WriteFileHook.rar

本文的内容笔者还发表在http://www.cnblogs.com/zhxfl/archive/2011/11/10/2243825.html

http://www.cnblogs.com/zhxfl/archive/2011/11/03/2233846.html 这个是笔者之前写过的WriteFile HOOK代码
LoadLibraryA
LoadLibraryExA
LoadLibraryExW
LoadLibraryW

WriteFile
WriteFileEx
WriteFileGather
必须补充对这几个函数的HOOK，才能对WriteFile的所有操作做“比较彻底的拦截”，笔者知道应用层的拦截很容易出现遗漏的，只有编写驱动做文件过滤才会有比较好的效果，不过在实现那个之前，想再应用层做好这些实验，看一下效果。

具体的api函数参数可以在http://msdn.microsoft.com/en-us/library/aa365749%28VS.85%29.aspx里面翻出来

 BOOL WriteFileEx(
  HANDLE hFile,
  LPCVOID lpBuffer,
  DWORD nNumberOfBytesToWrite,
  LPOVERLAPPED lpOverlapped,
  LPOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
);
#include <windows.h>
#include <ImageHlp.h>
#include <TlHelp32.h>
#include <stdio.h>
#pragma comment(lib,"ImageHlp")

#pragma data_seg("Shared")
HHOOK hhk = NULL;
#pragma data_seg()
#pragma comment(linker, "/Section:Shared,rws")

HMODULE hmodThisDll;
#define MyName "DLL.DLL"
typedef struct _IO_STATUS_BLOCK
{
    LONG Status;
    LONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef struct _FILE_NAME_INFORMATION
{
    ULONG FileNameLength;
    WCHAR FileName[MAX_PATH];
} FILE_NAME_INFORMATION;

