[求助]这段ring3的eat hook为什么没有生效
发表于:
2013-5-16 20:10
[求助]这段ring3的eat hook为什么没有生效
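/*
 * Redirect one named export of a module mapped in this process by rewriting
 * the matching slot of its export address table (EAT).
 *
 * lpModuleName    module whose export table is patched; loaded if not yet mapped
 * lpFuncName      exported name to redirect (compared case-insensitively)
 * lpHookFunction  replacement routine; its RVA relative to the module base is
 *                 stored in the EAT slot
 * lpTrueFunction  receives the address of the original export (base + old RVA)
 *                 so the replacement can forward to it
 *
 * Returns TRUE when the export was found and its slot rewritten, FALSE when the
 * module cannot be mapped, its headers are malformed, it has no export
 * directory, the name is absent, the RVA cannot be represented, or the page
 * protection change fails.
 *
 * Scope: only lookups that read the EAT after this call (GetProcAddress,
 * import resolution of modules loaded later) observe the new slot. Import
 * tables the loader already resolved keep the original address. Forwarded
 * exports (slot pointing into the export directory) are not special-cased.
 */
BOOL Set_EAT_Hook(LPCWSTR lpModuleName, LPCSTR lpFuncName, LPVOID lpHookFunction, LPVOID* lpTrueFunction)
{
    if (NULL == lpFuncName || NULL == lpHookFunction || NULL == lpTrueFunction)
    {
        return FALSE;
    }

    PBYTE pBase = (PBYTE)GetModuleHandleW(lpModuleName);
    if (NULL == pBase)
    {
        pBase = (PBYTE)LoadLibraryW(lpModuleName);
        if (NULL == pBase)
        {
            return FALSE;
        }
    }

    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pBase;
    if (IMAGE_DOS_SIGNATURE != pDosHeader->e_magic)
    {
        return FALSE;
    }
    PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)(pBase + pDosHeader->e_lfanew);
    if (IMAGE_NT_SIGNATURE != pNtHeader->Signature)
    {
        return FALSE;
    }

    /* A module without an export directory has nothing to patch. */
    const IMAGE_DATA_DIRECTORY *pExportDir = &pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (0 == pExportDir->VirtualAddress || 0 == pExportDir->Size)
    {
        return FALSE;
    }
    PIMAGE_EXPORT_DIRECTORY pExportDes = (PIMAGE_EXPORT_DIRECTORY)(pBase + pExportDir->VirtualAddress);
    PULONG pAddressOfFunctions = (PULONG)(pBase + pExportDes->AddressOfFunctions);
    PULONG pAddressOfNames = (PULONG)(pBase + pExportDes->AddressOfNames);
    PUSHORT pAddressOfNameOrdinals = (PUSHORT)(pBase + pExportDes->AddressOfNameOrdinals);

    /*
     * EAT slots hold 32-bit RVAs added to the module base, so the replacement
     * must lie within 4 GiB above pBase. On 32-bit builds the subtraction wraps
     * to a value the loader adds back correctly; on 64-bit it must be checked.
     */
    ULONG_PTR rva = (ULONG_PTR)lpHookFunction - (ULONG_PTR)pBase;
#ifdef _WIN64
    if (rva > MAXDWORD)
    {
        return FALSE;
    }
#endif

    for (ULONG uIndex = 0; uIndex < pExportDes->NumberOfNames; uIndex++)
    {
        const char *pFuncName = (const char *)(pBase + pAddressOfNames[uIndex]);
        if (0 != _stricmp(pFuncName, lpFuncName))
        {
            continue;
        }

        /* Name-table position -> ordinal -> slot in the function address table. */
        USHORT index = pAddressOfNameOrdinals[uIndex];
        PULONG pSlot = &pAddressOfFunctions[index];

        /* Hand back the original code address (base + RVA), not the name string. */
        *lpTrueFunction = (LPVOID)(pBase + *pSlot);

        /* The slot is data: read/write is all that is needed to rewrite it. */
        DWORD dwOldProtect = 0;
        if (!VirtualProtectEx(GetCurrentProcess(), pSlot, sizeof *pSlot, PAGE_READWRITE, &dwOldProtect))
        {
            return FALSE;
        }
        *pSlot = (ULONG)rva;
        /* Best-effort restore of the previous protection; the patch is already in place. */
        VirtualProtectEx(GetCurrentProcess(), pSlot, sizeof *pSlot, dwOldProtect, &dwOldProtect);
        return TRUE;
    }

    /* Export name not present in this module. */
    return FALSE;
}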
/* Pointer types matching the two exports being redirected. */
typedef int (WINAPI *P_MessageBoxW)(_In_opt_ HWND hWnd, _In_opt_ LPCWSTR lpText, _In_opt_ LPCWSTR lpCaption, _In_ UINT uType);
typedef int (WINAPI *P_SHFileOperationW)(_Inout_ LPSHFILEOPSTRUCTW lpFileOp);

/* Original export addresses, written by Set_EAT_Hook; NULL until a hook is installed. */
P_SHFileOperationW g_pSHFileOperationW = NULL;
P_MessageBoxW g_pMessageBoxW = NULL;
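/*
 * Replacement for SHFileOperationW: logs the call to the debugger output and
 * forwards it to the original export saved in g_pSHFileOperationW.
 *
 * Returns the original's result, or ERROR_INVALID_FUNCTION when no original
 * address has been recorded (avoids calling through a NULL pointer).
 */
int WINAPI Fake_SHFileOperationW(_Inout_ LPSHFILEOPSTRUCTW lpFileOp)
{
    OutputDebugStringW(L"Fake_SHFileOperationW");
    if (NULL == g_pSHFileOperationW)
    {
        return ERROR_INVALID_FUNCTION;
    }
    return g_pSHFileOperationW(lpFileOp);
}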
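/*
 * Replacement for MessageBoxW: forwards to the original export saved in
 * g_pMessageBoxW with no owner window and the caption replaced by "eat hook",
 * which makes a working redirection visible on screen. hWnd and lpCaption are
 * deliberately ignored.
 *
 * Returns the original's result, or 0 (MessageBox's failure value) when no
 * original address has been recorded.
 */
int WINAPI Fake_MessageBoxW(_In_opt_ HWND hWnd, _In_opt_ LPCWSTR lpText, _In_opt_ LPCWSTR lpCaption, _In_ UINT uType)
{
    UNREFERENCED_PARAMETER(hWnd);
    UNREFERENCED_PARAMETER(lpCaption);
    if (NULL == g_pMessageBoxW)
    {
        return 0;
    }
    return g_pMessageBoxW(NULL, lpText, L"eat hook", uType);
}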
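/*
 * Copy lpInPath to lpOutPath through SHFileOperationW (silent, no
 * confirmation, undo allowed).
 *
 * SHFILEOPSTRUCT's pFrom/pTo are double-NUL-terminated lists; a plain string
 * argument supplies only one terminator, so each path is copied into a local
 * buffer that guarantees the second. NULL paths and paths of MAX_PATH
 * characters or longer are rejected.
 *
 * Returns TRUE when SHFileOperationW reports success (0), FALSE otherwise.
 */
BOOL MyShCopyFile(LPCWSTR lpInPath, LPCWSTR lpOutPath)
{
    if (NULL == lpInPath || NULL == lpOutPath)
    {
        return FALSE;
    }

    /* +2: the string's own NUL plus the list terminator; zero-filled. */
    WCHAR szFrom[MAX_PATH + 2] = { 0 };
    WCHAR szTo[MAX_PATH + 2] = { 0 };
    int cchFrom = lstrlenW(lpInPath);
    int cchTo = lstrlenW(lpOutPath);
    if (cchFrom >= MAX_PATH || cchTo >= MAX_PATH)
    {
        return FALSE;
    }
    for (int i = 0; i < cchFrom; i++)
    {
        szFrom[i] = lpInPath[i];
    }
    for (int i = 0; i < cchTo; i++)
    {
        szTo[i] = lpOutPath[i];
    }

    SHFILEOPSTRUCTW shFile;
    ZeroMemory(&shFile, sizeof shFile);
    shFile.pFrom = szFrom;
    shFile.pTo = szTo;
    shFile.wFunc = FO_COPY;
    shFile.fFlags = FOF_SILENT | FOF_ALLOWUNDO | FOF_NOCONFIRMATION;

    return (0 == SHFileOperationW(&shFile)) ? TRUE : FALSE;
}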
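/*
 * Demo entry point: redirects SHFileOperationW (shell32) and MessageBoxW
 * (user32) through their export tables, re-reads both exports with
 * GetProcAddress for inspection, then calls both APIs.
 *
 * NOTE(review): the two direct calls at the end are bound through this
 * executable's import table, which the loader resolved before _tmain ran, so
 * an EAT patch is not expected to redirect them; GetProcAddress reads the EAT
 * and is where the patch should become visible — confirm in a debugger.
 *
 * Returns 0 on success, 1 when either hook could not be installed (the Fake_*
 * routines would otherwise have no original address to forward to).
 */
int _tmain(int argc, _TCHAR* argv[])
{
    UNREFERENCED_PARAMETER(argc);
    UNREFERENCED_PARAMETER(argv);

    if (!Set_EAT_Hook(L"Shell32.dll", "SHFileOperationW", Fake_SHFileOperationW, (LPVOID*)&g_pSHFileOperationW))
    {
        OutputDebugStringW(L"Set_EAT_Hook(SHFileOperationW) failed");
        return 1;
    }
    if (!Set_EAT_Hook(L"user32.dll", "MessageBoxW", Fake_MessageBoxW, (LPVOID*)&g_pMessageBoxW))
    {
        OutputDebugStringW(L"Set_EAT_Hook(MessageBoxW) failed");
        return 1;
    }

    /* Post-patch EAT lookups, kept for comparison against Fake_* under a debugger. */
    FARPROC address = GetProcAddress(GetModuleHandleW(L"shell32.dll"), "SHFileOperationW");
    FARPROC address2 = GetProcAddress(GetModuleHandleW(L"user32.dll"), "MessageBoxW");
    (void)address;
    (void)address2;

    MyShCopyFile(L"c:\\1.txt", L"e:\\1.txt");
    MessageBoxW(NULL, L"xxxx", NULL, MB_OK);
    return 0;
}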
为什么我取到的 address 跟 Fake_SHFileOperationW 的地址不一样，address2 跟 Fake_MessageBoxW 的地址不一样，hook 也没有起作用？求助。