自己写的一段C语言HOOK汇编指令代码
本帖最后由 waym 于 2016-9-7 16:49 编辑
测试环境:vs2013
注意:如果自己测试的话请使用 Release 版,因为 DEBUG 版会把函数名编译成跳转形式,不支持覆盖跳转类指令,具体情况读了代码就知道了。
同样玩C语言的朋友可以联系我一起讨论
需要的朋友拿走。
不同用途自行修改。上面是带有一些调试信息的版本
下面是包装的比较干净的版本
修改:安装函数原型改为 `void EditHook(const unsigned, const int, void (*)(unsigned));` —— 调用自定义处理函数时传入 hook_info_array 的当前下标,这样容易处理一些事情;处理函数原型为 `void func(unsigned index);`
#include<Windows.h>
#include"F:\Projects\logbox\logbox\logBox.h"
#define MaxHookVec 2000 /* maximum number of hook records the container can hold */
/* Size of the per-hook byte buffers. The saved original bytes plus a 5-byte JMP back must fit,
 * so the usable hook length is at most HOOKINFOBUFFER - 5 — HookAddress() does not check this. */
#define HOOKINFOBUFFER 25
/* Debug-output buffer.
 * NOTE(review): the `[...]` dimension appears to have been dropped by the page extraction
 * (the same happened to the buffers in c_HookInfo and to the asm memory operands below) — confirm against the original post. */
TCHAR buffer; // debug output buffer
typedef void(*PF)(); // handler type: called from the mod() trampoline with no arguments
/* One record per installed hook. It is allocated from a PAGE_EXECUTE_READWRITE page because
 * m_read_buffer is not only data: mod() jumps into it to execute the displaced instructions.
 * All addresses are kept in `unsigned`, so this is 32-bit x86 only. */
typedef struct c_HookInfo{
    unsigned m_HookAddress; // address of the first overwritten byte (the hook site)
    PF m_ownFunc;           // user handler run by mod() every time the hook fires
    /* Original bytes copied from m_HookAddress, followed by JMP rel32 back to the first
     * untouched instruction; executed by mod() and written back on unhook.
     * NOTE(review): the `[HOOKINFOBUFFER]` dimension appears lost in extraction. */
    char m_read_buffer; // used when restoring
    /* The patch written over the target: CALL rel32 (0xE8) into mod(), remaining bytes 0x90.
     * NOTE(review): the `[HOOKINFOBUFFER]` dimension appears lost in extraction. */
    char m_write_buffer;
    unsigned m_real_over;   // number of bytes actually overwritten (>= 5, whole instructions)
}HookInfo, *PHookInfo;
/* memory func */
void Zero_hook_info(PHookInfo);   // reset a freshly allocated record
void Unhook_and_free_memory();    // restore all hook sites and free the records
/* Container of hook records.
 * NOTE(review): probably `PHookInfo g_pHookInfo_array[MaxHookVec]` with the dimension lost in
 * extraction; as printed it is a single pointer that every HookAddress() call overwrites, which
 * would leak all earlier records and leave their hook sites unrestorable. */
PHookInfo g_pHookInfo_array;
/* Number of installed hooks (as printed, the space between `unsigned` and the name is missing —
 * extraction artefact). */
unsignedg_cntHook = 0;
/*
 * mod() — trampoline that the 5-byte CALL planted by HookAddress() lands in.
 *
 * Control flow, as far as the visible code shows:
 *  1. The two `mov edi, edi` encode as 8B FF 8B FF, the marker HookAddress() scans for; the CALL
 *     targets the byte after them so that any compiler-generated prologue is skipped (this is
 *     why the author requires a Release build).
 *  2. pushfd/pushad save the hooked thread's flags and registers, the CALL's return address is
 *     read into edx, and a run of load/store pairs rearranges the saved block.
 *     NOTE(review): the memory operands (`[...]`) of those loads/stores were lost in extraction,
 *     so the exact stack layout cannot be reviewed here; from the count (nine pairs, then one pop)
 *     they presumably shift the saved block so the return address is dropped from the stack — confirm.
 *  3. rAddress = return address - 5 = the hook site, which is looked up in the record container.
 *  4. The user handler runs on the hooked thread, then popad/popfd restore the state and the
 *     code jumps into m_read_buffer (displaced original bytes + JMP back). This function never
 *     returns normally.
