WDM式的驱动,即安装时需要提供inf文件,区别于NT式驱动。WDM驱动提供PnP、电源管理等功能,但安装时总会弹出一个烦人的对话框显示安装进度。
本文使用进程内钩子,HOOK MessageBoxW、MessageBeep、ShowWindow、SetForegroundWindow 来达到隐藏窗口目的。至于可以做什么不用我说了吧,见代码:
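/*
 * In-process patching of four user32 exports (32-bit x86, MSVC only: the
 * hook stub below relies on __declspec(naked) and __asm).
 *
 * The original listing restored MessageBeep / MessageBoxW /
 * SetForegroundWindow from hard-coded hot-patch prologue bytes and only
 * saved ShowWindow's original bytes.  If a build of user32.dll (or another
 * hook already present in the process) does not start with exactly those
 * bytes, UnHook would corrupt the function.  Every target's original bytes
 * are now saved by SetHook and written back verbatim by UnHook.  Each write
 * is checked, the instruction cache is flushed after every patch, and a
 * failed SetHook rolls back the patches it already applied.
 */

enum { HOOK_MAX_PATCH = 5 };   /* longest patch: jmp rel32 for MessageBoxW */

/* One patched export. */
typedef struct HookTarget
{
    const char *pszName;                  /* export name in user32.dll */
    BYTE        arrPatch[HOOK_MAX_PATCH]; /* bytes SetHook writes */
    SIZE_T      cbPatch;                  /* number of bytes patched (3 or 5) */
    BYTE        arrOld[HOOK_MAX_PATCH];   /* original bytes saved by SetHook */
    FARPROC     pfn;                      /* resolved address, NULL until ResolveTargets */
} HookTarget;

/* Kept for compatibility with the original listing: still receives ShowWindow's
 * original 3 bytes (a copy of g_arrTargets[HOOK_IDX_SHOWWINDOW].arrOld). */
BYTE g_arrOldShowWindowBytes[3];

/* "\xC2\x04\x00" = ret 4 (one stdcall argument), "\xC2\x08\x00" = ret 8 (two).
 * These stubs do not set EAX, so the patched function's BOOL result is
 * whatever the caller had in EAX - callers that test the result see an
 * arbitrary value.  The MessageBoxW entry is a jmp rel32 whose displacement
 * SetHook fills in, because it depends on load addresses. */
static HookTarget g_arrTargets[] =
{
    { "MessageBeep",         { 0xC2, 0x04, 0x00 }, 3, { 0 }, NULL },
    { "MessageBoxW",         { 0xE9, 0, 0, 0, 0 }, 5, { 0 }, NULL },
    { "ShowWindow",          { 0xC2, 0x08, 0x00 }, 3, { 0 }, NULL },
    { "SetForegroundWindow", { 0xC2, 0x04, 0x00 }, 3, { 0 }, NULL },
};
enum { HOOK_TARGET_COUNT = sizeof g_arrTargets / sizeof g_arrTargets[0] };
enum { HOOK_IDX_MESSAGEBOXW = 1, HOOK_IDX_SHOWWINDOW = 2 };

static BOOL g_bHooked = FALSE;   /* guards against double SetHook / stray UnHook */

/* Replacement for MessageBoxW(HWND, LPCWSTR, LPCWSTR, UINT): pops the four
 * stdcall arguments (0x10 bytes) and returns IDOK (1) so a caller that tests
 * the result sees the dialog as dismissed.  The original stub left EAX
 * undefined. */
void __declspec(naked) hkMessageBox()
{
    __asm
    {
        mov eax, 1      ; IDOK
        ret 10h
    }
}

/* Resolve every target's address in the already-loaded user32.dll.
 * Returns FALSE (without touching any code) if the module or an export is
 * missing. */
static BOOL ResolveTargets(void)
{
    HMODULE hUser32 = GetModuleHandle(_T("user32.dll"));
    if (hUser32 == NULL)
    {
        return FALSE;
    }
    for (size_t i = 0; i < HOOK_TARGET_COUNT; i++)
    {
        g_arrTargets[i].pfn = GetProcAddress(hUser32, g_arrTargets[i].pszName);
        if (g_arrTargets[i].pfn == NULL)
        {
            return FALSE;
        }
    }
    return TRUE;
}

/* Write cb bytes from pSrc over the code at pfn in the current process and
 * flush the instruction cache.  Returns FALSE if WriteProcessMemory failed or
 * reported a short write. */
static BOOL PatchCode(FARPROC pfn, const BYTE *pSrc, SIZE_T cb)
{
    HANDLE hProcess = GetCurrentProcess();
    SIZE_T cbWritten = 0;
    if (!WriteProcessMemory(hProcess, (LPVOID)pfn, pSrc, cb, &cbWritten) || cbWritten != cb)
    {
        return FALSE;
    }
    FlushInstructionCache(hProcess, (LPCVOID)pfn, cb);
    return TRUE;
}

/* Write back the saved original bytes of targets [0, nCount). */
static void RestoreTargets(size_t nCount)
{
    for (size_t i = 0; i < nCount; i++)
    {
        PatchCode(g_arrTargets[i].pfn, g_arrTargets[i].arrOld, g_arrTargets[i].cbPatch);
    }
}

/* Install the four patches.  Returns silently with nothing patched if
 * user32.dll or an export cannot be found, if the hooks are already
 * installed, or if a write fails (the patches already applied are then
 * rolled back). */
void SetHook()
{
    if (g_bHooked || !ResolveTargets())
    {
        return;
    }

    /* jmp rel32: displacement is relative to the end of the 5-byte instruction. */
    HookTarget *pMsgBox = &g_arrTargets[HOOK_IDX_MESSAGEBOXW];
    DWORD dwRel = (DWORD)((BYTE *)hkMessageBox - ((BYTE *)pMsgBox->pfn + 5));
    memcpy(pMsgBox->arrPatch + 1, &dwRel, sizeof dwRel);

    for (size_t i = 0; i < HOOK_TARGET_COUNT; i++)
    {
        HookTarget *pTarget = &g_arrTargets[i];
        /* Save what is really there instead of assuming a hot-patch prologue. */
        memcpy(pTarget->arrOld, (const void *)pTarget->pfn, pTarget->cbPatch);
        if (!PatchCode(pTarget->pfn, pTarget->arrPatch, pTarget->cbPatch))
        {
            RestoreTargets(i);
            return;
        }
    }
    memcpy(g_arrOldShowWindowBytes, g_arrTargets[HOOK_IDX_SHOWWINDOW].arrOld,
           sizeof g_arrOldShowWindowBytes);
    g_bHooked = TRUE;
}

/* Restore every target's original bytes as saved by SetHook.  Does nothing
 * if SetHook has not completed successfully, so it can never write guessed
 * bytes over an unpatched function. */
void UnHook()
{
    if (!g_bHooked)
    {
        return;
    }
    RestoreTargets(HOOK_TARGET_COUNT);
    g_bHooked = FALSE;
}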
"\xc2\x04\x00" 、"\xc2\x08\x00" 分别是ret 4、ret 8的十六进制机器码;
"\x8B\xFF\x55" 是 mov edi,edi、push ebp 的十六进制机器码;
"\x8B\xFF\x55\x8B\xEC"是mov edi,edi,push ebp,mov ebp,esp的十六进制机器码。
不明白的用OD载入任意一个程序,ctrl+E 敲入十六进制看看吧。
这样,进度条窗口调用MessageBeep、SetForegroundWindow就直接返回了,不会弹框了;
对于MessageBox前面几个字节不是mov edi,edi,push ebp,mov ebp,esp,所以直接jmp到自己的处理函数了。
在加载WDM驱动之前调用SetHook、加载完后UnHook。