Blog http://blog.9cbs.net/pankun/ of the sword god
Sometimes we need to intercept the network data that other applications send and receive — for example, the HTTP headers IE sends, so we can see the requested address. Tools such as WPE or a sniffer can do this, but their functionality is limited; to get something more powerful, we have to build it ourselves.
There are three ways to intercept network packets. The first is to put the network card into promiscuous mode, which lets you monitor every packet on the LAN; the second is to hook the API functions of the target process; the third is to implement a proxy DLL yourself. Here we use the API-hook method, which is easy to implement and does not produce large amounts of useless data (the first method captures all network traffic).
Below is a template for the API hook, kept as general as possible. The principle is to use a message hook to load the DLL into the target process, use GetProcAddress to obtain the API function's entry address, and redirect that entry to our own function, so that the API's parameters are obtained there. After processing them, the real API entry is restored and called.
Hook.dll code:

library hook;
Uses sysutils, windows, messages, apihook in 'ApiHOK.PAS';
{ NOTE(review): the unit is referenced here as 'ApiHOK.PAS' while the unit
  declared further down is named ApiHook - confirm the file name before building. }
{ State shared by every process the message hook reaches. DLLData is not an
  ordinary global: MyDLLHandler points it at a view of the named file mapping
  'MYDLLDATA', so all loaded copies of this DLL read and write the same record. }
Type pdata = ^ tdata;
  tdata = record
    hook: thandle;    { hook handle from SetWindowsHookEx; 0 when not installed }
    hooked: boolean;  { True once HookAPI has patched send/recv (set in HookProc) }
  end;
var dlldata: pdata;   { assigned by MyDLLHandler on attach; cleared to nil on detach }
{-------------------------------------}
{ Procedure: HookProc
{ Purpose:   message-hook callback. The first time it runs inside the target
{            process it calls HookAPI to patch send/recv; every call then
{            forwards to the next hook in the chain.
{ Params:    nCode, wParam, lParam - message-hook arguments, passed through
{ NOTE(review): this is declared as a procedure, so the value returned by
{            CallNextHookEx is discarded instead of being returned to the
{            hook chain. Hooked lives in the shared mapping and is reset to
{            False on every DLL load (see the initialization section), so
{            the once-only gate is shared by all hooked processes - confirm
{            that this is the intended scope.
{-------------------------------------}
procedure HookProc (nCode, wParam, lParam: LongWORD); stdcall;
begin
  if not DLLData ^ .Hooked then
  begin
    HookAPI;
    DLLData ^ .Hooked: = True;
  end;
  // call to a next Hook
  { NOTE(review): the closing parenthesis of this call is missing in this copy; left as found }
  CallNextHookEx (DLLData ^ .Hook, NCODE, WPARAM, LPARAM;
END;
{-------------------------------------}
{ Function:  InstallHook
{ Purpose:   installs the message hook on the thread that owns the given
{            window; that is what gets this DLL loaded into the target
{            process, where HookProc patches the API on the first message.
{ Params:    sWindow - handle of a window belonging to the target process
{ Returns:   True when SetWindowsHookEx returned a non-zero handle, else False
{ NOTE(review): on failure the GetLastError value is discarded, so a caller
{            cannot tell an invalid window from a refused hook. The hook type
{            constant ("wh_getiment") and the SetWindowsHookEx argument list
{            are garbled / truncated in this copy and are left as found.
{-------------------------------------}
function InstallHook (sWindow: LongWORD): Boolean; stdcall;
var ThreadID: LongWORD;
begin
  Result: = False;
  DLLData ^ .Hook: = 0;
  ThreadID: = GetWindowThreadProcessId (sWindow , nil);
  // Mount the hook to the designated window
  DLLDATA ^ .hook: = setwindowshookex (wh_getiment, threadid);
  if dlldata ^ .hook> 0 Then
    Result: = true // Successfully Hook
  else
    exit;
END;
{-------------------------------------}
{ Procedure: UnHook
{ Purpose:   restores the patched send/recv entries (UnHookAPI) and then
{            removes the message hook recorded in DLLData^.Hook.
{ Params:    none
{ NOTE(review): the statement after UnHookAPI is garbled in this copy
{            ("unhat ^ .hook"); presumably it is the UnhookWindowsHookEx call
{            on DLLData^.Hook - verify against the original file.
{-------------------------------------}
procedure unhook; stdcall;
begin
  unhookApi;
  // Uninstall hook
  unhat ^ .hook;
end;