 */
void mod(){ // relay code block
    __asm{
        mov edi, edi
        mov edi, edi
        pushfd
        pushad
        mov edx,
        mov eax,
        mov,eax
        mov eax,
        mov, eax
        mov eax,
        mov, eax
        mov eax,
        mov, eax
        mov eax,
        mov, eax
        mov eax,
        mov, eax
        mov eax,
        mov, eax
        mov eax,
        mov, eax
        mov eax,
        mov,eax
        pop eax
    }
    /* rAddress = edx - 5: the return address pushed by the planted CALL minus the CALL's own length. */
    int rAddress = -5;
    __asm add rAddress,edx
    /* Map the hook site to its index in the container.
     * NOTE(review): the `[i]` subscript on the container appears lost in extraction. If no record
     * matches, rAddress keeps the raw address value and there is no explicit no-match path. */
    for (unsigned i = 0; i != g_cntHook;++i)
        if (g_pHookInfo_array->m_HookAddress == rAddress){
            rAddress = i;
            break;
        }
    /* Run the user handler; the saved registers/flags are still on the stack. */
    g_pHookInfo_array->m_ownFunc();
    /* Address of the displaced original bytes (+ trailing JMP back). They live in the
     * PAGE_EXECUTE_READWRITE record, which is the only reason that allocation must be executable. */
    unsigned read_i = (unsigned)g_pHookInfo_array->m_read_buffer;
    __asm{
        popad
        popfd
        jmp read_i
    }
}
/*
 * HookAddress() — installs an inline hook at addr: saves `length` original bytes into a new
 * record, appends a JMP back, and overwrites the target with CALL mod() padded with NOPs.
 *
 * Preconditions the code relies on but does not check:
 *  - length >= 5 and covering whole instructions, none of them position-dependent
 *    (relative CALL/JMP/Jcc), since they are later executed from the record's buffer;
 *  - length + 5 <= HOOKINFOBUFFER, otherwise the JMP written below overruns m_read_buffer.
 * Return values of Read/WriteProcessMemory are not checked, and the patch is not applied
 * atomically, so another thread executing the target mid-write sees a torn instruction stream.
 * From a defender's side, the result (a CALL at a code address into private RWX memory, and a
 * .text page that no longer matches the on-disk image) is what inline-hook scanners and code
 * integrity checks look for.
 */
void HookAddress(const unsigned addr, // target address
const int length, // number of instruction bytes actually overwritten
PF pfunc) // address of the user's handler
{
    log_print(L"HookAddress() exec ..\n");
    /* One RWX record per hook (m_read_buffer is executed by mod()).
     * NOTE(review): least-privilege alternative is RW while filling, then VirtualProtect to
     * PAGE_EXECUTE_READ before the hook goes live (W^X). As printed the global pointer is simply
     * overwritten on every call — a `[g_cntHook]` index was probably lost in extraction. */
    g_pHookInfo_array
    = VirtualAlloc(NULL, sizeof(HookInfo), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    switch ((unsigned)g_pHookInfo_array){
    case NULL:
        /* custom handling: memory allocation failed.. */
        return;
    default:
        Zero_hook_info((PHookInfo)g_pHookInfo_array);
        break;
    }
#define hk (*g_pHookInfo_array)
    hk.m_HookAddress = addr;
    hk.m_real_over = length;
    hk.m_ownFunc = pfunc;
    /* Opening our own process with PROCESS_ALL_ACCESS is redundant: the GetCurrentProcess()
     * pseudo-handle already carries every right Read/WriteProcessMemory need. */
    HANDLE proc_hand = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetProcessId(GetCurrentProcess()));
    /* Save the bytes about to be overwritten. Unchecked: on failure the buffer keeps its 0x90
     * fill, and that is what an unhook would "restore" over the target. */
    ReadProcessMemory(proc_hand, (char*)addr, hk.m_read_buffer, length, NULL);
    /* Append JMP rel32 (0xE9) after the saved bytes, back to addr + length (the first instruction
     * the patch did not touch). rel32 = target - (address of the JMP + 5).
