Use hook interception package principle
Intercepting the API is a very useful thing, such as what you want to analyze someone else's procedure. Here I introduce a method of my own test. First, we must try to put your code in the process space of the target program. Windows Hook can help us achieve this. SetWindowsHookEx the following statement: HHOOK SetWindowsHookEx (int idHook, // hook type HOOKPROC lpfn, // hook procedure HINSTANCE hMod, // handle to application instance DWORD dwThreadId // thread identifier); specific meaning of the parameters can be read msdn, can be described as no msdn Inch is difficult. The function of Hook itself is not important. We use its purpose just to allow Windows to put our code into other processes. Hook Type We can choose one, as long as the target program will definitely call it, here I use WH_CallWndProc. LPFN and HMOD points to our hook code, and their DLL, DWTHREADID is set to 0, indicating that there is such a hook on all systems so that we can put the code in other processes.
After that, our code has entered all the rules in the system. It must be noted that we only need to intercept the call of the target program we care, so we must also distinguish the process number. In our own hook function, the first run will make the most important API redirection work. That is, by changing a few bytes of the beginning of the API you want to change to a jump instruction, making it jump into our API. This is the most critical part. Here I want to cut three calls, WS2_32.DLL in Send and Recv, getMessagea in User32.dll.
DWORD dwcurrentpid = 0; hHOOK HOLDHOOK = NULL; DWORD PSEND = 0; DWORD PRECV = 0; getMessage PgetMessage = NULL;
Byte btnewbytes [8] = {0x0B8, 0x0, 0x0, 0x40, 0x0, 0x0FF, 0x0E0, 0}; DWORD DWOLDBYTES [3] [2];
Handle hdebug = invalid_handle_value;
LResult Callback CallWndProc (int Ncode, WPARAM WPARAM, LPARAM LPARAM) {DWORD DWSIZE; DWORD DWPIDWATCH; HMODULE HLIB;
if (dwCurrentPID == 0) {dwCurrentPID = GetCurrentProcessId (); HWND hwndMainHook; hwndMainHook = :: FindWindow (0, "MainHook"); dwPIDWatched = :: SendMessage (hwndMainHook, (WM_USER 100), 0, 0); hOldHook = (HHOOK) :: SendMessage (HWndmainhook, (WM_USER 101), 0, 0);
if (dwCurrentPID == dwPIDWatched) {hLib = LoadLibrary ( "ws2_32.dll"); pSend = (DWORD) GetProcAddress (hLib, "send"); pRecv = (DWORD) GetProcAddress (hLib, "recv"); :: ReadProcessMemory (INVALID_HANDLE_value, (void *) pSend, (void *) dwOldBytes [0], sizeof (DWORD) * 2, & dwSize); * (DWORD *) (btNewBytes 1) = (DWORD) new_send; :: WriteProcessMemory (INVALID_HANDLE_value, (void *) psend, (void *) btnewbytes, sizeof (dword) * 2, & dwsize);
:: ReadProcessMemory (INVALID_HANDLE_value, (void *) pRecv, (void *) dwOldBytes [1], sizeof (DWORD) * 2, & dwSize); * (DWORD *) (btNewBytes 1) = (DWORD) new_recv; :: WriteProcessMemory (Invalid_Handle_Value, (void *) precv, (void *) btnewbytes, sizeof (dword) * 2, & dwsize);
hLib = LoadLibrary ( "user32.dll"); pGetMessage = (GETMESSAGE) GetProcAddress (hLib, "GetMessageA"); :: ReadProcessMemory (INVALID_HANDLE_value, (void *) pGetMessage, (void *) dwOldBytes [2], sizeof (DWORD) * 2, & dwSize); * (DWORD *) (btNewBytes 1) = (DWORD) new_GetMessage; :: WriteProcessMemory (INVALID_HANDLE_value, (void *) pGetMessage, (void *) btNewBytes, sizeof (DWORD) * 2, & dwSize);
HDebug = :: Createfile ("c: //trace.log", generic_write, 0, 0, create_always, file_attribute_normal, 0);}}
IF (Holdhook! = null) {Return CallNexthooKex (HoldHook, Ncode, WPARAM, LPARAM);
Return 0;}
The hook function above, only the first runtime is useful, that is, modify the first 8-byte of the three functions (actually only 7). The instructions in btnewbytes are actually MOV Eax, 0x400000 JMP EAX 0x400000 is the address of the new function, such as new_recv / new_send / new_getimentage, at this time, the stolen beam is completed. Let's take a look at what we have done in our functions. Take GetMessagea as an Example:
BOOL _stdcall new_GetMessage (LPMSG lpMsg, HWND hWnd, UINT wMsgFilterMin, UINT wMsgFilterMax) {DWORD dwSize; char szTemp [256]; BOOL r = false; // Watch here before it's executed sprintf (szTemp, "Before GetMessage:. HWND 0x% 8.8X, MSGMIN 0x% 8.8X, MSGMAX 0x% 8.8X / R / N ", HWND, WMSGFILTERMIN, WMSGFILTERMAX); :: Writefile (HDebug, Sztemp, Strlen (Sztemp), & DWSize, 0); // Watch Over
// Restore It At First :: WriteProcessMemory (invalid_handle_value, (void *) PgetMessage, (void *) dwoldbytes [2], sizeof (dword) * 2, & dwsize
// Execute it r = PgetMESSAGE (LPMSG, HWND, WMSGFILTERMIN, WMSGFILTERMAX);
// hook it again * (DWORD *) (btNewBytes 1) = (DWORD) new_GetMessage; :: WriteProcessMemory (INVALID_HANDLE_value, (void *) pGetMessage, (void *) btNewBytes, sizeof (DWORD) * 2, & dwSize);
// Watch Here After It's EXECUTED SPRINTF (Sztemp, "Result of getMessage IS% D. / R / N", R); :: Writefile (HDebug, Sztemp, Strlen (Sztemp), & DWSize, 0); if (r) {Sprintf (SzTemp, "MSG: HWND 0x% 8.8X, MSG 0x% 8.8X, WPARAM 0x% 8.8X, LPARAM 0x% 8.8X / R / NTIME 0X% 8.8X, X% D, Y% D / R / n ", lpmsg-> hwnd, lpmsg-> message, lpmsg-> wparam, lpmsg-> lparam, lpmsg-> time, lpmsg-> pt.x, lpmsg-> pt.y); :: Writefile (HDebug, sztemp Strlen (sztemp), & dwsize, 0);} strcpy (sztemp, "/ r / n"); :: Writefile (HDebug, sztemp, strlen (sztemp), & dwsize, 0);
// Watch over
Return R;
