[Repost] Preventing intrusion by global hooks



Author: pjf (JFPAN20000@sina.com)

Everyone is familiar with Windows message hooks. They have many uses, and one in particular is well known: a keyboard hook installed in the target process captures its keystrokes, and with them all kinds of passwords, for purposes that are anything but legitimate. Some friends have asked whether their software can be kept from being monitored by other people's global hooks. The answer is yes, although the method has its drawbacks too :).

First, a brief look at how a global hook gets injected into other processes. Message hooks are provided by the Win32 subsystem. Its kernel-mode part (win32k) exposes a system service, NtUserSetWindowsHookEx, through which message hooks are installed, and the user registers a global hook with it. When the system receives an event such as a keystroke, the keyboard driver passes the code through to win32k's key-event processing routine; that routine checks whether a matching hook exists and, if so, calls the hook. At that point the system fetches the hook object's information, and if the target process has not yet loaded the hook DLL, it loads it there by calling a user-mode routine through KeUserModeCallback. This differs from an APC: it fakes an interrupt-return environment, so the call takes effect immediately. Control arrives in user mode at KiUserCallbackDispatcher, which uses the data passed down to look up the function and parameters to call, and calls it. For loading a hook DLL, the routine reached is user32's ClientLoadLibrary, which calls LoadLibraryExW and from there LdrLoadDll; once the load returns, the remaining steps are not covered here.

From this we can derive the simplest anti-injection scheme: hook the API so that the load fails. It has a defect, however: the system does not give up after a failure. Every time a message causes the hook to be called, the system tries again to load the DLL into your process. This costs a little performance, but not enough for you to notice.
What remains is that not every LoadLibraryExW call should be intercepted. That is easy to resolve, for example by checking the return address. A sample fragment follows; further checks can be added so that certain permitted hook DLLs are still allowed to load. The API hooking here uses Microsoft's Detours library and should be adapted as needed.

typedef HMODULE (__stdcall *LOADLIB)(LPCWSTR lpwLibFileName, HANDLE hFile, DWORD dwFlags);

// Detours trampoline: Real_LoadLibraryExW calls the original LoadLibraryExW
extern "C" {
    DETOUR_TRAMPOLINE(HMODULE __stdcall Real_LoadLibraryExW(LPCWSTR lpwLibFileName, HANDLE hFile, DWORD dwFlags), LoadLibraryExW);
}

ULONG user32 = 0;   // base address of user32.dll in this process

HMODULE __stdcall Mine_LoadLibraryExW(LPCWSTR lpwLibFileName, HANDLE hFile, DWORD dwFlags)
{
    ULONG addr;

    // Return address of the caller (assumes a standard EBP frame)
    _asm mov eax, [ebp+4]
    _asm mov addr, eax

    // Called from inside user32.dll, i.e. the hook-DLL loading path: refuse the load
    if ((user32 & 0xFFFF0000) == (addr & 0xFFFF0000)) {
        return 0;
    }

    HMODULE res = Real_LoadLibraryExW(lpwLibFileName, hFile, dwFlags);
    return res;
}

BOOL ProcessAttach()
{
    DetourFunctionWithTrampoline((PBYTE)Real_LoadLibraryExW, (PBYTE)Mine_LoadLibraryExW);
    return TRUE;
}

BOOL ProcessDetach()
{
    DetourRemove((PBYTE)Real_LoadLibraryExW, (PBYTE)Mine_LoadLibraryExW);
    return TRUE;
}

// Install the hook before any user-interface service is used
CAnti_HookApp::CAnti_HookApp()
{
    user32 = (ULONG)GetModuleHandle("user32.dll");
    ProcessAttach();
}
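As an added example that is not part of pjf's article: a stricter form of the return-address check. The article compares (addr & 0xFFFF0000) with the user32 base, which only matches callers in the first 64 KiB of user32.dll and relies on a standard EBP frame for [ebp+4]; the check below tests the caller against the module's full [base, base + SizeOfImage) range, uses the MSVC _ReturnAddress() intrinsic instead of inline asm, and adds an allow-list of hook DLL basenames so that chosen hooks can still load. The decision logic is portable C; the Windows-specific capture of the caller address and module range (GetModuleInformation from psapi.lib) is under #ifdef _WIN32. The names g_user32, kAllowedHooks, should_block_load and the DLL name trusted_ime.dll are assumptions of this example, not from the article or from Detours.

```c
/* Added example, not from pjf's article: a stricter return-address check
 * for the LoadLibraryExW detour. The article masks the address with
 * 0xFFFF0000, matching only the first 64 KiB of user32.dll; here the full
 * [base, base + SizeOfImage) range is used, plus an allow-list of hook DLL
 * basenames. Portable decision logic first; Windows-only capture of the
 * caller address and module range under #ifdef _WIN32. g_user32,
 * kAllowedHooks, should_block_load and "trusted_ime.dll" are this
 * example's own (hypothetical) names. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <wchar.h>
#include <wctype.h>

typedef struct {
    uintptr_t base;  /* module image base */
    size_t    size;  /* SizeOfImage from the PE header */
} module_range;

/* The article's check: same 64 KiB block as the module base (32-bit only). */
static bool caller_matches_mask(uintptr_t ret, const module_range *m)
{
    return (ret & 0xFFFF0000u) == (m->base & 0xFFFF0000u);
}

/* Full-range check: the return address lies anywhere in the mapped image. */
static bool caller_in_module(uintptr_t ret, const module_range *m)
{
    return ret >= m->base && ret < m->base + m->size;
}

/* Case-insensitive match of the path's basename against an allowed DLL name. */
static bool basename_equals(const wchar_t *path, const wchar_t *name)
{
    const wchar_t *base = path;
    for (const wchar_t *p = path; *p; ++p)
        if (*p == L'\\' || *p == L'/')
            base = p + 1;
    for (; *base && *name; ++base, ++name)
        if (towlower((wint_t)*base) != towlower((wint_t)*name))
            return false;
    return *base == L'\0' && *name == L'\0';
}

/* Constructed allow-list: hook DLLs this process agrees to load. */
static const wchar_t *const kAllowedHooks[] = { L"trusted_ime.dll" };

/* True when the load must be refused: the caller is inside user32.dll
 * (the ClientLoadLibrary path that brings hook DLLs in) and the requested
 * file is not on the allow-list. Loads issued by the application pass. */
static bool should_block_load(uintptr_t ret, const module_range *user32,
                              const wchar_t *lib)
{
    if (!caller_in_module(ret, user32))
        return false;
    if (lib)
        for (size_t i = 0; i < sizeof kAllowedHooks / sizeof kAllowedHooks[0]; ++i)
            if (basename_equals(lib, kAllowedHooks[i]))
                return false;
    return true;
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>    /* GetModuleInformation; link with psapi.lib */
#include <intrin.h>   /* _ReturnAddress */

static module_range g_user32;  /* filled once at startup, before any UI call */

static bool init_user32_range(void)
{
    MODULEINFO mi;
    HMODULE h = GetModuleHandleW(L"user32.dll");
    if (!h || !GetModuleInformation(GetCurrentProcess(), h, &mi, sizeof mi))
        return false;
    g_user32.base = (uintptr_t)mi.lpBaseOfDll;
    g_user32.size = mi.SizeOfImage;
    return true;
}

/* Trampoline to the real function, produced by the article's
 * DETOUR_TRAMPOLINE macro (declaration only here). */
HMODULE WINAPI Real_LoadLibraryExW(LPCWSTR lib, HANDLE hFile, DWORD flags);

/* Detour body. _ReturnAddress() replaces the article's "mov eax,[ebp+4]",
 * which needs a frame pointer and does not exist on x64. */
HMODULE WINAPI Mine_LoadLibraryExW(LPCWSTR lib, HANDLE hFile, DWORD flags)
{
    if (should_block_load((uintptr_t)_ReturnAddress(), &g_user32, lib)) {
        SetLastError(ERROR_ACCESS_DENIED);  /* win32k will simply retry later */
        return NULL;
    }
    return Real_LoadLibraryExW(lib, hFile, flags);
}
#endif
```

With a user32.dll base of 0x77D40000 and SizeOfImage 0x90000, a caller at 0x77D83000 is inside the module but beyond its first 64 KiB, so the article's mask test misses it while the range test catches it; a load of C:\Windows\TRUSTED_IME.DLL from that caller is still allowed because the basename comparison is case-insensitive. Call init_user32_range() from the application constructor before ProcessAttach() so that g_user32 is populated before the first hook callback can arrive.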

Posted by pjf at October 25, 2004 01:51 PM

When reposting, please cite the original URL: https://www.9cbs.com/read-59872.html