     * NOTE(review): the `[length]` index on the first line appears lost in extraction. */
    hk.m_read_buffer = 0xE9;
    *(unsigned*)(hk.m_read_buffer + length + 1) = hk.m_HookAddress + hk.m_real_over
    - (unsigned)(hk.m_read_buffer + length) - 5;
    /* Locate the 8B FF 8B FF marker (two `mov edi, edi`) inside mod(); the CALL targets the byte
     * right after it. Scans up to 53 bytes past mod(). */
    unsigned mod_offset = 0;
    for (int i = 0; i < 50; ++i){
        if ( *(unsigned*)(((char*)mod)+i) == 0xff8bff8b){
            mod_offset = (unsigned)mod + i + 4 - addr - 5;
            break;
        }
        /* marker not found */
        /* NOTE(review): only a message box — execution continues and a CALL with rel32 == 0 is
         * still planted below. The function should release the record and return here. */
        if (i == 49)MessageBox(NULL, L".49.", L"..", MB_OK);
    }
    /* Build the patch: CALL rel32 (0xE8) into mod(); bytes 5..length-1 stay 0x90 from Zero_hook_info(). */
    hk.m_write_buffer = (char)0xE8;
    /* NOTE(review): as printed this assigns to a cast expression and cannot compile; the leading
     * `*` (dereference) was presumably lost in extraction. */
    ((unsigned*)(hk.m_write_buffer + 1)) = mod_offset;
    /* Plant the patch over the target; not atomic, and the result is not checked. */
    WriteProcessMemory(proc_hand, (char*)addr, hk.m_write_buffer, length, NULL);
    CloseHandle(proc_hand);
#undef hk
    ++g_cntHook;
    return;
}
/* Sample handler: invoked from the mod() trampoline each time the hooked instruction at the
 * hook site is reached. It runs on the hooked thread with that thread's registers and flags
 * already saved by mod(), so it must not rely on them and should return quickly. */
void test(){
    /* placeholder for the real communication code */
    log_print(L"test() 我们的处理函数\n");
    return;
}
/* DLL entry point. On process attach it initialises logging, suppresses thread notifications
 * and installs the test hook; on detach it only logs.
 * NOTE(review): everything in here runs under the loader lock. LogBoxInit()/log_print() are
 * project helpers whose behaviour is not visible on this page; if they do I/O or create
 * threads, and the hook installation itself (memory patching), this is work Microsoft's
 * DllMain guidance says to defer to a thread or an explicit init call.
 * 0x401245 is the author's test-binary address, not a general constant. */
BOOLEAN WINAPI DllMain(
IN HINSTANCE hDllHandle,
IN DWORD nReason,
IN LPVOID Reserved
)
{
    (void)Reserved;
    if (nReason == DLL_PROCESS_ATTACH) {
        LogBoxInit();
        log_print(L"DLL_PROCESS_ATTACH exec..\n");
        /* No per-thread attach/detach callbacks are needed. */
        DisableThreadLibraryCalls(hDllHandle);
        HookAddress(0x401245, 7, test);
        // Unhook_and_free_memory();
    } else if (nReason == DLL_PROCESS_DETACH) {
        log_print(L"DLL_PROCESS_DETACH exec..\n");
    }
    return TRUE;
}
/* Reset a freshly allocated hook record: clear address, handler and length, and fill both byte
 * buffers with 0x90 (NOP). The NOP fill is what pads m_write_buffer beyond the 5-byte CALL so the
 * rest of the overwritten instruction bytes become NOPs.
 * NOTE(review): the `[i]` subscripts in the loop body appear lost in extraction; as printed the
 * loop assigns the same byte HOOKINFOBUFFER times. */
void Zero_hook_info(PHookInfo hk_info)
{
#define hk hk_info
    hk->m_HookAddress = 0;
    hk->m_ownFunc = NULL;
    int i = 0;
    for (; i < HOOKINFOBUFFER; ++i)
        hk->m_read_buffer = hk->m_write_buffer = 0x90;
    hk->m_real_over = 0;
#undef hk
    return;
}
/* Write the saved original bytes back over every hook site and free the records.