FARPROC ZwQueryInformationFile;
//通过文件句柄,得到文件所在盘符
BOOL GetVolumeNameByHandle(HANDLE hFile, char *szFullPath){
    //得到所有磁盘卷的卷序号
    char szBuf[500];
    int i;
    DWORD dwVolumeSerialNumber;
    memset(szBuf, 0, sizeof(szBuf));
    //通过句柄得到文件的卷序号
    //得到卷序号 lpFileInformation.dwVolumeSerialNumber
    BY_HANDLE_FILE_INFORMATION lpFileInformation;
    if(!GetFileInformationByHandle(hFile, &lpFileInformation) || (lpFileInformation.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)){
        //通过句柄得到文件信息失败 或者 此句柄为文件夹句柄,并非文件句柄
        return FALSE;
    }
    if(::GetLogicalDriveStringsA(sizeof(szBuf) - 1,szBuf)){
        for(i = 0; szBuf[i]; i += 4){
            //得到卷信息->卷序号
            if(!stricmp(&(szBuf[i]), "A:\\") || !stricmp(&(szBuf[i]), "B:\\")){
                //忽略软盘 (一般不会使用,并且查询它的速度非常之慢)
                continue;
            }
            if(GetVolumeInformationA(&(szBuf[i]), NULL, NULL,&dwVolumeSerialNumber,NULL, NULL, NULL, NULL)){
                // 与 lpFileInformation.dwVolumeSerialNumber 比较
                // 如果相同,则找到该磁盘
                if(dwVolumeSerialNumber == lpFileInformation.dwVolumeSerialNumber){
                    //找到
                    char szVolumeName[4];
                    memset(szVolumeName, 0, sizeof(szVolumeName));
                    strcpy(szVolumeName, &(szBuf[i]));
                    szVolumeName[strlen(szVolumeName)-1] = '\0';
                    //得到路径
                    IO_STATUS_BLOCK isb;
                    FILE_NAME_INFORMATION fni;
                    HMODULE hNt = LoadLibraryA("ntdll.dll");
                    if(hNt){
                        ZwQueryInformationFile = ::GetProcAddress(hNt, "ZwQueryInformationFile");
                        if(ZwQueryInformationFile){
                            DWORD dwfni = sizeof(fni);
                            DWORD dwRet = 0;
                            __asm{
                                push 9 ;
                                push dwfni ;
                                lea eax, fni ;
                                push eax ;
                                lea eax, isb ;
                                push eax ;
                                push hFile ;
                                mov eax, ZwQueryInformationFile ;
                                call eax ;//调用 ZwQueryInformationFile 函数
                                mov dwRet, eax;//得到返回值
                            }
                            if(!dwRet){
                                //获取文件路径成功
                                fni.FileName[fni.FileNameLength/2] = 0;
                                //构造成完整路径名
                                char szFilePath[MAX_PATH+1];
                                memset(szFilePath, 0, sizeof(szFilePath));
                                WideCharToMultiByte( CP_ACP, 0, fni.FileName, -1, szFilePath, sizeof(szFilePath) - 1, NULL, NULL);
                                sprintf(szFullPath, "%s%s", szVolumeName, szFilePath);
                                return TRUE;
                            }
                        }
                        FreeLibrary(hNt);
                    }
                }
            }
        }
    }
    //没有找到
    return FALSE;
}
LRESULT CALLBACK GetMsgProc( int nCode,WPARAM wParam,LPARAM lParam){
    return CallNextHookEx(hhk,nCode,wParam,lParam);
}
BOOL MyWriteFile(
                 HANDLE hFile, // 文件句柄
                 LPCVOID lpBuffer,// 数据缓存区指针
                 DWORD nNumberOfBytesToWrite, // 你要写的字节数
                 LPDWORD lpNumberOfBytesWritten, // 用于保存实际写入字节数的存储区域的指针
                 LPOVERLAPPED lpOverlapped // OVERLAPPED结构体指针
                 ){
    char szFullPath[MAX_PATH];
    memset(szFullPath, 0, sizeof(szFullPath));
    if(GetVolumeNameByHandle(hFile, szFullPath))
    {
        MessageBoxA(NULL,szFullPath,"DLL",MB_OK);
    }
    else MessageBoxA(NULL,"HOOK","DLL",MB_OK);
    return WriteFile(hFile,lpBuffer,nNumberOfBytesToWrite,lpNumberOfBytesWritten,lpOverlapped);
}
BOOL MyWriteFileEx( HANDLE hFile,
                   LPCVOID lpBuffer,
