比任何HOOK库都好用
其它语言。自己看着修改
; hookesp_s - view of the stack inside a hook handler right after `pushad`,
; when the handler was entered through the trampoline's `call`
; (my_WSARecv does `pushad` / `mov edi,esp` / `assume edi:ptr hookesp_s`).
; Fields are listed from the lowest address upward; the eight reg* slots are
; in the order `pushad` leaves them in memory.
hookesp_s struct
regEdi dd ?            ; saved EDI, at [esp+0] after pushad
regEsi dd ?            ; saved ESI
regEbp dd ?            ; saved EBP
regEsp dd ?            ; ESP as recorded by pushad (its value before the pushad)
regEbx dd ?            ; saved EBX
regEdx dd ?            ; saved EDX
regEcx dd ?            ; saved ECX
regEax dd ?            ; saved EAX; my_WSARecv overwrites it so popad hands back the API result
mycall_ret dd ?        ; return address pushed by the trampoline's `call`: the relocated entry bytes
call_ret dd ?          ; return address of whoever called the hooked function
arg1 dd ?              ; stack arguments of the hooked call, first argument first
arg2 dd ?
arg3 dd ?
arg4 dd ?
arg5 dd ?
arg6 dd ?
arg7 dd ?
arg8 dd ?              ; my_WSARecv reads arg1..arg7 only
hookesp_s ends
; esp_s - same pushad frame as hookesp_s but without the mycall_ret slot, i.e.
; the saved registers are followed directly by the caller's return address.
; NOTE(review): no procedure visible in this listing references esp_s;
; presumably it is for a handler that is not entered through the trampoline's
; `call` - confirm against its users.
esp_s struct
regEdi dd ?            ; saved EDI, lowest address after pushad
regEsi dd ?            ; saved ESI
regEbp dd ?            ; saved EBP
regEsp dd ?            ; ESP as recorded by pushad
regEbx dd ?            ; saved EBX
regEdx dd ?            ; saved EDX
regEcx dd ?            ; saved ECX
regEax dd ?            ; saved EAX
call_ret dd ?          ; return address of the caller
arg1 dd ?              ; stack arguments, first argument first
arg2 dd ?
arg3 dd ?
arg4 dd ?
arg5 dd ?
arg6 dd ?
arg7 dd ?
arg8 dd ?
esp_s ends
.code
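;-----------------------------------------------------------------------
; zcopy - copy slen bytes from src to des, lowest address first.
; In:    src  = source address
;        des  = destination address
;        slen = number of bytes to copy (0 copies nothing)
; Out:   nothing; all general registers are preserved (pushad/popad)
; Note:  neither pointer is validated; the caller must own both ranges.
;-----------------------------------------------------------------------
zcopy proc src:dword,des:dword,slen:dword
    pushad
    mov     esi,src
    mov     edi,des
    mov     ecx,slen
    ; A zero count must copy nothing. The earlier `loop`-based form
    ; decremented ECX before testing it, so slen = 0 wrapped around and
    ; walked 2^32 bytes.
    test    ecx,ecx
    jz      zcopy_done
zcopy_next:
    mov     al,byte ptr[esi]
    mov     byte ptr[edi],al
    inc     esi
    inc     edi
    dec     ecx                     ; ecx = bytes still to copy
    jnz     zcopy_next
zcopy_done:
    popad
    ret
zcopy endp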
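;-----------------------------------------------------------------------
; acallb - write a 5-byte `call rel32` (E8 xx xx xx xx) at a_addr whose
;          target is b_addr.
; In:    a_addr = address to patch
;        b_addr = call target
; Out:   nothing; all general registers are preserved (pushad/popad).
;        If write access cannot be obtained the patch is skipped rather
;        than faulting on the store; the caller gets no status back.
; Note:  the 5-byte store is not atomic with respect to other threads
;        that may be executing at a_addr.
;-----------------------------------------------------------------------
acallb proc a_addr:dword,b_addr:dword
    local OldProtect
    pushad
    ; IsBadWritePtr is documented as obsolete and is inherently racy, so
    ; request write access unconditionally and act on the real result.
    invoke  VirtualProtect,a_addr,5,PAGE_EXECUTE_READWRITE,addr OldProtect
    .if eax!=0
        mov     eax,a_addr
        mov     edx,b_addr
        sub     edx,eax
        sub     edx,5                   ; rel32 = b_addr - (a_addr + 5)
        mov     byte ptr[eax],0e8h      ; opcode: call rel32
        ; plain store: xchg with memory is implicitly locked and the
        ; value it returned was never used
        mov     dword ptr[eax+1],edx
        ; put the previous protection back so the page does not stay
        ; writable and executable after the patch
        invoke  VirtualProtect,a_addr,5,OldProtect,addr OldProtect
    .endif
    popad
    ret
acallb endp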
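;-----------------------------------------------------------------------
; ajmpb - write a 5-byte `jmp rel32` (E9 xx xx xx xx) at a_addr whose
;         target is b_addr.
; In:    a_addr = address to patch
;        b_addr = jump target
; Out:   nothing; all general registers are preserved (pushad/popad).
;        If write access cannot be obtained the patch is skipped rather
;        than faulting on the store; the caller gets no status back.
; Note:  the 5-byte store is not atomic with respect to other threads
;        that may be executing at a_addr.
;-----------------------------------------------------------------------
ajmpb proc a_addr:dword,b_addr:dword
    local OldProtect
    pushad
    ; IsBadWritePtr is documented as obsolete and is inherently racy, so
    ; request write access unconditionally and act on the real result.
    invoke  VirtualProtect,a_addr,5,PAGE_EXECUTE_READWRITE,addr OldProtect
    .if eax!=0
        mov     eax,a_addr
        mov     edx,b_addr
        sub     edx,eax
        sub     edx,5                   ; rel32 = b_addr - (a_addr + 5)
        mov     byte ptr[eax],0e9h      ; opcode: jmp rel32
        ; plain store: xchg with memory is implicitly locked and the
        ; value it returned was never used
        mov     dword ptr[eax+1],edx
        ; put the previous protection back so the page does not stay
        ; writable and executable after the patch
        invoke  VirtualProtect,a_addr,5,OldProtect,addr OldProtect
    .endif
    popad
    ret
ajmpb endp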
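;-----------------------------------------------------------------------
; hook_api_jump - redirect an exported function to a handler through a
;                 freshly allocated stub page.
; In:    lphnd = module name string, passed to GetModuleHandle (the
;                module must already be loaded)
;        lpapi = export name, passed to GetProcAddress
;        myapi = address of the handler the stub calls
;        jump  = number of bytes at the function entry that are moved
;                into the stub and overwritten; must be >= 5 (size of
;                the jmp rel32) and must end on an instruction boundary.
;                The bytes are copied verbatim, so they must not contain
;                position-dependent instructions.
; Out:   nothing; all general registers are preserved. The caller is
;        not told whether the hook was installed.
; Stub:  [call myapi (5)] [original entry bytes (jump)] [jmp api+jump (5)]
; Note:  the entry patch is not synchronised with other threads that may
;        be executing the target while it is rewritten.
;-----------------------------------------------------------------------
hook_api_jump proc lphnd,lpapi,myapi,jump
    LOCAL vaddr
    local OldProtect
    local apiaddr
    pushad
    ; Reject lengths that cannot hold the 5-byte jmp (the entry would be
    ; overwritten past what was saved) or that overflow the 1000h-byte
    ; stub page: 5 + jump + 5 <= 1000h  ->  jump <= 0FF6h.
    .if jump>=5 && jump<=0FF6h
        ; Resolve the target first so a failed lookup does not leak a page.
        invoke  GetModuleHandle,lphnd
        .if eax!=0
            invoke  GetProcAddress,eax,lpapi
            .if eax!=0
                mov     apiaddr,eax     ; keep it in memory: invoke may clobber eax/ecx/edx
                invoke  VirtualAlloc,0,1000h,MEM_RESERVE+MEM_COMMIT,PAGE_READWRITE
                .if eax!=0
                    mov     vaddr,eax
                    ; Build the whole stub while the page is still read/write.
                    invoke  acallb,vaddr,myapi
                    mov     ebx,vaddr
                    add     ebx,5                   ; ebx = slot for the relocated entry bytes
                    invoke  zcopy,apiaddr,ebx,jump
                    add     ebx,jump                ; ebx = slot for the jmp back
                    mov     ecx,apiaddr
                    add     ecx,jump                ; ecx = first byte after the relocated bytes
                    invoke  ajmpb,ebx,ecx
                    ; Make the stub executable before the entry is redirected,
                    ; and drop write access: the stub is never modified again.
                    invoke  VirtualProtect,vaddr,1000h,PAGE_EXECUTE_READ,addr OldProtect
                    .if eax!=0
                        invoke  ajmpb,apiaddr,vaddr
                    .else
                        ; stub cannot be made executable: leave the target untouched
                        invoke  VirtualFree,vaddr,0,MEM_RELEASE
                    .endif
                .endif
            .endif
        .endif
    .endif
    popad
    ret
hook_api_jump endp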
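;-----------------------------------------------------------------------
; hook_addr_jump - redirect the code at a raw address to a handler
;                  through a freshly allocated stub page.
; In:    lpaddr = address of the code to redirect
;        myapi  = address of the handler the stub calls
;        jump   = number of bytes at lpaddr that are moved into the stub
;                 and overwritten; must be >= 5 (size of the jmp rel32)
;                 and must end on an instruction boundary. The bytes are
;                 copied verbatim, so they must not contain
;                 position-dependent instructions.
; Out:   nothing; all general registers are preserved. The caller is
;        not told whether the hook was installed.
; Stub:  [call myapi (5)] [original bytes (jump)] [jmp lpaddr+jump (5)]
; Note:  the patch is not synchronised with other threads that may be
;        executing at lpaddr while it is rewritten.
;-----------------------------------------------------------------------
hook_addr_jump proc lpaddr,myapi,jump
    LOCAL vaddr
    local OldProtect
    pushad
    ; Reject a null target and lengths that cannot hold the 5-byte jmp
    ; or that overflow the 1000h-byte stub page (5 + jump + 5 <= 1000h).
    .if lpaddr!=0 && jump>=5 && jump<=0FF6h
        invoke  VirtualAlloc,0,1000h,MEM_RESERVE+MEM_COMMIT,PAGE_READWRITE
        .if eax!=0
            mov     vaddr,eax
            ; Build the whole stub while the page is still read/write.
            invoke  acallb,vaddr,myapi
            mov     ebx,vaddr
            add     ebx,5                   ; ebx = slot for the relocated bytes
            invoke  zcopy,lpaddr,ebx,jump
            add     ebx,jump                ; ebx = slot for the jmp back
            mov     ecx,lpaddr
            add     ecx,jump                ; ecx = first byte after the relocated bytes
            invoke  ajmpb,ebx,ecx
            ; Make the stub executable before the target is redirected,
            ; and drop write access: the stub is never modified again.
            invoke  VirtualProtect,vaddr,1000h,PAGE_EXECUTE_READ,addr OldProtect
            .if eax!=0
                invoke  ajmpb,lpaddr,vaddr
            .else
                ; stub cannot be made executable: leave the target untouched
                invoke  VirtualFree,vaddr,0,MEM_RELEASE
            .endif
        .endif
    .endif
    popad
    ret
hook_addr_jump endp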
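;-----------------------------------------------------------------------
; my_WSARecv - handler reached through the stub that hook_api_jump builds
;              for WSARecv. Runs the original function, then, for a
;              single-buffer call that completed with data, sends a hex
;              dump of the received bytes to the debugger output.
; Entry: stack = [stub return address][caller return address][arg1..arg7]
;        (see hookesp_s once pushad has run)
; Exit:  EAX = value returned by the original WSARecv; other registers
;        as on entry; the seven stack arguments are removed (ret 1ch).
; Note:  no frame is set up; the proc has no parameters or locals.
;-----------------------------------------------------------------------
my_WSARecv proc
    pushad
    mov     edi,esp
    assume  edi:ptr hookesp_s
    ; push edi
    ; invoke wsprintf,addr szbuf,SADD("my_WSARecv ret:%08X arg2:%08X arg3:%08X arg4:%08X",0),\
    ; [edi].call_ret,[edi].arg2,[edi].arg3,[edi].arg4
    ; invoke OutputDebugString,addr szbuf
    ; pop edi
    push    edi                     ; survives the call; popped at @@
    ; Re-push the caller's seven arguments and run the original function:
    ; `ret` jumps to the relocated entry bytes in the stub, and the
    ; original returns to @@ after cleaning its arguments.
    push    [edi].arg7
    push    [edi].arg6
    push    [edi].arg5
    push    [edi].arg4
    push    [edi].arg3
    push    [edi].arg2
    push    [edi].arg1
    push    @f
    push    [edi].mycall_ret
    ret
@@:
    pop     edi
    mov     [edi].regEax,eax        ; popad will return this to the caller
    ; Only inspect the buffers after an immediate success. On an error or
    ; a pending overlapped request the byte count is not valid yet, and
    ; the debug calls below may disturb the thread's last-error value
    ; that the caller is about to read.
    test    eax,eax
    jnz     my_WSARecv_done
    ; arg4 (lpNumberOfBytesRecvd) may legitimately be NULL for overlapped
    ; calls; dereferencing it unchecked faults inside the hooked process.
    mov     eax,[edi].arg4
    test    eax,eax
    jz      my_WSARecv_done
    mov     eax,dword ptr[eax]
    test    eax,eax
    jz      my_WSARecv_done         ; nothing received
    .if [edi].arg3==1               ; dwBufferCount: only the single-buffer case is dumped
        invoke  RtlZeroMemory,addr buffer,sizeof buffer
        mov     eax,[edi].arg4
        mov     ecx,dword ptr[eax]          ; ecx = bytes received
        mov     eax,[edi].arg2
        mov     ebx,dword ptr[eax+4]        ; ebx = lpBuffers[0].buf (WSABUF: len at +0, buf at +4)
        ; NOTE(review): Writehex and `buffer` are defined outside this
        ; listing. The byte count comes from network traffic; if Writehex
        ; expands it into `buffer` without checking sizeof buffer this
        ; overflows - confirm. `buffer` also looks shared between threads.
        invoke  Writehex,ebx,ecx
        invoke  OutputDebugString,addr buffer
    .endif
my_WSARecv_done:
    assume  edi:nothing
    popad
    add     esp,4                   ; drop the stub's return address (mycall_ret)
    ret     1ch                     ; back to the original caller, 7 args removed
my_WSARecv endp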
; hook_WSARecv - install the WSARecv hook: emit a debug trace line, then ask
; hook_api_jump to redirect WS2_32.dll!WSARecv to my_WSARecv.
; hook_api_jump returns nothing and looks the module up with GetModuleHandle,
; so this routine cannot tell whether the hook was installed (for example when
; WS2_32.dll is not loaded yet).
hook_WSARecv proc
invoke OutputDebugString,SADD("hook_WSARecv")
; The last argument is the number of entry bytes relocated into the stub;
; 5 is the size of the jmp rel32 written over the entry.
; NOTE(review): assumes the first 5 bytes of WSARecv are whole,
; position-independent instructions on the target build - confirm.
invoke hook_api_jump,SADD("WS2_32.dll"),SADD("WSARecv"),offset my_WSARecv,5
ret
hook_WSARecv endp