZE - AMD64_INLINE_HOOK_STUB_SIZE || minimum <= 0)
				{
					log(L"inlinehook64 function:%ws jump to target address:%p out of range on base:%p\r\n", funcname, oldfun, oldcode);
					deleteTrump(funcname);
					return FALSE;
				}
				memcpy(trump->code + codelen, oldfun, instructionlen);
			}
			else if (*oldfun == 0x0f && (*(oldfun + 1) >= 0x80 && *(oldfun + 1) <= 0x8f))
			{
				log(L"inlinehook64 function:%ws address:%p found irregular jump instruction: %02x %02x\r\n", funcname, oldfun, *oldfun, *(oldfun + 1));

				memcpy(trump->code + codelen, oldfun, instructionlen);

				offset = *(WORD*)(oldfun + 2);
				byte* next_instruction = (BYTE*)((offset + 4 + (ULONGLONG)oldfun) & ADDRESS64_LOW_MASK) + ((ULONGLONG)oldfun & ADDRESS64_HIGI_MASK);

				minimum = next_instruction - oldcode + 1;
				if (minimum > MAX_TRAMP_SIZE - AMD64_INLINE_HOOK_STUB_SIZE || minimum <= 0)
				{
					log(L"inlinehook64 function:%ws jump to target address:%p out of range on base:%p\r\n", funcname, oldfun, oldcode);
					deleteTrump(funcname);
					return FALSE;
				}

				//oldfun = oldfun + 4;
			}
			else if (*oldfun >= 0x70 && *oldfun <= 0x7f)		//jump with flag range in 128 bytes
			{
				memcpy(trump->code + codelen, oldfun, instructionlen);

				offset = *(oldfun + 1);

				byte* next_instruction = oldfun + 2 + offset;

				minimum = next_instruction - oldcode + 1;
				if (minimum > MAX_TRAMP_SIZE - AMD64_INLINE_HOOK_STUB_SIZE || minimum <= 0)
				{
					log(L"inlinehook64 function:%ws jump to target address:%p out of range on base:%p\r\n", funcname, oldfun, oldcode);
					deleteTrump(funcname);
					return FALSE;
				}
				//oldfun += 2;
			}
			// 			else if (*oldfun == 0xc3 )
			// 			{
			// 
			// 			}
			else {
				memcpy(trump->code + codelen, oldfun, instructionlen);
			}
		}

		total++;
		if (total >= 1024)
		{
			log(L"inlinehook64 function:%ws something error!\r\n", funcname);
			//__debugbreak();
			return FALSE;
		}
		codelen += instructionlen;
		oldfun += instructionlen;
	}

	DWORD oldprotect = 0;
	result = VirtualProtect(oldcode, codelen, PAGE_EXECUTE_READWRITE, &oldprotect);
	if (result == 0)
	{
		log(L"inlinehook64 VirtualProtect function:%ws address:%p error\r\n", funcname, oldcode);
		deleteTrump(funcname);
		return FALSE;
	}

	memcpy(trump->oldcode, oldcode, codelen);

	oldcode[0] = 0xff;
	oldcode[1] = 0x25;
	*(DWORD*)(oldcode + 2) = 0;
	*(ULONGLONG*)(oldcode + 6) = (ULONGLONG)newfun;

	trump->code[codelen] = 0xff;
	trump->code[codelen + 1] = 0x25;
	*(DWORD*)(trump->code + codelen + 2) = 0;
	*(ULONGLONG*)(trump->code + codelen + 6) = (ULONGLONG)(oldcode + codelen);

	*keepaddr = (FARPROC) & (trump->code);

	DWORD dummyprotect = 0;
	result = VirtualProtect(oldcode, codelen, oldprotect, &dummyprotect);

	trump->replace.oldaddr = oldcode;
	trump->replace.len = codelen;


	log(L"inlinehook64 function:%ws, hook size:%d ,tramp address:%p, instruction address:%p,new func address:%p,keep address:%p",
		funcname, codelen, trump->code, oldcode, newfun, *keepaddr);
	WCHAR szout[1024];
	WCHAR* loginfo = szout;
	int len = 0;

	for (int i = 0; i < 14; i++)
	{
		len = wsprintfW(loginfo, L" %02X ", *(oldcode + i));
		loginfo = loginfo + len;
	}
	*loginfo = 0;
	log(szout);

	loginfo = szout;
	for (int i = 0; i < codelen + 14; i++)
	{
		len = wsprintfW(loginfo, L" %02X ", *(trump->code + i));
		loginfo = loginfo + len;
	}
	*loginfo = 0;
	log(szout);

	return result;
}
#else
#include "hde/hde32.h"

