能力值:
( LV3,RANK:20 )
|
-
-
2 楼
hook所有进程的GetHostByName
|
能力值:
( LV3,RANK:30 )
|
-
-
3 楼
估计是DNSClient服务吧,我从服务名上认为是的。
|
能力值:
( LV3,RANK:30 )
|
-
-
4 楼
DNS Client
为此计算机解析和缓冲域名系统 (DNS) 名称。
如果此服务被停止,计算机将不能解析 DNS 名称并定位 Active Directory 域控制器。
如果此服务被禁用,任何明确依赖它的服务将不能启动。
|
能力值:
( LV2,RANK:10 )
|
-
-
5 楼
HOOK RPC
|
能力值:
( LV2,RANK:10 )
|
-
-
6 楼
有没有更简单的办法呢,我的意思是尽量减少工作量,如果主机中进程太多,都HOOK的话应该比较麻烦吧
|
能力值:
( LV2,RANK:10 )
|
-
-
7 楼
RPC是?能否给我讲一下原理?谢谢!
|
能力值:
( LV2,RANK:10 )
|
-
-
8 楼
有相关源码吗?我试着改了一个,但是无法HOOK成功啊  :
|
能力值:
( LV3,RANK:20 )
|
-
-
9 楼
在论坛里搜索API Hook,有n种方法、工具和代码。
|
能力值:
( LV2,RANK:10 )
|
-
-
10 楼
我现有有的代码是HOOK到gethostbyname被进程调用的情况,当该函数被调用时,记录调用的时间。
使用的方法是通过修改IAT表,并用远程线程注入的办法。
注入程序很简单,没有问题;现在不知道HOOK那一块儿出了什么问题。把代码贴出来,恳请高手指点!!!
HookIAT.cpp:使用IAT法挂钩.
//
#include "stdafx.h"
#include <afxdllx.h>
#include "HookApi_IAT.h"
#include <windows.h>
#include <time.h>
#include <winsock2.h>
#include<iostream>
#include<fstream>
using namespace std;
void WINAPI ExampleIAT();
void WINAPI ExampleIAT_OFF();
static AFX_EXTENSION_MODULE HookIATDLL = { NULL, NULL };
//extern "C" int APIENTRY
extern "C" __declspec(dllexport) struct hostent* FAR IATgethostbyname(const char* name );
int DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
// Remove this if you use lpReserved
UNREFERENCED_PARAMETER(lpReserved);
if (dwReason == DLL_PROCESS_ATTACH)
{
ExampleIAT();
}
else if (dwReason == DLL_PROCESS_DETACH)
{
ExampleIAT_OFF();
TRACE0("HOOKIAT.DLL Terminating!\n");
// Terminate the library before destructors are called
AfxTermExtensionModule(HookIATDLL);
}
return 1;
}
//---------------------------------------------------------------------------
CHookApi_IAT myIAT;
struct hostent* FAR IATgethostbyname( const char* name ) {
struct hostent* tmp = NULL;
CStdioFile file;
__time32_t nNow = 0;
tm stNow = {0};
_time32(&nNow);
_localtime32_s(&stNow,&nNow);
char buff[255] = {0};
_snprintf(buff,sizeof(buff)-1,"%d.%d.%d.%d.%d.%d",
stNow.tm_year + 1900,
stNow.tm_mon + 1,
stNow.tm_mday,
stNow.tm_hour,
stNow.tm_min,
stNow.tm_sec);
ofstream outfile("gethostbyname.txt",ios::app); //写入文件
for(int i=0;i<255;i++)
outfile<<buff[i];
tmp = gethostbyname(name);
return tmp;
}
//---------------------------------------------------------------------------
// 通过IAT挂钩API
void WINAPI ExampleIAT()
{
PROC HookAPIAddr =(FARPROC)
GetProcAddress(GetModuleHandle("wsock32.dll"), "gethostbyname");
HMODULE hModule= GetModuleHandle(NULL);
// 挂钩所有模块,备用调用.
