Still nothing written, not even the diary. I read the PE article; the program in <<Proverbs>> has no comments at all. Isn't Liang just talking? Thinking it over: if you write a book and leave it like this, do you know you are teasing your readers?? Anyway, I have learned a lot from Big Brother Liang :) Today the hook still did not succeed. This is already the second method from China; his program has been annotated and understood, but the reason it fails has not been found. Probably I still don't understand it :(
#include "stdio.h" #include "windows.h" #include "imagehlp.h" #include "tlhelp32.h"
#pragma comment (lib, "imagehlp.lib") # Pragma Comment (Lib, "Kernel32.lib")
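// Describes one import-table hook: which imported API to redirect, in which
// module, and to what.
//
// Naming note: pszCallerModuleName is the DLL that *exports* the API (the
// import-descriptor name that is searched for, e.g. "user32.dll"), while
// hModCallerModule is the module whose import address table (IAT) is patched.
typedef struct _APIHOOK32_ENTRY {
    LPCTSTR pszAPIName;            // exported name of the API; only validated for NULL here
    LPCTSTR pszCallerModuleName;   // DLL exporting the API; matched against import descriptors
    PROC    pfnOriginApiAddress;   // value the IAT entry currently holds (the real API)
    PROC    pfnDummyFuncAddress;   // value to write into the IAT instead
    HMODULE hModCallerModule;      // module whose IAT is patched; NULL = sweep all modules
                                   // except the one containing the hook code itself
} APIHOOK32_ENTRY, *PAPIHOOK32_ENTRY;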
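// Rewrites one module's import address table (IAT) so that the entry holding
// phk->pfnOriginApiAddress holds phk->pfnDummyFuncAddress instead.
//
// phk->hModCallerModule is the base address of the module whose IAT is
// patched; phk->pszCallerModuleName names the DLL whose import descriptor
// is searched (the DLL that exports the API).
//
// Returns FALSE when the module has no import directory or does not import
// that DLL at all.  When a matching entry is found, returns the result of
// the IAT write.  Returns TRUE when the DLL is imported but none of its IAT
// entries holds pfnOriginApiAddress (nothing to patch in this module).
BOOL _SetApiHookUp(PAPIHOOK32_ENTRY phk)
{
    PIMAGE_THUNK_DATA pThunk;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
    ULONG size = 0;

    // One IMAGE_IMPORT_DESCRIPTOR per imported DLL; the array is terminated
    // by an all-zero descriptor (Name == 0).
    pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(
        phk->hModCallerModule, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &size);
    if (pImportDesc == NULL) {
        return FALSE;   // no import directory in this module
    }

    // Name is an RVA to the DLL's ASCII name, so the module base must be
    // added to get a usable pointer.  The linker records the name with the
    // capitalisation of the import library (often e.g. "USER32.dll"), so a
    // case-sensitive compare against "user32.dll" would never match.
    for (; pImportDesc->Name; pImportDesc++) {
        PSTR pszDllName = (PSTR)((PBYTE)phk->hModCallerModule + pImportDesc->Name);
        if (lstrcmpiA(pszDllName, phk->pszCallerModuleName) == 0) {
            break;
        }
    }
    if (pImportDesc->Name == 0) {
        return FALSE;   // this module does not import the named DLL
    }

    // FirstThunk is the RVA of this DLL's IAT: an array of function
    // addresses filled in by the loader, terminated by a zero entry.
    pThunk = (PIMAGE_THUNK_DATA)((PBYTE)phk->hModCallerModule + pImportDesc->FirstThunk);
    for (; pThunk->u1.Function; pThunk++) {
        PROC *ppfn = (PROC *)&pThunk->u1.Function;
        if (*ppfn != phk->pfnOriginApiAddress) {
            continue;
        }
        // The IAT page is typically not writable; WriteProcessMemory is used
        // for the store for that reason.  Its result is returned rather than
        // dropped so a failed patch is visible to the caller.
        return WriteProcessMemory(GetCurrentProcess(), ppfn,
                                  &phk->pfnDummyFuncAddress,
                                  sizeof(phk->pfnDummyFuncAddress), NULL);
    }
    return TRUE;        // DLL is imported, but this API is not in its IAT
}

// ----------------------------------------------------------------------------

// Installs the hook described by phk (UnhookWindowsAPIHooks reuses it to
// remove one).
//
// With phk->hModCallerModule == NULL every module in this process is patched
// except the one containing _SetApiHookUp, so that the hook code's own calls
// still reach the real API.  When this file is linked into the EXE rather
// than a separate DLL, that excluded module *is* the EXE, so the EXE's own
// IAT is left untouched; to patch the EXE, pass its handle explicitly.
//
// Returns FALSE on a NULL pszAPIName, pszCallerModuleName or
// pfnOriginApiAddress, or when VirtualQuery or the module snapshot fails.
// For an explicit module, returns what _SetApiHookUp returns; for a sweep,
// returns TRUE once every module has been visited.
BOOL SetWindowsAPIHook(PAPIHOOK32_ENTRY phk)
{
    MEMORY_BASIC_INFORMATION mInfo;
    MODULEENTRY32 me = { sizeof(MODULEENTRY32) };
    HMODULE hmodHookDll;
    HANDLE hSnapshot;
    BOOL bOk;

    if (phk->pszAPIName == NULL || phk->pszCallerModuleName == NULL ||
        phk->pfnOriginApiAddress == NULL) {
        return FALSE;
    }

    if (phk->hModCallerModule != NULL) {
        // The caller named the module to patch: do just that one.
        return _SetApiHookUp(phk);
    }

    // Locate the module that contains this hooking code: the allocation base
    // of the region holding _SetApiHookUp is that module's HMODULE.
    if (VirtualQuery((LPCVOID)_SetApiHookUp, &mInfo, sizeof(mInfo)) == 0) {
        return FALSE;
    }
    hmodHookDll = (HMODULE)mInfo.AllocationBase;

    // Snapshot of the modules loaded in this process.
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        return FALSE;
    }

    bOk = Module32First(hSnapshot, &me);
    while (bOk) {
        // Skip the module that holds the hook code itself.
        if (me.hModule != hmodHookDll) {
            phk->hModCallerModule = me.hModule;
            _SetApiHookUp(phk);     // FALSE here just means "does not import the DLL"
        }
        bOk = Module32Next(hSnapshot, &me);
    }
    CloseHandle(hSnapshot);         // snapshot handles must be released

    phk->hModCallerModule = NULL;   // restore the "all modules" marker for the caller
    return TRUE;
}

// ----------------------------------------------------------------------------

// Removes a hook installed by SetWindowsAPIHook by running the same procedure
// with the two addresses swapped: IAT entries now holding pfnDummyFuncAddress
// are written back to pfnOriginApiAddress.  The swap is undone afterwards so
// the entry describes the same hook on return and can be reused safely.
BOOL UnhookWindowsAPIHooks(PAPIHOOK32_ENTRY lpHk)
{
    BOOL bResult;
    PROC temp = lpHk->pfnOriginApiAddress;

    lpHk->pfnOriginApiAddress = lpHk->pfnDummyFuncAddress;
    lpHk->pfnDummyFuncAddress = temp;
    bResult = SetWindowsAPIHook(lpHk);

    // Put the entry back the way the caller gave it.
    lpHk->pfnDummyFuncAddress = lpHk->pfnOriginApiAddress;
    lpHk->pfnOriginApiAddress = temp;
    return bResult;
}

// ----------------------------------------------------------------------------

// Address of the real MessageBoxA that the replacement forwards to.  It must
// hold user32's own export address, captured at run time before the IAT is
// patched; a value that still routes through the EXE's import thunk would
// loop straight back into MyMessageBoxA once the IAT entry is rewritten.
// NOTE(review): a static initializer may resolve to that import thunk rather
// than to the IAT value - confirm in a debugger and reassign before hooking.
PROC lpAdder = (PROC)MessageBoxA;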
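// Prototype of MessageBoxA, so lpAdder can be called with checked arguments
// instead of through an unprototyped PROC.
typedef int (WINAPI *PFN_MESSAGEBOXA)(HWND, LPCSTR, LPCSTR, UINT);

// Replacement that the hook installs in place of MessageBoxA.  It ignores the
// caller's arguments and shows a fixed "New" box through lpAdder, which must
// hold user32's real export address (not a path back through the patched IAT).
int WINAPI MyMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    (void)hWnd;
    (void)lpText;
    (void)lpCaption;
    (void)uType;
    return ((PFN_MESSAGEBOXA)lpAdder)(NULL, "New", "New", MB_OK);
}

// ----------------------------------------------------------------------------

// Demo: hook MessageBoxA in this process, show a box, unhook, show another.
int main(void)
{
    APIHOOK32_ENTRY pe;

    pe.pszAPIName = "MessageBoxA";
    pe.pszCallerModuleName = "user32.dll";     // the DLL that exports the API
    // Must equal the value the loader stored in this module's IAT (user32's
    // export address), because _SetApiHookUp matches IAT entries against it.
    // NOTE(review): if the compiler resolves this to the EXE's own import
    // thunk instead, no entry ever matches - verify the value when debugging.
    pe.pfnOriginApiAddress = (PROC)MessageBoxA;
    pe.pfnDummyFuncAddress = (PROC)MyMessageBoxA;
    // Patch this EXE's own IAT explicitly.  With NULL, SetWindowsAPIHook sweeps
    // every module except the one containing _SetApiHookUp - which is this
    // EXE - so the MessageBox calls below would go through an unpatched IAT.
    pe.hModCallerModule = GetModuleHandle(NULL);

    // Capture the real address before the IAT is rewritten, so the
    // replacement forwards to user32 rather than back into itself.
    lpAdder = pe.pfnOriginApiAddress;

    SetWindowsAPIHook(&pe);
    MessageBox(NULL, "OLD", "OLD", MB_OK);     // should now display "New"
    UnhookWindowsAPIHooks(&pe);
    MessageBox(NULL, "OLD", "OLD", MB_OK);     // should display "OLD" again
    return 0;
}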