 * NOTE(review):
 *  - proc_hand is never closed (handle leak); the pseudo-handle from GetCurrentProcess() would
 *    avoid OpenProcess(PROCESS_ALL_ACCESS) altogether;
 *  - g_cntHook is not reset, so a second call frees the records again;
 *  - WriteProcessMemory's result is unchecked, so a failed restore is silently left patched;
 *  - a thread that is still inside mod() or executing m_read_buffer when VirtualFree runs
 *    would be running freed memory — callers must ensure no thread is in the hook path;
 *  - the `[i]` subscripts on the container appear lost in extraction. */
void Unhook_and_free_memory()
{
    HANDLE proc_hand = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetProcessId(GetCurrentProcess()));
    for (unsigned i = 0; i != g_cntHook; ++i){
        /* Restore the original bytes, then release the record. */
        WriteProcessMemory(proc_hand, (void*)g_pHookInfo_array->m_HookAddress,
        g_pHookInfo_array->m_read_buffer,
        g_pHookInfo_array->m_real_over, NULL);
        VirtualFree(g_pHookInfo_array, 0, MEM_RELEASE);
    }
    return;
}
#include<Windows.h>
/* One record per installed hook. Allocated from a PAGE_EXECUTE_READWRITE page because
 * m_read_buffer is executed by mod(), not just read. Addresses are held in `unsigned`,
 * so this is 32-bit x86 only. */
typedef struct c_HookInfo{
    unsigned m_HookAddress;       // address of the first overwritten byte (the hook site)
    void (*m_ownFunc)(unsigned);  // user handler; receives this record's index from mod()
    /* Original bytes from m_HookAddress followed by JMP rel32 back; executed by mod() and
     * written back on unhook. NOTE(review): the `[...]` dimension appears lost in extraction. */
    char m_read_buffer; // used when restoring
    /* The patch written over the target: CALL rel32 into mod() plus 0x90 padding.
     * NOTE(review): the `[...]` dimension appears lost in extraction. */
    char m_write_buffer;
    unsigned m_real_over;         // number of bytes actually overwritten (>= 5, whole instructions)
}HookInfo, *PHookInfo;
/* memory func */
///>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
void mod(); //// relay code block: the trampoline the planted CALL lands in
void Unhook_and_free_memory();                 // restore every hook site and free the records
void Zero_hook_info(PHookInfo hk_info);        // reset a freshly allocated record
/* Install a hook: (target address, bytes overwritten, handler taking the record index). */
void EditHook(const unsigned,const int,void (*)(unsigned));
///<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
/* Function-pointer "object" bundling the API with the hook container and count, so users reach
 * everything through the single global h_m. */
struct CHook_Member{
    void (*Unhook_and_free_memory)(); // restore the original code and free memory
    void (*Edit_hook)(const unsigned, // address to hook
    const int, // length of the instruction bytes actually clobbered
    void(*)(unsigned)); // user handler; receives the hook record's index
    /* Container of hook records.
     * NOTE(review): a `[...]` dimension appears lost in extraction; as printed this is a single
     * pointer that every EditHook() call overwrites, which would leak earlier records. */
    PHookInfo hook_info_array;
    /* Number of live hooks (as printed, the space between `unsigned` and the name is missing —
     * extraction artefact). */
    unsignedcnt_hook;
}h_m ={ Unhook_and_free_memory ,EditHook,0,0,};
/*
 * mod() — trampoline that the 5-byte CALL planted by EditHook() lands in.
 *
 *  1. The two `mov edi, edi` encode as 8B FF 8B FF, the marker EditHook() scans for; the CALL
 *     targets the byte after them, skipping any compiler prologue (hence "Release build only").
 *  2. pushfd/pushad save the hooked thread's flags and registers, the CALL's return address is
 *     read into edx, and a run of load/store pairs rearranges the saved block.
 *     NOTE(review): the `[...]` memory operands of those loads/stores were lost in extraction, so
 *     the stack layout cannot be reviewed here; from the count (nine pairs, then one pop) they
 *     presumably shift the saved block so the return address is dropped — confirm against the original.
 *  3. rAddress = return address - 5 = the hook site, looked up to obtain the record index that is
 *     passed to the user handler.
 *  4. popad/popfd restore the state and execution jumps into m_read_buffer (displaced original
 *     bytes + JMP back). This function never returns normally.