// myIAT.HookAllAPI("user32.dll",HookAPIAddr,(PROC)IATMessageBoxA);
// 挂钩单个模块.
myIAT.HookOneAPI("wsock32.dll",HookAPIAddr,(PROC)IATgethostbyname,hModule);
}
//---------------------------------------------------------------------------
// 卸载IAT挂钩API
void WINAPI ExampleIAT_OFF()
{
HMODULE hModule= GetModuleHandle(NULL);
myIAT.HookOneAPI_OFF("wsock32.dll",hModule);
}
// HookApi_IAT.cpp:实现CHookApi_IAT类.
//
#include "stdafx.h"
#include "HookApi_IAT.h"
#include <tlhelp32.h>
#include <imagehlp.h>
#pragma comment (lib,"imagehlp.lib")
//---------------------------------------------------------------------------
CHookApi_IAT::CHookApi_IAT()
{
}
//---------------------------------------------------------------------------
CHookApi_IAT::~CHookApi_IAT()
{
}
//---------------------------------------------------------------------------
BOOL CHookApi_IAT::HookAllAPI(LPCTSTR ModuleName, PROC HookAPIAddr, PROC lpNewFunc)
{
if (ModuleName == NULL||HookAPIAddr == NULL)
return FALSE;
HANDLE hSnapshot;
MODULEENTRY32 hMod = {sizeof(hMod)};
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,NULL);
// 取得所有模块列表中的指定的模块.
BOOL bMoreMods = Module32First(hSnapshot, &hMod);
if (bMoreMods == FALSE) return FALSE;
// 循环取得想要的模块.
for (;bMoreMods; bMoreMods = Module32Next(hSnapshot, &hMod))
{
MEMORY_BASIC_INFORMATION mbi;
// 获取本模块信息.
VirtualQuery(this,&mbi,sizeof(mbi));
// 不在自己的模块中挂钩函数.
if (hMod.hModule != (HMODULE)mbi.AllocationBase)
{
//hMod.hModule:指向当前被挂钩进程的每一个模块.
HookOneAPI( ModuleName,HookAPIAddr,
lpNewFunc,hMod.hModule);
}
}
return TRUE;
}
//---------------------------------------------------------------------------
BOOL CHookApi_IAT::HookOneAPI(PCSTR ModuleName, PROC HookAPIAddr,
PROC lpNewFunc, HMODULE hmodCaller)
{
DWORD size;
PIMAGE_IMPORT_DESCRIPTOR pImportDesc =
(PIMAGE_IMPORT_DESCRIPTOR) ImageDirectoryEntryToData(
hmodCaller,TRUE,IMAGE_DIRECTORY_ENTRY_IMPORT,&size);
if(pImportDesc == NULL) return FALSE;
for (;pImportDesc->Name;pImportDesc++)
{
LPSTR pszDllName = (LPSTR)((PBYTE)hmodCaller + pImportDesc->Name);
if(lstrcmpiA(pszDllName,ModuleName) == 0) break;
}
if(pImportDesc->Name == NULL) return FALSE;
PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)
((PBYTE)hmodCaller + pImportDesc->FirstThunk);//IAT
for(;pThunk->u1.Function;pThunk++)
{
PROC * ppfn= (PROC *)&pThunk->u1.Function;
m_lpOldFunc = (PROC)pThunk->u1.Function;
m_lpNewFunc =lpNewFunc;
if (*ppfn == HookAPIAddr)
{
MEMORY_BASIC_INFORMATION mbi;
ZeroMemory(&mbi, sizeof(MEMORY_BASIC_INFORMATION));
VirtualQuery(ppfn,&mbi,sizeof(MEMORY_BASIC_INFORMATION));
VirtualProtect(mbi.BaseAddress,mbi.RegionSize,
PAGE_READWRITE,&mbi.Protect);
*ppfn = *lpNewFunc;
DWORD dwOldProtect;
VirtualProtect(mbi.BaseAddress,mbi.RegionSize,
mbi.Protect,&dwOldProtect);
return TRUE;
}
}
return FALSE;
}
//---------------------------------------------------------------------------
BOOL CHookApi_IAT::HookOneAPI_OFF(PCSTR ModuleName, HMODULE hmodCaller)
{
return HookOneAPI(ModuleName, m_lpNewFunc,m_lpOldFunc,hmodCaller);
}
|
