Problem encountered while hooking the DeleteFile API?
Posted: 2014-6-10 08:19   Views: 10386
I've just started with API hooking and wanted to write a demo to test the effect. The plan is to hook DeleteFileW so that I know whenever any process calls DeleteFile: install a global WH_CBT hook, then hook the API, done.
DLL part:
FileProjectLib.h
/******************************************************************************
Module: FileProjectLib.h
Notices: Copyright (c) 2014 
******************************************************************************/

#include <Windows.h>
#ifndef FILEPROJECTLIBAPI
#define FILEPROJECTLIBAPI extern "C" __declspec(dllimport)
#endif


///////////////////////////////////////////////////////////////////////////////


FILEPROJECTLIBAPI BOOL WINAPI FileProject_HookAllApps(BOOL bInstall, 
   DWORD dwThreadId);


//////////////////////////////// End of File //////////////////////////////////

FileProjectLib.cpp
/******************************************************************************
Module:  FileProjectLib.cpp
Notices: Copyright (c) 2014 
******************************************************************************/


#include <WindowsX.h>
#include <tchar.h>
#include <stdio.h>
// absolute paths used for now while debugging
#include "C:\\Users\\yiruirui\\Desktop\\保护\\FileProject\\FileProject\\mhook-lib\\mhook.h"

#define FILEPROJECTLIBAPI extern "C" __declspec(dllexport)
#include "C:\\Users\\yiruirui\\Desktop\\保护\\FileProject\\FileProject\\FileProjectLib.h"


///////////////////////////////////////////////////////////////////////////////


// DeleteFileW takes a wide-character path, so the pointer type is LPCWSTR
// regardless of the project's UNICODE setting.
typedef BOOL (WINAPI *PFNDELETEFILEW)(LPCWSTR lpFileName);


// Resolved when the DLL is loaded; mhook later redirects this pointer to a
// trampoline that reaches the original DeleteFileW.
PFNDELETEFILEW TrueDeleteFile = (PFNDELETEFILEW)
	GetProcAddress(GetModuleHandle(L"Kernel32"), "DeleteFileW");

// This is the DeleteFileW replacement function
BOOL WINAPI HookDeleteFile(LPCWSTR lpFileName) {
	MessageBoxW(0, lpFileName, L"deletefile called", 0);
	return TrueDeleteFile(lpFileName);
}


///////////////////////////////////////////////////////////////////////////////

HHOOK g_hhook = NULL;


///////////////////////////////////////////////////////////////////////////////


static LRESULT WINAPI CBTProc(int code, WPARAM wParam, LPARAM lParam) {
   return(CallNextHookEx(g_hhook, code, wParam, lParam));
}


///////////////////////////////////////////////////////////////////////////////


// Returns the HMODULE that contains the specified memory address
static HMODULE ModuleFromAddress(PVOID pv) {

   MEMORY_BASIC_INFORMATION mbi;
   return((VirtualQuery(pv, &mbi, sizeof(mbi)) != 0) 
      ? (HMODULE) mbi.AllocationBase : NULL);
}


///////////////////////////////////////////////////////////////////////////////


BOOL WINAPI FileProject_HookAllApps(BOOL bInstall, DWORD dwThreadId) {

   BOOL bOk;

   if (bInstall) {

//      chASSERT(g_hhook == NULL); // Illegal to install twice in a row

      // Install the Windows' hook
      g_hhook = SetWindowsHookEx(WH_CBT, CBTProc, 
         ModuleFromAddress(FileProject_HookAllApps), dwThreadId);

      bOk = (g_hhook != NULL);
   } else {

     // chASSERT(g_hhook != NULL); // Can't uninstall if not installed
      bOk = UnhookWindowsHookEx(g_hhook);
      g_hhook = NULL;
   }

   return(bOk);
}


//////////////////////////////// End of File //////////////////////////////////

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
	switch (fdwReason)
	{
	case DLL_PROCESS_ATTACH:
		// Patch DeleteFileW in every process this DLL gets mapped into
		Mhook_SetHook((PVOID*)&TrueDeleteFile, HookDeleteFile);
		break;

	case DLL_THREAD_ATTACH:
		// Do thread-specific initialization.
		break;

	case DLL_THREAD_DETACH:
		// Do thread-specific cleanup.
		break;

	case DLL_PROCESS_DETACH:
		// Restore the original DeleteFileW before the DLL is unmapped
		Mhook_Unhook((PVOID*)&TrueDeleteFile);
		break;
	}
	return TRUE;
}

EXE part:
/******************************************************************************
Module:  FileProjectInfo.cpp
Notices: Copyright (c) 2014
******************************************************************************/

#include <windowsx.h>
#include <tchar.h>
#include "C:\\Users\\yiruirui\\Desktop\\保护\\FileProject\\FileProject\\FileProjectLib.h"

#pragma comment(lib, "C:\\Users\\yiruirui\\Desktop\\保护\\FileProject\\Debug\\FileProject.lib")

///////////////////////////////////////////////////////////////////////////////


int WINAPI _tWinMain(HINSTANCE hInstExe, HINSTANCE, PTSTR pszCmdLine, int) {

   DWORD dwThreadId = 0;   // 0 = all threads on the current desktop (global hook)
   // install the global hook
   FileProject_HookAllApps(TRUE, dwThreadId);
   // leave it in place for 50 seconds to observe the effect
   Sleep(50000);
   // uninstall the global hook
   FileProject_HookAllApps(FALSE, 0);
   return(0);
}


//////////////////////////////// End of File //////////////////////////////////


I built an MFC dialog-based program that calls DeleteFile to delete a file, and the MessageBox popped up, proving DeleteFile was hooked. But when I built an installer with NSIS and had it call the Delete function to delete a file (in the NSIS source, Delete calls DeleteFileA -> DeleteFileW), no MessageBox appeared. Running it under OD and looking at the module list, my FileProject.dll is not there. Where is the problem? Could the experts give some pointers? All the resources have been uploaded.

Latest replies (11)
#2
Hooking the native API would be better, I think.
Still, you have my support.
2014-6-10 09:01
#3
The DLL was loaded, but it seems the hook didn't take effect. Which file does your NSIS script delete?
2014-6-10 09:57
#4
The file 2345.txt on the desktop:
Section "MainSection" SEC01
Delete "$DESKTOP\2345.txt"
SectionEnd

The file is deleted when you click Install.
2014-6-10 10:09
#5
SetWindowsHookEx can install a hook into all processes?
I didn't know that; looks like my skills aren't up to it.
2014-6-10 12:06
#6
I'm not sure what tool your installer uses,
but at a glance this won't work against a Windows Installer package.
2014-6-10 12:09
#7
HookDll: export the function EnterInjectMode in the .def file, then at the command prompt run
rundll32 HookDll.dll EnterInjectMode. Tested OK.
// dllmain.cpp : defines the entry point for the DLL application.
#include "stdafx.h"
#include <windows.h>
#include <string.h>

#include <mhook.h>

#pragma comment(lib, "mhook.lib")

// g_hHook lives in a shared section so every process the DLL is mapped into
// sees the same HHOOK value; the linker directive marks the section RWS.
#pragma comment(linker, "/Section:.shared,RWS")
#pragma data_seg(".shared")
HHOOK g_hHook = NULL;
#pragma data_seg()
HMODULE g_hDll = 0;   // per-process: this DLL's own module handle



typedef BOOL (WINAPI *pfnDeleteFileW)(LPCWSTR lpFileName);

typedef BOOL (WINAPI *pfnDeleteFileA)(LPCSTR lpFileName);

pfnDeleteFileW realDeleteFileW = DeleteFileW;

pfnDeleteFileA realDeleteFileA = DeleteFileA;


// Replacement functions: show the path and deliberately block the deletion
// (return FALSE without calling the real API).
BOOL WINAPI MyDeleteFileA(LPCSTR lpFileName)
{
	MessageBoxA(NULL, lpFileName, "In MyDeleteFileA", 0);
	return FALSE;
}

BOOL WINAPI MyDeleteFileW(LPCWSTR lpFileName)
{
	MessageBoxW(NULL, lpFileName, L"In MyDeleteFileW", 0);
	return FALSE;
}



BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
					 )
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		g_hDll = hModule;
		Mhook_SetHook((PVOID*)&realDeleteFileA, MyDeleteFileA);
		Mhook_SetHook((PVOID*)&realDeleteFileW, MyDeleteFileW);
		break;
	case DLL_THREAD_ATTACH:
		break;
	case DLL_THREAD_DETACH:
		break;
	case DLL_PROCESS_DETACH:
		Mhook_Unhook((PVOID*)&realDeleteFileA);
		Mhook_Unhook((PVOID*)&realDeleteFileW);
		break;
	}
	return TRUE;
}



// The CBT hook procedure does nothing itself; its only purpose is to make
// Windows map this DLL into every message-pumping process on the desktop.
LRESULT CALLBACK GlobalCBTHook(int nCode, WPARAM w, LPARAM l)
{
	if(g_hHook)
	{
		return CallNextHookEx(g_hHook, nCode, w, l);
	}
	return 0;
}
BOOL WINAPI InstallGlobalHook()
{
	// dwThreadId = 0: hook all threads on the current desktop
	g_hHook = SetWindowsHookEx(WH_CBT, GlobalCBTHook, g_hDll, 0);
	return g_hHook != NULL;
}
void WINAPI UninstallGlobalHook()
{
	if(g_hHook)
	{
		UnhookWindowsHookEx(g_hHook);
		g_hHook = NULL;
	}
}
LRESULT CALLBACK WndProc(HWND hWnd, UINT msg, WPARAM w, LPARAM l)
{
	if(WM_DESTROY == msg)
	{
		PostQuitMessage(0);
	}
	return DefWindowProcA(hWnd, msg, w, l);
}
// Keeps the rundll32 host alive: a hook is removed when the thread that
// installed it exits, so that thread has to stay in a message loop.
void WINAPI EnterMessageLoop()
{
	do
	{
		WNDCLASSEXA wcex = {sizeof(wcex)};
		wcex.style = CS_HREDRAW | CS_VREDRAW;
		wcex.lpfnWndProc = (WNDPROC)WndProc;
		wcex.cbClsExtra = 0;
		wcex.cbWndExtra = 0;
		wcex.hInstance = g_hDll;
		wcex.hIcon = LoadIcon(NULL, IDI_INFORMATION);
		wcex.hCursor = LoadCursor(NULL, IDC_ARROW);
		wcex.hbrBackground = (HBRUSH)GetStockObject(WHITE_BRUSH);
		wcex.lpszClassName = "DeleteHook";
		if(!RegisterClassExA(&wcex))
		{
			break;
		}
		HWND hWnd = CreateWindowExA(0, "DeleteHook", NULL, WS_OVERLAPPEDWINDOW,
			0, 0, 50, 50, NULL, NULL, g_hDll, NULL);
		if(!IsWindow(hWnd))
		{
			break;
		}
		UpdateWindow(hWnd);
		MSG msg;
		// NULL window filter so the WM_QUIT posted from WndProc ends the loop
		while(GetMessage(&msg, NULL, 0, 0))
		{
			TranslateMessage(&msg);
			DispatchMessageA(&msg);
		}
	} while (FALSE);
}

// exported function (listed in the .def file)
void WINAPI EnterInjectMode()
{
	if(!InstallGlobalHook())
	{
		MessageBoxA(0, "InstallGlobalHook FAIL", "", 0);
		return;
	}

	// Only block in a message loop when hosted by rundll32; any other host
	// already has a message loop of its own.
	char szExe[MAX_PATH+1] = {0};
	char szPath[MAX_PATH+1] = {0};
	GetModuleFileNameA(NULL, szPath, MAX_PATH);
	const char* pSlash = strrchr(szPath, '\\');
	strcpy(szExe, pSlash ? pSlash + 1 : szPath);
	if(!_stricmp(szExe, "rundll32.exe"))
		EnterMessageLoop();
}
2014-6-10 15:13
#8
Does this work on Win8?
2014-6-10 17:29
#9
First check whether the DLL is present in that installer process at all.
2014-6-10 21:04
#10
After testing: on XP and Win7 the hook works; on WIN8 the DLL isn't even injected into that process.
2014-6-11 09:44
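Replies #3, #9 and #10 all come down to one check: is the hook DLL actually mapped into the target process? The script below is an added diagnostic, not code from this thread, that performs that check from PowerShell instead of a debugger, for every process on the system. It assumes the DLL name FileProject.dll from the original post, and it reports each process's bitness because SetWindowsHookEx only maps a hook DLL into processes of the same bitness as the DLL, one common reason a process shows up without it.

```powershell
# Added diagnostic (not from the thread): which processes have the hook DLL loaded?
param([string]$DllName = 'FileProject.dll')   # DLL name taken from the original post

# IsWow64Process tells us whether a process is 32-bit on a 64-bit OS.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(IntPtr hProcess, out bool wow64);
'@

function Get-ProcessBitness([System.Diagnostics.Process]$p) {
    if (-not [Environment]::Is64BitOperatingSystem) { return 'x86' }
    $wow64 = $false
    try {
        if ([Win32.Native]::IsWow64Process($p.Handle, [ref]$wow64)) {
            if ($wow64) { return 'x86' } else { return 'x64' }
        }
    } catch { }
    return 'unknown'   # handle could not be opened (access denied)
}

$hostBits = if ([Environment]::Is64BitProcess) { 'x64' } else { 'x86' }
Write-Host "Scanning from a $hostBits PowerShell; module lists of the other bitness may be incomplete."

Get-Process | ForEach-Object {
    $p    = $_
    $bits = Get-ProcessBitness $p
    $state = 'n/a'   # module list not readable (protected process or bitness mismatch)
    try {
        $names = $p.Modules | ForEach-Object { $_.ModuleName }
        # -contains compares case-insensitively, matching how the loader treats names
        $state = if ($names -contains $DllName) { 'loaded' } else { 'absent' }
    } catch { }
    [pscustomobject]@{
        Pid     = $p.Id
        Name    = $p.ProcessName
        Bitness = $bits
        HookDll = $state
    }
} | Sort-Object HookDll, Name | Format-Table -AutoSize
```

Run it while the installer is paused at the point where it should call Delete; an 'absent' row for the installer with a bitness different from the hook DLL's points at the bitness mismatch, while 'n/a' means the process could not be inspected from this session.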
#11
Hooking ShellExecuteA:
typedef HINSTANCE (WINAPI *PFNSHELLEXECUTEA)(HWND hwnd, LPCSTR lpOperation, LPCSTR lpFile, LPCSTR lpParameters, LPCSTR lpDirectory, INT nShowCmd);

PFNSHELLEXECUTEA TrueShellExecute = (PFNSHELLEXECUTEA)GetProcAddress(GetModuleHandle(L"shell32"), "ShellExecuteA");


HINSTANCE WINAPI HookShellExecute(HWND hwnd, LPCSTR lpOperation, LPCSTR lpFile, LPCSTR lpParameters, LPCSTR lpDirectory, INT nShowCmd)
{
	return TrueShellExecute(hwnd, lpOperation, lpFile, lpParameters, lpDirectory, nShowCmd);
}


Mhook_SetHook((PVOID*)&TrueShellExecute, HookShellExecute);


When this runs it pops up "Application failed to initialize...". Debugging shows the problem is in this part:
GetProcAddress(GetModuleHandle(L"shell32"), "ShellExecuteA");
How should this be adjusted? Please advise.
2014-6-11 12:09
#12
OK, solved: once the corresponding module is loaded it works.
2014-6-11 17:14