#define IA32_INLINE_HOOK_STUB_SIZE		5

int inlinehook32(BYTE* newfun, BYTE* hookaddr, PROC* keepaddr, const WCHAR* funcname) {
	int result = 0;

	if (hookaddr == newfun)
	{
		log(L"inlinehook32 function:%ws already exist\r\n", funcname);
		return FALSE;
	}

	HOOK_TRAMPS* trump = addTrump(funcname);
	if (trump <= 0)
	{
		log(L"inlinehook32 addTrump function:%ws error\r\n", funcname);
		return FALSE;
	}

	DWORD offset = 0;

	int codelen = 0;

	hde32s asm32 = { 0 };

	BYTE* oldcode = hookaddr;

	BYTE* oldfun = oldcode;

	int total = 0;

	int minimum = IA32_INLINE_HOOK_STUB_SIZE;

	while (codelen < minimum)
	{
		int instructionlen = hde32_disasm(oldfun, &asm32);
		if (instructionlen <= 0)
		{
			log(L"inlinehook32 function:%ws address:%p hde64_disasm error\r\n", funcname, oldfun);
			deleteTrump(funcname);
			return FALSE;
		}

		if (total == 0)
		{
			if ((*oldfun == 0xff && *(oldfun + 1) == 0x25) || (*oldfun == 0xff && *(oldfun + 1) == 0x15))
			{
				//FF 25 D4 0F B1 76
				//76b10fd4:76 1e a4 70
				//70a41e76:CreateFileA
				offset = *(DWORD*)(oldfun + 2);
				offset = *(DWORD*)offset;
				oldfun = (BYTE*)offset;

				oldcode = oldfun;
				codelen = 0;
				continue;
			}
			else if (*oldfun == 0xe9 || *oldfun == 0xe8)		//if hooked by others ,how to find lost 5 bytes?
			{
				offset = *(DWORD*)(oldfun + 1);
				oldfun += offset + 5;

				oldcode = oldfun;
				codelen = 0;
				continue;
			}
			else if (*oldfun == 0xeb)
			{
				offset = *(oldfun + 1);
				oldfun += offset + 2;

				oldcode = oldfun;
				codelen = 0;
				continue;
			}
			else {
				memcpy(trump->code + codelen, oldfun, instructionlen);
			}
		}
		else {
			if ((*oldfun == 0xff && *(oldfun + 1) == 0x25) || (*oldfun == 0xff && *(oldfun + 1) == 0x15))
			{
				memcpy(trump->code + codelen, oldfun, instructionlen);

				//FF 25 D4 0F B1 76
				//76b10fd4:76 1e a4 70
				//70a41e76:CreateFileA
			}
			else if (*oldfun == 0xe9 || *oldfun == 0xe8 || *oldfun == 0xea)		//if hooked by others ,how to find lost 5 bytes?
			{
				memcpy(trump->code + codelen, oldfun, instructionlen);

				offset = *(DWORD*)(oldfun + 1);

				offset = (DWORD)oldfun + offset + 5;

				DWORD delta = offset - ((DWORD)trump->code + codelen + instructionlen);

				*(DWORD*)(trump->code + codelen + 1) = delta;
			}

			else if (*oldfun == 0xeb)
			{
				memcpy(trump->code + codelen, oldfun, instructionlen);

				offset = *(oldfun + 1);
				byte* next_instruction = oldfun + offset + 2;

				minimum = next_instruction - oldcode + 1;
				if (minimum > MAX_TRAMP_SIZE - IA32_INLINE_HOOK_STUB_SIZE || minimum <= 0)
				{
					log(L"inlinehook32 function:%ws jump to target address:%p out of range on base:%p\r\n", funcname, oldfun, oldcode);
					deleteTrump(funcname);
					return FALSE;
				}
			}

			else if (*oldfun == 0x0f && (*(oldfun + 1) >= 0x80 && *(oldfun + 1) <= 0x8f))
			{
				log(L"inlinehook32 function:%ws address:%p found irregular jump instruction: %02x %02x\r\n", funcname, oldfun, *oldfun, *(oldfun + 1));

