#include <Windows.h>
#include <stdio.h>
/* Opcode bytes that InlineHook() writes into the patched prologue. */
enum InLineHook
{
    E8 = 0xE8,   /* x86 near relative CALL (rel32 follows); first byte of uCall */
    NOP = 0x90   /* x86 one-byte NOP; fills the 2 bytes left after the 5-byte CALL */
};
/* Hook bookkeeping: written by main()/InlineHook(), read by OnHookAAA()/UnloadInlineHook(). */
DWORD g_dwJmpFunctionAddress = 0;   /* rel32 displacement from the patch-site CALL to OnHookAAA (computed in InlineHook) */
DWORD g_dwOldFunctionAddress = 0;   /* patch site: MessageBoxW address + 5 (set in main) */
DWORD g_dwOrgFunctionAddress = 0;   /* resume point: patch site + 7, target of the final jmp in OnHookAAA */
DWORD g_dwOldProtect = 0;           /* page protection saved by VirtualProtect before the patch is written */
/* Called from the detour (OnHookAAA) each time the hooked function is entered; writes one line to stdout. */
VOID WINAPI print()
{
    fputs("Hook测试!\n", stdout);
}
/*
 * Detour body reached through the 5-byte CALL that InlineHook() writes at the
 * patch site. Declared naked so the compiler emits no prologue/epilogue: on
 * entry the stack is exactly as that CALL left it, return address on top.
 * This function never returns normally: it calls print(), replays the 7
 * bytes that were overwritten, and jumps to g_dwOrgFunctionAddress
 * (patch site + 7, set in InlineHook).
 */
__declspec(naked) VOID OnHookAAA()
{
    __asm
    {
        pushad                       // save all general registers around the C call
        pushfd                       // save flags
        call print
        popfd
        popad
        pop eax                      // discard the return address pushed by the patched CALL; without this it crashes
        xor eax, eax                 // clear eax, which now holds the discarded return address
        push 0x0FFFFFFFF             // replay of the 7 overwritten bytes (6A FF / 6A 00 / FF 75 14),
        push 0                       // the same bytes UnloadInlineHook writes back
        push dword ptr [ebp + 0x14]
        jmp g_dwOrgFunctionAddress   // continue in the original function just past the patch
    }
}
//获取原来的函数地址
/*
 * Resolve the address of user32!MessageBoxW.
 *
 * Returns the export address on success. On failure returns (DWORD)-1 when
 * user32.dll could not be loaded and (DWORD)-2 when the export is missing;
 * callers must test for these sentinels, they are not usable addresses.
 * The module handle from LoadLibrary is never released here. The address is
 * truncated to a 32-bit DWORD, so this only holds in a 32-bit process.
 */
DWORD GetOldFunctionAddress()
{
    HMODULE hUser32 = LoadLibrary(TEXT("user32.dll"));
    if (!hUser32)
    {
        return (DWORD)-1;
    }

    FARPROC pfnMessageBoxW = GetProcAddress(hUser32, "MessageBoxW");
    if (!pfnMessageBoxW)
    {
        return (DWORD)-2;
    }

    return (DWORD)pfnMessageBoxW;
}
/*
 * Overwrite 7 bytes at g_dwOldFunctionAddress (MessageBoxW + 5) with a
 * 5-byte CALL to OnHookAAA followed by two NOPs. Requires
 * g_dwOldFunctionAddress to be set by the caller (main does this).
 * Side effects: sets g_dwOrgFunctionAddress, g_dwJmpFunctionAddress and
 * g_dwOldProtect, and changes the protection of the page at the patch site
 * for the duration of the write.
 * NOTE(review): the original 7 bytes are not saved anywhere; UnloadInlineHook
 * relies on a hard-coded copy of them. Both VirtualProtect results are ignored,
 * so a failed protection change is followed by a write to non-writable code.
 */
VOID InlineHook()
{
    UCHAR uCall[5] = { 0 };              /* E8 + rel32 */
    UCHAR uNop[2] = { NOP, NOP };        /* pad bytes 5..6 of the 7-byte patch */
    DWORD dwOldProtect = 0;              /* receives the protection restored by the second VirtualProtect; unused */
    g_dwOrgFunctionAddress = g_dwOldFunctionAddress + 7;   /* where OnHookAAA resumes the original function */
    uCall[0] = E8;
    /* rel32 is relative to the end of the 5-byte CALL instruction, i.e. patch site + 5 */
    g_dwJmpFunctionAddress = (DWORD)OnHookAAA - g_dwOldFunctionAddress - 5;
    *((DWORD *)&uCall[1]) = g_dwJmpFunctionAddress;
    /* make the page writable; the previous protection is kept in the global for UnloadInlineHook-style restores */
    VirtualProtect((LPVOID)g_dwOldFunctionAddress, 4096, PAGE_EXECUTE_READWRITE, &g_dwOldProtect);
    CopyMemory((LPVOID)g_dwOldFunctionAddress, uCall, 5);
    CopyMemory((LPVOID)((DWORD)g_dwOldFunctionAddress + 5), uNop, 2);
    /* put the saved protection back; the value written to dwOldProtect is discarded */
    VirtualProtect((LPVOID)g_dwOldFunctionAddress, 4096, g_dwOldProtect, &dwOldProtect);
}
/*
 * Write the 7 original bytes back over the patch at g_dwOldFunctionAddress,
 * removing the hook installed by InlineHook.
 * NOTE(review): the bytes are hard-coded (push -1 / push 0 / push [ebp+0x14]),
 * not captured when the hook was installed, so the restore is only correct if
 * the prologue at the patch site really contained exactly these bytes.
 * VirtualProtect results are ignored here as well.
 */
VOID UnloadInlineHook()
{
    UCHAR uUnload[7] = { 0x6A, 0xFF, 0x6A, 0x00, 0xFF, 0x75, 0x14 };   /* same bytes OnHookAAA replays */
    DWORD dwOldProtect = 0;   /* receives the protection restored by the second VirtualProtect; unused */
    VirtualProtect((LPVOID)g_dwOldFunctionAddress, 4096, PAGE_EXECUTE_READWRITE, &g_dwOldProtect);
    CopyMemory((LPVOID)g_dwOldFunctionAddress, uUnload, 7);
    VirtualProtect((LPVOID)g_dwOldFunctionAddress, 4096, g_dwOldProtect, &dwOldProtect);
}
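/*
 * Demo driver: locate MessageBoxW, install the inline hook, show a message
 * box (which runs the detour), remove the hook, and show it again.
 * Returns 0 on success, 1 if MessageBoxW could not be located.
 */
int main(void)
{
    DWORD dwFunctionAddress = GetOldFunctionAddress();
    /* GetOldFunctionAddress reports failure with (DWORD)-1 / (DWORD)-2;
     * the original code patched that value + 5 without checking. */
    if (dwFunctionAddress == (DWORD)-1 || dwFunctionAddress == (DWORD)-2)
    {
        fprintf(stderr, "failed to locate MessageBoxW\n");
        return 1;
    }
    g_dwOldFunctionAddress = dwFunctionAddress + 5;   /* patch site used by InlineHook/UnloadInlineHook */
    InlineHook();
    MessageBox(NULL, TEXT("测试"), TEXT("IATHOOK"), MB_YESNOCANCEL);   /* hooked: detour prints first */
    UnloadInlineHook();
    MessageBox(NULL, TEXT("测试"), TEXT("IATHOOK"), MB_YESNOCANCEL);   /* unhooked: plain call */
    system("pause");   /* keeps the console open; spawns a shell, acceptable only for a demo */
    return 0;
}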