这几天一直在做一个 Hook 的小项目,是基于 EasyHook 的,顺便自己学习一下,想做一个检测进程创建文件的工具,我 Hook 了 CreateFileA 和 CreateFileW 两个函数,当 notepad.exe 运行的时候可以看到它 CreateFile 检测了自身是否存在,dwCreationDisposition 参数为 0x00000003。如下图:
但当我用 notepad.exe 另存为一个新的文件时,却看不到它调用 CreateFile* 的信息。请问这是为什么?代码如下:
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "stdafx.h"
#include "easyhook.h"
#include "DriverShared.h"
#ifndef _WIN64
#pragma comment(lib, "EasyHookLib.lib")
#else
#pragma comment(lib, "EasyHookLib64.lib")
#endif
EXTERN_C BOOL APIENTRY EASYHOOK_DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved);
typedef HANDLE(WINAPI *pfnCREATEFILEA)(
__in LPCSTR lpFileName,
__in DWORD dwDesiredAccess,
__in DWORD dwShareMode,
__in_opt LPSECURITY_ATTRIBUTES lpSecurityAttributes,
__in DWORD dwCreationDisposition,
__in DWORD dwFlagsAndAttributes,
__in_opt HANDLE hTemplateFile
);
typedef HANDLE(WINAPI *pfnCREATEFILEW)(
__in LPCWSTR lpFileName,
__in DWORD dwDesiredAccess,
__in DWORD dwShareMode,
__in_opt LPSECURITY_ATTRIBUTES lpSecurityAttributes,
__in DWORD dwCreationDisposition,
__in DWORD dwFlagsAndAttributes,
__in_opt HANDLE hTemplateFile
);
HMODULE hKernel32 = LoadLibraryA("Kernel32.dll");
TRACED_HOOK_HANDLE hCreateFileA = new HOOK_TRACE_INFO();
TRACED_HOOK_HANDLE hCreateFileW = new HOOK_TRACE_INFO();
NTSTATUS NtStatus;
ULONG ACLEntries[1] = { 0 };
ULONG HookCreateFileA_ACLEntries[1] = { 0 };
ULONG HookCreateFileW_ACLEntries[1] = { 0 };
UNICODE_STRING* NameBuffer = NULL;
pfnCREATEFILEA pfnCreateFileA = NULL;
pfnCREATEFILEW pfnCreateFileW = NULL;
HANDLE WINAPI CreateFileAHook(
__in LPCSTR lpFileName,
__in DWORD dwDesiredAccess,
__in DWORD dwShareMode,
__in_opt LPSECURITY_ATTRIBUTES lpSecurityAttributes,
__in DWORD dwCreationDisposition,
__in DWORD dwFlagsAndAttributes,
__in_opt HANDLE hTemplateFile
)
{
HANDLE hHandle = NULL;
DWORD dwError = 0;
// 执行钩子
if (pfnCreateFileA == NULL)
{
OutputDebugString(L"pfnCreateFileA is NULL\n");
return INVALID_HANDLE_VALUE;
}
else
{
hHandle = (pfnCREATEFILEA)(lpFileName, dwDesiredAccess, dwShareMode,
lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
dwError = GetLastError();
CString csOutput;
csOutput.Format(_T("CreateFileAHook lpFileName = %s, dwCreationDisposition = 0x%08X"),
lpFileName, dwCreationDisposition);
OutputDebugString(csOutput);
}
return hHandle;
}
HANDLE WINAPI CreateFileWHook(
__in LPCWSTR lpFileName,
__in DWORD dwDesiredAccess,
__in DWORD dwShareMode,
__in_opt LPSECURITY_ATTRIBUTES lpSecurityAttributes,
__in DWORD dwCreationDisposition,
__in DWORD dwFlagsAndAttributes,
__in_opt HANDLE hTemplateFile)
{
HANDLE hHandle = NULL;
DWORD dwError = 0;
if (pfnCreateFileW == NULL)
{
OutputDebugString(_T("pfnCreateFileW is NULL\n"));
return INVALID_HANDLE_VALUE;
}
else
{
hHandle = (pfnCREATEFILEW)(lpFileName, dwDesiredAccess, dwShareMode,
lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