				memcpy(trump->code + codelen, oldfun, instructionlen);
				offset = *(WORD*)(oldfun + 2);
				byte* next_instruction = (BYTE*)(offset + 4 + oldfun);

				minimum = next_instruction - oldcode + 1;
				if (minimum > MAX_TRAMP_SIZE - IA32_INLINE_HOOK_STUB_SIZE || minimum <= 0)
				{
					log(L"inlinehook32 function:%ws jump to target address:%p out of range on base:%p\r\n", funcname, oldfun, oldcode);
					deleteTrump(funcname);
					return FALSE;
				}
				//oldfun += 4;
			}
			else if (*oldfun >= 0x70 && *oldfun <= 0x7f)		//jump with flag range in 128 bytes
			{
				memcpy(trump->code + codelen, oldfun, instructionlen);

				offset = *(oldfun + 1);

				byte* next_instruction = oldfun + 2 + offset;

				minimum = next_instruction - oldcode + 1;
				if (minimum > MAX_TRAMP_SIZE - IA32_INLINE_HOOK_STUB_SIZE || minimum <= 0)
				{
					log(L"inlinehook32 function:%ws jump to target address:%p out of range on base:%p\r\n", funcname, oldfun, oldcode);
					deleteTrump(funcname);
					return FALSE;
				}
				//oldfun += 2;
			}
			else {
				memcpy(trump->code + codelen, oldfun, instructionlen);
			}
		}
		codelen += instructionlen;
		oldfun += instructionlen;
		total++;
	}

	DWORD oldprotect = 0;
	result = VirtualProtect(oldcode, codelen, PAGE_EXECUTE_READWRITE, &oldprotect);
	if (result == 0)
	{
		log(L"inlinehook32 VirtualProtect function:%ws address:%p error\r\n", funcname, oldcode);
		deleteTrump(funcname);
		return FALSE;
	}

	memcpy(trump->oldcode, oldcode, codelen);

	oldcode[0] = 0xe9;

	*(DWORD*)(oldcode + 1) = newfun - (oldcode + 5);

	trump->code[codelen] = 0xe9;

	*(DWORD*)(trump->code + codelen + 1) = oldcode + codelen - (trump->code + codelen + 5);

	*keepaddr = (FARPROC) & (trump->code);

	DWORD dummyprotect = 0;
	result = VirtualProtect(oldcode, codelen, oldprotect, &dummyprotect);

	trump->replace.oldaddr = oldcode;
	trump->replace.len = codelen;


	log(L"inlinehook32 function:%ws,hook size:%d,tramp address:%p,instruction address:%p,new func address:%p,keep address:%p",
		funcname, codelen, trump->code, oldcode, newfun, keepaddr);
	WCHAR szout[1024];
	WCHAR* loginfo = szout;
	int len = 0;

	for (int i = 0; i < 5; i++)
	{
		len = wsprintfW(loginfo, L" %02X ", *(oldcode + i));
		loginfo = loginfo + len;
	}
	*loginfo = 0;
	log(szout);

	loginfo = szout;
	for (int i = 0; i < codelen + 5; i++)
	{
		len = wsprintfW(loginfo, L" %02X ", *(trump->code + i));
		loginfo = loginfo + len;
	}
	*loginfo = 0;
	log(szout);

	return result;
}

#endif

int hook2(CONST WCHAR* modulename, const WCHAR* wstrfuncname, BYTE* newfuncaddr, PROC* keepaddr) {
	int result = 0;
	HMODULE h = GetModuleHandleW(modulename);
	if (h)
	{
		CHAR funcname[MAX_PATH];
		result = WideCharToMultiByte(CP_ACP, 0, wstrfuncname, -1, funcname, MAX_PATH, 0, 0);
		if (result)
		{
			LPBYTE  oldfunc = (LPBYTE)GetProcAddress(h, funcname);
			if (oldfunc)
			{
#ifdef _WIN64
				result = inlinehook64(newfuncaddr, oldfunc, keepaddr, wstrfuncname);
#else
				result = inlinehook32(newfuncaddr, oldfunc, (FARPROC*)keepaddr, wstrfuncname);
#endif
				log(L"[LYSM]inlinehook finish %ws %ws ok\r\n", modulename, wstrfuncname);
				if (result)
				{
					log(L"[LYSM]hook %ws %ws ok\r\n", modulename, wstrfuncname);
				}
				return result;
			}
			else {
				log(L"[LYSM]function %ws not found in %ws", wstrfuncname, modulename);
			}
		}
		else {
			log(L"[LYSM]WideCharToMultiByte function %ws error", wstrfuncname);
		}
	}
	else {
		log(L"[LYSM]module %ws not found", modulename);
	}
	return FALSE;
}


