Intercepting the API is a very useful thing, such as what you want to analyze someone else's procedure. Here I introduce a method of my own test. First, we must try to put your code in the process space of the target program. Windows Hook can help us achieve this. SetWindowsHookEx the following statement: HHOOK SetWindowsHookEx (int idHook, // hook type HOOKPROC lpfn, // hook procedure HINSTANCE hMod, // handle to application instance DWORD dwThreadId // thread identifier); specific meaning of the parameters can be read msdn, can be described as no msdn Inch is difficult. The function of Hook itself is not important. We use its purpose just to allow Windows to put our code into other processes. Hook Type We can choose one, as long as the target program will definitely call it, here I use WH_CallWndProc. LPFN and HMOD points to our hook code, and their DLL, DWTHREADID is set to 0, indicating that there is such a hook on all systems so that we can put the code in other processes.
After that, our code has entered all the rules in the system. It must be noted that we only need to intercept the call of the target program we care, so we must also distinguish the process number. In our own hook function, the first run will make the most important API redirection work. That is, by changing a few bytes of the beginning of the API you want to change to a jump instruction, making it jump into our API. This is the most critical part. Here I want to cut three calls, WS2_32.DLL in Send and Recv, getMessagea in User32.dll.
DWORD dwcurrentpid = 0; hHOOK HOLDHOOK = NULL; DWORD PSEND = 0; DWORD PRECV = 0; getMessage PgetMessage = NULL;
Byte btnewbytes [8] = {0x0B8, 0x0, 0x0, 0x40, 0x0, 0x0FF, 0x0E0, 0}; DWORD DWOLDBYTES [3] [2];
Handle hdebug = invalid_handle_value;
LResult Callback CallWndProc (int Ncode, WPARAM WPARAM, LPARAM LPARAM) {DWORD DWSIZE; DWORD DWPIDWATCH; HMODULE HLIB;
if (dwCurrentPID == 0) {dwCurrentPID = GetCurrentProcessId (); HWND hwndMainHook; hwndMainHook = :: FindWindow (0, "MainHook"); dwPIDWatched = :: SendMessage (hwndMainHook, (WM_USER 100), 0, 0); hOldHook = (HHOOK) :: SendMessage (HWndmainhook, (WM_USER 101), 0, 0);
if (dwCurrentPID == dwPIDWatched) {hLib = LoadLibrary ( "ws2_32.dll"); pSend = (DWORD) GetProcAddress (hLib, "send"); pRecv = (DWORD) GetProcAddress (hLib, "recv"); :: ReadProcessMemory (INVALID_HANDLE_VALUE, (void *) pSend, (void *) dwOldBytes [0], sizeof (DWORD) * 2, & dwSize); * (DWORD *) (btNewBytes 1) = (DWORD) new_send; :: WriteProcessMemory (INVALID_HANDLE_VALUE, (void *) psend, (void *) btnewbytes, sizeof (dword) * 2, & dwsize);
:: ReadProcessMemory (INVALID_HANDLE_VALUE, (void *) pRecv, (void *) dwOldBytes [1], sizeof (DWORD) * 2, & dwSize); * (DWORD *) (btNewBytes 1) = (DWORD) new_recv; :: WriteProcessMemory (Invalid_Handle_Value, (void *) precv, (void *) btnewbytes, sizeof (dword) * 2, & dwsize);
hLib = LoadLibrary ( "user32.dll"); pGetMessage = (GETMESSAGE) GetProcAddress (hLib, "GetMessageA"); :: ReadProcessMemory (INVALID_HANDLE_VALUE, (void *) pGetMessage, (void *) dwOldBytes [2], sizeof (DWORD) * 2, & dwSize); * (DWORD *) (btNewBytes 1) = (DWORD) new_GetMessage; :: WriteProcessMemory (INVALID_HANDLE_VALUE, (void *) pGetMessage, (void *) btNewBytes, sizeof (DWORD) * 2, & dwSize);
HDebug = :: Createfile ("c: //trace.log", generic_write, 0, 0, create_always, file_attribute_normal, 0);}}
IF (Holdhook! = null) {Return CallNexthooKex (HoldHook, Ncode, WPARAM, LPARAM);
Return 0;}
The hook function above, only the first runtime is useful, that is, modify the first 8-byte of the three functions (actually only 7). The instructions in btnewbytes are actually MOV EAX, 0x400000JMP EAX here 0x400000 is the address of the new function, such as new_recv / new_send / new_getimentage, at this time, the stolen beam has been completed. Let's take a look at what we have done in our functions. Take GetMessagea as an Example: BOOL _STDCALL New_GETMESSAGE (lpmsg lpmsg, hwnd, uint wmsgfiltermin, uint wmsgfiltermax) {dWord dwsize; char sztemp [256]; bool r = false;
// Watch Here Before It's Executed. Sprintf (Sztemp, "Before getMessage: hwnd 0x% 8.8X, MSGMAX 0x% 8.8X, MSGMAX 0x% 8.8X / R / N", hwnd, wmsgfiltermin, wmsgfiltermax; :: Writefile HDebug, sztemp, strlen (sztemp), & dwsize, 0); // Watch over
// Restore It At First :: WriteProcessMemory (invalid_handle_value, (void *) PgetMessage, (void *) dwoldbytes [2], sizeof (dword) * 2, & dwsize
// Execute it r = PgetMESSAGE (LPMSG, HWND, WMSGFILTERMIN, WMSGFILTERMAX);
// hook it again * (DWORD *) (btNewBytes 1) = (DWORD) new_GetMessage; :: WriteProcessMemory (INVALID_HANDLE_VALUE, (void *) pGetMessage, (void *) btNewBytes, sizeof (DWORD) * 2, & dwSize);
// Watch Here After It's EXECUTED SPRINTF (Sztemp, "Result of getMessage IS% D. / R / N", R); :: Writefile (HDebug, Sztemp, Strlen (Sztemp), & DWSize, 0); if (r) {Sprintf (SzTemp, "MSG: HWND 0x% 8.8X, MSG 0x% 8.8X, WPARAM 0x% 8.8X, LPARAM 0x% 8.8X / R / NTIME 0X% 8.8X, X% D, Y% D / R / n ", lpmsg-> hwnd, lpmsg-> message, lpmsg-> wparam, lpmsg-> lparam, lpmsg-> time, lpmsg-> pt.x, lpmsg-> pt.y); :: Writefile (HDebug, sztemp Strlen (sztemp), & dwsize, 0);} strcpy (sztemp, "/ r / n"); :: Writefile (HDebug, sztemp, strlen (sztemp), & dwsize, 0);
// Watch over
Return R;
First, the intercepted parameters are written to a log file for analysis. Then restore the first 8-byte of the GetMessageA originally reserved, and then perform the real getMessageA call, then write the execution result to the log file, and then return the execution result of the GetMessage to the caller. This is like this through the entire intercepted process. You can change the write log section into your own you want. Where there is a place here is that the interception action is not possible, if the target process is multi-thread, there is a problem. The solution is that you can add a CriticalSection lock and unlocking in each new_getment, so that the call becomes serial, but I have not tried this. Code download, http://redspider.126.com/assault/apihook.zip.
