Use hook interception package principle

zhaozj2021-02-16  50

Intercepting the API is a very useful thing, such as what you want to analyze someone else's procedure. Here I introduce a method of my own test.

First, we must try to put your code in the process space of the target program. Windows Hook can help us achieve this. The declaration of SETWINDOWSHOKEX is as follows:

HHOOK SETWINDOWSHOKEX

Int IDHOOK, / / ​​HOOK TYPE

HookProc lpfn, // hook procedure

Hinstance Hmod, // Handle To Application INSTANCE

DWORD DWTHREADID // Thread Identifier

);

The specific parameter meanings can be read through the MSDN, and there is no MSDN to be embarrassed.

The function of Hook itself is not important. We use its purpose just to allow Windows to put our code into other processes. Hook Type We can choose one, as long as the target program will definitely call it, here I use WH_CallWndProc. LPFN and HMOD points to our hook code, and their DLL, DWTHREADID is set to 0, indicating that there is such a hook on all systems so that we can put the code in other processes.

After that, our code has entered all the rules in the system. It must be noted that we only need to intercept the call of the target program we care, so we must also distinguish the process number. In our own hook function, the first run will make the most important API redirection work. That is, by changing a few bytes of the beginning of the API you want to change to a jump instruction, making it jump into our API. This is the most critical part. Here I want to cut three calls, WS2_32.DLL in Send and Recv, getMessagea in User32.dll.

DWORD dwcurrentpid = 0;

HHOOK HOLDHOOK = NULL;

DWORD PSEND = 0;

DWORD PRECV = 0;

GetMessage PgetMessage = NULL;

Byte btnewbytes [8] = {0x0B8, 0x0, 0x0, 0x40, 0x0, 0x0FF, 0x0E0, 0};

DWORD DWOLDBYTES [3] [2];

Handle hdebug = invalid_handle_value;

LResult Callback CallWndProc (int Ncode, WPARAM WPARAM, LPARAM LPARAM)

{

DWORD DWSIZE;

DWORD dwpidwatched;

HModule HLIB;

IF (dwcurrentpid == 0)

{

DWCurrentPid = getCurrentProcessId ();

HWND HWNDMAINHOK;

HWndMainHook = :: FindWindow (0, "mainhook");

DWPIDWATCHED = :: SendMessage (HWndMainHook, (WM_USER 100), 0, 0);

Holdhook = (hHOOK) :: SendMessage (hwndmainhook, (WM_USER 101), 0, 0);

IF (dwcurrentpid == dwpidwatch)

{

HLIB = LoadLibrary ("WS2_32.dll");

psend = (dword) getProcaddress (HLIB, "Send");

PRECV = (DWORD) GETPROCADDRESS (HLIB, "RECV"); :: readProcessMemory (invalid_handle_value, (void *) psend, (void *) dwoldbytes [0], sizeof (dword) * 2, & dwsize);

* (DWORD *) (btnewbytes 1) = (dword) new_send;

:: WriteProcessMemory (invalid_handle_value, (void *) psend, (void *) Btnewbytes, Sizeof (DWORD) * 2, & DWSIZE

:: ReadProcessMemory (Invalid_Handle_Value, (Void *) precv, (void *) dwoldbytes [1], sizeof (dWord) * 2, & dwsize

* (Dword *) (btnewbytes 1) = (dword) New_RECV;

:: WriteProcessMemory (invalid_handle_value, (void *) precv, (void *) btnewbytes, sizeof (dword) * 2, & dwsize

HLIB = LoadLibrary ("user32.dll");

PgetMessage = (GetMessage) GetProcaddress (Hlib, "GetMessagea");

:: readProcessMemory (invalid_handle_value, (void *) PgetMessage, (void *) dwoldbytes [2], sizeof (dWord) * 2, & dwsize);

* (Dword *) (btnewbytes 1) = (dword) new_getimentage;

:: WriteProcessMemory (invalid_handle_value, (void *) PgetMessage, (void *) btnewbytes, sizeof (dword) * 2, & dwsize

HDebug = :: CreateFile ("c: //trace.log", generic_write, 0, 0, create_always, file_attribute_normal, 0);

}

}

IF (Holdhook! = NULL)

{

Return CallNexthookex (Holdhook, Ncode, WPARAM, LPARAM);

}

Return 0;

}

The hook function above, only the first runtime is useful, that is, modify the first 8-byte of the three functions (actually only 7). The instructions in btnewbytes are actually

Mov Eax, 0x400000

JMP EAX

The 0x400000 here is the address of the new function, such as new_recv / new_send / new_getimentage, at this time, the stolen beam has been completed. Let's take a look at what we have done in our functions. Take GetMessagea as an Example:

Bool _stdcall new_getimentage (lpmsg lpmsg, hwnd hwnd, uint WMSGFILTERMIN, UINT WMSGFILTERMAX)

{

DWORD DWSIZE;

Char sztemp [256];

BOOL R = FALSE;

// Watch Here Before It's Executed.

Sprintf (Sztemp, "Before getMessage: hWnd 0x% 8.8X, MSGMIN 0x% 8.8X, MSGMAX 0x% 8.8X / R / N", HWND, WMSGFILTERMIN, WMSGFILTERMAX); :: Writefile (HDebug, Sztemp, Strlen (SzTemp) & dwsize, 0);

// Watch over

// Restore It At First

:: WriteProcessMemory (invalid_handle_value, (void *) PgetMessage, (void *) dwoldbytes [2], sizeof (dword) * 2, & dwsize);

// Execute IT

R = PgetMessage (LPMSG, HWND, WMSGFILTERMIN, WMSGFILTERMAX);

// hook it again

* (Dword *) (btnewbytes 1) = (dword) new_getimentage;

:: WriteProcessMemory (invalid_handle_value, (void *) PgetMessage, (void *) btnewbytes, sizeof (dword) * 2, & dwsize

// Watch Here After It's EXECUTED

Sprintf (SzTemp, "Result of getMessage IS% D. / R / N", R);

:: Writefile (HDebug, Sztemp, Strlen (Sztemp), & DWSize, 0);

IF (r)

{

Sprintf (SzTemp, "MSG: hwnd 0x% 8.8X, MSG 0x% 8.8X, WPARAM 0x% 8.8X, LPARAM 0X% 8.8X / R / NTIME 0X% 8.8X, X% D, Y% D / R / N "

LPMSG-> HWND, LPMSG-> Message,

LPMSG-> WPARAM, LPMSG-> LPARAM, LPMSG-> TIME,

LPMSG-> pt.x, lpmsg-> pt.y);

:: Writefile (HDebug, Sztemp, Strlen (Sztemp), & DWSize, 0);

}

STRCPY (SZTEMP, "/ R / N");

:: Writefile (HDebug, Sztemp, Strlen (Sztemp), & DWSize, 0);

// Watch over

Return R;

}

First, the intercepted parameters are written to a log file for analysis. Then restore the first 8-byte of the GetMessageA originally reserved, and then perform the real getMessageA call, then write the execution result to the log file, and then return the execution result of the GetMessage to the caller.

This is like this through the entire intercepted process. You can change the write log section into your own you want. Where there is a place here is that the interception action is not possible, if the target process is multi-thread, there is a problem. The solution is that you can add a CriticalSection lock and unlocking in each new_getment, so that the call becomes serial, but I have not tried this.

转载请注明原文地址:https://www.9cbs.com/read-26778.html

New Post(0)