waym
发表于 2016-9-7 14:39
本帖最后由 waym 于 2016-9-7 16:49 编辑
测试环境 vs2013
注意：如果自己测试的话请使用 Release 版，因为 DEBUG 版会把函数名编译成跳转形式，不支持覆盖跳转类指令，具体情况读了代码就知道了。
同样玩C语言的朋友可以联系我一起讨论
需要的朋友拿走。
不同用途自行修改。第一份代码是带有一些调试信息的版本，第二份是包装得比较干净的版本。
修改：自定义的处理函数原型。现在 `void EditHook(const unsigned, const int, void (*)(unsigned));` 在调用处理函数时传入 hook_info_array[2000] 的当前下标，这样容易处理一些事情：`void func(unsigned index);`
#include<Windows.h>
#include"F:\Projects\logbox\logbox\logBox.h"
/* Capacity limits for the hook table and the per-hook code buffers. */
enum {
    MaxHookVec = 2000,      /* maximum number of records g_pHookInfo_array can hold */
    HOOKINFOBUFFER = 25     /* size of each saved-bytes / patch-bytes buffer in HookInfo */
};
/* Scratch buffer for debug output (not referenced by the code shown here). */
TCHAR buffer[1000];
/* Type of a user-supplied hook handler: called with no arguments from the trampoline. */
typedef void(*PF)();
/* One installed hook. HookAddress() allocates it with VirtualAlloc as
 * PAGE_EXECUTE_READWRITE because the trampoline mod() jumps into m_read_buffer. */
typedef struct c_HookInfo{
unsigned m_HookAddress; // address whose first m_real_over bytes were overwritten
PF m_ownFunc; // user handler; mod() calls it with no arguments
char m_read_buffer[HOOKINFOBUFFER]; // displaced original bytes + jmp back to m_HookAddress + m_real_over; written back on unhook
char m_write_buffer[HOOKINFOBUFFER]; // bytes written over the target: E8 call into mod(), then the 0x90 fill from Zero_hook_info()
unsigned m_real_over; // number of bytes overwritten at m_HookAddress (the `length` given to HookAddress())
}HookInfo, *PHookInfo;
/* memory func */
void Zero_hook_info(PHookInfo); // reset one record; both code buffers become 0x90 fill
void Unhook_and_free_memory(); // restore every hooked address and release the records
PHookInfo g_pHookInfo_array[MaxHookVec]; // installed hooks in install order; mod() searches it by m_HookAddress
unsigned g_cntHook = 0; // number of valid entries in g_pHookInfo_array
/*
 * Trampoline shared by every hook. HookAddress() patches the target with a
 * 5-byte `call` whose destination is the byte after the two `mov edi, edi`
 * below, so on entry the return address on the stack is hook_address + 5.
 *
 * After pushfd + pushad (x86: 8 registers and the flags, 4 bytes each) the
 * return address sits at [esp+0x24]. The copy chain shifts the nine saved
 * slots up by one and `pop eax` discards the lowest, which removes the return
 * address while keeping the saved registers in order. popad/popfd then leave
 * esp as it was before the `call`, and the final jmp resumes in
 * m_read_buffer: the displaced original instructions followed by a jmp back
 * to hook_address + length.
 *
 * NOTE(review): `add rAddress, edx` assumes the compiler leaves edx (loaded
 * with the return address in the first asm block) intact across the C code in
 * between; the post's "use a Release build" remark presumably relates to this.
 * NOTE(review): if no entry's m_HookAddress matches, rAddress keeps its
 * address-derived value and the g_pHookInfo_array index below is out of bounds.
 */
void mod(){ // trampoline block
__asm{
mov edi, edi ; these two 2-byte instructions (8B FF 8B FF) form the 0xff8bff8b marker HookAddress() scans for
mov edi, edi
pushfd
pushad
mov edx,[esp+0x24] ; return address pushed by the call at the hook site
mov eax, [esp+0x20] ; shift the nine saved slots up by 4 bytes, overwriting the return address
mov[esp+ 0x24],eax
mov eax, [esp + 0x1C]
mov[esp + 0x20], eax
mov eax, [esp + 0x18]
mov[esp + 0x1C], eax
mov eax, [esp + 0x14]
mov[esp + 0x18], eax
mov eax, [esp + 0x10]
mov[esp + 0x14], eax
mov eax, [esp + 0xC]
mov[esp + 0x10], eax
mov eax, [esp + 0x8]
mov[esp + 0xC], eax
mov eax, [esp + 0x4]
mov[esp + 0x8], eax
mov eax, [esp]
mov[esp + 0x4],eax
pop eax ; drop the now-duplicated lowest slot; eax itself is restored by popad below
}
int rAddress = -5; // return address - 5 == address of the patched call == m_HookAddress
__asm add rAddress,edx
for (unsigned i = 0; i != g_cntHook;++i) // translate the hook address into its table index
if (g_pHookInfo_array[i]->m_HookAddress == rAddress){
rAddress = i;
break;
}
g_pHookInfo_array[rAddress]->m_ownFunc(); // user handler runs with all registers still saved on the stack
unsigned read_i = (unsigned)g_pHookInfo_array[rAddress]->m_read_buffer; // displaced bytes followed by the return jmp
__asm{
popad
popfd
jmp read_i
}
}
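/*
 * Installs an inline hook at addr.
 *
 * The first `length` bytes at addr are copied into a new HookInfo record and
 * followed by a 5-byte jmp back to addr + length, so executing m_read_buffer
 * runs the displaced instructions and resumes the original code. The target
 * is then overwritten with a 5-byte `call` into the trampoline mod() (located
 * by its 8B FF 8B FF marker) plus the 0x90 fill Zero_hook_info() left in
 * m_write_buffer. On success the record is appended to g_pHookInfo_array and
 * g_cntHook is incremented; on any failure nothing is recorded and the
 * allocation and the process handle are released.
 *
 * addr   - address of the instruction(s) to overwrite; the `length` bytes
 *          there must be whole instructions, since they are re-executed from
 *          m_read_buffer.
 * length - number of bytes overwritten; must be at least 5 (the call) and
 *          leave room in HOOKINFOBUFFER for the 5-byte return jmp.
 * pfunc  - handler invoked from mod() each time the hooked code runs; must not
 *          be NULL, since mod() calls it unconditionally.
 */
void HookAddress(const unsigned addr, const int length, PF pfunc)
{
    log_print(L"HookAddress() exec ..\n");

    /* Capacity and argument validation: without these the table and the
     * 25-byte buffers are written past their ends. */
    if (g_cntHook >= MaxHookVec || pfunc == NULL) {
        return;
    }
    if (length < 5 || length + 5 > HOOKINFOBUFFER) {
        return;
    }

    /* Locate the entry marker inside mod(): two `mov edi, edi` (8B FF 8B FF).
     * Done before any allocation so a missing marker leaves no state behind. */
    unsigned mod_entry = 0;
    for (int i = 0; i < 50; ++i) {
        if (*(unsigned *)((char *)mod + i) == 0xff8bff8b) {
            mod_entry = (unsigned)mod + i + 4;   /* first byte after the marker */
            break;
        }
    }
    if (mod_entry == 0) {
        /* Marker not found (the post notes Debug builds turn `mod` into a jump thunk). */
        MessageBox(NULL, L".49.", L"..", MB_OK);
        return;
    }

    /* Executable page: mod() jumps into m_read_buffer. */
    PHookInfo hk = VirtualAlloc(NULL, sizeof *hk, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (hk == NULL) {
        return;
    }
    Zero_hook_info(hk);
    hk->m_HookAddress = addr;
    hk->m_real_over = length;
    hk->m_ownFunc = pfunc;

    /* Only the rights the read/write below need, instead of PROCESS_ALL_ACCESS. */
    HANDLE proc_hand = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION,
                                   FALSE, GetProcessId(GetCurrentProcess()));
    if (proc_hand == NULL) {
        goto fail_free;
    }

    /* Save the displaced bytes, then append `jmp addr+length` (E9 rel32, rel32
     * relative to the end of the jmp) so m_read_buffer resumes the original code. */
    if (!ReadProcessMemory(proc_hand, (char *)addr, hk->m_read_buffer, length, NULL)) {
        goto fail_close;
    }
    hk->m_read_buffer[length] = (char)0xE9;
    *(unsigned *)(hk->m_read_buffer + length + 1) =
        addr + length - (unsigned)(hk->m_read_buffer + length) - 5;

    /* Patch: `call mod_entry` (E8 rel32); the rest of the `length` bytes stay 0x90. */
    hk->m_write_buffer[0] = (char)0xE8;
    *(unsigned *)(hk->m_write_buffer + 1) = mod_entry - addr - 5;
    if (!WriteProcessMemory(proc_hand, (char *)addr, hk->m_write_buffer, length, NULL)) {
        goto fail_close;
    }

    CloseHandle(proc_hand);
    g_pHookInfo_array[g_cntHook] = hk;
    ++g_cntHook;
    return;

fail_close:
    CloseHandle(proc_hand);
fail_free:
    VirtualFree(hk, 0, MEM_RELEASE);
}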
/* Sample handler installed by DllMain(): only logs that it ran
 * (the author's placeholder for the real work). */
void test()
{
    log_print(L"test() 我们的处理函数\n");
}
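/*
 * DLL entry point. On process attach it initialises logging, turns off
 * thread attach/detach notifications and installs the hook at 0x401245
 * (7 bytes, handler test). On process detach it restores the patched bytes
 * and frees the records, so the patched call never targets the trampoline
 * mod() after this DLL's code has been unmapped.
 *
 * HookAddress() can call MessageBox(); doing that from DllMain runs under
 * the loader lock, which Microsoft's DllMain guidance warns against.
 */
BOOLEAN WINAPI DllMain(IN HINSTANCE hDllHandle, IN DWORD nReason, IN LPVOID Reserved)
{
    (void)Reserved;
    switch (nReason) {
    case DLL_PROCESS_ATTACH:
        LogBoxInit();
        log_print(L"DLL_PROCESS_ATTACH exec..\n");
        DisableThreadLibraryCalls(hDllHandle);   /* no per-thread work here */
        HookAddress(0x401245, 7, test);
        break;
    case DLL_PROCESS_DETACH:
        log_print(L"DLL_PROCESS_DETACH exec..\n");
        Unhook_and_free_memory();   /* restore the original bytes before our code goes away */
        break;
    default:
        /* Thread notifications are disabled above; nothing else needs handling. */
        break;
    }
    return TRUE;
}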
/* Resets one hook record: clears address, handler and saved length, and
 * fills both code buffers with 0x90 (x86 NOP) so unused tail bytes are
 * harmless if they are ever executed or written to the target. */
void Zero_hook_info(PHookInfo hk_info)
{
    hk_info->m_HookAddress = 0;
    hk_info->m_ownFunc = NULL;
    hk_info->m_real_over = 0;
    for (int i = 0; i < HOOKINFOBUFFER; ++i) {
        hk_info->m_read_buffer[i] = (char)0x90;
        hk_info->m_write_buffer[i] = (char)0x90;
    }
}
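/*
 * Restores the original bytes at every hooked address and frees the hook
 * records. The table is compacted and g_cntHook updated, so a second call or
 * a later HookAddress() cannot touch freed memory, and the process handle is
 * closed on every path. A record whose bytes could not be written back is
 * kept: the call at its m_HookAddress still targets mod(), which indexes
 * g_pHookInfo_array by that address.
 */
void Unhook_and_free_memory()
{
    /* Only the rights WriteProcessMemory needs. */
    HANDLE proc_hand = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION,
                                   FALSE, GetProcessId(GetCurrentProcess()));
    if (proc_hand == NULL) {
        return;   /* cannot restore code; leave hooks and records untouched */
    }

    unsigned kept = 0;   /* records that survive because their restore failed */
    for (unsigned i = 0; i != g_cntHook; ++i) {
        PHookInfo hk = g_pHookInfo_array[i];
        if (hk == NULL) {
            continue;
        }
        /* m_read_buffer holds the displaced bytes followed by the return jmp;
         * only the first m_real_over bytes go back to the target. */
        BOOL restored = WriteProcessMemory(proc_hand, (void *)hk->m_HookAddress,
                                           hk->m_read_buffer, hk->m_real_over, NULL);
        if (!restored) {
            g_pHookInfo_array[kept++] = hk;
            continue;
        }
        VirtualFree(hk, 0, MEM_RELEASE);
    }
    for (unsigned i = kept; i != g_cntHook; ++i) {
        g_pHookInfo_array[i] = NULL;
    }
    g_cntHook = kept;
    CloseHandle(proc_hand);
}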
#include<Windows.h>
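/* One installed hook. EditHook() allocates it with VirtualAlloc as
 * PAGE_EXECUTE_READWRITE because the trampoline mod() jumps into m_read_buffer. */
typedef struct c_HookInfo{
    unsigned m_HookAddress;        /* address whose first m_real_over bytes were overwritten */
    void (*m_ownFunc)(unsigned);   /* user handler; mod() passes this record's index in h_m.hook_info_array */
    char m_read_buffer[25];        /* displaced original bytes + jmp back to m_HookAddress + m_real_over; written back on unhook */
    char m_write_buffer[25];       /* bytes written over the target: E8 call into mod(), then the 0x90 fill from Zero_hook_info() */
    unsigned m_real_over;          /* number of bytes overwritten at m_HookAddress (the `length` given to EditHook()) */
}HookInfo, *PHookInfo;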
/* memory func */
///>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
void mod(); //// trampoline shared by all hooks; entered by the call EditHook() writes at the target
void Unhook_and_free_memory(); // restore every hooked address and free the records
void Zero_hook_info(PHookInfo hk_info); // reset one record; both code buffers become 0x90 fill
void EditHook(const unsigned,const int,void (*)(unsigned)); // install a hook: (address, bytes overwritten, handler receiving the record's index)
///<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
/* Module-level hook manager: function pointers for the public operations plus
 * the table of installed hooks. mod() searches the table by m_HookAddress and
 * hands the matching index to the handler. */
struct CHook_Member{
void (*Unhook_and_free_memory)(); // restore patched code and free the records
void (*Edit_hook)(const unsigned, // hook address
const int, // number of instruction bytes overwritten
void(*)(unsigned)); // user handler, called with the hook's table index
PHookInfo hook_info_array[2000]; // hook records in install order
unsigned cnt_hook; // number of valid entries in hook_info_array
}h_m ={ Unhook_and_free_memory ,EditHook,0,0,}; // table starts empty and cnt_hook at 0 (remaining members are zero-initialised)
/*
 * Trampoline shared by every hook. EditHook() patches the target with a
 * 5-byte `call` whose destination is the byte after the two `mov edi, edi`
 * below, so on entry the return address on the stack is hook_address + 5.
 *
 * After pushfd + pushad (x86: 8 registers and the flags, 4 bytes each) the
 * return address sits at [esp+0x24]. The copy chain shifts the nine saved
 * slots up by one and `pop eax` discards the lowest, which removes the return
 * address while keeping the saved registers in order. popad/popfd then leave
 * esp as it was before the `call`, and the final jmp resumes in
 * m_read_buffer: the displaced original instructions followed by a jmp back
 * to hook_address + length.
 *
 * NOTE(review): `add rAddress, edx` assumes the compiler leaves edx (loaded
 * with the return address in the first asm block) intact across the C code in
 * between; the post's "use a Release build" remark presumably relates to this.
 * NOTE(review): if no entry's m_HookAddress matches, rAddress keeps its
 * address-derived value and the hook_info_array index below is out of bounds.
 */
void mod(){
__asm{
mov edi, edi ; these two 2-byte instructions (8B FF 8B FF) form the 0xff8bff8b marker EditHook() scans for
mov edi, edi
pushfd
pushad
mov edx, [esp + 0x24] ; return address pushed by the call at the hook site
mov eax, [esp + 0x20] ; shift the nine saved slots up by 4 bytes, overwriting the return address
mov[esp + 0x24], eax
mov eax, [esp + 0x1C]
mov[esp + 0x20], eax
mov eax, [esp + 0x18]
mov[esp + 0x1C], eax
mov eax, [esp + 0x14]
mov[esp + 0x18], eax
mov eax, [esp + 0x10]
mov[esp + 0x14], eax
mov eax, [esp + 0xC]
mov[esp + 0x10], eax
mov eax, [esp + 0x8]
mov[esp + 0xC], eax
mov eax, [esp + 0x4]
mov[esp + 0x8], eax
mov eax, [esp]
mov[esp + 0x4], eax
pop eax ; drop the now-duplicated lowest slot; eax itself is restored by popad below
}
int rAddress = -5; // return address - 5 == address of the patched call == m_HookAddress
__asm add rAddress, edx
for (unsigned i = 0; i != h_m.cnt_hook; ++i) // translate the hook address into its table index
if (h_m.hook_info_array[i]->m_HookAddress == rAddress){
rAddress = i;
break;
}
h_m.hook_info_array[rAddress]->m_ownFunc(rAddress); // user handler receives the table index; all registers are still saved on the stack
unsigned read_i = (unsigned)h_m.hook_info_array[rAddress]->m_read_buffer; // displaced bytes followed by the return jmp
__asm{
popad
popfd
jmp read_i
}
}
/* Resets one hook record: clears address, handler and saved length, and
 * fills both 25-byte code buffers with 0x90 (x86 NOP) so unused tail bytes
 * are harmless if they are ever executed or written to the target. */
void Zero_hook_info(PHookInfo hk_info)
{
    hk_info->m_HookAddress = 0;
    hk_info->m_ownFunc = NULL;
    hk_info->m_real_over = 0;
    for (int i = 0; i < 25; ++i) {
        hk_info->m_read_buffer[i] = (char)0x90;
        hk_info->m_write_buffer[i] = (char)0x90;
    }
}
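/*
 * Restores the original bytes at every hooked address and frees the hook
 * records. The table is compacted and h_m.cnt_hook updated, so a second call
 * or a later EditHook() cannot touch freed memory, and the process handle is
 * closed on every path. A record whose bytes could not be written back is
 * kept: the call at its m_HookAddress still targets mod(), which indexes
 * h_m.hook_info_array by that address.
 */
void Unhook_and_free_memory()
{
    /* Only the rights WriteProcessMemory needs. */
    HANDLE proc_hand = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION,
                                   FALSE, GetProcessId(GetCurrentProcess()));
    if (proc_hand == NULL) {
        return;   /* cannot restore code; leave hooks and records untouched */
    }

    unsigned kept = 0;   /* records that survive because their restore failed */
    for (unsigned i = 0; i != h_m.cnt_hook; ++i) {
        PHookInfo hk = h_m.hook_info_array[i];
        if (hk == NULL) {
            continue;
        }
        /* m_read_buffer holds the displaced bytes followed by the return jmp;
         * only the first m_real_over bytes go back to the target. */
        BOOL restored = WriteProcessMemory(proc_hand, (void *)hk->m_HookAddress,
                                           hk->m_read_buffer, hk->m_real_over, NULL);
        if (!restored) {
            h_m.hook_info_array[kept++] = hk;
            continue;
        }
        VirtualFree(hk, 0, MEM_RELEASE);
    }
    for (unsigned i = kept; i != h_m.cnt_hook; ++i) {
        h_m.hook_info_array[i] = NULL;
    }
    h_m.cnt_hook = kept;
    CloseHandle(proc_hand);
}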
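/*
 * Installs an inline hook at addr.
 *
 * The first `length` bytes at addr are copied into a new HookInfo record and
 * followed by a 5-byte jmp back to addr + length, so executing m_read_buffer
 * runs the displaced instructions and resumes the original code. The target
 * is then overwritten with a 5-byte `call` into the trampoline mod() (located
 * by its 8B FF 8B FF marker) plus the 0x90 fill Zero_hook_info() left in
 * m_write_buffer. On success the record is appended to h_m.hook_info_array
 * and h_m.cnt_hook is incremented; on any failure nothing is recorded and the
 * allocation and the process handle are released.
 *
 * addr   - address of the instruction(s) to overwrite; the `length` bytes
 *          there must be whole instructions, since they are re-executed from
 *          m_read_buffer.
 * length - number of bytes overwritten; must be at least 5 (the call) and
 *          leave room in m_read_buffer for the 5-byte return jmp.
 * pfunc  - handler invoked from mod() with the record's table index; must not
 *          be NULL, since mod() calls it unconditionally.
 */
void EditHook(const unsigned addr,const int length,void (*pfunc)(unsigned))
{
    const unsigned table_size = sizeof h_m.hook_info_array / sizeof h_m.hook_info_array[0];
    const int buf_size = (int)sizeof(((HookInfo *)0)->m_read_buffer);

    /* Capacity and argument validation: without these the table and the
     * code buffers are written past their ends. */
    if (h_m.cnt_hook >= table_size || pfunc == NULL) {
        return;
    }
    if (length < 5 || length + 5 > buf_size) {
        return;
    }

    /* Locate the entry marker inside mod(): two `mov edi, edi` (8B FF 8B FF).
     * Done before any allocation so a missing marker leaves no state behind. */
    unsigned mod_entry = 0;
    for (int i = 0; i < 50; ++i) {
        if (*(unsigned *)((char *)mod + i) == 0xff8bff8b) {
            mod_entry = (unsigned)mod + i + 4;   /* first byte after the marker */
            break;
        }
    }
    if (mod_entry == 0) {
        /* Marker not found (the post notes Debug builds turn `mod` into a jump thunk). */
        MessageBox(NULL, L".49.", L"..", MB_OK);
        return;
    }

    /* Executable page: mod() jumps into m_read_buffer. */
    PHookInfo hk = VirtualAlloc(NULL, sizeof *hk, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (hk == NULL) {
        return;
    }
    Zero_hook_info(hk);
    hk->m_HookAddress = addr;
    hk->m_real_over = length;
    hk->m_ownFunc = pfunc;

    /* Only the rights the read/write below need, instead of PROCESS_ALL_ACCESS. */
    HANDLE proc_hand = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION,
                                   FALSE, GetProcessId(GetCurrentProcess()));
    if (proc_hand == NULL) {
        goto fail_free;
    }

    /* Save the displaced bytes, then append `jmp addr+length` (E9 rel32, rel32
     * relative to the end of the jmp) so m_read_buffer resumes the original code. */
    if (!ReadProcessMemory(proc_hand, (char *)addr, hk->m_read_buffer, length, NULL)) {
        goto fail_close;
    }
    hk->m_read_buffer[length] = (char)0xE9;
    *(unsigned *)(hk->m_read_buffer + length + 1) =
        addr + length - (unsigned)(hk->m_read_buffer + length) - 5;

    /* Patch: `call mod_entry` (E8 rel32); the rest of the `length` bytes stay 0x90. */
    hk->m_write_buffer[0] = (char)0xE8;
    *(unsigned *)(hk->m_write_buffer + 1) = mod_entry - addr - 5;
    if (!WriteProcessMemory(proc_hand, (char *)addr, hk->m_write_buffer, length, NULL)) {
        goto fail_close;
    }

    CloseHandle(proc_hand);
    h_m.hook_info_array[h_m.cnt_hook] = hk;
    ++h_m.cnt_hook;
    return;

fail_close:
    CloseHandle(proc_hand);
fail_free:
    VirtualFree(hk, 0, MEM_RELEASE);
}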