{-------------------------------------}
{ Procedure: MyDLLHandler  (DLL entry handler, assigned to DllProc)
{ Purpose:   on attach, creates or opens the named page-file-backed mapping
{            'MYDLLDATA' and maps it into DLLData so every process hosting
{            this DLL shares one TData; on detach, unmaps the view.
{ Params:    Reason - DLL_PROCESS_ATTACH / DLL_PROCESS_DETACH
{ NOTE(review): the case selector and the DLL_PROCESS_ATTACH label are
{            missing in this copy ("case: begin"); left as found.
{ NOTE(review): the mapping is created with nil security attributes under a
{            plain name, so other processes running as the same user can open
{            it by name and rewrite Hook / Hooked.
{ NOTE(review): FHandle is a local that is closed only on the MapViewOfFile
{            failure path; on success, and on detach, the mapping handle is
{            never closed. The view keeps the mapping alive, so the handle
{            could be closed right after MapViewOfFile succeeds.
{-------------------------------------}
procedure mydllhandler (REASON: Integer);
var fhandle: longword;
begin
  case: begin
    // establishes file mapping to implement global variables in DLL
    Fhaandle: = CREATEFILEMAPPING ($ FFFFFFFF, nil, PAGE_READWRITE, 0, $ ffff, 'MYDLLDATA');
    if FHandle = 0 then
      if GetLastError = ERROR_ALREADY_EXISTS then
      begin
        FHandle: = OpenFileMapping (FILE_MAP_ALL_ACCESS, False, 'MYDLLDATA');
        if FHandle = 0 then Exit;
      end
      else Exit;
    { on any Exit above DLLData is left unassigned - see the initialization section }
    DLLData: = MapViewOfFile (FHandle, FILE_MAP_ALL_ACCESS, 0, 0, 0);
    if DLLData = nil then CloseHandle (FHandle);
  end;
  DLL_PROCESS_DETACH: begin
    if Assigned (DLLData) then
    begin
      UnmapViewOfFile (DLLDATA);
      DLLDATA: = NIL;
    END;
  End;
{$ R * .res}
{ Loader-facing entry points: InstallHook / UnHook are what the calling
  program resolves with GetProcAddress; HookProc is the message-hook callback. }
exports installhook, unhook, hookproc;
{ Library initialization: route attach/detach notifications to MyDLLHandler,
  run the attach step now, then mark the shared state as not yet patched. }
{ NOTE(review): DLLData is dereferenced here unconditionally, but MyDLLHandler
  exits without assigning it when the mapping cannot be created, opened or
  mapped, so that failure becomes an access violation at load time. Hooked is
  also reset to False on every load although it lives in the shared mapping,
  so a second process loading this DLL re-arms HookProc's once-only gate for
  processes that are already patched; in that case HookAPI would save the
  already-patched entry bytes as the "original" - confirm this is intended. }
Begin
  DllProc: = @MydllHandler;
  MyDLLHandler (DLL_PROCESS_ATTACH);
  DLLDATA ^ .hooked: = false;
end.
--------------------------------------------------------------------------------
APIHOOK.PAS code:
Unit ApiHook;
Interface
Uses sysutils, windows, winsock;

TYPE
  // API function to Hook
  { Signature shared by winsock send and recv; the replacements (MySend/MyRecv)
    and the saved originals (OldSend/OldRecv) all use it. }
  TsockProc = Function (s: Tsocket; Var Buf; Len, Flags: Integer): integer; stdcall;
  { 8-byte patch that HookAPI writes over the first bytes of send and recv.
    Jmpcode and Moveax hold the opcode bytes assigned in HookAPI; Address is
    the replacement function. The 8-byte size assumes a 4-byte procedure
    pointer (Win32); on any other target the record size and the hard-coded
    8 used in the Read/WriteProcessMemory calls no longer match. }
  PJMPCODE = ^ TJMPCode;
  tjmpcode = Packed Record
    Jmpcode: Byte;
    address: tsockproc;
    moveax: array [0..2] of byte;
  end;

