WinAPI Hook (Modifying the first five bytes: the JMP jump method)

zhaozj  2021-02-16

This article describes hooking a Win2K API by overwriting the first five bytes of the function with a JMP. Win2K gives us three powerful functions for operating on the memory of a process: VirtualProtectEx, WriteProcessMemory and ReadProcessMemory. With them we can modify code in memory at run time. Their prototypes are:

    BOOL VirtualProtectEx(
        HANDLE hProcess,        // handle of the process whose memory is to be modified
        LPVOID lpAddress,       // start address of the region to modify
        DWORD  dwSize,          // number of bytes to modify
        DWORD  flNewProtect,    // new protection attribute
        PDWORD lpflOldProtect   // receives the previous protection attribute
    );

    BOOL WriteProcessMemory(
        HANDLE  hProcess,               // handle of the process to write to
        LPVOID  lpBaseAddress,          // start address to write to
        LPVOID  lpBuffer,               // data to write
        DWORD   nSize,                  // number of bytes to write
        LPDWORD lpNumberOfBytesWritten  // receives the number of bytes actually written
    );

    BOOL ReadProcessMemory(
        HANDLE  hProcess,            // handle of the process to read from
        LPCVOID lpBaseAddress,       // start address to read from
        LPVOID  lpBuffer,            // buffer that receives the data
        DWORD   nSize,               // number of bytes to read
        LPDWORD lpNumberOfBytesRead  // receives the number of bytes actually read
    );

See the MSDN help for the details of each parameter. Unlike Win9x/ME, where the system DLLs live in an address range shared by every process, each Win2K process has its own private view of user32.dll (the page you write to is copied for that process), so patching MessageBoxA in one process affects that process only. To hook the API in every process, the patching code has to be carried into each of them: here that is done with a system-wide Windows hook (SetWindowsHookEx), whose DLL the system loads into every GUI process, and the patch is applied from that DLL's DllMain.

A simple example that intercepts MessageBoxA illustrates the technique. First the DLL (hookapi2.dll; 32-bit x86 only, since it uses inline assembly):

// hookapi2.cpp
#include <windows.h>

#define HOOKAPI2_API extern "C" __declspec(dllexport)

HHOOK     g_hHook        = NULL;   // the empty WH_GETMESSAGE hook, used only to get this DLL loaded everywhere
HINSTANCE g_hinstDll     = NULL;   // our own module handle, needed by SetWindowsHookEx
FARPROC   pfMessageBoxA  = NULL;   // address of user32!MessageBoxA in this process
HMODULE   hUser32        = NULL;
BYTE      OldMessageBoxACode[5];   // the original first five bytes of MessageBoxA
BYTE      NewMessageBoxACode[5];   // E9 xx xx xx xx = JMP rel32 to MyMessageBoxA
DWORD     dwIdNew;                 // our own process id
BOOL      bHook = FALSE;           // TRUE while the JMP is in place

int WINAPI MyMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);
void HookOn();
void HookOff();
BOOL Init();

BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        // Runs in every process the system loads this DLL into, i.e. in every
        // process that receives the global hook: this is where the patch is applied.
        g_hinstDll = hinstDLL;
        if (!Init()) {
            MessageBoxA(NULL, "Init", "ERROR", MB_OK);
            return FALSE;
        }
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        if (bHook) HookOff();   // put the original bytes back before we are unloaded
        break;
    }
    return TRUE;
}

// Empty hook procedure: it does nothing but pass the message on. Its only purpose
// is that SetWindowsHookEx with dwThreadId = 0 makes Windows load hookapi2.dll
// into every GUI process on the desktop, which runs DllMain (and Init) there.
LRESULT CALLBACK Hook(int nCode, WPARAM wParam, LPARAM lParam)
{
    return CallNextHookEx(g_hHook, nCode, wParam, lParam);
}

HOOKAPI2_API BOOL InstallHook()   // exported: install the empty global hook
{
    g_hHook = SetWindowsHookEx(WH_GETMESSAGE, (HOOKPROC)Hook, g_hinstDll, 0);
    if (!g_hHook) {
        MessageBoxA(NULL, "SET ERROR", "Error", MB_OK);
        return FALSE;
    }
    return TRUE;
}

HOOKAPI2_API BOOL UninstallHook() // exported: remove the global hook
{
    return UnhookWindowsHookEx(g_hHook);
}

// Look up MessageBoxA, save its first five bytes and build the JMP MyMessageBoxA
// instruction that will replace them.
BOOL Init()
{
    hUser32 = LoadLibrary("user32.dll");  // already loaded in any GUI process; this only adds a reference
    if (!hUser32) return FALSE;
    pfMessageBoxA = GetProcAddress(hUser32, "MessageBoxA");
    if (pfMessageBoxA == NULL) return FALSE;

    _asm {                        // copy the original 5 bytes: 4 with movsd, 1 with movsb
        lea  edi, OldMessageBoxACode
        mov  esi, pfMessageBoxA
        cld
        movsd
        movsb
    }

    NewMessageBoxACode[0] = 0xE9; // opcode of JMP rel32
    _asm {                        // rel32 = MyMessageBoxA - (pfMessageBoxA + 5):
        lea  eax, MyMessageBoxA   // the displacement is relative to the END of the
        mov  ebx, pfMessageBoxA   // 5-byte JMP, hence the extra "sub eax, 5"
        sub  eax, ebx
        sub  eax, 5
        mov  dword ptr [NewMessageBoxACode + 1], eax
    }

    dwIdNew = GetCurrentProcessId();
    HookOn();                     // start intercepting
    return TRUE;
}

// Replacement for MessageBoxA. The JMP at MessageBoxA's entry lands here with the
// original arguments still on the stack. Before calling the real function the
// patch is removed, and it is put back afterwards.
// Caveat: this on/off toggle is not thread-safe. Between HookOff() and HookOn()
// another thread calling MessageBoxA reaches the unpatched original.
int WINAPI MyMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    int nReturn = 0;
    HookOff();
    nReturn = MessageBoxA(hWnd, "MessageBox has been intercepted, huh!", lpCaption, uType);
    HookOn();
    return nReturn;
}

// Write the JMP MyMessageBoxA over the first 5 bytes of MessageBoxA in this process.
void HookOn()
{
    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, 0, dwIdNew);   // handle to our own process
    DWORD  dwOldProtect;
    // The code page is read/execute only: make it writable (keeping it executable),
    // patch, then restore the previous protection.
    VirtualProtectEx(hProc, pfMessageBoxA, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect);
    WriteProcessMemory(hProc, pfMessageBoxA, NewMessageBoxACode, 5, NULL);
    VirtualProtectEx(hProc, pfMessageBoxA, 5, dwOldProtect, &dwOldProtect);
    CloseHandle(hProc);
    bHook = TRUE;
}

// Restore the original 5 bytes of MessageBoxA, i.e. turn JMP MyMessageBoxA back
// into the real prologue.
void HookOff()
{
    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, 0, dwIdNew);
    DWORD  dwOldProtect;
    VirtualProtectEx(hProc, pfMessageBoxA, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect);
    WriteProcessMemory(hProc, pfMessageBoxA, OldMessageBoxACode, 5, NULL);
    VirtualProtectEx(hProc, pfMessageBoxA, 5, dwOldProtect, &dwOldProtect);
    CloseHandle(hProc);
    bHook = FALSE;
}

Then the test program, linked against hookapi2.lib:

// test.cpp
#include <windows.h>

extern "C" __declspec(dllimport) BOOL InstallHook();
extern "C" __declspec(dllimport) BOOL UninstallHook();

int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    if (!InstallHook()) {
        MessageBoxA(NULL, "Hook Error!", "HOOK", MB_OK);
        return 1;
    }
    // "Test" is replaced by the intercepted string. While the hook is installed,
    // every other process that pumps messages gets patched in the same way.
    MessageBoxA(NULL, "Test", "Test", MB_OK);
    if (!UninstallHook()) {
        MessageBoxA(NULL, "Uninstall Error!", "HOOK", MB_OK);
        return 1;
    }
    return 0;
}

The program above was built and tested under Win2K with VC7.0.
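The two computations the DLL does in assembly, building the JMP rel32 from the two addresses and (its inverse) reading a patched prologue back, written out in portable C. This is an added example, not code from the article: it never touches live code, the addresses and the five-byte "clean" prologue are constructed sample values, and the range check is the generalisation needed when the addresses are 64-bit and may lie more than 2 GB apart. The inverse is also the check a defender runs against this technique: compare a function's in-memory prologue with a clean copy and resolve where an E9 JMP points.

```c
/* Added example: the arithmetic behind the five-byte JMP patch and its inverse.
 * Portable C; it only builds and inspects byte sequences, it never writes code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_REL32_LEN 5           /* E9 + 4-byte little-endian displacement */

/* Encode "JMP rel32" placed at address `from` so that it lands at `to`.
 * The displacement is measured from the end of the 5-byte instruction,
 * which is the "sub eax, 5" in the article's Init().  Returns 0 on success,
 * -1 if `to` is out of signed 32-bit reach (impossible inside a 32-bit
 * address space, very possible between two 64-bit modules). */
int build_jmp_rel32(uint64_t from, uint64_t to, uint8_t out[JMP_REL32_LEN])
{
    int64_t rel = (int64_t)(to - (from + JMP_REL32_LEN));
    if (rel < INT32_MIN || rel > INT32_MAX)
        return -1;
    uint32_t disp = (uint32_t)(int32_t)rel;   /* two's complement, 32 bits */
    out[0] = 0xE9;
    out[1] = (uint8_t)(disp);                 /* little-endian regardless of host */
    out[2] = (uint8_t)(disp >> 8);
    out[3] = (uint8_t)(disp >> 16);
    out[4] = (uint8_t)(disp >> 24);
    return 0;
}

/* Inverse: if the bytes at address `at` are a JMP rel32, store where it goes in
 * *dest and return 1; otherwise return 0.  Addresses are handled as 64-bit; in a
 * 32-bit process truncate *dest to 32 bits. */
int decode_jmp_rel32(uint64_t at, const uint8_t code[JMP_REL32_LEN], uint64_t *dest)
{
    if (code[0] != 0xE9)
        return 0;
    uint32_t disp = (uint32_t)code[1]
                  | ((uint32_t)code[2] << 8)
                  | ((uint32_t)code[3] << 16)
                  | ((uint32_t)code[4] << 24);
    *dest = at + JMP_REL32_LEN + (uint64_t)(int64_t)(int32_t)disp;
    return 1;
}

/* Detection side: compare the live prologue of a function against a clean
 * reference (e.g. the same bytes read from the DLL file on disk).
 *   0 = untouched, 1 = JMP rel32 patch (the article's method, *dest set),
 *   2 = modified in some other way. */
int classify_prologue(uint64_t func, const uint8_t live[JMP_REL32_LEN],
                      const uint8_t clean[JMP_REL32_LEN], uint64_t *dest)
{
    if (memcmp(live, clean, JMP_REL32_LEN) == 0)
        return 0;
    if (decode_jmp_rel32(func, live, dest))
        return 1;
    return 2;
}

/* Constructed sample values (not real addresses and not real user32 bytes). */
static const uint64_t kMessageBoxA   = 0x77E23A1CULL;   /* stands in for pfMessageBoxA */
static const uint64_t kMyMessageBoxA = 0x10001230ULL;   /* stands in for MyMessageBoxA */
static const uint8_t  kCleanPrologue[JMP_REL32_LEN] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
                       /* mov edi,edi / push ebp / mov ebp,esp: a typical prologue */

int main(void)
{
    uint8_t  patch[JMP_REL32_LEN];
    uint64_t dest = 0;

    if (build_jmp_rel32(kMessageBoxA, kMyMessageBoxA, patch) != 0)
        return 1;
    printf("NewMessageBoxACode = %02X %02X %02X %02X %02X\n",
           patch[0], patch[1], patch[2], patch[3], patch[4]);

    switch (classify_prologue(kMessageBoxA, patch, kCleanPrologue, &dest)) {
    case 0:  puts("MessageBoxA: prologue intact"); break;
    case 1:  printf("MessageBoxA: hooked, JMP -> 0x%08llX\n", (unsigned long long)dest); break;
    default: puts("MessageBoxA: prologue modified, but not a JMP rel32"); break;
    }

    /* The 64-bit failure mode: a target more than 2 GB away cannot be encoded. */
    if (build_jmp_rel32(0x7FF6A0000000ULL, 0x10000ULL, patch) == -1)
        puts("far target: JMP rel32 cannot reach it; a longer stub would be needed");
    return 0;
}
```

With the sample addresses the encoder produces E9 0F D8 1D 98, a backward jump, and the decoder resolves it back to 0x10001230; on a real system the same classify_prologue() pass over each export of user32.dll, with the clean bytes taken from the file on disk, is how this style of hook is found.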

[Screenshot: MessageBox called directly, before the hook is installed]

[Screenshot: the API hook installer's interface]

[Screenshot: MessageBox intercepted, in a different process]

For the last screenshot I built a second small program that calls MessageBox directly; its box also shows the replacement text, which confirms that every MessageBox in the system is now intercepted.

Extending the model: this is only the tip of the API hook iceberg, and you have probably already thought of the obvious extensions. Hook DeleteFile and you have file protection; hook FindFirstFile and you can hide files; hook the Winsock functions and you can implement some firewall functionality.

To be continued ...

Please cite the original URL when reposting: https://www.9cbs.com/read-18124.html