 */
void mod(){
    __asm{
        mov edi, edi
        mov edi, edi
        pushfd
        pushad
        mov edx,
        mov eax,
        mov, eax
        mov eax,
        mov, eax
        mov eax,
        mov, eax
        mov eax,
        mov, eax
        mov eax,
        mov, eax
        mov eax,
        mov, eax
        mov eax,
        mov, eax
        mov eax,
        mov, eax
        mov eax,
        mov, eax
        pop eax
    }
    /* rAddress = edx - 5: the return address pushed by the planted CALL minus the CALL's length. */
    int rAddress = -5;
    __asm add rAddress, edx
    /* Map the hook site to its record index.
     * NOTE(review): the `[i]` subscript on the container appears lost in extraction. On no match,
     * rAddress keeps the raw address and is still passed to the handler as if it were an index. */
    for (unsigned i = 0; i != h_m.cnt_hook; ++i)
        if (h_m.hook_info_array->m_HookAddress == rAddress){
            rAddress = i;
            break;
        }
    /* Run the user handler with the record index; the saved registers/flags are still on the stack. */
    h_m.hook_info_array->m_ownFunc(rAddress);
    /* Address of the displaced original bytes (+ trailing JMP back), inside the RWX record. */
    unsigned read_i = (unsigned)h_m.hook_info_array->m_read_buffer;
    __asm{
        popad
        popfd
        jmp read_i
    }
}
/* Reset a freshly allocated hook record: clear address, handler and length, and fill both byte
 * buffers with 0x90 (NOP) so the write buffer beyond the 5-byte CALL pads the overwritten
 * instructions with NOPs.
 * NOTE(review): the literal 25 is the buffer size and must match the member dimension of
 * c_HookInfo (a named constant would keep the two in step); the `[i]` subscripts in the loop
 * body appear lost in extraction. */
void Zero_hook_info(PHookInfo hk_info)
{
#define hk hk_info
    hk->m_HookAddress = 0;
    hk->m_ownFunc = NULL;
    int i = 0;
    for (; i < 25; ++i)
        hk->m_read_buffer = hk->m_write_buffer = 0x90;
    hk->m_real_over = 0;
#undef hk
    return;
}
/* Write the saved original bytes back over every hook site and free the records.
 * NOTE(review):
 *  - proc_hand is never closed (handle leak); the GetCurrentProcess() pseudo-handle would avoid
 *    OpenProcess(PROCESS_ALL_ACCESS) entirely;
 *  - h_m.cnt_hook is not reset, so a second call frees the records again;
 *  - WriteProcessMemory's result is unchecked, so a failed restore is silently left patched;
 *  - a thread still inside mod() or executing m_read_buffer when VirtualFree runs would be
 *    running freed memory — callers must ensure no thread is in the hook path;
 *  - the `[i]` subscripts on the container appear lost in extraction. */
void Unhook_and_free_memory()
{
    HANDLE proc_hand = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetProcessId(GetCurrentProcess()));
    for (unsigned i = 0; i != h_m.cnt_hook; ++i){
        /* Restore the original bytes, then release the record. */
        WriteProcessMemory(proc_hand, (void*)h_m.hook_info_array->m_HookAddress,
        h_m.hook_info_array->m_read_buffer,
        h_m.hook_info_array->m_real_over, NULL);
        VirtualFree(h_m.hook_info_array, 0, MEM_RELEASE);
    }
    return;
}
/*
 * EditHook() — installs an inline hook at addr: saves `length` original bytes into a new record,
 * appends a JMP back, and overwrites the target with CALL mod() padded with NOPs.
 *
 * Preconditions relied on but not checked:
 *  - length >= 5, covering whole instructions, none position-dependent (relative CALL/JMP/Jcc),
 *    since they are later executed from the record's buffer;
 *  - length + 5 <= 25 (the buffer size used by Zero_hook_info), otherwise the JMP written below
 *    overruns m_read_buffer.
 * Read/WriteProcessMemory results are unchecked and the patch is not written atomically, so a
 * thread executing the target mid-write sees a torn instruction stream. For defenders, the
 * result (a CALL at a code address into private RWX memory, and a .text page differing from the
 * on-disk image) is what inline-hook scanners and code integrity checks flag.
 */
void EditHook(const unsigned addr,const int length,void (*pfunc)(unsigned))
{
    /* One RWX record per hook (m_read_buffer is executed by mod()).