int unhook(CONST WCHAR* modulename, const WCHAR* wstrfuncname) {
	int result = 0;

	for (int i = 0; i < TRAMP_BAR_LIMIT; i++)
	{
		if (g_trump[i].valid)
		{
			if (lstrcmpiW(wstrfuncname, g_trump[i].apiName) == 0)
			{
				unsigned char* oldcode = g_trump[i].replace.oldaddr;
				int oldcodelen = g_trump[i].replace.len;
				DWORD oldprotect = 0;
				result = VirtualProtect(oldcode, oldcodelen, PAGE_EXECUTE_READWRITE, &oldprotect);
				memcpy(oldcode, g_trump[i].oldcode, oldcodelen);
				DWORD dummyprotect = 0;
				result = VirtualProtect(oldcode, oldcodelen, oldprotect, &dummyprotect);

				g_trump[i].valid = FALSE;

				log(L"delete hooked function:%ws ok", wstrfuncname);
				return TRUE;
			}
		}
	}

	return FALSE;
}


int  unhookall() {
	int result = 0;

	for (int i = 0; i < TRAMP_BAR_LIMIT; i++)
	{
		if (g_trump[i].valid != 0 && g_trump[i].valid != 1) {
			log(L"funciton :%d error", i);
		}
		if (g_trump[i].valid == TRUE /*&& g_trump[i].apiName[0]*/)
		{
			unsigned char* oldcode = g_trump[i].replace.oldaddr;

			int oldcodelen = g_trump[i].replace.len;
			result = IsBadReadPtr(oldcode, oldcodelen);
			if (result == 0)
			{
				DWORD oldprotect = 0;
				result = VirtualProtect(oldcode, oldcodelen, PAGE_EXECUTE_READWRITE, &oldprotect);

				memcpy(oldcode, g_trump[i].oldcode, oldcodelen);
				DWORD dummyprotect = 0;
				result = VirtualProtect(oldcode, oldcodelen, oldprotect, &dummyprotect);
				log(L"delete hooked function:%ws ok", g_trump[i].apiName);
			}
			else {
				log(L"funciton:%ws address:%p can not be write,maybe the dll has been unload?", g_trump[i].apiName, oldcode);
			}

			g_trump[i].valid = FALSE;
		}
		else {

		}
	}

	return TRUE;
}




PUCHAR allocTrampAddress(PUCHAR  module) {
	IMAGE_NT_HEADERS64* hdr = (IMAGE_NT_HEADERS64*)module;
	PUCHAR* address = (PUCHAR*)hdr->OptionalHeader.ImageBase + hdr->OptionalHeader.SizeOfImage;

