[求助][求助]iat hook ws2_32的send函数在WAR3里面就不成功-付费问答-看雪论坛-安全社区|非营利性质技术交流社区

[旧帖] [求助][求助]iat hook ws2_32的send函数在WAR3里面就不成功 0.00雪花

发表于: 2011-9-27 15:27 1415

[旧帖] [求助][求助]iat hook ws2_32的send函数在WAR3里面就不成功 0.00雪花

foreverlov 活跃值

2011-9-27 15:27

1415

/ warhook.cpp : Defines the entry point for the DLL application.
//

#include "stdafx.h"
#include <Winsock2.h>
#include "warhook.h"
#include <string.h>
#include <stdio.h>
#include <tchar.h>
#define UNICODE
#define _UNICODE
#pragma comment(lib,"Ws2_32.lib")
void EnableDebugPriv();
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS pNTHeaders;
PIMAGE_OPTIONAL_HEADER pOptHeader;
PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor;
PIMAGE_THUNK_DATA pThunkData;
PIMAGE_IMPORT_BY_NAME pImportByName;
HMODULE hMod=NULL;
DWORD addrread=NULL;
typedef int (WINAPI *p)(SOCKET s,char *buf, int len, int flags);
int WINAPI myfun(SOCKET s,char *buf, int len, int flags);

int * myaddr = (int *)myfun;
int run();
BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
  switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
run();
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
  }
  return TRUE;
}
int run()
{

EnableDebugPriv();//提权用
  HMODULE hms=GetModuleHandle("ws2_32");
  addrread=(DWORD)GetProcAddress(hms,"send");
  hMod = GetModuleHandle(NULL);
  pDosHeader = (PIMAGE_DOS_HEADER)hMod;
  pNTHeaders = (PIMAGE_NT_HEADERS)((BYTE *)hMod + pDosHeader->e_lfanew);
  pOptHeader = (PIMAGE_OPTIONAL_HEADER)&(pNTHeaders->OptionalHeader);
  pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((BYTE *)hMod + pOptHeader->DataDirectory[1].VirtualAddress);
  while(pImportDescriptor->FirstThunk)
  {
  pThunkData = (PIMAGE_THUNK_DATA)((BYTE *)hMod + pImportDescriptor->OriginalFirstThunk);
  int flag = 1;
  while(pThunkData->u1.Function)
  {
  char * funname = (char *)((BYTE *)hMod + (DWORD)pThunkData->u1.AddressOfData + 2);
  PDWORD lpAddr = (DWORD *)((BYTE *)hMod + (DWORD)pImportDescriptor->FirstThunk) +(flag-1);
  if((*lpAddr) == (int)addrread)
  {
  BOOL tt=WriteProcessMemory((void *)-1,lpAddr, &myaddr, sizeof(DWORD), NULL);
if(tt=TRUE)
::MessageBox(NULL,"write ok","",0);
  }
  flag++;
  pThunkData++;
  }

  pImportDescriptor++;
  }

return 0;
}
//////////////////////////////////////////////////////////////////////////////////////////////////

void EnableDebugPriv()

{

  HANDLE hToken;

  LUID sedebugnameValue;

  TOKEN_PRIVILEGES tkp;

  OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);

  LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue);

  tkp.PrivilegeCount = 1;

  tkp.Privileges[0].Luid = sedebugnameValue;

  tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

  AdjustTokenPrivileges(hToken, false, &tkp, sizeof tkp, NULL, NULL);

  CloseHandle(hToken);

}
int WINAPI myfun(SOCKET s,char *buf, int len, int flags)
{
::MessageBox(NULL,"bingo","",0);

int tt=((p)addrread)(s,buf,len,flags);
return tt;
}
/*
我在注入到自己写的一个需要SEND函数的exe里面都可以测试出现“bingo”
注入到war3也提示“write ok ”。。
但是就是不出现我代替send函数里的"bingo"字符串
仅仅是局域网啊。也不行的
iat hook对war3无效？？
写入成功，，函数执行却失败。。求解啊
求解答。。。
*/

[培训]科锐软件逆向54期预科班、正式班开始火爆招生报名啦！！！

收藏・1

免费・0

支持