[分享]玩具 Inline Hook Manage-编程技术-看雪-安全社区|安全招聘|kanxue.com

[分享]玩具 Inline Hook Manage

发表于: 2015-1-25 12:25 4727

[分享]玩具 Inline Hook Manage

yimingqpa

2015-1-25 12:25

4727

typedef struct _HookTable {

LIST_ENTRY ListEntry;
CHAR chFuncName[128];
DWORD dwOleFuncAddr;
DWORD dwNewFuncAddr;
BYTE byOpCode[15];
UINT uOpLen;

} HookTable, *pHookTable;

namespace CHookManage {

class CHookManageClass {

private:
LIST_ENTRY m_listEntry;
protected:
public:

//实始化
VOID InitiaList();

//清除
VOID ClearList();

//添加HOOK
BOOLEAN AddHookFunc(CHAR* pFuncName, DWORD dwOleFuncAddr, DWORD dwNewFuncAddr, UINT uLen, DWORD* dwFunc);

//HOOK函数
BOOLEAN HookFunc(DWORD dwOleFuncAddr, DWORD dwNewFuncAddr);

//UNHOOK函数
VOID UnHookFunc(DWORD dwOleFuncAddr, PBYTE pOpCode, UINT uLen);

//获取函数地址
DWORD GetFuncAddr(CHAR* pFuncName);
};

//类指向
CHookManageClass* GetThis();
};

CHookManage::CHookManageClass* CHookManage::GetThis()
{
static CHookManage::CHookManageClass _CHookManageClass;

return &_CHookManageClass;
}

VOID CHookManage::CHookManageClass::InitiaList()
{
InitializeListHead(&m_listEntry);
}

VOID CHookManage::CHookManageClass::ClearList()
{
if (!MmIsAddressValid(&m_listEntry)) {

return;
}

while (!IsListEmpty(&m_listEntry)) {

PLIST_ENTRY pListNext = RemoveTailList(&m_listEntry);
pHookTable pHookInfo = CONTAINING_RECORD(pListNext, HookTable, ListEntry);

UnHookFunc(pHookInfo->dwOleFuncAddr, pHookInfo->byOpCode, pHookInfo->uOpLen);

ExFreePool(pHookInfo);
}
}

BOOLEAN CHookManage::CHookManageClass::AddHookFunc(CHAR* pFuncName, DWORD dwOleFuncAddr, DWORD dwNewFuncAddr, UINT uLen, DWORD* dwFunc)
{
BOOLEAN bRet = FALSE;

if ((NULL == pFuncName) || (0 == dwOleFuncAddr) || (0 == dwNewFuncAddr) || (0 == uLen)) {

return bRet;
}

__asm int 3

pHookTable pTempHookTable = (pHookTable)ExAllocatePool(NonPagedPool, sizeof(HookTable));

__try {

RtlZeroMemory(pTempHookTable, sizeof(HookTable));

StringCbCopy(pTempHookTable->chFuncName, 128, pFuncName);
pTempHookTable->dwOleFuncAddr = dwOleFuncAddr;
pTempHookTable->dwNewFuncAddr = dwNewFuncAddr;
pTempHookTable->uOpLen = uLen;
RtlCopyMemory(pTempHookTable->byOpCode, (PVOID)dwOleFuncAddr, uLen);

BYTE byData[] = { 0xE9, 0x00, 0x00, 0x00, 0x00 };
ULONG uJmpAddr = (dwOleFuncAddr + uLen) - ((DWORD)pTempHookTable->byOpCode + uLen) - 5;
RtlCopyMemory(byData + 1, &uJmpAddr, sizeof(ULONG));

RtlCopyMemory((PVOID)((DWORD)pTempHookTable->byOpCode + uLen), byData, sizeof(byData));
InsertHeadList(&m_listEntry, &pTempHookTable->ListEntry);

bRet = HookFunc(dwOleFuncAddr, dwNewFuncAddr);

*dwFunc = GetFuncAddr(pFuncName);

