2005 March 6: Hook Windows Native APIs (Undocumented Wind ...)

xiaoxiao2021-03-06  13

Today is my birthday. Went out to eat mutton hotpot and nearly died from eating: four people in total, lamb x6, beef x2, enoki mushroom x5, small cabbage x2, lamb meatballs x2, seaweed x2, sweet potato x1. Nobody backed down, and I had already eaten lunch at noon. From 2:30 to 4:30.

Undocumented Windows ...: I did not understand the Hook Native API example, mainly SpyHookInitializeEx:

// -----------------------------------------------------------------------------
// The SpyHook macro defines a hook entry point in inline assembly
// language. The common entry point SpyHook2 is entered by a call
// instruction, allowing the hook to be identified by its return
// address on the stack. The call is executed through a register to
// remove any degrees of freedom from the encoding of the call.

#define SpyHook \
        __asm push eax \
        __asm mov  eax, offset SpyHook2 \
        __asm call eax

// -----------------------------------------------------------------------------
// The SpyHookInitializeEx() function initializes the aSpyHooks[]
// array with the hook entry points and the format strings. It also
// hosts the hook entry points and the hook dispatcher.

void SpyHookInitializeEx (PPBYTE ppbSymbols,
                          PPBYTE ppbFormats)
    {
    DWORD dHooks1, dHooks2, i, j, n;

    __asm
        {
        jmp     SpyHook9
        ALIGN   8

SpyHook1:   ; start of hook entry point section
        }

// the number of entry points defined in this section
// must be equal to SDT_SYMBOLS_MAX (i.e. 0xF8)

    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // 08
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // 10
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // 18
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // 20
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // 28
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // 30
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // 38
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // 40
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // 48
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // 50
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // 58
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // 60
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // 68
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // 70
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // 78
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // 80
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // 88
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // 90
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // 98
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // A0
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // A8
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // B0
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // B8
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // C0
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // C8
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // D0
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // D8
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // E0
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // E8
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // F0
    SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook SpyHook // F8

    __asm
        {
SpyHook2:   ; end of hook entry point section
        pop     eax                     ; get stub return address
        pushfd
        push    ebx
        push    ecx
        push    edx
        push    ebp
        push    esi
        push    edi

        sub     eax, offset SpyHook1    ; compute entry point index
        mov     ecx, SDT_SYMBOLS_MAX
        mul     ecx
        mov     ecx, offset SpyHook2
        sub     ecx, offset SpyHook1
        div     ecx
        dec     eax

        mov     ecx, gfSpyHookPause     ; test pause flag
        add     ecx, -1                 // I don't understand how these
        sbb     ecx, ecx                // three instructions test the
        not     ecx                     // pause flag

        lea     edx, [aSpyHooks + eax * SIZE SPY_HOOK_ENTRY]
        // eax is the index; edx receives the address of the entry with that
        // index in aSpyHooks. By now aSpyHooks should have been exchanged with
        // the SystemTable, but the format string is not exchanged:
        //     InterlockedExchange ((PLONG) ServiceTable + i, (LONG) aSpyHooks [i].Handler);
        // only exchanges the Handler.

        test    ecx, [edx.pbFormat]     ; format string == NULL?
        jz      SpyHook5                // SpyHook5 exits after restoring the registers

        push    eax
        push    edx
        call    PsGetCurrentThreadId    ; get thread id
        mov     ebx, eax                // ebx = thread id
        pop     edx
        pop     eax

        cmp     ebx, ghSpyHookThread    ; ignore hook installer
        jz      SpyHook5
        // If this is not the hook program's own thread, continue; otherwise
        // SpyHook5 goes back to the original SystemTable handler, i.e. the
        // original API:
        //     mov eax, [edx.Handler] ... xchg eax, [esp] / ret ; ... jump to handler

        mov     edi, gpDeviceContext
        lea     edi, [edi.SpyCalls]     ; get call context array
        mov     esi, SPY_CALLS          ; get number of entries
        // edi = gpDeviceContext.SpyCalls, esi = SPY_CALLS

SpyHook3:
        mov     ecx, 1                  ; set in-use flag
        xchg    ecx, [edi.fInUse]
        // gpDeviceContext.SpyCalls is an array; starting from the first entry,
        // look for one that is not in use
        jecxz   SpyHook4                ; unused entry found
        // when ecx comes back as 0 the entry was free: go to SpyHook4

        add     edi, SIZE SPY_CALL      ; try next entry
        dec     esi
        jnz     SpyHook3

        mov     edi, gpDeviceContext
        inc     [edi.dMisses]           ; count misses
        // if the whole SpyCalls array has been searched and no free entry was
        // found, gpDeviceContext.dMisses is incremented
        jmp     SpyHook5                ; array overflow

SpyHook4:
        mov     esi, gpDeviceContext
        inc     [esi.dLevel]            ; set nesting level
        // a hooked function may itself call another hooked function; this is
        // the nesting level

        mov     [edi.hThread], ebx      ; save thread id
        mov     [edi.pshe], edx         ; save PSPY_HOOK_ENTRY
        mov     ecx, offset SpyHook6    ; set new return address
        xchg    ecx, [esp+20h]
        // [esp+20h] is the old return address; 20h is 32 bytes: from what came
        // before, this is the return address that was pushed on the stack
        mov     [edi.pCaller], ecx

        mov     ecx, KeServiceDescriptorTable
        mov     ecx, [ecx].ntoskrnl.ArgumentTable
        movzx   ecx, byte ptr [ecx+eax] ; get argument stack size
        // movzx: move with zero-extension
        shr     ecx, 2
        inc     ecx                     ; add 1 for result slot
        mov     [edi.dParameters], ecx  ; save number of parameters

        lea     edi, [edi.adParameters]
        xor     eax, eax                ; initialize result slot
        stosd                           // writes the value 0 (eax) to [edi]
        dec     ecx
        jz      SpyHook5                ; no arguments

        lea     esi, [esp+24h]          ; save argument stack
        rep     movsd
        // copies from [esi] to [edi]; but isn't esi holding gpDeviceContext?

SpyHook5:
        mov     eax, [edx.Handler]      ; get original handler

        pop     edi
        pop     esi
        pop     ebp
        pop     edx
        pop     ecx
        pop     ebx
        popfd
        xchg    eax, [esp]              ; restore eax and ...
        ret                             ; ... jump to handler

SpyHook6:
        // SpyHook6 is the return address after the Native API call: once
        // SpyHook5 has transferred control to the handler, the handler
        // returns here.
        push    eax
        pushfd
        push    ebx
        push    ecx
        push    edx
        push    ebp
        push    esi
        push    edi

        push    eax                     // this push pairs with the pop eax
        call    PsGetCurrentThreadId    ; get thread id
        mov     ebx, eax
        pop     eax                     // ... after call PsGetCurrentThreadId

        mov     edi, gpDeviceContext
        lea     edi, [edi.SpyCalls]     ; get call context array
        mov     esi, SPY_CALLS          ; get number of entries

SpyHook7:
        cmp     ebx, [edi.hThread]      ; find matching thread id
        jz      SpyHook8

        add     edi, SIZE SPY_CALL      ; try next entry
        dec     esi
        jnz     SpyHook7

        push    ebx                     ; entry not found?!?
        // Heh, you wrote the program yourself and you still ask?!
        call    KeBugCheck

SpyHook8:
        push    edi                     ; save SPY_CALL pointer
        mov     [edi.adParameters], eax ; store NTSTATUS
        push    edi
        // two "push edi": how many parameters does SpyHookProtocol need? Only
        // one, so the first push edi is not a parameter; it depends on the
        // strange call
        call    SpyHookProtocol         // no return value
        pop     edi                     ; restore SPY_CALL pointer
        // the earlier push protected edi; I don't know why it is done this way

        mov     eax, [edi.pCaller]
        mov     [edi.hThread], 0        ; clear thread id
        mov     esi, gpDeviceContext
        dec     [esi.dLevel]            ; reset nesting level
        dec     [edi.fInUse]            ; clear in-use flag

        pop     edi
        pop     esi
        pop     ebp
        pop     edx
        pop     ecx
        pop     ebx
        popfd
        xchg    eax, [esp]              ; restore eax and ...
        // [esp] is the eax pushed at the start. The key point is what eax
        // holds now, and that nothing is left on the stack behind esp: that
        // should be the same as in SpyHook2, and when SpyHook6 was entered the
        // handler had already executed its ret, so no garbage remains on the
        // stack. eax is [edi.pCaller], the caller of the API, so one Native API
        // call is over. It seems there is no place that calls the real Native
        // API; I guess it is in SpyHookProtocol.
        ret                             ; ... return to caller

SpyHook9:
        mov     dHooks1, offset SpyHook1
        mov     dHooks2, offset SpyHook2
        }

    n = (dHooks2 - dHooks1) / SDT_SYMBOLS_MAX;

    for (i = j = 0; i
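As an added illustration (not code from the book or from this note), the following C program models the SPY_CALL bookkeeping that SpyHook3 to SpyHook8 do in assembly: claiming a free call context with an atomic exchange, recording the thread id, caller and arguments, and then, after the handler has returned (the ret at SpyHook5 jumps into the original handler, which comes back to SpyHook6), finding the context by thread id, storing the NTSTATUS and releasing it. Field names follow the listing above; SPY_CALLS, the argument limit, the thread ids, addresses and status values are constructed for the demo.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SPY_CALLS      4          /* constructed: size of the call context array */
#define SPY_CALL_ARGS  16         /* constructed: argument dwords a context can hold */

typedef struct {
    atomic_int fInUse;                       /* claimed by xchg in SpyHook3 */
    uint32_t   hThread;                      /* thread id of the caller */
    uint32_t   pCaller;                      /* original return address */
    uint32_t   dParameters;                  /* result slot + argument dwords */
    uint32_t   adParameters[SPY_CALL_ARGS];  /* [0] = NTSTATUS, then arguments */
} SPY_CALL;

typedef struct {
    uint32_t dLevel;                         /* hooked calls currently in flight */
    uint32_t dMisses;                        /* calls not logged: no free context */
    SPY_CALL SpyCalls[SPY_CALLS];
} DEVICE_CONTEXT;

static DEVICE_CONTEXT gDeviceContext;        /* models gpDeviceContext */

/* SpyHook3/SpyHook4: "mov ecx,1 / xchg ecx,[edi.fInUse] / jecxz" is an atomic
 * test-and-set, so two threads racing for the same context cannot both win. */
static SPY_CALL *spy_call_enter(uint32_t thread, uint32_t caller,
                                const uint32_t *args, uint32_t arg_dwords)
{
    DEVICE_CONTEXT *ctx = &gDeviceContext;
    if (arg_dwords >= SPY_CALL_ARGS)         /* the driver trusts ArgumentTable; the model bounds it */
        return NULL;
    for (int i = 0; i < SPY_CALLS; i++) {
        SPY_CALL *sc = &ctx->SpyCalls[i];
        if (atomic_exchange(&sc->fInUse, 1) == 0) {     /* jecxz SpyHook4 */
            ctx->dLevel++;                               /* inc [esi.dLevel] */
            sc->hThread = thread;
            sc->pCaller = caller;                        /* old [esp+20h] */
            sc->dParameters = arg_dwords + 1;            /* +1 result slot */
            sc->adParameters[0] = 0;                     /* stosd */
            memcpy(&sc->adParameters[1], args, arg_dwords * sizeof(uint32_t)); /* rep movsd */
            return sc;
        }
    }
    ctx->dMisses++;                          /* inc [edi.dMisses]: array overflow */
    return NULL;                             /* SpyHook5: call passes through unlogged */
}

/* SpyHook6..SpyHook8: the handler returned with its NTSTATUS in eax; find the
 * context by thread id, record the status, hand it to the protocol, release. */
static uint32_t spy_call_leave(uint32_t thread, uint32_t ntstatus)
{
    DEVICE_CONTEXT *ctx = &gDeviceContext;
    for (int i = 0; i < SPY_CALLS; i++) {
        SPY_CALL *sc = &ctx->SpyCalls[i];
        if (atomic_load(&sc->fInUse) && sc->hThread == thread) {   /* SpyHook7 */
            uint32_t caller = sc->pCaller;
            sc->adParameters[0] = ntstatus;  /* mov [edi.adParameters], eax */
            /* SpyHookProtocol(sc) would format the log record here */
            sc->hThread = 0;                 /* mov [edi.hThread], 0 */
            ctx->dLevel--;                   /* dec [esi.dLevel] */
            atomic_store(&sc->fInUse, 0);    /* dec [edi.fInUse] */
            return caller;                   /* the final ret lands at pCaller */
        }
    }
    return 0;                                /* the driver calls KeBugCheck here */
}

/* Constructed scenario: fill every context, overflow once, release one, reuse
 * it.  Returns the number of failed checks (0 = behaved as described above). */
static int run_demo(void)
{
    uint32_t args[3] = { 0x11, 0x22, 0x33 };
    int failures = 0;
    SPY_CALL *held[SPY_CALLS];
    for (int t = 0; t < SPY_CALLS; t++)
        held[t] = spy_call_enter(0x1000 + t, 0x401000 + 0x10 * t, args, 3);
    for (int t = 0; t < SPY_CALLS; t++)
        failures += (held[t] == NULL || held[t]->dParameters != 4 || held[t]->adParameters[3] != 0x33);
    failures += (gDeviceContext.dLevel != SPY_CALLS);
    failures += (spy_call_enter(0x2000, 0x405000, args, 3) != NULL);   /* no free context */
    failures += (gDeviceContext.dMisses != 1);
    failures += (spy_call_leave(0x1001, 0xC0000022u) != 0x401010);     /* constructed NTSTATUS value */
    failures += (held[1]->adParameters[0] != 0xC0000022u);
    failures += (spy_call_enter(0x2000, 0x405000, args, 0) == NULL);   /* freed slot is reusable */
    failures += (spy_call_leave(0x2000, 0) != 0x405000);
    for (int t = 0; t < SPY_CALLS; t++)
        if (t != 1) failures += (spy_call_leave(0x1000 + t, 0) != 0x401000 + 0x10 * t);
    failures += (gDeviceContext.dLevel != 0);
    return failures;
}

int main(void)
{
    int failures = run_demo();
    printf("demo: %d failed checks, %u misses recorded\n", failures, gDeviceContext.dMisses);
    return failures != 0;
}
```

The atomic exchange is the whole point of the slot search: the xchg in SpyHook3 both reads the old flag and writes 1 in one bus-locked step, so on a multiprocessor machine two system calls cannot claim the same SPY_CALL entry; the dMisses counter is the only thing that records calls dropped when the array is full.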

/ / -------------------------------------------------------------------------------------------- -----------------

I didn't understand what it meant until I used S-ICE. I'm really stupid, really stupid.

Each SpyHook macro corresponds to an address; from that address it runs the SpyHook2 code referenced in the macro, and because of the initial pop eax it does not return to execute the next SpyHook. The function SpyHookInitializeEx jumps to SpyHook9 at the beginning and stores, for each SpyHook label, its address together with one element of ppbSymbols[] into aSpyHooks[]; this array is later exchanged with the contents of the SDT. The stub code itself does not run in DriverEntry: these assembly statements run when the Native API is called. The SDT entry should hold the address of the API, but it has been replaced with the address of the SpyHook with the corresponding index, so execution arrives here and does the following things:

SpyHook2 works out which SpyHook the current one is; the formula is

Index = (ReturnAddress - SpyHook1) * SDT_SYMBOLS_MAX / (SpyHook2 - SpyHook1) - 1

SpyHook2 - SpyHook1 = sizeof(SpyHook) * SDT_SYMBOLS_MAX

ReturnAddress is the value taken by the pop eax at the beginning.
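To check the index formula and the three pause-flag instructions (add/sbb/not), here is an added C model; it is not code from the book or from this note. The stub size of 8 bytes is an assumption about the macro's encoding (push eax is 1 byte, mov eax,imm32 is 5, call eax is 2); SpyHookInitializeEx itself does not depend on it because it computes n = (dHooks2 - dHooks1) / SDT_SYMBOLS_MAX at run time. HOOK1 and the pbFormat pointer value are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define SDT_SYMBOLS_MAX 0xF8u                  /* number of stubs, as on the page */
#define STUB_SIZE       8u                     /* assumed: push eax (1) + mov eax,imm32 (5) + call eax (2) */
#define HOOK1           0x00010000u            /* constructed address of SpyHook1 */
#define HOOK2           (HOOK1 + STUB_SIZE * SDT_SYMBOLS_MAX) /* SpyHook2 follows the last stub */

/* The "call eax" inside stub i pushes the address of the byte after the stub,
 * i.e. the start of stub i+1 (or SpyHook2 itself for the last stub). */
static uint32_t stub_return_address(uint32_t i)
{
    return HOOK1 + (i + 1) * STUB_SIZE;
}

/* sub eax,offset SpyHook1 / mul ecx / div ecx / dec eax.  mul leaves a 64-bit
 * product in edx:eax and div divides that 64-bit value, so the model keeps a
 * 64-bit intermediate; dec eax removes the "+1" caused by the return address
 * pointing past the stub rather than at it. */
static uint32_t hook_index(uint32_t ret_addr)
{
    uint64_t product  = (uint64_t)(ret_addr - HOOK1) * SDT_SYMBOLS_MAX;
    uint32_t quotient = (uint32_t)(product / (HOOK2 - HOOK1));
    return quotient - 1;
}

/* mov ecx,gfSpyHookPause / add ecx,-1 / sbb ecx,ecx / not ecx.
 * add ecx,-1 sets CF exactly when ecx was non-zero; sbb ecx,ecx then leaves
 * -CF (0 or 0xFFFFFFFF); not ecx inverts it.  Result: all ones when logging
 * is enabled, zero when the pause flag is set. */
static uint32_t pause_mask(uint32_t pause_flag)
{
    uint32_t carry = (pause_flag != 0u);  /* CF after add ecx,-1 */
    uint32_t ecx   = 0u - carry;          /* sbb ecx,ecx */
    return ~ecx;                          /* not ecx */
}

/* test ecx,[edx.pbFormat] / jz SpyHook5: with the mask folded in, a single
 * test skips logging both when paused and when the entry has no format string. */
static int call_is_logged(uint32_t pause_flag, uint32_t pb_format)
{
    return (pause_mask(pause_flag) & pb_format) != 0u;
}

/* movzx ecx,byte ptr [ArgumentTable+index] / shr ecx,2 / inc ecx:
 * argument bytes become dword slots, plus one slot for the NTSTATUS result. */
static uint32_t parameter_slots(uint8_t argument_bytes)
{
    return ((uint32_t)argument_bytes >> 2) + 1u;
}

/* Stack layout after "pop eax" and the seven pushes at SpyHook2, as byte
 * offsets from esp.  This is why the caller's return address sits at
 * [esp+20h] and the first argument at [esp+24h]. */
enum {
    FRAME_SAVED_EDI     = 0x00, FRAME_SAVED_ESI = 0x04, FRAME_SAVED_EBP = 0x08,
    FRAME_SAVED_EDX     = 0x0C, FRAME_SAVED_ECX = 0x10, FRAME_SAVED_EBX = 0x14,
    FRAME_SAVED_EFLAGS  = 0x18, FRAME_STUB_EAX  = 0x1C,  /* eax pushed by the stub */
    FRAME_CALLER_RETURN = 0x20, FRAME_FIRST_ARG = 0x24
};

int main(void)
{
    uint32_t samples[] = { 0u, 1u, 0x7Fu, SDT_SYMBOLS_MAX - 1u };
    for (unsigned k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        uint32_t ret = stub_return_address(samples[k]);
        printf("stub %3u: return address %08X -> index %3u\n",
               (unsigned)samples[k], (unsigned)ret, (unsigned)hook_index(ret));
    }
    printf("enabled, format set : logged=%d\n", call_is_logged(0u, 0x8001F000u)); /* constructed pointer */
    printf("paused,  format set : logged=%d\n", call_is_logged(1u, 0x8001F000u));
    printf("enabled, no format  : logged=%d\n", call_is_logged(0u, 0u));
    printf("44 argument bytes (11 dwords) -> %u slots incl. result\n", (unsigned)parameter_slots(44u));
    printf("caller return at [esp+%02X], first argument at [esp+%02X]\n",
           FRAME_CALLER_RETURN, FRAME_FIRST_ARG);
    return 0;
}
```

Running it shows that the return address of stub i maps to index i only because of the trailing dec eax, and that the add/sbb/not sequence is a branch-free way of turning the pause flag into a mask that is ANDed into the format-string test.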

MOVZX - Move with Zero Extend (386+)
Usage: MOVZX dest, src
Modifies flags: None
Copies the value of the source operand to the destination register with the upper bits zero-extended.

                       Clocks                  Size
      Operands    808x  286   386   486        Bytes
      reg,reg       -    -     3     3          3
      reg,mem       -    -     6     3         3-7

STOSD

Stores the data in EAX to memory at ES:[EDI], adds 4 to EDI and (under REP) decrements ECX by 1. REP STOSD can be used to initialize an integer array to the same value, for example:

        xor     eax, eax
        mov     ecx, 10
        push    es
        push    ds
        pop     es
        mov     edi, <pointer to the array>
        rep     stosd
        pop     es

Please credit the original address when reposting: https://www.9cbs.com/read-50126.html