// -------------------- function declarations --------------------
procedure HookAPI;
procedure UnHookAPI;

var
  OldSend, OldRecv: TSockProc; // address of the original API
  JmpCode: TJmpCode;             { patch stub; Address is reassigned before every write }
  OldProc: array [0..1] of TJmpCode; { saved original entry bytes: [0] send, [1] recv }
  AddSend, AddRecv: pointer; // API address
  TmpJmp: TJmpCode;              { NOTE(review): not referenced anywhere in this unit }
  ProcessHandle: Thandle;        { GetCurrentProcess, assigned in HookAPI }

Implementation
{-------------------------------------}
{ Function:  MySend - replacement that HookAPI installs over ws2_32 send
{ Purpose:   runs in place of send. This template only beeps, then briefly
{            restores the original entry bytes, calls the real send through
{            OldSend, and re-applies the patch.
{ Params:    s, Buf, Len, Flags - passed through unchanged to send
{ Returns:   whatever the real send returned
{ NOTE(review): the restore / call / re-patch sequence is not synchronised.
{            While the entry is restored, other threads calling send run the
{            unhooked API, and two hooked calls can interleave their
{            WriteProcessMemory calls. The results of both WriteProcessMemory
{            calls are also ignored.
{-------------------------------------}
function mysend (s: tsocket; var buf; len, flags: integer): integer; stdcall;
var dwsize: cardinal;
begin
  // This is transmitted data processing
  MessageBeep (1000); // Simple sound
  //// Send function call direct positive
  { restore the saved entry bytes: OldSend points at the patched address (see HookAPI) }
  WriteProcessMemory (ProcessHandle, AddSend, @OldProc [0], 8, dwSize);
  Result: = OldSend (S, Buf, len, flags);
  { re-install the patch for the next call }
  JmpCode.Address: = @MySend;
  WriteProcessMemory (ProcessHandle, AddSend, @JMPCode, 8, dwsize);
end;
{-------------------------------------}
{ Function:  MyRecv - replacement that HookAPI installs over ws2_32 recv
{ Purpose:   runs in place of recv. This template only beeps, then briefly
{            restores the original entry bytes, calls the real recv through
{            OldRecv, and re-applies the patch.
{ Params:    S, Buf, Len, Flags - passed through unchanged to recv
{ Returns:   whatever the real recv returned
{ NOTE(review): same unsynchronised restore / call / re-patch sequence as
{            MySend, with the same ignored WriteProcessMemory results. Note
{            also that at the "data processing" point Buf has not been filled
{            yet - recv writes it during the OldRecv call. The closing
{            parenthesis before the return type is missing in this copy.
{-------------------------------------}
Function MyRecv (S: Tsocket; Var Buf; Len, Flags: Integer: Integer; stdcall;
var dwsize: cardinal;
begin
  // This data processing
  MessageBeep (1000); // Simple sound
  // direct positive Recv function call
  { restore the saved entry bytes: OldRecv points at the patched address (see HookAPI) }
  WriteProcessMemory (ProcessHandle, AddRecv, @OldProc [1], 8, dwSize);
  Result: = OldRecv (S, Buf, len, flags);
  { re-install the patch for the next call }
  JmpCode.Address: = @MyRecv;
  WriteProcessMemory (ProcessHandle, AddRecv, @JMPCode, 8, dwsize);
end;
{-------------------------------------}
{ Procedure: HookAPI
{ Purpose:   locates send and recv in ws2_32.dll, saves the first 8 bytes of
{            each entry into OldProc, and overwrites those bytes with the
{            TJmpCode stub pointing at MySend / MyRecv.
{ Params:    none (results are stored in the unit globals)
{ NOTE(review): none of LoadLibrary, GetProcAddress, ReadProcessMemory or
{            WriteProcessMemory is checked; a nil AddSend / AddRecv would make
{            the read and write target address 0. The ws2_32 module handle is
{            never released, and there is no guard against running twice - a
{            second run saves the already-patched bytes as the "original"
{            (see the Hooked reset in hook.dll's initialization).
{-------------------------------------}
procedure hookapi;
var dllmodule: thandle; dwsize: cardinal;
Begin
  ProcessHandle : = GetCurrentProcess;
  DLLModule: = LoadLibrary ( 'ws2_32.dll');
  AddSend: = GetProcAddress (DLLModule, 'send');
  // address of an API
  AddRecv: = GetProcAddress (DLLModule, 'recv');
  { build the patch stub; only Address differs between the two writes below }
  JmpCode.JmpCode: = $ B8;
  JMPCode.Moveax [0]: = $ ff;
  jmpcode.moveax [1]: = $ E0;
  jmpcode.moveax [2]: = 0;
  { save the original entry bytes of send, then patch it }
  ReadProcessMemory (ProcessHandle, Addsend, @oldproc [0], 8, dwsize );
  JmpCode.Address: = @MySend;
  WriteProcessMemory (ProcessHandle, AddSend, @JmpCode, 8, dwSize);
  // Send modified inlet
  { same for recv }
  ReadProcessMemory (ProcessHandle, AddRecv, @OldProc [1], 8, dwSize);
  { NOTE(review): ": @ @MyRecv" is garbled in this copy; presumably ":= @MyRecv" }
  JmpCode.Address: @ @MyRecv;
  WriteProcessMemory (ProcessHandle, AddRecv, @jmpcode, 8, dwsize);
  // Modify the RECV Entry
  { OldSend / OldRecv point at the now-patched real entries; MySend / MyRecv
    restore the bytes before calling through them }
  Oldsend: = addsend;
  OldRecv: = AddRecv;
End;

