hook engine:
nthookengine
mhook
Detour
方法:
本进程 hook：直接调用 hook 函数即可(自己进程还要 hook?)；跨进程 hook：写一个 dll，在 dll 里 hook 每一个函数，然后将该 dll 注入到目标进程，从而达到 hook 目标进程中函数的目的。
MHOOK
需要自己先获取原始函数地址(下面的 TrueNtOpenProcess)，hook 后该指针指向原函数
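#include "mhook.h"

/* Prototype of ntdll!NtOpenProcess as hooked below (SAL-style IN/OUT
 * annotations kept from the original).
 * NOTE(review): the tag `_NtOpenProcess` starts with an underscore followed
 * by an uppercase letter, a form the C standard reserves for the
 * implementation; it is kept unchanged because other code may refer to it. */
typedef ULONG (WINAPI* _NtOpenProcess)(OUT PHANDLE ProcessHandle,
                                       IN ACCESS_MASK AccessMask,
                                       IN PVOID ObjectAttributes,
                                       IN PCLIENT_ID ClientId);

/* Address of the real NtOpenProcess. Mhook_SetHook() replaces this pointer
 * with a trampoline, so after hooking it is the only route to the original.
 * The lookup result is not checked here (a file-scope initializer cannot
 * branch); a NULL value must be rejected before Mhook_SetHook() is called.
 * The wide literal assumes a UNICODE build so that GetModuleHandle resolves
 * to GetModuleHandleW. */
_NtOpenProcess TrueNtOpenProcess = (_NtOpenProcess)
    GetProcAddress(GetModuleHandle(L"ntdll"), "NtOpenProcess");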
/* Replacement for NtOpenProcess installed via Mhook_SetHook(). This version
 * is a pure pass-through: every argument is forwarded unchanged to the real
 * routine reached through TrueNtOpenProcess and its status is returned.
 * Requires TrueNtOpenProcess to have been resolved (non-NULL) before the
 * hook was installed. */
ULONG WINAPI HookNtOpenProcess(OUT PHANDLE ProcessHandle,
                               IN ACCESS_MASK AccessMask,
                               IN PVOID ObjectAttributes,
                               IN PCLIENT_ID ClientId)
{
    const ULONG status = TrueNtOpenProcess(ProcessHandle, AccessMask,
                                           ObjectAttributes, ClientId);
    return status;
}
/* Install the hook: mhook patches NtOpenProcess and redirects
 * TrueNtOpenProcess to a trampoline that reaches the original code.
 * Both calls return BOOL; neither result is checked here, so a failed
 * install (e.g. TrueNtOpenProcess still NULL) goes unnoticed. */
Mhook_SetHook((PVOID*)&TrueNtOpenProcess, HookNtOpenProcess);
/* Restore the original bytes; TrueNtOpenProcess should then point at the
 * real NtOpenProcess again. */
Mhook_Unhook((PVOID*)&TrueNtOpenProcess);
NTHookEngine
引擎内部维护一张 hook 表，hook 函数通过 GetOriginalFunction 自己找到原来的函数
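/* Replacement for user32!MessageBoxTimeoutW registered through
 * HookFunction(). Forwards the call to the original routine with the caption
 * replaced by a fixed string; every other argument passes through.
 * Returns the original's result, or 0 when the hook engine cannot supply
 * the original address (the previous version called through a null pointer
 * in that case). */
int WINAPI MyMessageBoxW(HWND hWnd, LPCWSTR lpText,
                         LPCWSTR lpCaption, UINT uType,
                         WORD wLanguageId, DWORD dwMilliseconds)
{
    typedef int (WINAPI *PFN_MESSAGEBOXTIMEOUTW)(HWND, LPCWSTR, LPCWSTR,
                                                  UINT, WORD, DWORD);
    /* NtHookEngine keys its table on the hook's own address. */
    PFN_MESSAGEBOXTIMEOUTW pOriginal = (PFN_MESSAGEBOXTIMEOUTW)
        GetOriginalFunction((ULONG_PTR) MyMessageBoxW);

    (void) lpCaption;  /* deliberately overridden below */

    if (pOriginal == NULL) {
        /* Not hooked, or the lookup failed: nothing to forward to. */
        return 0;
    }
    return pOriginal(hWnd, lpText, L"Hooked MessageBox",
                     uType, wLanguageId, dwMilliseconds);
}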
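/* Resolve MessageBoxTimeoutW once and reuse the address for both calls.
 * The original looked it up twice and never checked for a NULL module or
 * export, which would hand address 0 to the engine. The module handle is
 * deliberately not released: a patched module must stay mapped while the
 * hook is in place. */
HMODULE hUser32 = LoadLibrary(_T("User32.dll"));
ULONG_PTR pfnMessageBoxTimeoutW = (hUser32 != NULL)
    ? (ULONG_PTR) GetProcAddress(hUser32, "MessageBoxTimeoutW")
    : 0;
if (pfnMessageBoxTimeoutW != 0) {
    HookFunction(pfnMessageBoxTimeoutW, (ULONG_PTR) &MyMessageBoxW);
    UnhookFunction(pfnMessageBoxTimeoutW);
}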
R3跨进程hook思路
分为三部分：一个 dll 文件，调用 hook engine 负责 hook API；hooker 负责把该 dll 注入目标进程；hookee 即目标进程，hooker 获取它的 pid、打开它并完成注入。
需要 dll 注入才能 hook 的原因是：R3 下每个进程的地址空间是私有的，hook 代码必须运行在目标进程内部。
NThook的dll代码片段
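/* Look up an exported routine by module and name. Returns 0 if the module
 * cannot be loaded or the export is missing, so the caller never hands
 * address 0 to HookFunction. The module handle is intentionally not
 * released: a hooked module has to stay mapped for as long as the patch is
 * in place. */
static ULONG_PTR ResolveExport(LPCTSTR moduleName, LPCSTR procName)
{
    HMODULE hModule = LoadLibrary(moduleName);
    if (hModule == NULL)
        return 0;
    return (ULONG_PTR) GetProcAddress(hModule, procName);
}

/* Install a hook only when the target export was found, and report the
 * engine's BOOL result so the caller knows whether GetOriginalFunction()
 * will yield a usable address. Requires HookFunction to be resolved. */
static BOOL HookExport(LPCTSTR moduleName, LPCSTR procName, ULONG_PTR hookAddr)
{
    ULONG_PTR target = ResolveExport(moduleName, procName);
    if (target == 0)
        return FALSE;
    return HookFunction(target, hookAddr);
}

/* Resolve the NtHookEngine entry points and install the hooks this DLL
 * provides. Each Old* pointer is assigned only when its hook went in; on
 * failure it keeps its previous value and the replacement is never reached
 * through the engine. Previously a failed LoadLibrary/GetProcAddress passed
 * address 0 to HookFunction and a failed hook stored a NULL Old* pointer. */
VOID HookIt(VOID)
{
    /* NtHookEngine.dll must stay loaded: it owns the trampolines the Old*
     * pointers below point into. */
    HMODULE hHookEngineDll = LoadLibrary(_T("NtHookEngine.dll"));
    if (hHookEngineDll == NULL)
        return;

    HookFunction = (BOOL (__cdecl *)(ULONG_PTR, ULONG_PTR))
        GetProcAddress(hHookEngineDll, "HookFunction");
    UnhookFunction = (VOID (__cdecl *)(ULONG_PTR))
        GetProcAddress(hHookEngineDll, "UnhookFunction");
    GetOriginalFunction = (ULONG_PTR (__cdecl *)(ULONG_PTR))
        GetProcAddress(hHookEngineDll, "GetOriginalFunction");
    if (HookFunction == NULL || UnhookFunction == NULL ||
        GetOriginalFunction == NULL)
        return;

    //
    // Hook ALL the apis you want here
    //
    // NOTE(review): the engine only knows the original address after the
    // hook is installed, so there is a short window between HookFunction()
    // and the Old* assignment in which a concurrent caller could reach the
    // replacement with its Old* pointer still unset.
    if (HookExport(_T("User32.dll"), "MessageBoxTimeoutW",
                   (ULONG_PTR) &MyMessageBoxW))
        OldMessageBoxW = (MESSAGEBOXW) GetOriginalFunction((ULONG_PTR) MyMessageBoxW);

    if (HookExport(_T("KERNEL32.DLL"), "CreateProcessA",
                   (ULONG_PTR) &myCreateProcessA))
        OldCreateProcessA = (CREATPROCESSA) GetOriginalFunction((ULONG_PTR) myCreateProcessA);

    if (HookExport(_T("KERNEL32.DLL"), "CreateProcessW",
                   (ULONG_PTR) &myCreateProcessW))
        OldCreateProcessW = (CREATPROCESSW) GetOriginalFunction((ULONG_PTR) myCreateProcessW);
}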
hooker代码
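/* Inject hookdll.dll into the process whose id is in m_dwPid. Opens the
 * target with the access rights the injector needs, reports failure to the
 * user, and releases the process handle afterwards (the original leaked it
 * on every successful run). */
AddDebugPrivilege();   // NOTE(review): result unchecked, as before — confirm the helper reports failure
UpdateData(TRUE);      // presumably refreshes m_dwPid from the dialog control
//MessageBox(_T("Failed"));
HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD |
    PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE |
    PROCESS_VM_READ, FALSE, m_dwPid);
if (hProcess == NULL)
{
    MessageBox(_T("Failed"));
    return;
}
InjectDll(hProcess, _T("hookdll.dll"));
/* InjectDll's return type is not visible here, so its result is not
 * checked; the handle is no longer needed once it returns. */
CloseHandle(hProcess);
//(CButton*)GetDlgItem(IDOK)->EnableWindow(FALSE);
//OnOK();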