}
__except (EXCEPTION_EXECUTE_HANDLER) {

bRet = FALSE;
}

return bRet;
}

BOOLEAN CHookManage::CHookManageClass::HookFunc(DWORD dwOleFuncAddr, DWORD dwNewFuncAddr)
{
BOOLEAN bRet = FALSE;

if ((0 == dwOleFuncAddr) || (0 == dwNewFuncAddr)) {

return bRet;
}

__try {

BYTE byData[] = { 0xE9, 0x00, 0x00, 0x00, 0x00 };
ULONG uJmpAddr = dwNewFuncAddr - dwOleFuncAddr - 5;

RtlCopyMemory(byData + 1, &uJmpAddr, sizeof(ULONG));

CTool::GetThis()->ShutdownWriteProtect();

RtlCopyMemory((PVOID)dwOleFuncAddr, byData, sizeof(byData));

CTool::GetThis()->OpenWriteProtect();

bRet = TRUE;
}
__except (EXCEPTION_EXECUTE_HANDLER) {

bRet = FALSE;
}

return bRet;
}

VOID CHookManage::CHookManageClass::UnHookFunc(DWORD dwOleFuncAddr, PBYTE pOpCode, UINT uLen)
{
if ((0 == dwOleFuncAddr) || (NULL == pOpCode) || (0 == uLen)) {

return;
}

CTool::GetThis()->ShutdownWriteProtect();

RtlCopyMemory((PVOID)dwOleFuncAddr, pOpCode, uLen);

CTool::GetThis()->OpenWriteProtect();
}

DWORD CHookManage::CHookManageClass::GetFuncAddr(CHAR* pFuncName)
{
DWORD dwRet = 0;

if (NULL == pFuncName) {

return dwRet;
}

PLIST_ENTRY pListNext = m_listEntry.Flink;
while (pListNext != &m_listEntry) {

pHookTable pHookInfo = CONTAINING_RECORD(pListNext, HookTable, ListEntry);
pListNext = pListNext->Flink;

if (_stricmp(pHookInfo->chFuncName, pFuncName) == 0) {

dwRet = (DWORD)pHookInfo->byOpCode;
break;
}
}

return dwRet;
}

/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//使用
CHookManage::GetThis()->InitiaList();

CHookManage::GetThis()->AddHookFunc("NtOpenProcess", CSymbol::GetThis()->GetFuncAddr("NtOpenProcess"), (DWORD)Test_NtOpenProcess, 5, (DWORD*)&g_TestNtOpenProcess);

extern "C"
typedef NTSTATUS(NTAPI* T_NtOpenProcess)(__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PCLIENT_ID ClientId);

T_NtOpenProcess g_TestNtOpenProcess;
NTSTATUS NTAPI Test_NtOpenProcess(
__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PCLIENT_ID ClientId
)
{
__asm int 3

return g_TestNtOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}

//卸载
CHookManage::GetThis()->ClearList();

[课程]Linux pwn 探索篇！

收藏・10

免费・0

支持

最新回复 (2)
hnllhuihui 雪币： 67 活跃值： (12) 能力值： ( LV2，RANK：10 ) 在线值：发帖 18 回帖 127 粉丝 0 关注私信	hnllhuihui 2 楼奇葩! 用C++写驱动 2015-1-25 14:44 0
AioliaSky 雪币： 257 活跃值： (67) 能力值： ( LV4，RANK：50 ) 在线值：发帖 11 回帖 668 粉丝 0 关注私信	AioliaSky 1 3 楼什么玩具？先来试试 2015-1-25 15:44 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

yimingqpa

发帖

498

回帖

163

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

专注于PC、移动、智能设备安全研究及逆向工程的开发者社区

最新回复 (2)
hnllhuihui 雪币： 67 活跃值： (12) 能力值： ( LV2，RANK：10 ) 在线值：发帖 18 回帖 127 粉丝 0 关注私信	hnllhuihui 2 楼奇葩! 用C++写驱动 2015-1-25 14:44 0
AioliaSky 雪币： 257 活跃值： (67) 能力值： ( LV4，RANK：50 ) 在线值：发帖 11 回帖 668 粉丝 0 关注私信	AioliaSky 1 3 楼什么玩具？先来试试 2015-1-25 15:44 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复