本教程边写代码边解释,运行环境VS2012+Qt
源码链接http://download.csdn.net/download/sky_calls/10264654
第一步、创建一个目标进程TargetProcess
关键函数解释
第二步、创建要注入的dll工程 ApiHook
{
LPCSTR lpFunctionName; // name of api 要拦截的函数名字
LPCTSTR lpDllName; // name of dll that has the api要拦截函数所属dll
LPVOID lpRecallfn; // recall function address 自定义的替换函数
LPVOID lpApiAddr; // api address 原始函数地址
PBYTE pOrgfnMem; // memory to save first few bytes of api and execute jmp code 原始函数跳转指令
int nOrgfnMemSize; // size of pOrgfnMem 跳转指令的大小
} RECALL_API_INFO, *PRECALL_API_INFO;
RECALL_API_INFO g_arHookAPIs[] =
{
"CreateFileA", "Kernel32.dll",
MyCreateFileA, CreateFileA, NULL, 0,
"CreateFileW", "Kernel32.dll",
MyCreateFileW, CreateFileW, NULL, 0,
"WriteFile", "Kernel32.dll",
MyWriteFile, WriteFile, NULL, 0,
"WriteFileEx", "Kernel32.dll",
MyWriteFileEx, WriteFileEx, NULL, 0
};
{
if (pApiRecall == NULL)
return false;
// 得到目标函数锁在的库名称
HMODULE hModule = LoadLibrary(pApiRecall->lpDllName);
if (!hModule)
return false;
// 得到目标函数在库里面的位置
FARPROC pfnStartAddr = (FARPROC)GetProcAddress(hModule, pApiRecall->lpFunctionName);
pApiRecall->lpApiAddr = pfnStartAddr; // 将目标函数保存起来,这一步可能不需要,没试下
if (!pfnStartAddr)
return false;
int nSize = 0;
int nDisassemblerLen = 0;
while(nSize < 5)
{
// GetOpCodeSize can get the assembly code size 得到跳转指令的大小 详见GetOpCodeSize的源文件解释
nDisassemblerLen = GetOpCodeSize((BYTE*)(pfnStartAddr) + nSize);
PrintMsg("nDisassemblerLen val %d\r\n", nDisassemblerLen);
nSize = nDisassemblerLen + nSize;
}
PrintMsg("nSize val %d\r\n", nSize);
DWORD dwProtect = 0;
if (!VirtualProtect(pfnStartAddr, nSize, PAGE_EXECUTE_READWRITE, &dwProtect)) // 修改内存地址的属性,将原目标函数地址跳转指令改为可读写模式
return false;
// be sure that we must change pOrgfnMem's protect, because the code in pOrgfnMem
// also need to execute
pApiRecall->pOrgfnMem = new BYTE[5 + nSize]; // 这个内存区域将保存原内存的跳转指令
DWORD dwMemProtect = 0;
if (!VirtualProtect(pApiRecall->pOrgfnMem, 5 + nSize, PAGE_EXECUTE_READWRITE, &dwMemProtect))
{
delete [] pApiRecall->pOrgfnMem;
pApiRecall->pOrgfnMem = NULL;
return false;
}
pApiRecall->nOrgfnMemSize = 5 + nSize;
// 下面这几行就是将原函数的跳转指令储存在pOrgfnMem里面,因为在调用了自定义函数后还要调用原函数,以免影响目标进程的功能
memcpy(pApiRecall->pOrgfnMem, pfnStartAddr, nSize);
*(BYTE*)(pApiRecall->pOrgfnMem + nSize) = 0xE9;
*(DWORD*)(pApiRecall->pOrgfnMem + nSize + 1) = (DWORD)pfnStartAddr + nSize - (DWORD)(pApiRecall->pOrgfnMem + 5 + nSize);
*(BYTE*)(pfnStartAddr) = 0xE9;
*(DWORD*)((BYTE*)pfnStartAddr + 1) = (DWORD)pApiRecall->lpRecallfn - ((DWORD)pfnStartAddr + 5); // lpRecallfn,这是我们自定义的函数,这段语句的作业是用我们自定义的函数覆盖原函数,例如MyWriteFile将会覆盖WriteFile
memset((BYTE*)pfnStartAddr + 5, 0x90, nSize - 5);
// be sure that we must set the rest to 0x90(assembly code for nop, do nothing,
// and occupy one byte), because we should't change the assembly code
VirtualProtect(pfnStartAddr, nSize, dwProtect, &dwProtect); // 将新函数的跳转指令的内存属性修改为原来的样子,可查看VirtualProtect的作用
return true;
}
第三步、创建注入工程 TestBqDll