     * NOTE(review): least privilege would be RW while filling, then VirtualProtect to
     * PAGE_EXECUTE_READ before the hook goes live (W^X). As printed the container pointer is
     * overwritten on every call — a `[h_m.cnt_hook]` index was probably lost in extraction. */
    h_m.hook_info_array
    = VirtualAlloc(NULL, sizeof(HookInfo), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    switch ((unsigned)h_m.hook_info_array){
    case NULL:
        /* custom handling: memory allocation failed.. */
        return;
    default:
        Zero_hook_info((PHookInfo)h_m.hook_info_array);
        break;
    }
#define hk (*h_m.hook_info_array)
    hk.m_HookAddress = addr;
    hk.m_real_over = length;
    hk.m_ownFunc = pfunc;
    /* Opening our own process with PROCESS_ALL_ACCESS is redundant: the GetCurrentProcess()
     * pseudo-handle already carries the rights Read/WriteProcessMemory need. */
    HANDLE proc_hand = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetProcessId(GetCurrentProcess()));
    /* Save the bytes about to be overwritten. Unchecked: on failure the 0x90 fill is what an
     * unhook would later "restore" over the target. */
    ReadProcessMemory(proc_hand, (char*)addr, hk.m_read_buffer, length, NULL);
    /* Append JMP rel32 (0xE9) after the saved bytes, back to addr + length.
     * rel32 = target - (address of the JMP + 5).
     * NOTE(review): the `[length]` index on the first line appears lost in extraction. */
    hk.m_read_buffer = 0xE9;
    *(unsigned*)(hk.m_read_buffer + length + 1) = hk.m_HookAddress + hk.m_real_over
    - (unsigned)(hk.m_read_buffer + length) - 5;
    /* Locate the 8B FF 8B FF marker (two `mov edi, edi`) inside mod(); the CALL targets the byte
     * right after it. Scans up to 53 bytes past mod(). */
    unsigned mod_offset = 0;
    for (int i = 0; i < 50; ++i){
        if (*(unsigned*)(((char*)mod) + i) == 0xff8bff8b){
            mod_offset = (unsigned)mod + i + 4 - addr - 5;
            break;
        }
        /* marker not found */
        /* NOTE(review): only a message box — execution continues and a CALL with rel32 == 0 is
         * still planted below. The function should release the record and return here. */
        if (i == 49)MessageBox(NULL, L".49.", L"..", MB_OK);
    }
    /* Build the patch: CALL rel32 (0xE8) into mod(); bytes 5..length-1 stay 0x90 from Zero_hook_info(). */
    hk.m_write_buffer = (char)0xE8;
    /* NOTE(review): as printed this assigns to a cast expression and cannot compile; the leading
     * `*` (dereference) was presumably lost in extraction. */
    ((unsigned*)(hk.m_write_buffer + 1)) = mod_offset;
    /* Plant the patch over the target; not atomic, result unchecked. */
    WriteProcessMemory(proc_hand, (char*)addr, hk.m_write_buffer, length, NULL);
#undef hk
    CloseHandle(proc_hand);
    ++h_m.cnt_hook;
    return;
}
寒枫雨雪 发表于 2016-9-7 16:56
数组中的是怎么写啊?能不能给个范例
char ia[] = { 0xE9, 0x00, 0x10, 0x40, 0x00 };
反汇编 : 013C4018 >- E9 00104000 jmp 017C501D
waym 发表于 2016-9-7 16:44
用那样的形式嵌入代码中的方法我不清楚, 只会写到数组中
数组中的是怎么写啊?能不能给个范例 不觉明历,看见楼主这么辛苦的份上给个好评! 。。。。。。。。。
谢谢分享,代码看的不是很明白,好吧!基本上都是不懂的。 LeiSir 发表于 2016-9-7 15:11
谢谢分享,代码看的不是很明白,好吧!基本上都是不懂的。
没怎么注释。。{:301_998:} 有没有另一种写法啊? 类似易语言的置入代码 {0xE9 ,0x00 ,0x10 ,0x40 ,0x00}; 寒枫雨雪 发表于 2016-9-7 16:00
有没有另一种写法啊? 类似易语言的置入代码 {0xE9 ,0x00 ,0x10 ,0x40 ,0x00};
你指的是? 支持一下 楼主厉害{:301_997:} waym 发表于 2016-9-7 16:06
你指的是?
C语言的汇编写法