Preventing global hook injection

xiaoxiao2021-03-06  41

Everyone is familiar with Windows message hooks. They are very useful, and they are also familiar in a less pleasant sense: a keyboard hook can capture the keystrokes of a target process and so harvest all kinds of passwords for improper purposes. Some friends would like their software not to be monitored by other people's global hooks. Is there a way to achieve that? The answer is yes, but the method has its defects too.

First, a brief look at how a global hook gets injected into other processes.

Message hooks are provided by the Win32 subsystem. Its kernel-mode part exposes a system service, NtUserSetWindowsHookEx, through which a user registers a global hook. When the system receives an event such as a key press, the keyboard driver passes the key code to the key-event processing function in win32k; that function checks whether a corresponding hook exists and, if one does, calls the hook (CallHook). At that point the system looks up the hook object information, and if the target process has not yet loaded the corresponding DLL it loads it, by way of KeUserModeCallback. This user-mode callback differs from an APC: it imitates an interrupt-return environment, so the call takes effect "immediately".

Once control enters user mode in KiUserCallbackDispatcher, that routine reads the function to call and its parameters from the data passed down and calls it. In the example above, to load the hook DLL it reaches user32's load-library callback, which calls LoadLibraryExW and so enters LdrLoadDll; it returns once the DLL is loaded. The subsequent steps are not described here.

From the above we can derive the simplest countermeasure: hook the corresponding API before the hook DLL is loaded, so that loading it fails. This has a defect: the system does not give up after a failure. Every time a message triggers CallHook, the system again tries to load the DLL into your process, which costs a little performance, though it should not be noticeable. The remaining problem is that not every LoadLibraryExW call should be intercepted; that is easy to resolve, for example by checking the return address of the call. An example is given below, to which you can add further checks so that specific, permitted hook DLLs are still allowed to load.

The API hook here uses Microsoft's Detours library (the 1.x API with DETOUR_TRAMPOLINE) to patch LoadLibraryExW in place.

The program code follows:

#include <windows.h>
#include <intrin.h>   // _ReturnAddress
#include <detours.h>  // Detours 1.x: DETOUR_TRAMPOLINE, DetourFunctionWithTrampoline, DetourRemove

extern "C" {
    // Trampoline that reaches the original LoadLibraryExW once it is detoured.
    DETOUR_TRAMPOLINE(HMODULE __stdcall Real_LoadLibraryExW(LPCWSTR lpwLibFileName,
                                                             HANDLE hFile,
                                                             DWORD dwFlags),
                      LoadLibraryExW);
}

// Address range of user32.dll in this process; the hook-DLL load callback lives there.
static ULONG_PTR g_user32Base = 0;
static ULONG_PTR g_user32Size = 0;

HMODULE __stdcall Mine_LoadLibraryExW(LPCWSTR lpwLibFileName, HANDLE hFile, DWORD dwFlags)
{
    // Return address of this call. The original read [ebp+4] with inline asm,
    // which only works when the compiler emits a standard EBP frame.
    ULONG_PTR addr = (ULONG_PTR)_ReturnAddress();

    // A LoadLibraryExW issued from inside user32 is the system trying to load a
    // hook DLL into us: refuse it. Add checks on lpwLibFileName here to let
    // specific hook DLLs through.
    if (addr >= g_user32Base && addr - g_user32Base < g_user32Size)
    {
        SetLastError(ERROR_ACCESS_DENIED);
        return NULL;
    }

    return Real_LoadLibraryExW(lpwLibFileName, hFile, dwFlags);
}

BOOL ProcessAttach()
{
    HMODULE user32 = GetModuleHandleW(L"user32.dll");
    if (user32 == NULL)
        return FALSE;

    // Use the whole mapped image, not just the top 16 bits of the base address:
    // user32.dll is larger than 64 KB, so the callback may return to any page of it.
    PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)user32;
    PIMAGE_NT_HEADERS nt  = (PIMAGE_NT_HEADERS)((PBYTE)user32 + dos->e_lfanew);
    g_user32Base = (ULONG_PTR)user32;
    g_user32Size = nt->OptionalHeader.SizeOfImage;

    DetourFunctionWithTrampoline((PBYTE)Real_LoadLibraryExW, (PBYTE)Mine_LoadLibraryExW);
    return TRUE;
}

BOOL ProcessDetach()
{
    DetourRemove((PBYTE)Real_LoadLibraryExW, (PBYTE)Mine_LoadLibraryExW);
    return TRUE;
}

// Call ProcessAttach() before any user-interface service is used,
// for example in the MFC application object's constructor.
CAnti_HookApp::CAnti_HookApp()
{
    ProcessAttach();
}
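The filter in the listing above decides by comparing only the top 16 bits of the return address with the base of user32.dll, which matches just the first 64 KB of an image that is considerably larger. The block below is an added example, not code from the original post: it shows that mask check next to a proper base-plus-SizeOfImage range check, and adds the allow-list on the DLL name that the text suggests. It is written portably so the decision logic runs anywhere; on Windows the ModuleRange for user32 would be filled from GetModuleHandleW(L"user32.dll") and the PE optional header's SizeOfImage, and the return address from _ReturnAddress() inside the detour. All addresses and file names here are constructed values.

```cpp
// Added example (not from the original post): the caller filter a LoadLibraryExW
// detour should apply, with the post's 16-bit mask check shown for comparison.
#include <cstdint>
#include <cstdio>
#include <cwctype>
#include <string>
#include <vector>

struct ModuleRange {
    uintptr_t base;  // image base (what GetModuleHandleW returns)
    uintptr_t size;  // IMAGE_OPTIONAL_HEADER::SizeOfImage
    bool Contains(uintptr_t addr) const {
        return addr >= base && addr - base < size;
    }
};

// The check used in the post's listing: compare only the top 16 bits of the
// return address with the module base. It only "sees" the first 64 KB of the image.
bool CallerInModuleMask16(uintptr_t moduleBase, uintptr_t returnAddr) {
    return (moduleBase & 0xFFFF0000u) == (returnAddr & 0xFFFF0000u);
}

// Lower-cased file name without directory, so L"C:\\x\\HOOK.DLL" and L"hook.dll" compare equal.
std::wstring BaseNameLower(const std::wstring& path) {
    size_t pos = path.find_last_of(L"\\/");
    std::wstring name = (pos == std::wstring::npos) ? path : path.substr(pos + 1);
    for (wchar_t& c : name) c = static_cast<wchar_t>(std::towlower(c));
    return name;
}

// true  -> refuse the load: the caller is user32's hook-DLL load path and the DLL is not allowed
// false -> let LoadLibraryExW proceed: our own code called it, or the DLL is on the allow-list
bool ShouldBlockLoad(uintptr_t returnAddr, const ModuleRange& user32,
                     const std::wstring& libFileName,
                     const std::vector<std::wstring>& allowedHookDlls) {
    if (!user32.Contains(returnAddr))
        return false;
    std::wstring name = BaseNameLower(libFileName);
    for (const std::wstring& allowed : allowedHookDlls)
        if (BaseNameLower(allowed) == name)
            return false;
    return true;
}

int main() {
    // Constructed values: a user32 image of 0x90000 bytes mapped at 0x77D40000.
    ModuleRange user32 = { 0x77D40000u, 0x90000u };
    uintptr_t deepInUser32 = 0x77D51234u;  // 0x11234 past the base, beyond the first 64 KB
    std::vector<std::wstring> none;
    std::vector<std::wstring> allowIme = { L"myime.dll" };

    std::printf("mask16 check sees caller: %d\n", CallerInModuleMask16(user32.base, deepInUser32));
    std::printf("range check sees caller:  %d\n", user32.Contains(deepInUser32));
    std::printf("block hook.dll:           %d\n",
                ShouldBlockLoad(deepInUser32, user32, L"C:\\tmp\\hook.dll", none));
    std::printf("block allowed MyIme.DLL:  %d\n",
                ShouldBlockLoad(deepInUser32, user32, L"C:\\tmp\\MyIme.DLL", allowIme));
    return 0;
}
```

The point of the comparison: for a return address 0x11234 bytes into the image, the mask check reports "not user32" and the hook DLL would slip through, while the range check blocks it. The allow-list compares the file name only, so a permitted DLL loaded from any directory passes; tighten that to a full path if the deployment allows it.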

Please credit the original address when reposting: https://www.9cbs.com/read-75477.html
