HOOK程序为win7 x64下的notepad.exe,
hook代码写在dll中,通过远程注入到notepad.exe程序中,hook notepad.exe的导入表中kernel32.dll的CreateFileW。
代码如下,思路是:
dll线程创建调用主函数InjectIATHOOK函数,三个参数:1、hook的模块名;2、需要hook的函数;3、我们自己的函数
函数InjectIATHOOK中,获取本模块句柄,解析导入表,修改我们要hook的函数。
经反复测试问题应该出在InjectIATHOOK函数中的这一句代码上,执行失败吧,直接退出dll了,不知道为什么这句总是失败?请大家帮忙看下
pThunk->u1.Function = MyHookProc;
程序代码如下:
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "stdafx.h"
#include "tchar.h"
typedef HANDLE (WINAPI *dwCreateFileW)(
_In_ LPCWSTR lpFileName,
_In_ DWORD dwDesiredAccess,
_In_ DWORD dwShareMode,
_In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes,
_In_ DWORD dwCreationDisposition,
_In_ DWORD dwFlagsAndAttributes,
_In_opt_ HANDLE hTemplateFile
);
HANDLE WINAPI MyCreateFileW(
_In_ LPCWSTR lpFileName,
_In_ DWORD dwDesiredAccess,
_In_ DWORD dwShareMode,
_In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes,
_In_ DWORD dwCreationDisposition,
_In_ DWORD dwFlagsAndAttributes,
_In_opt_ HANDLE hTemplateFile
);
dwCreateFileW CreateAPI=NULL;
PROC hookProc=NULL;
bool DebugPriviledge()
{
HANDLE hToken = NULL;
BOOL bRet = OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken);
if(bRet)
{
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp),NULL,NULL);
CloseHandle(hToken);
return true;
}
return false;
}
BOOL InjectIATHOOK(LPCSTR szModule, ULONGLONG HookProc, ULONGLONG MyHookProc)
{
if(DebugPriviledge())
MessageBox(NULL, _T("true"), _T("true"), MB_OK);
else
{
MessageBox(NULL, _T("false"),_T("false"),MB_OK);
}
HMODULE hHookProc = GetModuleHandle(NULL);
// 获取导入表
// PIMAGE_IMPORT_DESCRIPTOR pImportDes = (PIMAGE_IMPORT_DESCRIPTOR)&(((PIMAGE_OPTIONAL_HEADER32)&(((PIMAGE_NT_HEADERS)((PIMAGE_DOS_HEADER)(BYTE*)hHookProc)->e_lfanew)->OptionalHeader))->DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT]);
PIMAGE_IMPORT_DESCRIPTOR pImportDes = NULL;
PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)hHookProc;
PIMAGE_NT_HEADERS64 pNt = (PIMAGE_NT_HEADERS64)((ULONGLONG)hHookProc+(pDos->e_lfanew));
//MessageBox(0,0,(LPCWSTR)(LPVOID)pNt,0);
PIMAGE_OPTIONAL_HEADER64 pOptional = &(pNt->OptionalHeader);
pImportDes = (PIMAGE_IMPORT_DESCRIPTOR)((ULONGLONG)hHookProc+(pOptional->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress));
// 得到导入模块地址
while(pImportDes)
{
if( _stricmp(szModule, (PCHAR)(pImportDes->Name+(ULONGLONG)hHookProc))==0 )
break;
pImportDes++;
}
// 查找我们需要hook的函数地址
PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)(pImportDes->FirstThunk+(ULONGLONG)hHookProc);
while ( pThunk->u1.Function )
{
// 找到函数地址,HOOK
if( (ULONGLONG)(HookProc)==pThunk->u1.Function )
{
DWORD dwOldProtect;
CreateAPI = (dwCreateFileW)pThunk->u1.Function;
VirtualProtect((LPVOID)pThunk->u1.Function, sizeof(ULONGLONG), PAGE_EXECUTE_READWRITE, &dwOldProtect);
pThunk->u1.Function = MyHookProc;
// memcpy_s(&(pThunk->u1.Function), 8, &MyHookProc, 8);
VirtualProtect((LPVOID)pThunk->u1.Function, sizeof(ULONGLONG), dwOldProtect, NULL);
return TRUE;
}
pThunk++;
}
return FALSE;
}
HANDLE WINAPI MyCreateFileW(
_In_ LPCWSTR lpFileName,
_In_ DWORD dwDesiredAccess,
_In_ DWORD dwShareMode,
_In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes,
_In_ DWORD dwCreationDisposition,
_In_ DWORD dwFlagsAndAttributes,
_In_opt_ HANDLE hTemplateFile
)
{
if( MessageBox(NULL, L"是否打开文件?", L"提示", MB_YESNO) == IDYES )
{
return CreateAPI(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
}
else
{
return INVALID_HANDLE_VALUE;
}
}
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
hookProc = GetProcAddress(GetModuleHandle(L"kernel32.dll"), "CreateFileW");
TCHAR szAddr[100];
_stprintf_s(szAddr, _T("%lld"), MyCreateFileW);
MessageBox(0,szAddr, 0,MB_OK);
_stprintf_s(szAddr, _T("%lld"), (ULONGLONG)(LPVOID)MyCreateFileW);
MessageBox(0,szAddr, 0,MB_OK);
if(InjectIATHOOK("kernel32.dll", (ULONGLONG)hookProc, (ULONGLONG)MyCreateFileW))
{
MessageBox(NULL, L"IAT Hook Success!",L"提示", MB_OK);
}
else
{
MessageBox(NULL, L"IAT Hook Failed!", L"提示", MB_OK);
}
}
break;
case DLL_THREAD_ATTACH:
{
}
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
{
if(InjectIATHOOK("kernel32.dll", (ULONGLONG)MyCreateFileW, (ULONGLONG)hookProc))
{
MessageBox(NULL, L"IAT UnHook Success!",L"提示", MB_OK);
}
else
{
MessageBox(NULL, L"IAT UnHook Failed!", L"提示", MB_OK);
}
}
break;
}
return TRUE;
}
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