	PUCHAR* alloc = (PUCHAR*)VirtualAlloc(address, 0x4000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	if (alloc)
	{
	}
	return 0;
}
satadriver
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
Windows内核API HOOKInline Hook
daiwen的专栏
04-18 1382
名字起得好,Inline hook,乍一听,似乎很高深。此处的Inline,我以为,意指将汇编代码直接写入内核API的内存区域。Inline Hook不像用户态Hook或SSDT hook(用C语言就足够),它需要在程序中嵌入汇编代码(Inline Assembly)以操作堆栈和执行内核API对应的部分汇编指令。当然,这些都须以驱动的形式进行。所谓API Hook,就是用自己写的函数去替代系统AP
Inline Hook示例
精彩的艺术
03-01 375
#include "stdafx.h" #include char g_OldAddress[0x5] = {}; char g_NewAddress[0x5] = { 0xE9 }; void HookMessageBox(); void unHookMessageHook(); //自己的MessageBox函数 //思路:拦截到MessageBox之后,修复原来的地方,再执行原来的
InlineHookAPI HOOK从原理开始,一次性掌握劫持技术
qq_50749602的博客
09-22 508
在汇编中可以转移指令执行流程的指令是JMP和CALL,我们要干的就是在要将原来的执行流中插入JMP或CALL,在开始写代码之前,你需要想清楚使用JMP还是CALL,如何使用在于你的目的,使用JMP可以保证堆栈偏移不会发生变化,但需要计算两次JMP 的偏移量,而使用CALL则只需要计算一次,就是CALL的偏移量,而回跳地址直接使用ret,但缺点是CALL会更改堆栈的偏移,因为要压入回跳地址,我通常喜欢使用CALL来做劫持,因为堆栈的偏移相对于JMP那种繁琐的计算是不值一提(😄)的。
win10 x64中inlineHook SSDT里面的函数
吾无法无天的博客
02-13 4506
inlineHook的原理: 为了方便好理解,一些变量名和函数名在这里使用中文命名,有些编译器不支持中文命名,在这里要注意(我的是VS2019) hook.h: #pragma once #include<ntifs.h> #include<ntddk.h> #pragma intrinsic(__readmsr) //SSDT表 typedef str...
5.9 Windows驱动开发:内核InlineHook挂钩技术
最新发布
CSDN
12-07 7185
内核挂钩的原理是一种劫持系统函数调用的技术,用于在运行时对系统函数进行修改或者监控。其基本思想是先获取要被劫持的函数的地址,然后将该函数的前15个字节的指令保存下来,接着将自己的代理函数地址写入到原始函数上,这样当API被调用时,就会默认转向到自己的代理函数上执行,从而实现函数的劫持。
Windows API Hook钩子大揭密.zip
03-28
"Windows API Hook钩子大揭密"这个主题深入探讨了这一核心技术,通过APISpion.exe示例程序、源代码(src)、图像处理库(diblib)以及HOOK相关资料,为学习者提供了全面的理解和实践。 1. **什么是API Hook**: API ...
Windows Inline Hook代码实现细节
04-18
本文将深入探讨如何使用内嵌汇编和Windows API来实现一个简单的`add`函数DLL注入Inline Hook,以达到修改其返回结果的目的。 首先,我们要理解Inline Hook的基本原理。Inline Hook是在目标函数的入口处插入自定义...
inline hook
07-30
《深入理解inline hook技术》 inline hook是一种在编程领域中广泛应用的技术,特别是在系统级调试、插件开发和安全分析...提供的Hook.cpp和Hook.h文件可能是实现inline hook的源代码示例,读者可以进一步研究和学习。
inline hook x86 x64
01-27
内联钩子Inline Hook)是Windows编程中一种常见的技术,它允许开发者在程序运行时动态地修改函数的行为,以实现诸如日志记录、性能监控、功能增强等功能。本文将深入探讨内联钩子在x86和x64架构下的原理、实现方法...
Vb6 InLineHook(通用版)
03-11
【标题】"Vb6 InLineHook(通用版)" 描述了这是一个使用Visual Basic 6(Vb6)开发的API钩子实现,名为InLineHook,它具有跨平台兼容性,支持Windows XP、Windows 7、Server 2003以及Windows 2000操作系统。...
windows hook示例代码
10-26
windows hook示例代码, hook 的基本实现
Windows驱动开发学习笔记(六)—— Inline HOOK
qq_41988448的博客
12-16 1184
Windows驱动开发学习笔记(六)—— Inline HOOK前言实验一:3环 Inline HOOK实验二:0环 Inline Hook 前言 一、学习自滴水编程达人中级班课程,官网:https://bcdaren.com 二、海东老师牛逼! 实验一:3环 Inline HOOK #include <stdio.h> #include <windows.h> BY...
