HOOK API
这种HOOK API开始有用了,它可以HOOK 别的进程的API,许多程序的进程隐藏,进程的保护,文件,端口,注册表的隐藏就是使用它.现在实现进程的隐藏(隐藏程序名开头3个字母为CIW的进程),用DLL注入(可以省去很多麻烦).
Dll源代码:
#include <Windows.h>
#include <stdio.h>
typedef DWORD SYSTEM_INFORMATION_CLASS;
typedef int (WINAPI *pNtQuerySystemInformationFun)(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
{
wcout<<L"hWnd:"<<(int)hWnd<<endl;
wcout<<L"lpText:"<<lpText<<endl;
wcout<<L"lpCaption:"<<lpCaption<<endl;
wcout<<L"uType:"<<uType<<endl<<endl;
WriteProcessMemory((void*)-1, pMessageBox, szJmpMyMessageBox, 5, NULL);//写入我们处理后的5个字节
MessageBoxW(GetForegroundWindow(), L"Inline Hook:MessageBox", L"HOOK API", MB_OK);
ULONG PagefileUsage;
ULONG PeakPagefileUsage;
}VM_COUNTERS,*PVM_COUNTERS;
typedef struct _IO_COUNTERS
{
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
return 0;
}
int main()
{
DWORD dwJmpAddr = 0;
HMODULE hModule = LoadLibrary("User32.Dll");
pMessageBox = (pMessageBoxDef)GetProcAddress(hModule, "MessageBoxW");
char szJmpMyMessageBox[5] = {(char)0xe9};
pMessageBoxDef pMessageBox = NULL;
int WINAPI MyMessageBox(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType)
WriteProcessMemory((void*)-1, pMessageBox, szOldMessageBox, 5, NULL);
MessageBoxW(hWnd, lpText, lpCaption, uType);
WriteProcessMemory((void*)-1, pMessageBox, szJmpMyMessageBox, 5, NULL);
/* Identity of one thread, embedded in SYSTEM_THREADS as the ClientId field.
 * The two members are presumably the owning process id and the thread id,
 * carried as HANDLE-sized values (field names only - confirm against the SDK). */
typedef struct _CLIENT_ID
{
HANDLE UniqueProcess; // id of the process that owns the thread
HANDLE UniqueThread;  // id of the thread itself
}CLIENT_ID;
typedef enum _THREAD_STATE
{
StateInitialized,
StateReady,
ULONG SystemInformationLength,
HOOK MessageBoxW 这个,让它跳到我们自己的函数处理之后再调用原来的MessageBoxW,这种本地的HOOK API应该是最简单的HOOK API而且它的作用也不是很明显,但是可以了解什么是HOOK API.
#include <windows.h>
#include <iostream>
StateRunning,
StateStandby,
StateTerminated,
StateWait,
StateTransition,
StateUnknown
}THREAD_STATE;
typedef enum _KWAIT_REASON
{
Executive,
using namespace std;
// Signature of user32!MessageBoxW; pMessageBox holds the resolved address and is
// the way the hook calls the real function.
typedef int (WINAPI *pMessageBoxDef)(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType);
// The original first 5 bytes of MessageBoxW, saved with ReadProcessMemory before
// the 5-byte jmp is written over them. The hook restores them, calls through,
// and re-applies the jmp afterwards. This is a plain global with no locking:
// two threads entering the hook at the same time would race on the
// restore/re-patch sequence and one of them could hit the half-patched prologue.
char szOldMessageBox[5] = {0};
LONG BasePriority; //基本优先级;
ULONG ContextSwitchCount; //环境切换数目;
THREAD_STATE State; //当前状态;
KWAIT_REASON WaitReason; //等待原因;
}SYSTEM_THREADS,*PSYSTEM_THREADS;
typedef const UNICODE_STRING *PCUNICODE_STRING;
typedef struct _VM_COUNTERS
{
ULONG PeakVirtualSize;
ULONG VirtualSize;
ULONG PageFaultCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
}IO_COUNTERS,*PIO_COUNTERS;
PROC pfnCurrent, PROC pfnNew, HMODULE hmodCaller);
LONG WINAPI InvalidReadExceptionFilter(PEXCEPTION_POINTERS pep);
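/* NTSTATUS must be a SIGNED 32-bit type: NT_SUCCESS() works by testing the
 * sign bit, which is set on warning (0x8...) and error (0xC...) codes. With
 * NTSTATUS defined as DWORD (unsigned), "(NTSTATUS)(Status) >= 0" is true for
 * every value, so every failed NtQuerySystemInformation call would be taken
 * for a success. LONG gives the signed 32-bit type the macro relies on. */
#define NTSTATUS LONG
/* TRUE for success/informational statuses (high bits 00 / 01), FALSE for
 * warnings and errors (high bits 10 / 11). Only the sign is inspected; a
 * caller that needs a specific code (e.g. STATUS_INFO_LENGTH_MISMATCH to grow
 * its buffer) must compare the value itself. */
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)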
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters; //windows 2000 only
struct _SYSTEM_THREADS Threads[1];
};
BOOL WINAPI DllMain(
HANDLE hinstDLL,
DWORD dwReason,
LPVOID lpvReserved
)
{
if( DLL_PROCESS_ATTACH == dwReason )
{
CreateThread(NULL, NULL, ThreadProc, NULL, NULL, NULL);
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
LONG BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
}
return TRUE;
}
/* Counted wide-character string; this is the type of
 * SYSTEM_PROCESSES.ProcessName, i.e. the field the hook inspects.
 * NOTE(review): per the SDK, Length and MaximumLength are byte counts, not
 * character counts, and Buffer is not guaranteed to be NUL-terminated. Any
 * name comparison should therefore be bounded by Length/sizeof(WCHAR) rather
 * than rely on wcslen()/wcscmp(); also check Buffer for NULL and Length for 0
 * (the Idle process entry typically has an empty name) before reading it. */
typedef struct _UNICODE_STRING {
USHORT Length;        // bytes in use in Buffer (excluding any terminator)
USHORT MaximumLength; // bytes allocated for Buffer
PWSTR Buffer;         // wide-char data, not necessarily NUL-terminated
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
FreePage,
PageIn,
PoolAllocation,
DelayExecution,
Suspended,
UserRequest,
WrExecutive,
WrFreePage,
WrPageIn,
WrPoolAllocation,
WrDelayExecution,
1.本地HOOK API(Inline HOOK)
2.Ring3 下 HOOK API(IAT HOOK)
3.Ring0 下 HOOK API(SSDT HOOK)
1.本地HOOK API(Inline HOOK):
ULONG PeakWorkingSetSize;
ULONG WorkingSetSize;
ULONG QuotaPeakPagedPoolUsage;
ULONG QuotaPagedPoolUsage;
ULONG QuotaPeakNonPagedPoolUsage;
ULONG QuotaNonPagedPoolUsage;
Spare5,
Spare6, WrKerne Nhomakorabea }KWAIT_REASON;
typedef struct _SYSTEM_THREADS
{
LARGE_INTEGER KernelTime; //CPU内核模式使用时间;
LARGE_INTEGER UserTime; //CPU用户模式使用时间;
struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved[6];
LARGE_INTEGER CreateTime;
dwJmpAddr = (DWORD)MyMessageBox - (DWORD)pMessageBox - 5;
memcpy(szJmpMyMessageBox + 1, &dwJmpAddr, 4);
FreeLibrary(hModule);
ReadProcessMemory((void*)-1, pMessageBox, szOldMessageBox, 5, NULL);//读出原来的前5个字节
WrSuspended,
WrUserRequest,
WrEventPair,
WrQueue,
WrLpcReceive,
WrLpcReply,
WrVertualMemory,
WrPageOut,
WrRendezvous,
Spare2,
Spare3,
Spare4,
LARGE_INTEGER CreateTime; //线程创建时间;
ULONG WaitTime; //等待时间;
PVOID StartAddress; //线程开始的虚拟地址;
CLIENT_ID ClientId; //线程标识符;
LONG Priority; //线程优先级;
MessageBoxW(GetForegroundWindow(), L"Hello World", L"Win32", MB_OK);
return 0;
}
2.Ring3 下 HOOK API(IAT HOOK)
#include <ImageHlp.h>
#include <Tlhelp32.h>
#include <commctrl.h>
DWORD WINAPI ThreadProc(LPVOID lpParameter);
void ReplaceIATEntryInOneMod(PSTR pszCalleeModName,
Dll源代码:
#include <Windows.h>
#include <stdio.h>
typedef DWORD SYSTEM_INFORMATION_CLASS;
typedef int (WINAPI *pNtQuerySystemInformationFun)(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
{
wcout<<L"hWnd:"<<(int)hWnd<<endl;
wcout<<L"lpText:"<<lpText<<endl;
wcout<<L"lpCaption:"<<lpCaption<<endl;
wcout<<L"uType:"<<uType<<endl<<endl;
WriteProcessMemory((void*)-1, pMessageBox, szJmpMyMessageBox, 5, NULL);//写入我们处理后的5个字节
MessageBoxW(GetForegroundWindow(), L"Inline Hook:MessageBox", L"HOOK API", MB_OK);
ULONG PagefileUsage;
ULONG PeakPagefileUsage;
}VM_COUNTERS,*PVM_COUNTERS;
typedef struct _IO_COUNTERS
{
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
return 0;
}
int main()
{
DWORD dwJmpAddr = 0;
HMODULE hModule = LoadLibrary("User32.Dll");
pMessageBox = (pMessageBoxDef)GetProcAddress(hModule, "MessageBoxW");
char szJmpMyMessageBox[5] = {(char)0xe9};
pMessageBoxDef pMessageBox = NULL;
int WINAPI MyMessageBox(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType)
WriteProcessMemory((void*)-1, pMessageBox, szOldMessageBox, 5, NULL);
MessageBoxW(hWnd, lpText, lpCaption, uType);
WriteProcessMemory((void*)-1, pMessageBox, szJmpMyMessageBox, 5, NULL);
/* Identity of one thread, embedded in SYSTEM_THREADS as the ClientId field.
 * The two members are presumably the owning process id and the thread id,
 * carried as HANDLE-sized values (field names only - confirm against the SDK). */
typedef struct _CLIENT_ID
{
HANDLE UniqueProcess; // id of the process that owns the thread
HANDLE UniqueThread;  // id of the thread itself
}CLIENT_ID;
typedef enum _THREAD_STATE
{
StateInitialized,
StateReady,
ULONG SystemInformationLength,
HOOK MessageBoxW 这个,让它跳到我们自己的函数处理之后再调用原来的MessageBoxW,这种本地的HOOK API应该是最简单的HOOK API而且它的作用也不是很明显,但是可以了解什么是HOOK API.
#include <windows.h>
#include <iostream>
StateRunning,
StateStandby,
StateTerminated,
StateWait,
StateTransition,
StateUnknown
}THREAD_STATE;
typedef enum _KWAIT_REASON
{
Executive,
using namespace std;
// Signature of user32!MessageBoxW; pMessageBox holds the resolved address and is
// the way the hook calls the real function.
typedef int (WINAPI *pMessageBoxDef)(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType);
// The original first 5 bytes of MessageBoxW, saved with ReadProcessMemory before
// the 5-byte jmp is written over them. The hook restores them, calls through,
// and re-applies the jmp afterwards. This is a plain global with no locking:
// two threads entering the hook at the same time would race on the
// restore/re-patch sequence and one of them could hit the half-patched prologue.
char szOldMessageBox[5] = {0};
LONG BasePriority; //基本优先级;
ULONG ContextSwitchCount; //环境切换数目;
THREAD_STATE State; //当前状态;
KWAIT_REASON WaitReason; //等待原因;
}SYSTEM_THREADS,*PSYSTEM_THREADS;
typedef const UNICODE_STRING *PCUNICODE_STRING;
typedef struct _VM_COUNTERS
{
ULONG PeakVirtualSize;
ULONG VirtualSize;
ULONG PageFaultCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
}IO_COUNTERS,*PIO_COUNTERS;
PROC pfnCurrent, PROC pfnNew, HMODULE hmodCaller);
LONG WINAPI InvalidReadExceptionFilter(PEXCEPTION_POINTERS pep);
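/* NTSTATUS must be a SIGNED 32-bit type: NT_SUCCESS() works by testing the
 * sign bit, which is set on warning (0x8...) and error (0xC...) codes. With
 * NTSTATUS defined as DWORD (unsigned), "(NTSTATUS)(Status) >= 0" is true for
 * every value, so every failed NtQuerySystemInformation call would be taken
 * for a success. LONG gives the signed 32-bit type the macro relies on. */
#define NTSTATUS LONG
/* TRUE for success/informational statuses (high bits 00 / 01), FALSE for
 * warnings and errors (high bits 10 / 11). Only the sign is inspected; a
 * caller that needs a specific code (e.g. STATUS_INFO_LENGTH_MISMATCH to grow
 * its buffer) must compare the value itself. */
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)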
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters; //windows 2000 only
struct _SYSTEM_THREADS Threads[1];
};
BOOL WINAPI DllMain(
HANDLE hinstDLL,
DWORD dwReason,
LPVOID lpvReserved
)
{
if( DLL_PROCESS_ATTACH == dwReason )
{
CreateThread(NULL, NULL, ThreadProc, NULL, NULL, NULL);
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
LONG BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
}
return TRUE;
}
/* Counted wide-character string; this is the type of
 * SYSTEM_PROCESSES.ProcessName, i.e. the field the hook inspects.
 * NOTE(review): per the SDK, Length and MaximumLength are byte counts, not
 * character counts, and Buffer is not guaranteed to be NUL-terminated. Any
 * name comparison should therefore be bounded by Length/sizeof(WCHAR) rather
 * than rely on wcslen()/wcscmp(); also check Buffer for NULL and Length for 0
 * (the Idle process entry typically has an empty name) before reading it. */
typedef struct _UNICODE_STRING {
USHORT Length;        // bytes in use in Buffer (excluding any terminator)
USHORT MaximumLength; // bytes allocated for Buffer
PWSTR Buffer;         // wide-char data, not necessarily NUL-terminated
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
FreePage,
PageIn,
PoolAllocation,
DelayExecution,
Suspended,
UserRequest,
WrExecutive,
WrFreePage,
WrPageIn,
WrPoolAllocation,
WrDelayExecution,
1.本地HOOK API(Inline HOOK)
2.Ring3 下 HOOK API(IAT HOOK)
3.Ring0 下 HOOK API(SSDT HOOK)
1.本地HOOK API(Inline HOOK):
ULONG PeakWorkingSetSize;
ULONG WorkingSetSize;
ULONG QuotaPeakPagedPoolUsage;
ULONG QuotaPagedPoolUsage;
ULONG QuotaPeakNonPagedPoolUsage;
ULONG QuotaNonPagedPoolUsage;
Spare5,
Spare6, WrKerne Nhomakorabea }KWAIT_REASON;
typedef struct _SYSTEM_THREADS
{
LARGE_INTEGER KernelTime; //CPU内核模式使用时间;
LARGE_INTEGER UserTime; //CPU用户模式使用时间;
struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved[6];
LARGE_INTEGER CreateTime;
dwJmpAddr = (DWORD)MyMessageBox - (DWORD)pMessageBox - 5;
memcpy(szJmpMyMessageBox + 1, &dwJmpAddr, 4);
FreeLibrary(hModule);
ReadProcessMemory((void*)-1, pMessageBox, szOldMessageBox, 5, NULL);//读出原来的前5个字节
WrSuspended,
WrUserRequest,
WrEventPair,
WrQueue,
WrLpcReceive,
WrLpcReply,
WrVertualMemory,
WrPageOut,
WrRendezvous,
Spare2,
Spare3,
Spare4,
LARGE_INTEGER CreateTime; //线程创建时间;
ULONG WaitTime; //等待时间;
PVOID StartAddress; //线程开始的虚拟地址;
CLIENT_ID ClientId; //线程标识符;
LONG Priority; //线程优先级;
MessageBoxW(GetForegroundWindow(), L"Hello World", L"Win32", MB_OK);
return 0;
}
2.Ring3 下 HOOK API(IAT HOOK)
#include <ImageHlp.h>
#include <Tlhelp32.h>
#include <commctrl.h>
DWORD WINAPI ThreadProc(LPVOID lpParameter);
void ReplaceIATEntryInOneMod(PSTR pszCalleeModName,