                   DWORD nNumberOfBytesToWrite,
                   LPOVERLAPPED lpOverlapped,
                   LPOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
                   ){
    char szFullPath[MAX_PATH];
    memset(szFullPath, 0, sizeof(szFullPath));
    if(GetVolumeNameByHandle(hFile, szFullPath))
    {
        MessageBoxA(NULL,szFullPath,"DLL",MB_OK);
    }
    else MessageBoxA(NULL,"HOOK","DLL",MB_OK);
    return WriteFileEx(hFile,lpBuffer,nNumberOfBytesToWrite,lpOverlapped,lpCompletionRoutine);
}
BOOL WINAPI MyWriteFileGather( HANDLE hFile,
                              FILE_SEGMENT_ELEMENT aSegmentArray[],
                              DWORD nNumberOfBytesToWrite,
                              LPDWORD lpReserved,
                              LPOVERLAPPED lpOverlapped
                              ){
    char szFullPath[MAX_PATH];
    memset(szFullPath, 0, sizeof(szFullPath));
    if(GetVolumeNameByHandle(hFile, szFullPath))
    {
        MessageBoxA(NULL,szFullPath,"DLL",MB_OK);
    }
    else MessageBoxA(NULL,"HOOK","DLL",MB_OK);
    return WriteFileGather(hFile,aSegmentArray,nNumberOfBytesToWrite,lpReserved,lpOverlapped);
}
VOID ModifyIAT(HMODULE hmodCaller,LPCSTR szDllName,PROC pfnOrg,PROC pfnNew){
    PIMAGE_THUNK_DATA pITD;
    ULONG ulSize;
    PIMAGE_IMPORT_DESCRIPTOR pIID;
    pIID = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(hmodCaller,TRUE,IMAGE_DIRECTORY_ENTRY_IMPORT,&ulSize);
    if( !pIID )
        return;
    for( ; pIID->Name; pIID++ ){
        if( !lstrcmpiA(szDllName,(LPSTR)((PBYTE)hmodCaller+pIID->Name)) )
            break;
    }
    if( !pIID->Name )
        return;
    pITD = (PIMAGE_THUNK_DATA)((PBYTE)hmodCaller+pIID->FirstThunk);
    for( ; pITD->u1.Function ; pITD++ ){
        PROC* ppfn = (PROC*)&pITD->u1.Function;
        if(*ppfn == pfnOrg){
            WriteProcessMemory(GetCurrentProcess(),ppfn,&pfnNew,sizeof(pfnNew),NULL);
            return;
        }
    }
}
VOID ModifyIATs(LPCSTR szDllName,PROC pfnOrg,PROC pfnNew){
    BOOL fOk = FALSE;
    MODULEENTRY32 me32;
    HANDLE hSnapshot;
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,GetCurrentProcessId());
    me32.dwSize = sizeof( me32 );
    for( fOk = Module32First( hSnapshot,&me32 ); fOk ; fOk = Module32Next(hSnapshot,&me32)){
        if( me32.hModule != hmodThisDll ){
            ModifyIAT(me32.hModule,szDllName,pfnOrg,pfnNew);
        }
    }
    CloseHandle( hSnapshot );
}
FARPROC WINAPI MyGetProcAddress( HMODULE hModule,LPCSTR lpProcName ){
    if( hModule == GetModuleHandle("kernel32.DLL") &&
        !lstrcmpiA(lpProcName,"WriteFile") )
        return (PROC)MyWriteFile;
    else
        return GetProcAddress( hModule,lpProcName );
}
HMODULE WINAPI MyLoadLibraryA( LPCSTR lpLibFileName ){
    HMODULE hmod = LoadLibraryA( lpLibFileName );
    ModifyIAT(hmod,"kernel32.DLL",GetProcAddress(GetModuleHandle("kernel32.DLL"),"WriteFile"),(PROC)MyWriteFile);
    ModifyIAT(hmod,"KERNEL32.DLL",GetProcAddress(GetModuleHandle("KERNEL32.DLL"),"GetProcAddress"),(PROC)MyGetProcAddress);
    ModifyIAT(hmod,"KERNEL32.DLL",GetProcAddress(GetModuleHandle("KERNEL32.DLL"),"WriteFileEx"),(PROC)MyWriteFileEx);
    ModifyIAT(hmod,"KERNEL32.DLL",GetProcAddress(GetModuleHandle("KERNEL32.DLL"),"WriteFileGather"),(PROC)MyWriteFileGather);
    return hmod;
}
HMODULE WINAPI MyLoadLibraryW( LPCWSTR  lpLibFileName ){
    HMODULE hmod = LoadLibraryW( lpLibFileName );
    ModifyIAT(hmod,"kernel32.DLL",GetProcAddress(GetModuleHandle("kernel32.DLL"),"WriteFile"),(PROC)MyWriteFile);
    ModifyIAT(hmod,"KERNEL32.DLL",GetProcAddress(GetModuleHandle("KERNEL32.DLL"),"GetProcAddress"),(PROC)MyGetProcAddress);
    ModifyIAT(hmod,"KERNEL32.DLL",GetProcAddress(GetModuleHandle("KERNEL32.DLL"),"WriteFileEx"),(PROC)MyWriteFileEx);
    ModifyIAT(hmod,"KERNEL32.DLL",GetProcAddress(GetModuleHandle("KERNEL32.DLL"),"WriteFileGather"),(PROC)MyWriteFileGather);
    return hmod;
}
HMODULE WINAPI MyLoadLibraryExA(LPCTSTR lpFileName,HANDLE hFile,DWORD dwFlags){
    HMODULE hmod = LoadLibraryExA( lpFileName,hFile,dwFlags);