执行进程注入操作
操作如下
// 提升进程的权限,不过好像不是必须的
bool promotePrivilege()
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
if ( !OpenProcessToken( GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)
)
{
return false;
}
if( !LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue) )
{
CloseHandle(hToken);
return false;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if( !AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL) )
{
CloseHandle(hToken);
return false;
}
return true;
}
// 根据进程的名称获得进程ID,因为进程注入需要进程的ID号
void GetTargetProcessIds(std::string inTarget, std::vector<int > &outIds)
{
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(pe32);
HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if(hProcessSnap == INVALID_HANDLE_VALUE)
return;
BOOL bProcess = Process32First(hProcessSnap, &pe32);
int targetNameLen = inTarget.length();
while(bProcess)
{
int searchLen = wcslen(pe32.szExeFile);
if (targetNameLen == searchLen)
{
bool isEqualName = true;
for (int i = 0; i < targetNameLen; ++i)
{
if (inTarget[i] != pe32.szExeFile[i])
{
isEqualName = false;
break;
}
}
if (isEqualName)
outIds.push_back(pe32.th32ProcessID);
}
// 继续查找
bProcess = Process32Next(hProcessSnap,&pe32);
}
CloseHandle(hProcessSnap);
}
// 进程注入
bool InjectDllByProcessID(const std::wstring dllPath, unsigned long inProcessID)
{
wchar_t* DirPath = new wchar_t[MAX_PATH];
wchar_t* FullPath = new wchar_t[MAX_PATH];
GetCurrentDirectory(MAX_PATH, DirPath);
swprintf_s(FullPath, MAX_PATH, dllPath.c_str(), DirPath);
HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |
PROCESS_VM_WRITE, FALSE, inProcessID);
if (hProcess == NULL)
{
delete[] DirPath;
delete[] FullPath;
return false;
}
LPVOID LoadLibraryAddr = (LPVOID)GetProcAddress(GetModuleHandle(L"kernel32.dll"),
"LoadLibraryW");
if (LoadLibraryAddr == NULL)
{
CloseHandle(hProcess);
delete[] DirPath;
delete[] FullPath;
return false;
}
LPVOID LLParam = (LPVOID)VirtualAllocEx(hProcess, NULL, (wcslen(FullPath) + 1) * sizeof(wchar_t),
MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hProcess, LLParam, FullPath, (wcslen(FullPath) + 1)* sizeof(wchar_t), NULL);
HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibraryAddr,
LLParam, NULL, NULL);
// 等待远程线程结束
::WaitForSingleObject(hRemoteThread, INFINITE);
// 清理
::VirtualFreeEx(hProcess, LLParam, (wcslen(FullPath) + 1), MEM_DECOMMIT);
::CloseHandle(hRemoteThread);
::CloseHandle(hProcess);
delete[] DirPath;
delete[] FullPath;
return true;
}
void TestBqDll::inject()
{
promotePrivilege();
std::vector<int > processIds;
//GetTargetProcessIds("PosTouch.exe", processIds);
GetTargetProcessIds("TargetProcess.exe", processIds);
QString _workPath = QCoreApplication::applicationDirPath();
QString dllPath = _workPath + "/ApiHook.dll";
if (processIds.size() > 0)
InjectDllByProcessID(dllPath.toStdWString(), processIds[0]);
}
源码链接http://download.csdn.net/download/sky_calls/10264654