使用windows钩子(HOOK)实现DLL注入
new9232的博客
08-21 6230
本文章介绍如何使用HOOK技术实现DLL注入。通过一个测试程序,记录你的任何键盘输入信息,见识到HOOK技术的强大之处。
windows系统之Hook实例DIPS
WeinKee的博客
04-18 392
windows系统下Hook 文章示例来至《Windows核心编程》第22章实例Desktop Item Position Saver工具 原理说明 windows下使用Hook实现对远程进程注入DLL技术,通过共用操作系统下同一份DLL,实现对目标进程的特定消息传输,甚至达到控制的技术。 首先需要了解的实现DLL注入实现Hook进程的方式 HHOOK hHook = SetWindowsHook...
WindowsHook API技术小结
benny5609的专栏
10-03 3076
 1、基本概念  钩子(Hook),是Windows消息处理机制的一个平台,应用程序可以在上面设置子程以监视指定窗口的某种消息,而且所监视的窗口可以是其他进程所创建的。当消息到达后,在目标窗口处理函数之前处理它。钩子机制允许应用程序截获处理window消息或特定事件。钩子实际上是一个处理消息的程序段,通过系统调用,把它挂入系统。每当特定的消息发出,在没有到达目的窗口前,钩子程序就先捕获该消
Windows核心编程_Hook
热门推荐
17岁boy的博客
06-22 1万+
一、前言HookWindows下的一个机制,Hook的中文意思是钩子的意思,顾名思义,钩子就是用来钩东西的,就好像钓鱼一样,你把鱼钩放入鱼塘里,钓到了某条鱼,即便我们不把鱼钓上来,我们可以通过鱼钩知道鱼在做什么,比如鱼飞速游动,鱼钩上的鱼线会做出反应,或者鱼原地不动,我们都可以通过鱼钩知道鱼在做什么!Windows就像一个鱼塘,而程序,就是鱼塘里的鱼,而用来监视这些鱼的鱼钩就是Hook!众所周知...
挂上神奇的钩子,改变目标内容展现样式->MinHook测试与分析(x64下 E9,EB,CALL指令测试,且逆推测试微软热补丁)...
weixin_33790053的博客
09-19 192
依稀记得第一次接触Hook的概念是在周伟民先生的书中-><<多任务下的数据结构与算法>>,当时觉得Hook很奇妙,有机会要学习到,正好近段日子找来了MiniHook,就一起分享一下。 本篇文章是在x64下测试与分析jmp+offset类型的Hook,并且逆推测出热补丁的简单用法,MinHook它的中心就是覆盖重写并且可以复原。知道大概的思路后后让我们先来具体的...
Windows Hook案例分析与技术探索
John_ToStr的博客
06-29 4186
HookWindows中提供的一种用以替换DOS下“中断“的系统机制,中文译为“挂钩”或“钩子”。在对 特定的系统事件进行Hook后,一旦发生已Hook事件,对该事件进行Hook的程序就会收到系统的通知, 这时程序就能在第一时间对该事件做出响应。 钩子实际上是一个处理消息的程序段,通过系统调用,把它挂入系统。每当特定的消息发出,在没有 到达目的程序前,钩子程序就先捕获该消息,亦即钩子函数先得到控制权。这时钩子函数即可以加工处理 (改变)该消息,也可以不作处理而继续传递该消息,还可以强制结束消息的传递。..
WIN32 Inline HOOK
hambaga的博客
08-14 502
Inline hook 和CE里面的代码注入很像(应该是一个东西),这个技术的原理是,修改汇编指令,让某个指令跳转到我们定义的函数,然后在函数内完成被替换的指令,然后再跳转回去。在我们定义的函数内,我们可以实时获取寄存器的值,从而可以完成对函数行为的监视和修改。 在我们定义的函数内,需要注意,寄存器的值和堆栈状态,执行前后必须完全一致,否则程序会出错。为了实现这个目的,我们需要用到裸函数。 下面是代码,要注意代码中使用的地址仅在我的机器上有效,如果你要编译这个程序,第一次运行会失败,请根据生成的汇编代码,找
windows api hook & rootkits资料大全
12-03
Windows API Hook 是一种技术,用于截获和修改 Microsoft Windows 操作系统中的 API 调用。API 是应用程序与操作系统之间进行交互的接口,通过 Hook 技术,我们可以在 API 被调用前或者调用后注入自定义的代码来监控、修改甚至完全替换原本的 API 行为。 Windows API Hook 技术通常用于以下几个方面: 1. 监控和记录:通过 Hook 技术,我们可以截获特定 API 的调用,并记录下来,以供后续分析使用。这对于软件调试、异常捕获和性能分析非常有用,可以帮助开发人员定位和解决问题。 2. 行为修改:通过修改 API 调用的参数或返回值,我们可以改变原本的行为逻辑。可以用于对软件进行自定义的增强或者修改,提供特定的功能或者保护隐私等。 3. 恶意行为检测与防范:通过 Hook 技术,可以监控系统中的 API 调用,检测和阻止恶意软件的行为。例如,可以截获网络 API 调用,检测恶意软件的通信行为,并阻止其传输敏感信息。 4. 系统级别功能拓展:通过 Hook 技术,可以在系统层面为应用程序提供额外的功能。例如,可以通过 Hook 来添加全局热键、截获鼠标事件、自定义窗口样式等。 需要注意的是,Windows API Hook 是一项强大但也易被滥用的技术。如果不正确使用,可能会导致系统不稳定、性能下降甚至安全问题。因此,在使用 API Hook 技术时,开发人员需要谨慎设计和测试,确保对系统的干扰和风险最小化。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值