{-------------------------------------}
{ Procedure: UnHookAPI
{ Purpose:   writes the saved entry bytes back over send and recv.
{ Params:    none
{ NOTE(review): if HookAPI has not run, ProcessHandle, AddSend / AddRecv and
{            OldProc still hold their initial zero values, so these calls
{            fail with nothing checked - worth a guard. The procedure's
{            closing "end;" is missing in this copy.
{-------------------------------------}
procedure unhookapi;
var dwsize: cardinal;
begin
  WriteProcessMemory (ProcessHandle, Addsend, @oldproc [0], 8, dwsize);
  WriteProcessMemory (ProcessHandle, AddRecv, @oldproc [1], 8, dwsize;
End.
--------------------------------------------------------------------------------
After compiling this DLL, a program then calls the DLL's InstallHook and passes in the handle of the target process's main window:

unit fmmain;
Interface
Uses Windows, Messages, Sysutils, Variants, Classes, Graphics, Controls, Forms, Dialogs, Stdctrls;

type
  { Test harness form: Button1 installs the hook into the target window's
    process, Button2 removes it. Edit1 is declared but not used below. }
  TForm1 = class (TForm)
    Button1: TButton;
    Button2: TButton;
    Edit1: TEdit;
    procedure Button1Click (Sender: TObject);
    procedure Button2Click (Sender: TObject);
  private
    {Private declarations}
  public
    {Public declarations}
  end;

var
  Form1: TForm1;
  { procedure variables bound at run time to hook.dll's exports in Button1Click }
  INSTALLHOOK: FUNCTION (SWindow: Thandle): boolean; stdcall;
  unhook: procedure; stdcall;

{ NOTE(review): "importation" below is a garbled "implementation" }
importation
{$ r * .dfm}
{ Button1: find the target window by title, load hook.dll, bind its exports,
  and install the hook. }
{ NOTE(review): the window that is validated (TmpWndHandle, found by
  'target window title') is not the one passed to InstallHook - that call does
  its own FindWindow (Nil, 'Untitled'), so the IsWindow check guards nothing;
  pass TmpWndHandle instead. ModuleHandle and the two GetProcAddress results
  are not checked before use, and the library is never freed. Several tokens
  in this copy are garbled ("loadingLibrary", an unterminated 'installhook
  string, a missing ")" after mb_ok, "The" for "then"); left as found. }
procedure TForm1.Button1Click (Sender: TObject);
var ModuleHandle: THandle; TmpWndHandle: THandle;
begin
  TmpWndHandle: = 0;
  TmpWndHandle: = FindWindow (nil, 'target window title');
  if not isWindow (TmpWndHandle) then
  begin
    MessageBox ( Self.handle, 'Didn't find window', '!!!', mb_ok;
    exit;
  end;
  modulehandle: = loadingLibrary ('hook.dll');
  @installhook: = getProcadDress (ModuleHandle, 'installhook);
  @unhook : = GetProcadDress (ModuleHandle, 'Unhook');
  if Installhook (FindWindow (Nil, 'Untitled') The showMessage ('hook ok');
END;
{ Button2: remove the hook via hook.dll's UnHook. }
{ NOTE(review): "UnHookend;" is garbled in this copy - presumably "UnHook; end;".
  If Button1 never bound the unhook procedure variable, this calls a nil pointer. }
Procedure TFORM1.BUTTON2CLICK (Sender: TOBJECT);
Begin
  UnHookend;
End.