dwError = GetLastError();
CString csOutput;
csOutput.Format(_T("CreateFileWHook lpFileName = %s, dwCreationDisposition = 0x%08X"),
lpFileName, dwCreationDisposition);
OutputDebugString(csOutput);
}
return hHandle;
}
BOOL InstallHook()
{
TCHAR szCurrentProcessName[MAX_PATH] = { 0 };
GetModuleFileName(NULL, szCurrentProcessName, _countof(szCurrentProcessName));
OutputDebugString(szCurrentProcessName);
pfnCreateFileA = (pfnCREATEFILEA)GetProcAddress(hKernel32, "CreateFileA");
NtStatus = LhInstallHook(pfnCreateFileA, CreateFileAHook, NULL, hCreateFileA);
if (!SUCCEEDED(NtStatus))
{
OutputDebugString(_T("LhInstallHook failed..."));
return FALSE;
}
NtStatus = LhSetInclusiveACL(HookCreateFileA_ACLEntries, 1, hCreateFileA);
if (!SUCCEEDED(NtStatus))
{
OutputDebugString(_T("LhSetInclusiveACL failed..."));
LhUninstallAllHooks();
LhUninstallHook(hCreateFileA);
return FALSE;
}
pfnCreateFileW = (pfnCREATEFILEW)GetProcAddress(hKernel32, "CreateFileW");
if (NULL == pfnCreateFileW)
{
OutputDebugString(_T("pfnCreateFileW is NULL"));
}
NtStatus = LhInstallHook(pfnCreateFileW, CreateFileWHook, NULL, hCreateFileW);
if (!SUCCEEDED(NtStatus))
{
OutputDebugString(_T("LhInstallHook CreateFileWHook failed..."));
return FALSE;
}
NtStatus = LhSetInclusiveACL(HookCreateFileW_ACLEntries, 1, hCreateFileW);
if (!SUCCEEDED(NtStatus))
{
OutputDebugString(_T("LhSetInclusiveACL CreateFileWHook failed..."));
LhUninstallAllHooks();
LhUninstallHook(hCreateFileW);
return FALSE;
}
HANDLE hOpenFile = (HANDLE)CreateFile(PathFindFileName(szCurrentProcessName), GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, NULL, NULL);
if (hOpenFile == INVALID_HANDLE_VALUE)
{
hOpenFile = NULL;
}
return TRUE;
}
BOOL UninstallHook()
{
LhUninstallAllHooks();
if (NULL != hCreateFileA)
{
LhUninstallHook(hCreateFileA);
delete hCreateFileA;
hCreateFileA = NULL;
}
if (NULL != hCreateFileW)
{
LhUninstallHook(hCreateFileW);
delete hCreateFileW;
hCreateFileW = NULL;
}
LhWaitForPendingRemovals();
return TRUE;
}
DWORD WINAPI HookThreadProc(LPVOID lpParamter)
{
InstallHook();
return 0;
}
void StartHookThread()
{
DWORD dwThreadID = 0;
HANDLE hThread = CreateThread(NULL, 0, HookThreadProc, NULL, 0, &dwThreadID);
CloseHandle(hThread);
}
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
OutputDebugString(_T("DLL_PROCESS_ATTACH"));
EASYHOOK_DllMain(hModule, ul_reason_for_call, lpReserved);
StartHookThread();
}
break;
case DLL_THREAD_ATTACH:
{
EASYHOOK_DllMain(hModule, ul_reason_for_call, lpReserved);
}
break;
case DLL_THREAD_DETACH:
{
EASYHOOK_DllMain(hModule, ul_reason_for_call, lpReserved);
}
break;
case DLL_PROCESS_DETACH:
{
OutputDebugString(_T("DLL_PROCESS_DETACH"));
UninstallHook();
EASYHOOK_DllMain(hModule, ul_reason_for_call, lpReserved);
}
break;
}
return TRUE;
}
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)