    ModifyIAT(hmod,"kernel32.DLL",GetProcAddress(GetModuleHandle("kernel32.DLL"),"WriteFile"),(PROC)MyWriteFile);
    ModifyIAT(hmod,"KERNEL32.DLL",GetProcAddress(GetModuleHandle("KERNEL32.DLL"),"GetProcAddress"),(PROC)MyGetProcAddress);
    ModifyIAT(hmod,"KERNEL32.DLL",GetProcAddress(GetModuleHandle("KERNEL32.DLL"),"WriteFileEx"),(PROC)MyWriteFileEx);
    ModifyIAT(hmod,"KERNEL32.DLL",GetProcAddress(GetModuleHandle("KERNEL32.DLL"),"WriteFileGather"),(PROC)MyWriteFileGather);
    return hmod;
}
HMODULE WINAPI MyLoadLibraryExW(LPCWSTR lpFileName,HANDLE hFile,DWORD dwFlags){
    HMODULE hmod = LoadLibraryExW(lpFileName,hFile,dwFlags);
    ModifyIAT(hmod,"kernel32.DLL",GetProcAddress(GetModuleHandle("kernel32.DLL"),"WriteFile"),(PROC)MyWriteFile);
    ModifyIAT(hmod,"KERNEL32.DLL",GetProcAddress(GetModuleHandle("KERNEL32.DLL"),"GetProcAddress"),(PROC)MyGetProcAddress);
    ModifyIAT(hmod,"KERNEL32.DLL",GetProcAddress(GetModuleHandle("KERNEL32.DLL"),"WriteFileEx"),(PROC)MyWriteFileEx);
    ModifyIAT(hmod,"KERNEL32.DLL",GetProcAddress(GetModuleHandle("KERNEL32.DLL"),"WriteFileGather"),(PROC)MyWriteFileGather);
    return hmod;
}
extern "C"_declspec(dllexport) VOID SetHook( ){
    if( !hhk ){
        HINSTANCE hInst = LoadLibrary(MyName);
        if( !hInst )
            return;
        hhk = SetWindowsHookEx(WH_GETMESSAGE,GetMsgProc,hInst,0);
        FreeLibrary( hInst );
    }
}
extern"C"_declspec(dllexport) VOID UnHook(){
    if( hhk )
        UnhookWindowsHookEx( hhk );
}
BOOL WINAPI DllMain(HINSTANCE hInstance,DWORD dwReason,LPVOID lpvReserved){
    hmodThisDll = hInstance;
    switch( dwReason ){
    case DLL_PROCESS_ATTACH:
        ModifyIATs("kernel32.DLL",GetProcAddress(GetModuleHandle("kernel32.DLL"),      "WriteFile"),(PROC)MyWriteFile);
        ModifyIATs("KERNEL32.DLL",GetProcAddress(GetModuleHandle("KERNEL32.DLL"),   "LoadLibraryA"),(PROC)MyLoadLibraryA);
        ModifyIATs("KERNEL32.DLL",GetProcAddress(GetModuleHandle("KERNEL32.DLL"),   "LoadLibraryW"),(PROC)MyLoadLibraryW);
        ModifyIATs("KERNEL32.DLL",GetProcAddress(GetModuleHandle("KERNEL32.DLL"), "LoadLibraryExA"),(PROC)MyLoadLibraryExA);
        ModifyIATs("KERNEL32.DLL",GetProcAddress(GetModuleHandle("KERNEL32.DLL"), "LoadLibraryExW"),(PROC)MyLoadLibraryExW);
        ModifyIATs("KERNEL32.DLL",GetProcAddress(GetModuleHandle("KERNEL32.DLL"), "GetProcAddress"),(PROC)MyGetProcAddress);
        ModifyIATs("KERNEL32.DLL",GetProcAddress(GetModuleHandle("KERNEL32.DLL"),    "WriteFileEx"),(PROC)MyWriteFileEx);
        ModifyIATs("KERNEL32.DLL",GetProcAddress(GetModuleHandle("KERNEL32.DLL"),"WriteFileGather"),(PROC)MyWriteFileGather);
        break;
    case DLL_PROCESS_DETACH:
        ModifyIATs("KERNEL32.DLL",(PROC)MyWriteFile      ,GetProcAddress(GetModuleHandle("kernel32.DLL"),"WriteFile"));
        ModifyIATs("KERNEL32.DLL",(PROC)MyLoadLibraryA   ,GetProcAddress(GetModuleHandle("KERNEL32.DLL"),"LoadLibraryA"));
        ModifyIATs("KERNEL32.DLL",(PROC)MyLoadLibraryW   ,GetProcAddress(GetModuleHandle("KERNEL32.DLL"),"LoadLibraryW"));
        ModifyIATs("KERNEL32.DLL",(PROC)MyLoadLibraryExA ,GetProcAddress(GetModuleHandle("KERNEL32.DLL"),"LoadLibraryExA"));
        ModifyIATs("KERNEL32.DLL",(PROC)MyLoadLibraryExW ,GetProcAddress(GetModuleHandle("KERNEL32.DLL"),"LoadLibraryExW"));
        ModifyIATs("KERNEL32.DLL",(PROC)MyGetProcAddress ,GetProcAddress(GetModuleHandle("KERNEL32.DLL"),"GetProcAddress"));
        ModifyIATs("KERNEL32.DLL",(PROC)MyWriteFileEx    ,GetProcAddress(GetModuleHandle("KERNEL32.DLL"),"WriteFileEx"));
        ModifyIATs("KERNEL32.DLL",(PROC)MyWriteFileGather,GetProcAddress(GetModuleHandle("KERNEL32.DLL"),"WriteFileGather"));
        break;
    }
    return TRUE;
}

进行了比较全面的拦截，不过会造成系统不稳定，特别是LoadLibararyExA和LoadLibararyExW函数的拦截。另外令人纠结的是fopen打开的文件写操作没有拦截成功，自然freopen这些重定向的也不能成功啦，所有应用层DLL注入的方法实现文件write的过滤是非常不合理的想法，很难做全面的拦截，而且影响系统的正常运行。全面的文件过滤在这个实验里面，不得不承认api hook技术无法承担这个重任，看来只有驱动层能够实现真正意义上的完整文件过滤

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

上传的附件：

• WriteFileHook.rar （76.81kb，32次下载）